As India moves to operationalize its first comprehensive data protection regime, the government is quietly recalibrating timelines and compliance burdens for global technology firms and domestic startups alike — a shift that reflects both regulatory ambition and political caution.
A Law Years in the Making
When India’s Supreme Court declared privacy a fundamental right in 2017, it set off a long and halting effort to craft a legal framework that could govern how personal data is collected, processed and stored in the world’s second-most populous country. That effort culminated in August 2023, when the Digital Personal Data Protection (DPDP) Act received presidential assent.
But the law itself was only the beginning. The detailed rules needed to make it enforceable — spelling out obligations, timelines and penalties — arrived much later. The Ministry of Electronics and Information Technology (MeitY) notified the long-awaited data protection rules last year, nearly two years after the Act was passed, laying the groundwork for what officials described as India’s first functional privacy law.
From the start, the Act drew scrutiny. Civil society groups warned that its wide-ranging exemptions for the government and its agencies — particularly for reasons of national security, public order and foreign relations — risked undermining the very right to privacy the law was meant to protect. Critics also argued that certain provisions could dilute the Right to Information Act by placing new limits on access to personal data held by the state. Even NITI Aayog, the government’s own policy think tank, had raised concerns about the potential weakening of transparency safeguards.
Those debates continue to hover over the implementation phase, even as regulators turn their attention to the practical mechanics of enforcement.
A Shortened Clock for Big Tech
One of the most consequential changes under consideration is a compressed compliance timeline for large technology companies. MeitY is weighing a plan to reduce the window for compliance with the DPDP Act and its associated rules from 18 months to 12 months for so-called “significant data fiduciaries” — firms that process large volumes of sensitive personal data or pose heightened risks to national interests.
Companies likely to fall into this category include Meta, Google, Apple, Microsoft and Amazon, according to officials familiar with the discussions. The designation would be based on factors such as the scale and sensitivity of data processed, as well as potential risks to India’s sovereignty, electoral democracy, security and public order.
Union IT Minister Ashwini Vaishnaw signaled this direction last year, noting that many large technology companies already comply with stringent regimes like the European Union’s General Data Protection Regulation.
“It is right that big companies already follow laws like Europe’s GDPR,” he said in response to a question from The Indian Express. “We will compress the timeline. We will amend the law.”
The idea, officials say, is to create a compliance gradient — one that recognizes the greater institutional capacity of multinational firms while giving smaller startups more time to adapt. Queries sent to the IT Ministry on the proposed changes remained unanswered until publication.
New Obligations, Limited Guidance
Under the notified rules, technology companies are required to put in place mechanisms for obtaining “verifiable” parental consent before processing children’s personal data. Rather than prescribing a single method, the government has left it to companies to design their own systems — a decision taken after social media platforms warned that rigid requirements could be difficult to implement at scale.
The rules also impose strict breach notification requirements. In the event of a data breach, data fiduciaries must inform affected individuals “without delay,” providing details about the nature, extent, timing and location of the breach, the likely consequences for users, and the measures taken — or being taken — to mitigate risks. Failure to maintain adequate safeguards against breaches can attract penalties of up to Rs 250 crore.
For significant data fiduciaries, the obligations go further. These firms must conduct annual data protection impact assessments and ensure that their technical systems, including algorithmic software used to process personal data, do not violate users’ rights. The Centre will also specify categories of personal data that such entities may process, subject to restrictions on cross-border transfers.
Notably, certain personal and traffic data related to these entities may be required to remain within India’s borders. A government committee tasked with defining which types of personal data must be localized could be formed sooner than expected, officials said, signaling an acceleration of decisions that have long been politically sensitive and closely watched by global companies.
Balancing Enforcement and Flexibility
The push to operationalize the rules within 12 months marks a departure from the earlier 18-month timeline envisioned when the rules were first notified. Officials argue that the shorter window reflects both urgency and pragmatism — an attempt to move past years of delay while differentiating between companies with vastly different capacities to comply.
At the same time, the government has shown restraint in other areas. By declining to mandate a single model for parental consent verification, and by leaving key definitions to future notifications, regulators appear to be buying time and flexibility as the ecosystem adjusts.
