On 22 January 2026, the Ministry of Electronics and Information Technology (MeitY) convened consultations with major technology firms, including Meta, Google, YouTube, and Apple, to propose substantial reductions in compliance timelines under the Digital Personal Data Protection Act (DPDPA) Rules. The existing framework provides 0-18 months for implementation, varying by provision. The new proposal seeks immediate or significantly shortened timelines for select rules, pending approval.
The affected provisions include:
- 18 months to immediate implementation: Rule 23 (requests for information from data fiduciaries or intermediaries); Rule 15 (cross-border personal data transfers); Rule 13(5) (committee descriptions for Significant Data Fiduciaries’ transfers); and Section 17(2) exemptions.
- 18 months to 3 months: Rule 8(3) (data retention for governmental access).
- 18 months to 12 months: Rule 13 (additional obligations for Significant Data Fiduciaries).
This development, though foreshadowed by the Union Government in November 2025, has nonetheless elicited surprise across the sector. Notably, the proposal applies indiscriminately to all data fiduciaries, irrespective of enterprise scale, thereby imposing disproportionate challenges on small and medium-sized enterprises (SMEs).
The proposed truncation of DPDPA compliance timelines is a high-risk move that prioritises regulatory speed over operational feasibility, potentially destabilising India’s tech ecosystem. By shifting from an 18-month window to “immediate” or three-month requirements, the Ministry imposes a nearly impossible burden on firms to re-engineer legacy systems and perform complex data mapping without sufficient lead time. This is particularly damaging for SMEs, who lack the capital to meet sudden mandates. Ultimately, forcing compliance before technical and legal frameworks are ready risks creating security vulnerabilities through rushed implementation and could stifle innovation by diverting resources toward frantic administrative survival.
Moreover crucial clarifications remain pending, including criteria for designating countries as restricted under Rules 15 and 13(5), thresholds for Significant Data Fiduciary classification, and parameters for exemptions. Such ambiguities may hinder effective compliance.
The initiative is bound to receive significant opposition from data fiduciaries, potentially undermining its viability. Technology enterprises have highlighted risks to operational continuity, innovation, and global competitiveness, while SMEs emphasise resource limitations. MeitY’s impetus stems from India’s fast-growing data ecosystem and recent data breaches that underscore the urgency for data protection. However, effective compliance necessitates proper implementation of measures such as comprehensive data mapping and governance enhancements.