
The Internet and Mobile Association of India (IAMAI) has urged the government to slow down the clock on the Digital Personal Data Protection (DPDP) framework, warning that accelerated enforcement could disrupt businesses.
The association represents firms including Google India, Meta (Facebook India), Microsoft, Amazon Pay, Apple India and Netflix.
ET reported earlier this week that industry bodies including The Broadband India Forum (BIF) and the India Cellular and Electronics Association (ICEA) had also urged the electronics and information technology ministry against accelerating enforcement of the DPDP framework, saying a compressed roll-out could undermine regulatory certainty and lead to uneven compliance across the digital ecosystem.
In a detailed submission to the ministry, a copy of which was seen by ET, the IAMAI responded to proposals that would advance compliance deadlines under the DPDP Act, 2023 and the DPDP Rules, 2025. When the rules were notified, companies were given an 18-month transition period to align their systems, contracts and governance structures. The industry body argued that compressing this window to 12 months or, in some cases, just three months, would introduce serious operational and legal risks.
The IAMAI said that the DPDP Rules marked the end of nearly a decade of policymaking and consultation. Businesses, it said, had already begun restructuring their data systems and renegotiating contracts on the assumption that the original timeline would hold. A sudden change now would create policy uncertainty and leave organisations scrambling to meet obligations that depend heavily on third-party vendors, global cloud providers and complex software development cycles, it said.
One of the central concerns highlighted is contractual realignment. Many Indian data fiduciaries operate within global digital ecosystems, relying on cloud infrastructure, software-as-a-service platforms and overseas data processors. Updating these contracts to include new data protection obligations is a time-consuming exercise and most vendors have planned their own compliance around the original 18-month window, it said. Accelerating enforcement by six months, the IAMAI argued, risked creating unavoidable compliance gaps.
The submission also flagged technical and security risks. Implementing the DPDP framework requires re-engineering data architectures, mapping data flows, building granular consent systems and deploying automated data erasure tools. Rushing these changes could compromise testing and security, increasing the risk of data corruption or unintended exposure, outcomes that would run counter to the purpose of the law, it said.
Special emphasis was placed on the challenge of processing children’s data. The law requires verifiable parental consent, operationalised through mechanisms that are still evolving and depend on market readiness. The IAMAI warned that expecting companies to fully implement these systems within a compressed timeline was unrealistic.
Beyond the general timeline, the association raised red flags over proposals to bring certain rules into force almost immediately. Requirements to retain personal data along with associated traffic data and logs, for instance, would require major system overhauls and expanded storage capabilities, changes that cannot be reliably completed in three months, it said. Similar concerns were expressed about fast-tracking obligations for significant data fiduciaries, especially when thresholds for classification had not yet been notified.
The IAMAI also cautioned against the immediate commencement of rules governing cross-border data transfers and information-sharing obligations with the government, pointing out that supporting guidance was still awaited. Enforcing these provisions without clarity, it said, could push well-intentioned organisations into inadvertent non-compliance.
The association urged the ministry to retain the originally notified 18-month transition period, arguing that regulatory certainty and phased implementation were essential for a robust and sustainable data protection ecosystem. It also recommended that companies designated as significant data fiduciaries be granted a separate transition period once they are formally notified.






