IAMAI urges MeitY for 24-month implementation period of DPDPA Rules

In its recommendations to the Ministry of Electronics and Information Technology (MeitY), the Internet and Mobile Association of India (IAMAI) has also highlighted that the Act could hinder the startups and MSMEs because of the financial and technical burden.

By
  • Storyboard18,
 | March 7, 2025 , 9:31 am
The public feedback period on draft DPDPA rules was accepted till March 5, 2025. While businesses continue to strengthen their internal structure to comply with the rules, many industry bodies have pointed out the difficulties in achieving so- especially by the small-scale startup and businesses.
The public feedback period on draft DPDPA rules was accepted till March 5, 2025. While businesses continue to strengthen their internal structure to comply with the rules, many industry bodies have pointed out the difficulties in achieving so- especially by the small-scale startup and businesses.

The Internet and Mobile Association of India (IAMAI) has raised concerns that the compliance framework of the draft Digital Personal Data Protection (DPDP) Rule demands significant technical and financial resources, which can hinder the growth of startups and MSMEs in the country.

In its recommendations to the Ministry of Electronics and Information Technology (MeitY), IAMAI (which represents over 600 Indian and global digital companies) said, “India’s data protection framework may inadvertently disadvantage start-ups and MSMEs compared to large corporations. Compliance to the DPDP Act demands significant financial and technical resources, which large companies, with dedicated legal and IT teams, are better placed to absorb such requirements.

“In contrast, start-ups and MSMEs, often operating on tighter budgets, may struggle to meet these obligations without diverting resources away from growth and innovation.”

The Ministry extended the public feedback period on draft rules by 15 days and accepted till March 5, 2025.

IAMAI also called for a 24-month implementation period to allow companies to adapt to the regulatory changes, according to a Moneycontrol report.

IAMAI pushed back against potential restrictions on cross-border data transfers.

It said, “The restrictions on cross-border transfer of data could restrict India’s capacity to maximise data-driven activity, particularly considering the substantial GDP contribution from outsourcing and digital export related activities. Such constraints could impede progress toward the ‘Digital India’ vision.”

The body also highlighted ambiguity around the designation of Significant Data Fiduciaries (SDFs). IAMAI said that criteria for classification, such as volume and sensitivity of personal data processed, remain vague and subjective. Additionally, it recommended that companies be allowed to be heard before being designated as SDFs and called for clearer guidelines on compliance.

On children’s data, IAMAI stated that requiring platforms to verify the identity of every user’s parent or guardian could lead to an onerous data collection approach. “Requiring platforms to verify the identity of parents for every user will place a heavy burden on companies and is not aligned with global privacy standards,” IAMAI said.

Leave a comment