Tech companies seek 12-18 month extension for India data-protection law compliance

The Asia Internet Coalition, a powerful industry group that represents Apple, Google, Meta, Microsoft and many other tech companies, has requested India’s IT Ministry for an extended deadline to comply with certain provisions of a newly approved data protection regulation governing user data processing.

In a Thursday letter to India’s IT Minister Ashwini Vaishnaw and Deputy IT Minister , the Asia Internet Coalition recommended an 18-month compliance period for a provision in the new data protection law that requires data fiduciaries to halt processing and delete user data, and obliges tech firms to renegotiate contracts with data processors.

“This exercise will be fairly new to domestic and international business entities alike, since compliance with data laws of other jurisdictions like GDPR do not have such provisions. Hence, businesses would require fundamental changes in the technology architecture of their platform,” the coalition wrote.

India’s Digital Personal Data Protection Act ranks among the world’s most stringent regulations on technology firms, curbing international data transfers and levying fines for violations. New Delhi contends that the modernized rules are essential for safeguarding its citizens’ data and instigating a “fundamental behavior change” in organizations that collect and utilize personal data.

For many tech giants, including Meta and Google, India represents their largest user base. India’s digital economy should grow to approximately $1 trillion by 2030, according to projections by Google, Temasek, and Bain.

The Asia Internet Coalition has also proposed a 12-month window for companies to adhere to a new provision requiring data fiduciaries to issue a notice when, or before, seeking consent for personal data processing.

Implementing the notice system, which must be available in 22 Indian languages, would necessitate “structural changes” within organizations. They anticipate facing “significant” challenges during this transitional period, the industry group said.

The new legislation introduces various novel concepts such as consent managers and grants Data Principals the rights to modify, delete, or access their personal information. The industry group indicated that a 12-month timeframe would be necessary to comply with these stipulations, as some require creating new frameworks and tools.

“We request MEITY to coordinate harmonization of all the above timelines to provide seamless transition experience to Data Principals, Data Fiduciaries and Data Processors alike. This synchronization becomes even more significant when there are provisions for relaxed timelines for certain classes of Data Fiduciaries such as startups etc,” the industry body wrote.

Leave a Comment