SUMMARY
In a letter, the industry association explained that putting the DPDP Act's rules into action will demand structural alterations in organisations and businesses
Big tech companies, in order to adhere to several provision, would need to make structural alterations to their organisations and operations, the letter added
AIC stated that this process will be quite new for both local and global businesses, as other data laws like GDPR lack similar provisions
The Asia Internet Coalition, a group with members like Meta, Google, Amazon, and other US tech companies, has asked for a time of up to 12-18 months to put into action different provisions of the Digital Personal Data Protection Act.
In a letter to Union and state electronics and information technology minister Ashwini Vaishnaw and Rajeev Chandrasekhar, the industry association explained that putting the DPDP Act’s rules into action will demand structural alterations in organisations and businesses, as per reports. They anticipate encountering various difficulties during these changes.
Big tech companies, in order to adhere to provisions like securing consent from Indian users for personal data processing and crafting a consent management READ framework, would need to make structural alterations to their organisations and operations, as per the industry group’s letter.
AIC stated that this process will be quite new for both local and global businesses, as other data laws like GDPR lack similar provisions. Consequently, businesses will need to make fundamental alterations to their platform’s technology architecture.
“Consent notices would be required to be stored in an accessible manner for Data Fiduciaries to modify or erase Data Principal’s personal data,” the group said.
AIC pointed out that certain sections of the DPDP Act introduce a new idea called “Consent Managers.” The group emphasised that this model hasn’t been tried and tested under Indian law.
Creating, testing, and eventually implementing the Consent Manager framework within the ecosystem would be necessary. Additionally, integration with the Data Fiduciary’s consent structure would also be required.
Last month, MoS Chandrasekhar said that some government entities like those at the panchayat level, micro, small, and medium enterprises (MSMEs), and early stage startups may be granted exemption and will not come under the purview of the DPDP Act immediately.
The ministry may also come up with necessary rules under the Act within this period, he added. While all rules under the data protection code will not be immediately notified, essential ones will be prioritised for initial implementation.
The DPDP Act became law after being passed in the Lok Sabha on August 7 and in the Rajya Sabha two days later. President Droupadi Murmu gave her consent to the Bill on August 11.
The DPDP Bill directs setting up a Data Protection Board of India to ensure its implementation. In case of any personal data breach, the board will be responsible for looking into the matter, inquiring into the breach, and imposing penalties.
It was reported last month that the Data Protection Board, to be set up under the new Digital Personal Data Protection (DPDP) Act, 2023, would be in place within 30 days. However, there is no update yet on the formation of the board.
The law also applies to data processing activities outside India if they relate to offering goods or services to residents in India. It defines key terms, including ‘personal data’ and ‘processing.’ Under the DPDP Act, ‘personal data’ refers to any information that could identify an individual, either directly or in relation to the data.
