On January 16, the Indian government held a closed-door meeting with startup founders to address concerns about the Digital Personal Data Protection (DPDP) Rules. The meeting, part of the Startup Baithak event under the Startup Policy Forum, included executives from Mobikwik, Ixigo, Razorpay, Oyo, Dream11, and others. MeitY Secretary S. Krishnan chaired it.
Key Concerns Raised
Founders voiced several issues, including:
- Cross-Border Data Transfer Restrictions: The DPDP Rules restrict significant data fiduciaries (SDFs) from transferring specific personal data outside India, as per Rule 12(4). The rule allows a government-appointed committee to decide on such restrictions. Founders from industries like e-commerce and travel, where cross-border data transfer is crucial, expressed concerns about operational challenges.
- Sectoral Overlaps: Questions arose about how the DPDP Rules would align with existing regulations in highly regulated sectors like fintech and insurance, governed by RBI and IRDAI, respectively. Experts have often highlighted overlaps between the DPDP Act and other sector-specific regulations.
- Consent Manager Operations: The rules introduce consent managers as intermediaries for managing data processing consent. These managers must be registered with the Data Protection Board and meet financial and technical requirements, including a Rs 2 crore net worth. Startups have asked whether consent managers should be independent third parties or tied to data fiduciaries.
Government’s Assurances
During the meeting, MeitY Secretary S. Krishnan clarified and assured the founders of further consultations. According to one founder, the secretary indicated that caveats would be added to address sector-specific operational needs.
The government also highlighted its efforts to simplify the rules while maintaining a balance between innovation and regulation. At an earlier consultation, IT Minister Ashwini Vaishnaw assured stakeholders of focused discussions to address their concerns.
Global Concerns on Ambiguity
International experts have raised concerns about the ambiguity in the rules, particularly regarding data localization and overlapping regulations. Jacob Gullish, Executive Director for Digital Policy at the US-India Business Council (USIBC), warned that such uncertainties could deter investment in India.
Next Steps and Feedback Timeline
The DPDP draft rules, released for public consultation on January 3, had an initial feedback deadline of February 18. However, during a public meeting on January 14, IT Minister Vaishnaw indicated that the deadline might be extended to gather comprehensive input.
The government plans to conduct focused consultations with startups and other stakeholders to refine the rules and address specific concerns. Startups have also called for greater efforts to increase public awareness about the data protection law. The government aims to strike the right balance between fostering innovation and ensuring robust data protection regulations by addressing these challenges. To stay updated for daily news reach out to Founderlabs.
