 "15 months after DPDP Act, rules to be out by the end of this month")
The Ministry of Electronics and Information Technology (Meity) is learnt to be ready with the much-awaited rules of the Digital Personal Data Protection (DPDP) Act after multiple re-drafts over the past several months.
A source indicated that the rules would be ‘’published’’ by the end of this month. However, the notification of the DPDP rules could spill over to 2025 as a consultation process would be required after the rules are published.
DPDP Act, that is meant to regulate processing of digital personal data, was passed as a law by the Parliament in August 2023 but it could not come into effect as framing of the rules took time. For more than six months, the DPDP rules were drafted and re-drafted, according to an official in the know.
“We have fully closed it now,’’ the source said. Once the Assembly elections are done and the results are out, the data protection rules are expected to get the political green light.
Without elaborating, an official told this newspaper that the rules would be clarificatory in nature and that there wouldn’t be any additional points in the law. ‘’One shouldn’t expect surprises in the rules,’’ the official said.
The Union government has not officially given out any timeline for the DPDP Act rules, which would help introduce safeguards in preventing personal data violations while mandating data fiduciaries to ensure compliance. Against the backdrop of increasing cases of personal data breaches, a privacy law through the DPDP Act assumes significance.
The DPDP Act, once the provisions come into effect, will replace Section 43A of the Information Technology Act 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data of Information) Rules 2011.
More From This Section
Among the key features, the Act states that personal data should only be processed for a lawful purpose for which consent has come from the data principal.
Also, the law puts a limit to data collection. That is, only such personal data, which is necessary, should be collected.
The law will be applicable to all kinds of personal data, without making sub-categories such as sensitive personal data and critical personal data.
Therefore, the new law will be different from the current Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data of Information) Rules, 2011, which differentiates between personal information and sensitive personal information.