The Information Technology Industry Council (ITI), representing global tech giants such as Apple, Google, Amazon, Meta, and OpenAI, has urged the Indian government to delay the implementation of the Digital Personal Data Protection (DPDP) Rules, 2025, particularly the provisions restricting the processing of children’s data. The industry body warns that stringent age verification and parental consent requirements could pose significant operational and compliance challenges for digital platforms.
“The asks of multinational technology corporations to defer the implementation of data protection regulations must be understood not as a logistical necessity, but resistance to comply with required framework, which presently they operate with minimal regulatory oversight. The invocation of ‘operational and compliance challenges’ is, in reality, a means of prolonging an environment conducive to unregulated data monetization,” says Kunal Sharma, Partner at Singhania & Co.
Experts feel that citing “international alignment” as a reason for delay is an effort to weaken jurisdictional sovereignty in legislative policymaking. While regulatory consistency across borders is a worthwhile goal, domestic data protection laws must reflect the unique socio-legal realities of the jurisdiction in which they are implemented. A nation’s right to legislate in the best interests of its citizens should not be undermined by the operational preferences of global corporations.
“While regulatory adaptation incurs costs, these must be weighed against the significant economic and social risks of inadequate data protection. Arguing that immediate compliance would cause financial strain on multinational corporations generating billions in revenue is neither reasonable nor responsible,” says Sharma.
Strategic move by the Big Tech
Big Tech’s push for delaying India’s Draft DPDP Rules, 2025 is more of a strategic move to safeguard their operational flexibility and save on the huge compliance expense they would need to commit to, for being compliant with the DPDP Rules. By citing challenges in age verification, parental consent requirement, government’s access to data, data breach reporting, and cross-border transfers, these companies are attempting to influence regulations that could impose stricter accountability measures.
“This move is intended to enhance data security and privacy, ensuring that the government has better control over data flows and can enforce regulations effectively. However, it is expected to face serious opposition from large MNCs, who rely on a global infrastructure of data centres; forcing them to build or maintain local data centres in India, could incur significant operational costs. Additionally, the complexity of managing multiple localised data systems might pose logistical and financial challenges for businesses with a global user base,” says Salman Waris, Managing Partner, TechLegis.
Waris stressed that concerns regarding the interference of local laws with international standards could arise, particularly for companies that operate in regions with stringent data protection regulations, such as the EU’s GDPR. Balancing the need for national security and privacy with the demands of global businesses will be a key challenge as India moves forward with these data localisation requirements.
“While they argue for alignment with global norms, the delay also gives them more time to adapt their business models and lobby for more favorable provisions. Ultimately, this reflects a broader trend where large corporations seek to shape digital policies in ways that balance regulatory compliance with their commercial interests and have a lasting impact on their global digital trade relations,” says Nazneen Ichhaporia, Partner, ANB Legal.
The penalties and liability exposures that may be faced due to non compliance of the DPDP Rules are significant, ranging up to ₹200 crores in case of certain violations. This would be another discouraging factor for the tech giants to push for delay.
Key Concerns Raised by Big Techs
1. Challenges in Age Verification :
ITI has highlighted that ensuring accurate age verification remains a global challenge. It urged the government to postpone Rule 10 and Section 9(1) until the industry can adapt cost-effectively and without disruption.
2. Call for International Alignment :
ITI suggests aligning India’s framework with international best practices, where most countries set the age of consent for online services between 13-16 years. If a postponement is not feasible, ITI proposes that verifiable parental consent (VPC) should apply only to users under 13, while for 13-17-year-olds, the requirement should be limited to high-risk processing activities.
3. Concerns Over Data Breach Reporting :
India Inc is raising concerns over the stringent data breach timelines under the DPDP Rules and is advocating for a risk-based approach to reporting. Identifying the nature, scope, and impact of a breach within 72 hours is particularly challenging for large organizations with complex systems. Industry stakeholders are urging alignment with the GDPR, which exempts breach notifications if the incident is unlikely to pose a risk to individuals’ rights and freedoms.
4. Government Access to Data :
The group has raised concerns about excessive government access under the current draft rules and has called for globally recognized transparency standards. The central government holds overarching powers to demand information from data fiduciaries for purposes specified in Schedule VII of the DPDP Rules. The listed purposes—such as the use of personal data by the State or its instrumentalities in the interest of sovereignty, integrity of India—are broadly defined, leaving companies vulnerable to inquiries at any time.
5. Cross-Border Data Transfers :
ITI fears that Rules 12 and 14 could introduce uncertainty around international data transfers, contradicting the DPDP Act’s stated commitment to unrestricted data flows.Several industry bodies, including Nasscom, IAMAI, USIBC, AIGF, BIF, and CUTS International, have echoed concerns regarding data localization and the compliance burden on smaller players.
The DPDP Rules introduce considerable ambiguity regarding cross-border data transfers, causing unintended uncertainty for businesses engaged in international data flows. The central government has been empowered to establish checks and balances on cross-border transfers; however, the specifics of these restrictions remain undefined.
Moreover, significant data fiduciaries face additional restrictions on transferring specific types of personal data abroad, as may be notified by the central government. Yet, the rules do not clearly specify the categories of data that would fall within this purview. Industry stakeholders speculate that payment-related or insurance data might be affected, hinting at potential data localisation requirements. This lack of transparency adds to the compliance challenges faced by businesses, particularly smaller companies with limited resources to navigate such complexities.
Policy Implications and Future Course:
The draft DPDP Rules were released on January 3 2025, and the last date for submitting comments was March 5 2025. The US-India Business Council (USIBC) has cautioned that uncertainty over data localization rules could deter foreign investments. With mounting pressure from global tech firms and Indian industry bodies, policymakers now face a crucial decision—whether to revise the DPDPRules to accommodate industry concerns or proceed with the current framework. The outcome will have a lasting impact on India’s data protection landscape and global digital trade relations.
The sole idea behind the consultation process for any Rules or act is to gather industry insights and understand the operational challenges that may be faced by businesses and the overall economy on its implementation . Post-consultation of the DPDP rules , several critical concerns have emerged that must be addressed to ensure both data protection and business continuity. “It’s clear that the rules will need to be revised to strike a balance—prioritizing citizens’ safety while facilitating a business-friendly environment. A holistic approach is essential, as the revised framework will not only define India’s data ecosystem but also influence global digital trade and investment in the years to come,” said Ankita Singh, Co-Founder & Partner, A&P Partners.
Experts say that the DPDP Act 2023, and the draft DPDP Rules, 2025 require a fundamental overhaul of existing systems, aligning India’s data protection laws with global standards. Given the vast personal data repositories of tech companies with millions of active users, compliance is both complex and resource intensive. “Meeting obligations like age verification, parental consent, data security, and cross-border data restrictions demands significant investment in structured mechanisms. Non-compliance carries steep penalties, making it understandable why industry players are seeking a phased implementation to ensure robust and effective compliance,” says Nidhish Mehrotra, Founder and Managing Partner, ANM Global.
One of the most contentious aspects of the DPDP Rules is the requirement for verifiable parental consent when processing children’s data. However, the DPDP Rules do not specify how to accurately verify parental relationships, as government-approved IDs in India do not link parents to children. This creates a critical gap, making the verification process cumbersome and impractical. Additionally, there is a significant risk of children falsifying their age to access digital services, particularly social media platforms.
“U.S.-based companies face compliance hurdles as the rules require parental consent for those under 18 years, unlike COPPA’s threshold of 13 years of age, forcing costly system overhauls. Industries like gaming and social media, which thrive on quick onboarding, may see user engagement decline due to lengthy verification processes,” says Navaneeta Kanjilal, Independent Legal Consultant.
