DPDP Rules: India's data protection framework may hinder startups, MSMEs, IAMAI warns MeitY

The last date for submission of comments on the draft Digital Personal Data Protection Rules was March 5

The Internet and Mobile Association of India (IAMAI) has raised concerns that India’s data protection framework could disproportionately disadvantage start-ups and MSMEs when compared to larger corporations.

In its submission on the draft Digital Personal Data Protection (DPDP) Rules, IAMAI warned that compliance with the framework, which includes the DPDP Act and the rules, demand significant financial and technical resources, which smaller businesses may struggle to meet.

IAMAI represents over 600 Indian and global digital companies, making its perspective crucial in shaping country's data policy.

Moneycontrol has reviewed a copy of the submission made to the Ministry of Electronics and Information Technology (MeitY). The last date for submission was March 5.

"India’s data protection framework may inadvertently disadvantage start-ups and MSMEs compared to large corporations. Compliance to the DPDP Act demands significant financial and technical resources, which large companies, with dedicated legal and IT teams, are better placed to absorb such requirements," IAMAI said in the submission.

"In contrast, start-ups and MSMEs, often operating on tighter budgets, may struggle to meet these obligations without diverting resources away from growth and innovation," it said.

Among its specific concerns, IAMAI highlighted ambiguity around the designation of Significant Data Fiduciaries (SDFs). According the DPDP Act, the government can notify any data fiduciary as SDFs based on the volume of personal data that it processes and other thresholds, and such platforms will be liable to additional compliance requirements.

IAMAI said that criteria for classification, such as "volume and sensitivity of personal data processed," remain vague and subjective. "Setting a data volume-based criteria for notifying certain Data Fiduciaries as SDFs may inadvertently disadvantage Indian companies against multinational competitors," IAMAI said.

It recommended that companies be given an opportunity to be heard before being designated as SDFs and called for clearer guidelines on compliance.

IAMAI also pushed back against potential restrictions on cross-border data transfers, stating that such measures could isolate Indian companies from the global data economy and raise compliance costs.

It expressed concern that provisions related to "traffic data" could even apply to non-personal data, exceeding the scope of the DPDP Act.

"The restrictions on cross-border transfer of data could restrict India's capacity to maximise data-driven activity, particularly considering the substantial GDP contribution from outsourcing and digital export related activities. Such constraints could impede progress toward the ‘Digital India’ vision," it said.

On children's data, IAMAI flagged that requiring platforms to verify the identity of every user’s parent or guardian could lead to an onerous data collection approach, increasing compliance burdens and contradicting data minimization principles.

"Requiring platforms to verify the identity of parents for every user will place a heavy burden on companies and is not aligned with global privacy standards," IAMAI noted.

Regarding the government's ability to call for information under Rule 22, IAMAI urged more safeguards to ensure that businesses are not forced to disclose proprietary information, such as algorithms, trade secrets, or confidential customer data.

"A mandatory disclosure of this information basis a government request can negatively impact businesses, significantly disregard the financial resources expended, and potentially stifle innovation," it warned.

In conclusion, IAMAI called for a 24-month implementation period to allow companies to adapt to the regulatory changes. Moneycontrol has reached out to the trade body for further comments and the article will be updated when a response is received.