The Asia Internet Coalition, a powerful industry group representing Apple, Google, Meta, Microsoft and many other technology companies, has asked India’s IT Ministry for an extension of time to comply with certain provisions of a newly-approved privacy regulation governing the processing of user data.
In a letter to India’s IT Minister Ashwini Vaishnaw and Deputy IT Minister Rajeev Chandrasekhar on Thursday, the Asia Internet Coalition recommended an 18-month compliance period for a provision in the new data protection law that requires data controllers to stop processing and delete user data, and requires tech companies to renegotiate contracts with data processors.
“This exercise will be relatively new for both domestic and international businesses, as compliance with other jurisdictions’ data laws, such as the GDPR, do not have such provisions. Therefore, businesses would need to make fundamental changes to the technology architecture of their platform,” the coalition wrote.
India’s Digital Personal Data Protection Act is one of the world’s toughest regulations on technology companies, restricting international data transfers and imposing fines for violations. New Delhi says the modernised rules are essential to protect its citizens’ data and to bring about a “fundamental change in behaviour” among organisations that collect and use personal information.
For many tech giants, including Meta and Google, India represents their largest user base. India’s digital economy is expected to grow to around $1 trillion by 2030, according to projections by Google, Temasek and Bain.
The Asia Internet Coalition has also proposed a 12-month window for companies to comply with a new provision requiring data controllers to provide notice at or before the time they seek consent to process personal data.
Implementing the notice system, which would have to be available in 22 Indian languages, would require “structural changes” within organisations. They expect to face “significant” challenges during this transition period, the industry group said.
The new legislation introduces several new concepts, such as consent managers, and gives data subjects the right to amend, delete or access their personal information. The industry group noted that a 12-month timeframe is needed to comply with these provisions, as some require the creation of new frameworks and tools.
“We urge MEITY to coordinate the harmonisation of all of the above timelines to ensure a seamless transition for data principals, data fiduciaries and data processors alike. This synchronisation becomes even more important if there are provisions for relaxed timelines for certain classes of Data Fiduciaries such as start-ups etc,” the industry body wrote.