Big Tech coalition seeks 12-18 month extension to comply with India’s DPDP Act

The Asia Internet Coalition (AIC), an industry group representing Big Tech companies like Meta, Google, Apple and Microsoft, on Thursday urged the Ministry of Electronics and Information Technology (MeitY) to extend the deadline by 12-18 months to comply with certain provisions under the Digital Personal Data Protection (DPDP) Act, 2023.

 

In a letter addressed to Union IT Minister Ashwini Vaishnaw and Minister of State for Electronics and IT, Rajeev Chandrasekhar, the group said that since implementing these provisions would require structural changes in organisations and businesses, “they are likely to face significant amount of challenges during the course of such transition”.

 

“This exercise will be fairly new to domestic and international business entities alike, since compliance with data laws of other jurisdictions like GDPR do not have such provisions. Hence, businesses would require fundamental changes in the technology architecture of their platform,” the coalition wrote in the letter.

 

The government had said last month that some entities (like startups and MSMEs and establishments like hospitals that handle people’s data) may be given a year’s time to fine-tune their systems to comply with the DPDP Act, 2023, as the government officials work with industry stakeholders to formulate detailed rules.

 

According to the AIC letter, businesses would be required to conduct time-intensive data mapping exercises across all the datasets of the Data Principals in order to comply with Section 5 notice requirements for existing data sets.

 

“Consent notices would be required to be stored in an accessible manner for Data Fiduciaries to modify or erase Data Principal’s personal data. This would require significant software and hardware upgrade in the infrastructure of the country which is time and financial resource consuming,” the letter read.

 

Some sections of the DPDP Act introduce a novel concept of the Consent Managers.

 

“This is not a tested model under Indian law. The Consent Manager framework would have to be developed, tested and finally deployed in the ecosystem. It would also be required to integrate the Consent Manager framework with the Data Fiduciary’s consent architecture,” the AIC letter further argued.

 

The DPDP Act provides certain additional rights to the Data Principals such as the right to correct, delete, update and erase data under Section 12.

 

Section 14 of the DPDP Act provides a right to nominate another individual in case of death or incapacity of the Data Principal.

 

According to the letter, Data Fiduciaries will be required to implement tools that allow Data Principals to enjoy their rights on a real time basis.

 

“Many businesses may not have the ability to build internal tools and may need to rely on third parties to develop such processes. Such activities are likely to take significant time,” it said.

 

The AIC requested MeitY “to coordinate harmonization of all the above timelines to provide seamless transition experience to Data Principals, Data Fiduciaries and Data Processors alike”.

 

“We request that unsynchronised implementation or duplication of efforts be avoided while providing different timelines for different entities with necessary provisions for uninterrupted transition,” the letter read.

 

From hefty penalties ranging from a minimum of Rs 50 crore to a maximum of Rs 250 crore on social media platforms for violating rules to enabling digital markets to grow more responsibly while safeguarding citizens’ data, the data protection bill envisages the creation of a Data Protection Board of India.

 

The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised.

 

It will also apply to such processing outside the country, if it is for offering goods or services in India.