IAMAI seeks two-year extension to comply with Data Protection Act
The Internet and Mobile Association of India (IAMAI), representing over 550 domestic and international tech firms, has asked the Indian government for a two-year extension to comply with specific provisions of the Digital Personal Data Protection (DPDP) Act. This legislation, which outlines a structure for handling citizens' personal information, was approved by Parliament in August but has not yet been enforced.
IAMAI's request is in line with other industry bodies
IAMAI's request is similar to other industry groups who believe that the Act contains provisions that require significant changes in technology, products, policies, and processes. They are asking for more time to make these changes and become compliant with DPDP regulations. Last week, the Asia Internet Coalition, representing Big Tech companies like Meta, Google, Apple and Microsoft, urged the Centre to extend the deadline by 12-18 months.
Government's stance on compliance timeline
The government seems reluctant to grant platforms an extended period to achieve compliance. Just last week, Minister for Electronics and Information Technology (MeitY) Ashwini Vaishnaw stated, "Why should people ask for so much time for data protection? Practically, the entire industry is attuned to it, given that the GDPR, Singapore Data Protection Act and so on are in effect."
IAMAI's initial request
In its submission to MeitY, IAMAI initially requested a 12-24 month timeframe to meet the DPDP Act's mandate of notifying citizens about the processing of their personal data. The association pointed out the absence of clear guidelines on how to deliver such notices and urged the government to establish specific rules.
IAMAI's concerns regarding notice and consent managers
IAMAI has asked for 24 months to set up consent managers, who act on behalf of users when granting, managing, reviewing, or withdrawing consent. The submission highlighted that consent managers are a relatively novel concept that necessitates longer implementation timelines. IAMAI has also requested a "minimum" 24-month extension to fulfill the additional responsibilities imposed on significant data fiduciaries (SDFs) by the DPDP Act. The government has not yet determined which entities will be designated as SDFs, the submission read.
Extension requests for additional obligations and children's data
Additionally, the industry sought a two-year extension to comply with personal data erasure and an 18-month period to adhere to provisions concerning consent withdrawal and processing children's data. The latter involves the creation of age-gating mechanisms, which require time for development, testing, and secure implementation.
