'Compliance burden': Telcos seek 2-year extension to implement DPDP rules
What's the story
Telecom operators in India have sought a two-year extension from the Department of Telecommunications (DoT) to comply with the Digital Personal Data Protection (DPDP) Act.
The request was made during preliminary discussions about the DPDP rules earlier this month.
The telecom industry flagged several concerns such as consent management responsibilities, compliance burdens, and process duplication.
Implementation concerns
Telecom industry highlights need for adequate implementation time
Moneycontrol reports that a telecom executive present at the DoT meeting said, "the industry needs the requisite amount of time to implement the changes, as there are many aspects to address."
They stressed that at least two years would be required for effective implementation.
The Ministry of Electronics and Information Technology (MeitY) released draft rules for public feedback on January 3, with a deadline likely extended beyond February 18.
Regulatory challenges
Telcos call for synergy and unified solution
As part of license agreements, the telecom executive also emphasized the need for synergy between DoT and MeitY to prevent rule duplication.
They raised concerns over growing compliance requirements and regulatory overreach.
"Today, telcos offer multiple services besides mobile, such as DTH and broadband. There has to be a unified solution," the executive added.
Data responsibilities
DPDP Act classifies telecom operators as significant data fiduciaries
Under the DPDP Act, telecom operators will likely be classified as significant data fiduciaries (SDFs) considering the huge volumes of personal data they deal with.
This classification covers all entities processing personal data of people in India.
The proposed 24-month timeline would give these operators time to revise their customer application forms and modify their existing tech frameworks for effective user consent management for data usage/processing.
Operational impact
New act necessitates significant operational changes
The new Act will affect telecom operators' practices of using personal data for marketing communications and sharing data with third parties.
Explicit user consent will be required for these activities under the new rules.
Implementation of new technical frameworks will also require significant operational changes.
A second executive revealed these issues were discussed with DoT officials during the meeting, including consent management, data erasure processes, handling past customer data, redressal mechanisms, etc.
Potential impact
DPDP Act's data localization norms could affect international services
Shreya Suri, a partner at law firm IndusLaw, told Moneycontrol that data localization requirements under the DPDP Act could have a major effect on international calling and messaging services.
"If the draft rules are finalized in their current form, it could be operationally challenging for telecom service providers to implement them," she said.
The draft rules prohibit transferring specific personal or traffic data outside India if identified by the government based on recommendations from a newly constituted committee.