The Asia Internet Coalition (AIC), an influential industry group representing technology giants such as Meta, Google, Apple, and Microsoft, has formally requested the Ministry of Electronics and Information Technology (MeitY) to extend the compliance deadline for specific provisions of the Digital Personal Data Protection (DPDP) Act, 2023. The AIC is urging an extension of 12 to 18 months to allow organizations to make the necessary structural changes to meet the new data protection requirements.
In a letter addressed to Union IT Minister Ashwini Vaishnaw and Minister of State for Electronics and IT, Rajeev Chandrasekhar, the AIC emphasized the complexity of implementing these provisions, stating that “they are likely to face a significant amount of challenges during the course of such transition.”
The coalition’s letter highlights that the exercise required to comply with the DPDP Act is unique for both domestic and international businesses. Unlike other data protection regulations, such as the European GDPR, the DPDP Act introduces provisions that necessitate fundamental changes to the technology architecture of platforms and businesses.
The AIC’s letter details several key challenges organizations will encounter, including the requirement for businesses to conduct comprehensive data mapping exercises across all datasets to fulfill Section 5 notice requirements for existing data sets. Additionally, consent notices must be stored in an accessible manner for Data Fiduciaries to modify or erase a Data Principal’s personal data. This will demand significant software and hardware upgrades that are both time and resource-intensive.
One novel aspect of the DPDP Act is the introduction of Consent Managers, a concept untested under Indian law. The AIC asserts that the Consent Manager framework will need to be developed, tested, and integrated with Data Fiduciaries’ consent architecture.
The DPDP Act grants Data Principals additional rights, including the right to correct, delete, update, and erase data under Section 12. Section 14 provides the right to nominate another individual in case of the death or incapacity of the Data Principal. Implementing tools to allow Data Principals to exercise these rights in real-time is a significant undertaking for many businesses.
The AIC is calling on MeitY to coordinate the harmonization of all these timelines to ensure a seamless transition experience for Data Principals, Data Fiduciaries, and Data Processors. They emphasize the need to avoid unsynchronized implementation or duplication of efforts while providing different timelines for different entities.
The DPDP Act, which imposes substantial penalties for violations and establishes a Data Protection Board of India, aims to ensure the responsible growth of digital markets while safeguarding citizens’ data. It applies to the processing of digital personal data both within India and abroad, if it is for offering goods or services in India. The government had previously indicated that startups, MSMEs, and establishments such as hospitals handling people’s data may be given additional time to comply with the DPDP Act while industry stakeholders work on detailed rules.