Compliance Timelines Compressed

The Indian government is moving to shorten compliance deadlines for the country's new data protection law. The Ministry of Electronics and Information Technology (MeitY) may reduce the timeline for major technology companies to comply with the Digital Personal Data Protection Act from 18 months to just 12 months. This significant acceleration affects how companies like Meta, Google, and Amazon must handle Indian users' personal data. The change is part of creating a differentiated compliance regime that treats large corporations differently from smaller startups.

Who Gets the Shorter Deadline?

The accelerated timeline specifically targets Significant Data Fiduciaries (SDFs) - companies that process large volumes of sensitive personal data. Tech majors including Meta, Google, Apple, Microsoft, and Amazon are expected to receive this designation. Banks and major financial institutions will also likely be classified as SDFs. The government determines SDF status based on factors including data volume and sensitivity, risks to individual rights, and potential impact on national security and public order. These companies already follow strict regulations like Europe's GDPR, giving them a head start on compliance.

What Must Be Done Faster?

Companies facing the shortened timeline must accelerate implementation of several key obligations. They need to conduct yearly data protection impact assessments and verify that their algorithms don't violate user rights. They must implement systems for collecting verifiable parental consent before processing children's data. For certain data categories the government specifies, data localization requirements will apply, restricting transfers outside India. They also need to establish robust data breach notification systems that alert affected individuals "without delay" and report to authorities within 72 hours.

Industry Pushback Expected

Technology companies are likely to resist the accelerated timeline, citing implementation complexity. An industry executive noted that cutting the timeline "will be very difficult for not just us but any data fiduciary operating in India". Companies argue that India's data landscape presents unique challenges that require substantial preparation time. The government has engaged in stakeholder consultations to gather feedback on the proposed changes. Previous industry feedback led to flexibility in how companies implement parental consent mechanisms, showing government willingness to adjust based on practical concerns.

Why Differentiate Between Companies?

The government's approach creates a "compliance gradient" between large corporations and smaller startups. Union IT Minister Ashwini Vaishnaw explained that big companies already comply with strict laws like GDPR, giving them more institutional capacity to implement India's requirements faster. This differential treatment aims to avoid burdening startups while ensuring major data handlers comply promptly. The minister has publicly stated the government's intention to "compress the timeline" for companies with existing compliance frameworks. This recognizes that multinational tech giants have more resources to adapt quickly compared to emerging domestic companies.

Some Provisions May Take Effect Sooner

Certain provisions could be enforced even more aggressively than the 12-month timeline suggests. The government may require companies to implement data retention rules within 90 days instead of 18 months. Rules allowing the government to request information from data fiduciaries might take effect immediately. Provisions governing cross-border data transfers could also be implemented sooner than originally planned. This indicates a tiered enforcement approach where some high-priority requirements face extremely compressed deadlines while others follow the 12-month schedule.

New Implementation Timeline

If implemented, the new compliance schedule would unfold as follows: Immediate effect for government information request powers. Within 90 days for data retention requirements. By November 2026 for most SDF obligations under the compressed 12-month timeline. This represents a significant acceleration from the original schedule that had major provisions taking effect in May 2027. The phased approach allows companies to prioritize the most urgent requirements while working toward full compliance. The government committee on data localization is also expected to form sooner to define what data must stay in India.