NEW DELHI: Major technology firms, including Google, Amazon, Meta and Apple, plan to engage with the ministry of electronics and IT (MeitY) over concerns regarding the consent manager framework and a proposed government-appointed committee overseeing cross-border data transfers. These discussions will be a part of the public consultations on the draft rules under the Digital Personal Data Protection (DPDP) Act, sources said.
The draft rules, released last week, establish a framework for consent managers – entities that help individuals manage their digital consent. However, industry executives, speaking on condition of anonymity, highlighted operational and regulatory challenges tied to the framework.
“Registered consent managers face strict obligations, with potential suspension or cancellation of registration for non-compliance. This could introduce operational uncertainty and stifle innovation in the sector,” said an executive from a leading tech firm.
Under the DPDP Act, a consent manager is a registered entity with the Data Protection Board, serving as a single platform for users to give, manage, review and withdraw consent in a transparent, accessible and interoperable manner.
The draft rules empower the Data Protection Board to suspend or revoke a consent manager’s registration if it deems such action necessary to protect users’ interests. Consent managers must meet stringent registration criteria, including being based in India with a minimum net worth of `2 crore and implementing robust security measures to prevent data breaches.
Big Tech companies are also wary of the proposed guidelines for significant data fiduciaries – entities collecting and processing data. The draft rules prohibit the transfer of specific personal or traffic data outside India if identified by the government based on recommendations from a newly-constituted committee.
“This committee-based approach conflicts with the DPDP Act, which does not mention such a body. It introduces unnecessary bureaucracy and regulatory overreach,” an executive noted.
But the government argues that the DPDP Act’s Section 16 allows the Centre to restrict data transfers to specific countries or territories via notification. However, executives argue that the draft rules go beyond this provision by imposing additional conditions.
“Such broad discretionary powers create unpredictability, making compliance challenging for businesses,” another executive said, pointing out that ambiguous rules could lead to inconsistent enforcement.
In response, the government defended the committee framework, emphasising its necessity to address sector-specific data localisation needs.
Electronics and IT minister Ashwini Vaishnaw told FE, “The intent is not to disrupt cross-border data flows but to cater to specific sectoral requirements where localisation is essential for citizen safety.”
He added, “Selective restrictions are a global best practice. The committee framework ensures balanced regulation, preventing disruptions while safeguarding citizens’ rights.”
Section 16 of the DPDP Act stipulates that any restriction on data transfer must align with existing laws providing higher levels of data protection. The government assured that the rules complement the Act and must be read in conjunction for a holistic understanding.
The committee, envisioned as a consultative body, will evaluate localisation requirements proposed by sectoral ministries and engage with industry stakeholders before issuing recommendations.
While the government emphasises balance and clarity, Big Tech firms remain cautious, seeking further dialogue to ensure the draft rules foster innovation without imposing undue compliance burdens.
Source: The Financial Express
The Global Far Right’s Dangerous Game Is On In Full Force In 2025 