The Central government is reportedly aiming to notify the final rules of the Digital Personal Data Protection (DPDP) Act in April. The Ministry of Electronics and Information Technology (MeitY) has reviewed two-thirds of the comments received during the consultations on the draft DPDP Rules 2025, which began on January 3.
The DPDP rules are crucial for operationalising the DPDP Act, which was passed by Parliament two years ago. These rules will bring the Act into effect, allowing a transition period for the industry to implement the required changes.
Further, Rule 12(4) related to data localisation which empowers the government to mandate data localisation for Significant Data Fiduciaries (SDFs) remains a major concern for the industry, along with issues related to verifiable parental consent (VPC) or processing children’s data (Rule 10). However, these concerns are unfounded and that the provision may be applied sparingly by the government, if at all.
Furthermore, most industry bodies, including the Information Technology Industry (ITI) Council, Nasscom, Business Software Alliance (BSA), and Internet and Mobile Association of India (IAMAI), have submitted their feedback to MeitY. They have flagged issues regarding data localisation and VPC requirements in the draft rules.
