A senior government official told The Economic Times (ET) that the Centre is set to notify the final rules for the Digital Personal Data Protection (DPDP) Act by April. The Ministry of Electronics and Information Technology (MeitY) has already reviewed two-thirds of the public comments received during consultations on the draft DPDP Rules 2025, which began on January 3. The government plans to address the remaining comments soon and aims to finalize the rules by the end of next month.
The DPDP rules are crucial for operationalizing the DPDP Act, which Parliament passed two years ago. Once finalized, these rules will activate the Act, providing industries with a transition period to comply with the new regulations.
Industry stakeholders raised key concerns about data localization and the concept of verifiable parental consent (VPC) during the consultation process. However, the government official emphasized that these concerns may be overstated and that the provision regarding VPC might only be applied sparingly.
Data Localization Draws Strong Criticism
Rule 12(4) allows the government to mandate data localization for Significant Data Fiduciaries (SDFs). Industry bodies like ITI, Nasscom, BSA, and IAMAI have raised concerns about this provision. They argue it conflicts with the DPDP Act’s “open by default” approach to international data transfers.
These groups warn that data localization could disrupt global data flows and stifle innovation. They also believe it will increase operational costs, particularly for India’s IT and business sectors. Nasscom questioned whether the proposal would improve data security or create more uncertainty around data transfers.
Verifiable Parental Consent Sparks Implementation Concerns
Another contentious issue is Rule 10, which requires verifiable parental consent for processing children’s data. The DPDP Act defines a child as anyone under 18. The draft rules mandate companies to obtain parental consent before processing minors’ data.
Industry bodies have raised concerns over the complexity and feasibility of implementing these provisions, especially for smaller businesses and platforms. ITI highlighted the technical challenges associated with ensuring accurate age verification and obtaining parental consent. Additionally, IAMAI cautioned that verifying parental consent for all users could lead to unnecessary data collection, conflicting with the principle of data minimization.
Call for a Balanced Approach to DPDP Compliance
Industry stakeholders are urging MeitY to adopt a balanced approach that protects individuals’ privacy while fostering innovation and economic growth. They’ve called for further consultations to ensure the final rules are clear, implementable, and aligned with the DPDP Act.
The finalization of the DPDP rules will play a key role in shaping India’s data protection landscape, and businesses and individuals alike eagerly await their implementation.
Source: The Economic Times