With the closure of public comments on DPDPA Rules on 5th march 2025, many organizations and industry associations have already lodged their objections to different aspects of the rules. Most of them are only considering their vested interests and are not looking at the regulation holistically.
The essence of most of the demands is… “We donot want the regulation. Delay it as long as possible”.
It is shameful that even after 5 years of discussions, the industry is not ready to accept the law and move on.
In one of the latest submissions, the following points have been made.
1.”India’s data protection framework may inadvertently disadvantage start-ups and MSMEs compared to large corporations. Compliance to the DPDP Act demands significant financial and technical resources, which large companies, with dedicated legal and IT teams, are better placed to absorb such requirements. In contrast, start-ups and MSMEs, often operating on tighter budgets, may struggle to meet these obligations without diverting resources away from growth and innovation.
This is a canard and the “Start up argument” is being used as an excuse by the larger organizations.
Actually the act creates many opportunities for Start ups and there are reasonable exemptions to notify exemptions to the start ups which need some relief. What industry associations can do is to help MeitY set up a “Sandbox” to make it easy for Start Ups to claim and manage the exemptions.
2. Among the specific concerns is the supposed “Ambiguity” around the designation of Significant Data Fiduciaries. The objection is “Setting a data volume-based criteria for notifying certain Data Fiduciaries as SDFs may inadvertently disadvantage Indian companies against multinational competitors”.
This is a vague and unsubstantiated allegation. The “Sensitivity” and “Volume” based criteria leaves the companies to make their own Risk Assessment and self evaluate if they have to consider themselves as “Significant” Data Fiduciaries or not. Industry should not expect the Government to do the spoon feeding in this regard. If an organization is not able to assess the personal data processing risks, they need to study the law harder. The wise approach in such cases is to “Err on the safer side”.
If an organization considers itself as “Significant Data Fiduciary” there are only three obligations… Designation of DPO, Conducting of DPIA and Conducting of annual Data Audit from an external data auditor. Even if a company wrongly designates itself as a Significant Data Fiduciary, it only strengthens its data privacy profile.
Our organizations are prepared to adhere to EU laws or US laws even when not mandatory but are reluctant to adhere to the Indian laws. Such tendency is avoidable.
3. A push back is suggested on against potential restrictions on cross-border data transfers, stating that such measures could isolate Indian companies from the global data economy and raise compliance costs. It is claimed “The restrictions on cross-border transfer of data could restrict India’s capacity to maximise data-driven activity, particularly considering the substantial GDP contribution from outsourcing and digital export related activities. Such constraints could impede progress toward the ‘Digital India’ vision”
This is also an unacceptable excuse since we are complaining only against a “Empowering” provision and the same industries are fine with EU isolating itself with its “Adequacy” criteria and exercising its “Data Colonization” strategies over India. India needs to assert its sovereignty over personal data of its citizens and insist on data localization within a short time period. This will give a boost to the local services related to data storage and security.
4. Another objection raised is that “Requiring platforms to verify the identity of parents for every user will place a heavy burden on companies and is not aligned with global privacy standards”.
It is not clear if these organizations donot want the protection sought to be offered to Children. If so, they have to state it openly that Children are the biggest attraction for marketing and profiling them and targeting them with advertising is to be freely permitted. If the task is difficult, it only means that there is a huge business opportunity which the service industry should welcome.
5. It is also stated that ” More safeguards are required that businesses are not forced to disclose proprietary information, such as algorithms, trade secrets, or confidential customer data under Rule 22. A mandatory disclosure of this information basis a government request can negatively impact businesses, significantly disregard the financial resources expended, and potentially stifle innovation”
It appears that “Innovation” is the battering ram with which every inconvenient provision is being attacked. “Innovation” is how to accomplish things within a framework and the adversities arising out of law are the essential barriers that needs to be overcome through innovation. Developing DPDPA compliant solutions is the “Innovation” not the “Free for all” approach.
6. The demand is that even after 5 years of waiting, industry wants another 2 years for compliance and perhaps further time later on as an extension. Though the Government has so far been exhibiting a tendency to bend over backwards on every industry demand, I wish that for once the Modi Government shows commitment to implement its promises.
Unless the law starts hurting, industries will not be motivated to comply and hence the penalties should kick in as quickly as possible and within a time frame of 9-12 months .
It is unfortunate that most of our Industry Associations toe the line of MNCs s and ignore what is good for the Country. MeitY should be able to identify the hidden agenda in the recommendations submitted and uphold the interests of India over the proxies of Tech giants.
Naavi
