Tech group coalition seeks extended compliance timeline for India’s new data protection act

Asia Internet Coalition urges India’s Ministry of Electronics and Information Technology to extent the deadline for the transition period to comply with the new DPDP Act.

 Person, Security

The Asia internet Coalition (AIC), which comprises major tech companies like Meta, Google, Apple, and Microsoft, has called upon the Indian Ministry of Electronics and Information Technology to consider extending the deadline for the transition to comply with specific provisions of India’s Digital Personal Data Protection Act (DPDP Act).

AIC’s primary concern is that these DPDP Act provisions may pose challenges for companies during the transition phase, especially those lacking experience with data advisory roles. Of particular concern to the AIC are the new provisions related to the roles of Consent Manager, Data Principals, Data Processors, and Data Fiduciaries.

According to the DPDP Act, the Consent Manager would be ‘the person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.’

The Data Principal is ‘the individual to whom the personal data relates.’ The Data Processor would be ‘any person who possesses personal data on behalf of the Data Fiduciary, which is ‘any person alone or in conjunction with other persons determines the purpose and means of processing personal data.’

AIC emphasized that these frameworks require significant time for development, testing, and implementation on their platforms. Consequently, they have formally requested a 12-18 month extension to ensure full compliance with the DPDP Act.

Why does it matter?

As AIC pointed out, the challenge in adapting to the novel provisions under India’s DPDP Act is not only the fact that businesses may lack the expertise to implement the new law but also because there is no similar legislation in other jurisdictions, including the General Data Protection Regulation (GDPR), that could serve as an example. This means that businesses would have to ‘experiment’ and test how these provisions would be applied in the technology structure of their platform.