The Digital Personal Data Protection (DPDP) Act, passed by Parliament in August 2023, remains dormant over 16 months later, with no clear timeline for the release of the Draft DPDP Rules, effectively stalling the legislation’s implementation. Despite being ratified more than a year ago, the law remains on hold, awaiting the finalization of key regulations. The recent Winter Session of Parliament marked the fourth consecutive session without any updates on when these rules might be issued.
So, why the delay in releasing the DPDP Rules?
A major challenge lies in the significant impact this law will have on businesses. Organizations must implement systems to comply with DPDP obligations, such as consent mechanisms and data security measures. Moreover, the government needs to establish mechanisms for addressing data privacy disputes and create institutions to enforce the legislation.
Implementing the DPDP Act requires a fundamental shift in attitudes toward personal data, which has not yet received sufficient attention in India. Unlike the introduction of GST, which benefited from existing tax systems, the DPDP Act’s success relies on building new institutions and ensuring their smooth operation.
- Rashmi Deshpande, Founder of Fountainhead Legal
The government is in the final stages of drafting the DPDP Rules, but their release has been delayed as officials work to ensure they are both thorough and effective. Given India’s diverse economy and sector-specific challenges, lawmakers are being particularly careful to align the rules with the legislative intent of the DPDP Act, 2023. “The delay stems from several factors, including the complexity of the legislation, the need for sector-specific considerations, and the importance of stakeholder consultations. Additionally, the government plans for a phased implementation to ensure smooth integration across industries,” said Anandaday Mishra, Founder & Managing Partner of AMLEGALS.
Experts note that the DPDP Rules will define the procedures for all aspects of the Act. While companies may have already assessed their readiness based on the Act’s principles, the rules are crucial in outlining internal processes and mechanisms that businesses will need to adopt.
“Given the critical nature of the Rules, the government is likely focused on ensuring clarity and transparency in the processes, making sure businesses can easily comply before the rules are published. The government has also indicated further consultation once the Draft Rules are released. It seems they prefer to be thorough rather than rushed,” said Bhaven Shah, co-founder of Presolv360, an Online Dispute Resolution Institute.
What to Expect from the Rules?
The DPDP Act outlines the fundamental principles of data privacy in India, while the Rules are expected to clarify key details. These include the format and method for issuing notices to data principals, the roles and responsibilities of consent managers, and the criteria for identifying ‘significant data fiduciaries,’ who will face additional obligations and heightened accountability. The Rules will also likely establish strong standards for grievance redressal mechanisms within organizations. “We expect the rules to clarify operational details, such as consent frameworks, data transfer mechanisms, grievance redress processes, and obligations for data fiduciaries. Provisions for startups, MSMEs, and sectors with high data dependencies may also be included to ensure effective implementation without hindering innovation,” said Ankit Sahni, Partner at Ajay Sahni & Associates.
The Rules are expected to clarify ambiguities within the Act, including the categorization of Significant Data Fiduciaries, Consent and Notice Frameworks, user rights implementation, breach notification, the establishment and function of the DPBI, penalty mechanisms, and transition periods for compliance, among other details. “Regarding implementation, we anticipate the rules to be phased in, initially addressing priority areas such as user rights, consent mechanisms, and data breach reporting,” said Anupam Prasad, Founder & Managing Partner of AP Law Chambers.
Rules associated with an act provide specific guidelines for its implementation, ensuring the legal requirements are enforceable. They will likely clarify key aspects of the DPDP Act, including obtaining valid consent, the obligations of data fiduciaries, the rights of data principals, cross-border data transfers, and specific exemptions for law enforcement or national security. “The rules will likely also define the functions of the Data Protection Board of India and penalties for non-compliance,” added Ankita Singh, Co-Founder & Partner at A&P Partners.
The DPDP Rules are expected to create a cohesive and efficient framework for implementing the Act’s complex provisions. These will include procedures for consent mechanisms, data portability, privacy notices, data retention and deletion, grievance redressal, compliance requirements, penalties, breach reporting, and adherence to natural justice. They will also clarify the roles of the Board and relevant authorities in overseeing the Act’s execution.
With these developments, India is poised to introduce a world-class data protection framework that addresses its unique challenges while aligning with global data protection standards.
- Anandaday Mishra, Founder & Managing Partner of AMLEGALS