Private telecom operators have requested an extension of two years to comply with the provisions of the Digital Personal Data Protection (DPDP) Act after the rules are notified, citing concerns over the compliance burden, according to a report by Moneycontrol.
Earlier this month, telecom companies held discussions with officials from the Department of Telecommunications (DoT) to address concerns regarding the DPDP rules. Key issues raised included the roles and responsibilities of consent managers, the compliance challenges, and the duplication of processes, according to sources familiar with the matter.
The Moneycontrol report cited a telecom executive who participated in the meeting as saying that the industry needed sufficient time to implement the necessary changes, as many aspects needed to be addressed. He mentioned that there needed to be better coordination between the DoT and the Ministry of Electronics and Information Technology (MeitY).
The operators also expressed concerns about the growing regulatory requirements and potential overreach associated with the new rules, the report noted.
What is the DPDP Act?
On January 3, MeitY released the draft rules for the DPDP Act for public consultation and invited feedback until February 18, though the deadline is expected to be extended. The draft includes additional obligations for significant data fiduciaries (SDFs), such as restrictions on transferring specific personal data, with a yet-to-be-formed committee set to decide on the matter.
Telecom operators are likely to be classified as SDFs under the DPDP Act due to the large amounts of personal data they process. Data fiduciaries, which include telecom companies, are entities that handle personal data of individuals in India.
The telecom operators are expected to include their requests in their feedback on the draft rules. The proposed 24-month timeline would provide telecom operators the necessary time to adjust their customer application forms (CAFs) and upgrade their technological frameworks to manage user consent for data usage and processing.
Stricter data rules for telcos
The new Act will also require explicit user consent for telecom operators’ practices around using personal data for marketing communications and sharing data with third parties, such as for bundled services offering OTT subscriptions or digital payment add-ons. Telecom operators will need to implement new technical frameworks, which will require significant operational changes.
The report stated that provisions like the requirement to promptly notify users in case of a data breach and the data localisation norms would lead to intensive discussions between telecom operators, DoT, and MeitY.
The draft rules propose that certain personal or traffic data cannot be transferred outside India if the government, following recommendations from a newly formed committee, deems the data sensitive. Union Minister for Electronics and IT (MeitY), Ashwini Vaishnaw, on January 23, highlighted India’s stance on cross-border data transfers under the DPDP Rules, 2025, calling it a model of “free transfer with trust”.