The Ministry of Electronics and Information Technology (MeitY) has confirmed that the final rules for the Digital Personal Data Protection Act, 2023, will be published by September 30. Officials say the drafting process was deliberate, shaped by nearly 7,000 responses from citizens, companies, and civil society groups. Information Technology Minister Ashwini Vaishnaw earlier set a September 28 deadline, but the government chose to extend consultations before finalizing the text.
According to S. Krishnan, secretary at MeitY, the final version will be phased in, reflecting the government’s intent to balance regulatory ambition with operational feasibility. Still, the absence of amendments or detailed guidelines, insiders suggest, may mean the law is clarified only through FAQs—a move that alarms both media watchdogs and industry associations.
A Law Balancing Privacy and State Power
At its core, the DPDPA enshrines the principle that “one’s data is one’s own.” Section 7 requires explicit consent before personal information can be collected, while Section 16 governs cross-border transfers, restricting them to countries not flagged by New Delhi. Draft Rule 14, however, extended restrictions even to entities indirectly controlled by restricted states—raising fears of a sweeping extraterritorial net.
Another point of contention is Section 36, which empowers the government to call for information from data fiduciaries. Draft Rule 22 broadened this power under “sovereignty” and “security,” requiring fiduciaries to defer to government directions when disclosures might affect national interest. Critics say this creates compliance uncertainty and risks conflating privacy protections with state surveillance.
Industry Resistance and Media Fears
India’s powerful technology lobbies have pushed back. NASSCOM and the Internet and Mobile Association of India (IAMAI) warn that restrictions on cross-border data flows could isolate Indian firms from global markets, increase compliance costs, and hurt competitiveness. IAMAI has also called for a 24-month grace period for companies to adapt.
Journalists, meanwhile, fear erosion of press freedom. Media groups argue that vague disclosure provisions could compel reporters to reveal confidential sources, diluting protections under the Right to Information Act. The Editors Guild and other bodies have sought explicit safeguards, but none have been introduced. Penalties under the law—running up to ₹200 crore—further add to their unease.
The Road Ahead: Trust, Compliance, and Uncertainty
While the government frames the DPDPA as a foundation for secure and accountable digital governance, its rollout has been fraught with tension. Smaller enterprises say compliance is simply unaffordable, while larger firms brace for complex reporting requirements. Free speech advocates warn of chilling effects on journalism, even as policymakers insist the law will empower individuals and protect sovereignty.
As one former senior official at MeitY put it, the law is both radical and unfinished: “This act gives the individual the right to their data. But whether that right will be exercised freely—or overshadowed by state control—depends entirely on how the final rules are enforced.”
