Date: 2023-10-01

Social media companies, telecom operators, and Indian startups are set to lobby for a transition period of 18-24 months to fully comply with the Digital Personal Data Protection (DPDP) Act, 2023, citing technological complexities in two clauses, Business Standard has learnt.

Major industry bodies representing local and global companies such as social media companies, big tech platforms, and fintechs are likely to demand an extension beyond the government’s call for compliance within 12 months. The industry stakeholders believe that requirements such as verifiable parental consent for collecting and processing children's data, as well as the new consent manager framework, would take at least 18 months to comply with.

“Verifiable parental consent means determining a user’s correct age, validating the parent-child relationship and confirming that somebody is the parent. It requires the collection of a lot of data. Many countries have been grappling with this for around eight years. Nobody has been able to assert it easily and safely,” an industry executive said on the condition of anonymity.

The executive said that the implementation of the age verification mechanism would require the platforms to create internal application programming interfaces (APIs) and advanced digital infrastructure for collecting and processing parental consent.

“What I am hearing from our product teams is that this is not an easy thing. They would first need to create a prototype, and then more importantly, they have to check the accuracy and security of the system. The third thing is that you will need to scale this system to India’s 800 million internet users. That will complicate it to pull off,” the source said.

Another executive said: “There are discussions on using eKYC (Know Your Customer) mechanisms for verified parental consent. That will create more complications. In that case, the platforms will need to figure out not only their own API but the governance framework and technical modalities of third-party apps availing the eKYC service.”

The stakeholders also said that implementation of eKYCs may create an immense cost burden for startups and smaller organisations, considering that the number of users is in millions.

According to people familiar with the matter, industry bodies like the U.S.-India Business Council (USIBC), ITI Council, the Federation of Indian Chambers of Commerce and Industry (FICCI), and IAMAI are currently collating the inputs from various companies and startups operating in India on the matter. The formal feedback is likely to be submitted within a few days.

"We are going to ask for appropriate and workable timelines of around 9-24 months depending on the architecture our companies need to put in place for compliance with different clauses of the DPDP Act. We as an industry are happy to be partners in every step of implementation for protecting the rights of Digital Nagariks while maintaining business continuity," said Kumar Deep, Country Director of ITI Council.

USIBC, FICCI, and IAMAI did not respond to Business Standard’s queries till the time of going to press.

The developments come days after the government held a public consultation on the implementation of the Act cleared by Parliament in the Monsoon session. Rajeev Chandrasekhar, Minister of State for Electronics and IT, had said large platforms would need to provide a “strong case” to justify any demand for any transition period.

Some companies are also worried about the consent manager framework. “It is not clear how the data will be shared between the consent manager and data fiduciary. The governance framework is unclear at this stage. So, basic things need to be ironed out and it will take at least 18 months to figure this out,” the second executive said.

Many telecom service providers still use legacy systems to store their data and hence are likely to struggle while aligning data management processes to the Act.

As per the government’s proposed plans, a category of data fiduciaries, such as government entities at the Centre or state, panchayats, or MSMEs that do not have the digital readiness for storing or processing data, is likely to get the maximum time for transition, followed by smaller private entities and startups.

“Unless the government comes up with the rulebook, the exact technical requirements are not clear to us. Going by the Act, non-technical provisions can be complied with within six months. But we need up to 24 months for provisions like parental consent, which require complex technical changes,” a source said.