 
One of the key provisions in the draft rules is the requirement for parental consent when processing the personal data of children
The Ministry of Electronics and Information Technology (MeitY) has announced a 15-day extension for submitting public comments on the draft rules under the Digital Personal Data Protection (DPDP) Act 2023. The new deadline for feedback is now set for March 5, 2025. Initially, stakeholders had until February 18, 2025, to provide their input, but following requests from several parties, the ministry decided to grant more time for review.
The DPDP Act, which was passed in 2023, aims to ensure the protection of personal data in a rapidly digitizing world. The Act introduces a comprehensive framework to safeguard individual privacy and prevent the misuse of personal data through unauthorized access or processing. It requires entities to obtain explicit consent from individuals before processing their personal data and limits the use of data strictly to necessary purposes.
One of the key provisions in the draft rules is the requirement for parental consent when processing the personal data of children. To validate this consent, the identity and age of parents will need to be verified through government-approved identity documents. This is part of the Ministry’s broader efforts to protect vulnerable groups, including children, from the potential harms of data misuse.
New obligations for data fiduciaries
The DPDP Act also imposes significant responsibilities on data fiduciaries, the entities that collect and process personal data. These entities must ensure they collect only the data essential for their services; a simple torch app, for example, would not be allowed to access a user's microphone or contact list. Failure to comply with these rules could lead to penalties under the Act.
While the draft rules outline the establishment of a Data Protection Board (DPB) that will be responsible for levying fines for non-compliance, they do not specify the exact penalties. Under the DPDP Act, data fiduciaries could face penalties of up to ₹250 crore depending on the nature of the breach, the scale of the violation, and whether any preventive measures were taken.
The draft rules also introduce a graded approach to compliance, with higher obligations for large data fiduciaries and lighter burdens for startups. Additionally, data fiduciaries may have the opportunity to resolve cases through voluntary undertakings, which could result in the dropping of proceedings if accepted by the DPB.
The ministry’s decision to extend the deadline reflects its commitment to ensuring that all stakeholders have ample opportunity to participate in shaping the data protection framework, which is expected to play a crucial role in safeguarding digital privacy in India.