Big Tech propose 18-month compliance window to implement the DPDP Act

Summarize with:

New Delhi: The Asia Internet Coalition, which represents big tech companies like Meta, Google, Amazon and other US-based companies among its members, has requested a period of up to 18 months for the implementation of various aspects of the Digital Personal Data Protection (DPDP) Act.

In a letter addressed to IT Minister Ashwini Vaishnaw and Minister of State for Electronics and IT Rajeev Chandrasekhar, the Asia Internet Coalition has put forward a recommendation for a one-year compliance period. This period is suggested to allow companies to adequately prepare their systems for the issuance of consent notices to users.

The letter read, “Since implementing these provisions would require structural changes in organisations and businesses, they are likely to face significant amount of challenges during the course of such transition.” Furthermore, the coalition has proposed an 18-month compliance window for enabling the right to data erasure as prescribed by the law.

The rationale behind this request is that the concept of data fiduciaries ensuring the erasure of a data principal’s personal data is a novel one. Data fiduciaries are not expected to possess the necessary technical requirements for its implementation.

“This exercise will be fairly new to domestic and international business entities alike, since compliance with data laws of other jurisdictions like GDPR do not have such provisions,” the latter further said.

The Digital Personal Data Protection Act of 2023 was officially enacted earlier this year, but several of its provisions are yet to be put into practice. The government is contemplating a phased approach to enforce the law, with a focus on large technology companies as the initial targets.

The law relies heavily on a set of at least 25 subordinate rules, which are still pending approval by the government. These rules are deemed essential for the complete enforcement of the law.

It’s noteworthy that the law retains many elements from its original version proposed in November, including provisions that raised concerns among privacy experts, such as exemptions for the central authority. Furthermore, the revised law grants significant censorship powers to the central government.