DPDP Rules Alarm Startup Founders, Govt Vows Separate Consultation
Founders of several new-age tech companies such as MobiKwik, OYO, ixigo and Razorpay met with government officials and voiced concerns about the Digital Personal Data Protection (DPDP) rules
The discussion was largely centred around provisions of cross-border data transfer and the role of consent managers
Questions were also raised about the potential overlap between existing regulations and the upcoming DPDP rules as sectors such as fintech and insurance are already regulated under RBI and IRDAI regulations
Founders of several new-age tech companies such as MobiKwik, OYO, ixigo and Razorpay, among others, reportedly met with government officials on Thursday (January 16) and voiced concerns about the Digital Personal Data Protection (DPDP) rules.
The discussion was centred around provisions of cross-border data transfer, the role of consent managers, and overlap with other sectoral regulations, Business reported.
Chaired by MeitY secretary S Krishnan, the closed-door meeting also saw executives from startups such as Dream 11, Mobile Premier League, Fampay, Freo, Khatabook and Progcap in attendance.
A government official reportedly said that the DPDP rules would also entail caveats after a startup founder pointed out that cross-border transfer of certain data sets was vital for the operations of companies operating in sectors such as ecommerce and travel.
As per Rule 12(4) of the DPDP Rules, significant data fiduciaries (SDFs) can be barred from transferring certain specific personal data beyond domestic borders.
Questions were also raised about the potential overlap between existing regulations and the upcoming DPDP rules as sectors such as fintech and insurance are already regulated under the RBI and IRDAI regulations, respectively, as per the report.
The Centre reportedly assured that separate consultations would be held for startups in light of the concerns raised by the stakeholders.
The government released the draft DPDP Rules 2025 on January 3, laying out the tentative terms of implementing the DPDP Act, which was passed by Parliament in 2023.
The yet-to-be-enforced DPDP Act provides a legal framework for “data fiduciaries” — internet companies and social media platforms that collect personal data from users — to prevent misuse and penalise companies that flout data protection rules.
The rules state that a data fiduciary shall protect personal data in its possession by implementing reasonable security measures to avert a data breach. In the event of a breach, the Data Protection Board of India (DPBI) must be notified within 72 hours.
The rules further say that if a user has not used an ecommerce platform, social media platform or online gaming service for a prolonged period, their data must be deleted after an advance notice of 48 hours.
The draft also sets out rules for the registration of so-called consent managers, who work with data fiduciaries to obtain users’ consent. The government and its “instrumentalities” can collect data for doling out subsidies and “statistical” purposes, the rules say.
This comes against the backdrop of union minister Ashwini Vaishnaw saying that the DPDP rules will be refined further in order to protect children from the dangers posed by the digital space.