Tech industry lobbies for 18-24 month DPDP Act compliance extension

Social-media companies, telecom operators, and startups are set to lobby for a transition period of 18-24 months to fully comply with the Digital Personal Data Protection (DPDP) Act, 2023, citing technological complexities in two clauses, Business Standard has learnt.

Major industry bodies representing local and global companies such as social-media companies, big tech platforms, and fintechs are likely to ask for more time as against the government’s call for compliance within 12 months.

Industry stakeholders say requirements such as verifiable parental consent for collecting and processing data on children as well as the new consent manager framework will need at least 18 months to comply with.

“We are going to ask for appropriate and workable timelines of 9-24 months, depending on the architecture our companies need to put in place for compliance with different clauses of the DPDP Act. We as an industry are happy to be partners in every step of implementation for protecting the rights of digital nagariks while maintaining the business continuity,” said Kumar Deep, country director, ITI Council.

According to people familiar with the matter, industry bodies like the US-India Business Council (USIBC), ITI Council, Federation of Indian Chambers of Commerce & Industry (Ficci), and Internet and Mobile Association of India (IAMAI) are collating inputs from companies and startups operating in India on the matter. The formal feedback is likely to be submitted within a few days.
The USIBC, Ficci, and the IAMAI did not respond to Business Standard’s queries till the time of going to press.

“Verifiable parental consent means determining a user’s correct age, validating the parent-child relationship, and confirming that somebody is the parent. It requires collecting a lot of data. Many countries have been grappling with this for around eight years. Nobody has been able to assert it easily and safely,” an industry executive said.

The executive said implementing the age-verification mechanism would require platforms to create internal application programming interfaces (APIs) and advanced digital infrastructure.

“Our product teams say this is not an easy thing. They would first need to create a prototype, and then, more importantly, they have to check the accuracy and security of the system. The third thing is that you will need to scale this system to India’s 800 million internet users,” the source said.

Another executive said: “There has been discussion on using eKYC (know your customer) mechanisms for verified parental consent. That will create more complication. In that case, the platforms will need to figure out not only their own API but the governance framework and technical modalities of third-party apps taking the eKYC service.”

Stakeholders said implementing eKYCs might impose an immense cost for startups and smaller organisations, considering that the number of users is in millions.

The developments come days after the government held a public consultation on implementing the Act, cleared by Parliament in the monsoon session.

Rajeev Chandrasekhar, minister of state for electronics and IT, had said large platforms would need to provide a “strong case” to justify the demand for any transition period.

Some companies are worried about the consent manager framework. “It is not clear how the data will be shared between the consent manager and data fiduciary. The governance framework is unclear at this stage. So basic things need to be ironed out and it will take at least 18 months to figure this out,” the second executive said.

Many telecom-service providers still use legacy systems to store their data and hence are likely to struggle while aligning data management processes to the Act.

According to the government’s proposed plans, a category of data fiduciaries like government entities at the Centre or state, panchayats or micro, small and medium enterprises that do not have the digital readiness for storing or processing data, are likely to get a maximum time for transition, followed by smaller private entities and startups.

“Unless the government comes up with the rulebook, the technical requirements (will not be) clear to us. Going by the Act, non-technical provisions can be complied with within six months. But we need up to 24 months for provisions like parental consent,” a source said. Business Standard