The trade body representing Big Tech Asia Internet Coalition (AIC), on October 26, wrote to Meity recommending a 12-month extension on the implementation of the Digital Personal Data Protection (DPDP) Act at a time when the government has voiced its urgency to implement the act, passed in August this year.
In the letter addressed to Minister for Electronics and Information Technology Ashwini Vaishnaw and Minister of State for Electronics and Information Technology Rajeev Chandrasekhar, the AIC said that some of the provisions in the act would require structural changes in organisations and recommended a 12-18 month timeline for its implementation.
The trade body represents firms such as Meta, Google, Apple and Microsoft, among others.
Moneycontrol had earlier reported citing sources that various significant internet and technology companies are set to write to the MeitY listing out various provisions of the DPDP Act for which the companies will be requesting a longer transition period.
For obtaining notice and consent, developing the consent manager framework and enforcing the Data Principal’s rights like correction, completion, updating, erasure and access to information, among others, AIC recommended a 12-month timeline.
“They (companies) are likely to face a significant amount of challenges during the course of such transition. Businesses would be required to conduct time-intensive data mapping exercises across all the data sets of the Data Principals in order to comply with Section 5 notice requirements for existing data sets. This would require significant software and hardware upgrades in the infrastructure of the country which is time and financial resource-consuming,” said Jeff Paine, the Managing Director of the trade body.
A data principal is primarily considered to be the natural person or individual to whom the data relates.
AIC also recommended an 18-month delay in the timeline for implementation of other provisions of the act including the Data Principal’s right to withdraw consent and the Data Fiduciary’s obligation with respect to data processors, pointing out complexities arising in terms of compliance.
“Since this is a novel concept where a Data Fiduciary has to ensure the erasure of the Data Principal’s personal data, Data Fiduciaries would not possess such technical requirements for implementing it. This exercise will be fairly new to domestic and international business entities alike since compliance with data laws of other jurisdictions like GDPR do not have such provisions. Hence, businesses would require fundamental changes in the technology architecture of their platform,” said AIC’s representative, in the letter.
To be sure, MeiTY had earlier indicated that it would extend more time to companies on specific clauses of the DPDP Act that would mean significant changes for them.
Earlier, social media and major internet companies had also asked the government for an extended transition period to ensure compliance with the detailed provisions of the DPDP Act, Moneycontrol reported. Moneycontrol