16 months on, Centre issues draft Digital Personal Data Protection Rules
The draft rules propose that provisions related to the selection and functioning of Data Protection Board come into force with immediate effect
NEW DELHI: The ministry of electronics and information technology on Friday evening released the draft of Digital Personal Data Protection Rules – sixteen months after the law was notified in August 2023.

Comments on the draft rules can be submitted within the next 45 days through the MyGov portal.
These rules are key to operationalising the Digital Personal Data Protection Act that had been in the making since an expert group, formed under the chairpersonship of former chief justice of the Delhi high court AP Shah in 2011, recommended that India must enact a privacy legislation. Since then, before eventually becoming an act in 2023, the legislation had seen at least four major iterations as a bill.
The draft rules have proposed staggered implementation of the rules. It said five rules (rules 16-20) related to the selection and functioning of Data Protection Board (DPB) come into force with immediate effect and all other rules (such as notice requirements, functioning of consent manager, government access to data) come into effect at a later date.
This is because the DPB, under the Act, is vested with the powers of a civil court, and is meant to adjudicate and inquire into reports of personal data breaches by a user (data principal), or the central government. It is empowered to impose monetary penalties that may go up to ₹250 crore. Complaints can be escalated to the Appellate Tribunal only when the DPB is in place.
To be sure, the DPDP Act only applies to data that is processed digitally. It does not apply to analogue processing of data. This means that, for instance, when guests turn over their government IDs to check into a hotel and a note is made in a physical register, the data is not protected under DPDPA. However, if this data is scanned and stored in a computer, it would be covered.
When the DPDP Bill, 2022 was released for public consultation in December 2023, on asking about the exclusion of non-digital personal data from the ambit of the bill, the then minister of state Rajeev Chandrasekhar had said that neither the Shah committee, nor the Supreme Court had said that MeitY had to be the nodal ministry for a privacy legislation, and that there could only be one law for protecting citizens’ privacy. At that time, he had said that other ministries could also come out with privacy legislation.
In the right to privacy judgment of 2017, a nine-judge bench of the Supreme Court unanimously recognised the fundamental right to privacy as guaranteed under the Constitution .
The rules had seen significant back and forth between the industry over one major issue – verifiable parental consent and how to operationalise it.