Digital payment companies Google Pay, PhonePe and Amazon Pay as well as the National Payments Corporation of India (NPCI) have sought exemption from Digital Personal Data Protection (DPDP) Act provisions that require user consent for each transaction, arguing that this will be too onerous, people aware of the development told ET.
The mandate will also be applicable on recurring payments and will lead to a rise in cost and complexity, the companies said in submissions to the Ministry of Electronics and Information Technology (MeitY). The issue will be more pronounced in the case of smaller companies and startups, they said.
The law hasn’t been operationalised yet since rules floated in January for stakeholder consultation are yet to be notified. Representatives of the companies met MeitY in this regard last week.
Google Pay, PhonePe, Amazon Pay and NPCI declined to respond to queries.
“The core of the issue lies in the Act’s emphasis on explicit consent for every data processing activity,” said one of the persons cited.
Data Flow Challenges
“While seemingly straightforward, industry players argued that the current interpretation and implementation of this clause could significantly disrupt existing digital payment workflows,” the person said.
Recurring payments such as electricity bills or subscriptions are typically debited automatically after initial permission. Under the DPDP Act‘s consent requirements, industry’s worry is that this will necessitate fresh user consent.
“This multi-level authentication and consent process, while enhancing security, introduces significant friction and incremental costs,” said the person cited. “Smaller players and startups, in particular, may struggle to bear these costs and adapt their technical infrastructure, potentially hindering their growth and competitiveness.”
They may also face data flow challenges.
“The data processing is going to become all the more tougher for the smaller players if every time they have to get a consent,” said the person. “It’s going to impact the digital data flow. Whereas the larger bigger companies would be able to manage… there would be incremental costs, yes, but they will be compliant. But some of the smaller and newer players will find it tougher.”
There also appears to be ambiguity in how the law’s provisions are being interpreted by government and industry, leading to uncertainty about compliance, the person said.
The original debate over data localisation engendered by the legislation, where the government focused on volume of data and industry on its criticality, foreshadows the current consent-related discussions, experts said.
Section 17, subsection 5, of the DPDP Act empowers the central government to exempt certain data fiduciaries or classes of data fiduciaries from specific provisions for a specified period. This exemption can be granted through a notification before the expiry of five years from the law’s commencement.
The industry is aiming for a time window through this clause to develop and implement alternative solutions that align with the spirit of data protection without stifling digital innovation, according to the companies.
“The exemption period is seen as a window for the industry to collaborate with the government and propose viable alternatives that balance data protection with ease of digital transactions,” said the person cited. “While no concrete alternatives have been finalised, discussions are ongoing, with some proposals reportedly in advanced stages and expected to be discussed in early August.”
NPCI view
While Google Pay and PhonePe, as market leaders, are seeking relief for their own operations, NPCI’s submission primarily advocates for small startups and other industries that rely on the UPI framework. Its concerns stem from the potential impact on a vast ecosystem of smaller businesses that may not have the resources to overhaul systems to meet new compliance burdens.
The financial implications of noncompliance are substantial, with heavy fines stipulated under the Act. This incentivises companies to bake compliance costs into their operational models, which could eventually be passed on to consumers, sources said.
The submissions were made toward the end of June or early July, with others following suit after NPCI’s initial representation.
