Industry groups asks IT ministry to not shorten compliance timeline under DPDP

India’s two digital industry groupings — the Internet and Mobile Association of India (IAMAI), which represents big tech companies such as Meta, Bharti Airtel and Amazon; and the startup body Empower India — have formally asked the IT ministry not to shorten the compliance timeline under India’s new data protection law, warning that doing so would strain businesses and disrupt operations.

February 4 was the last day for stakeholders to submit their recommendations to the Ministry of Electronics and Information Technology (MeitY) on the proposed changes.

Both bodies have urged the government to retain the originally notified 18-month transition period for implementing the Digital Personal Data Protection (DPDP) Act and its rules, instead of advancing enforcement to immediate, three-month, or 12-month deadlines.

In its submission seen by HT, IAMAI said compressing timelines would hit even companies that have already begun preparations. It added, “The decision to significantly compress compliance timelines shortly after the notification of the DPDP Rules introduces a high degree of policy uncertainty for organisations.”

The final DPDP Rules were notified in November 2025, nearly a year after MeitY released the draft for public consultation. The parent Act itself was enacted in August 2023, marking a long wait to operationalise India’s long-promised data protection law aimed at safeguarding citizens’ personal data.

Third-party dependencies slow compliance

IAMAI said most companies depend on a web of global vendors like cloud providers, CRM platforms and SaaS firms, and would first need to renegotiate contracts to insert new privacy safeguards. Cutting six months from the transition period would create a compliance gap, as the vendors’ systems and timelines are not aligned, making it difficult for businesses to meet the new deadlines.

It also warned that companies must fundamentally redesign how their systems handle personal data. “Compressing the transition timeline… is likely to compromise critical testing and security measures. Such an accelerated timeline may also introduce severe systemic risks, including the potential for accidental data corruption or exposure.”

IAMAI further said implementing “verifiable consent” for children’s data under the rules involves technical and market-readiness challenges that cannot be resolved within a compressed 12-month timeline.

At a closed-door consultation on January 22, MeitY met representatives from large technology companies including Meta, Apple, Amazon, Google and PhonePe, along with startup and industry bodies. According to people familiar with the discussions, the ministry presented slides proposing to shorten the currently notified 18-month compliance window for several provisions. These included bringing into force Rule 23 (furnishing information to the government), Rule 15 (cross-border transfer of personal data), Rule 13(5) (constitution of a government committee to determine restrictions on overseas data transfers) immediately. These were originally scheduled to come into force after 18 months. The ministry also asked for Rule 8(3) (mandatory one-year data retention) to be implemented within three months rather than 18 months.

According to people present at the meeting, MeitY was of the view that compliance shouldn’t be an issue since several large global technology companies already comply with international privacy standards such as Europe’s General Data Protection Regulation (GDPR).

Legal experts that HT spoke to drew comparisons with the GDPR rollout, which allowed nearly two years for compliance and was accompanied by detailed regulatory guidance and awareness campaigns. Even then, smaller businesses struggled to meet requirements. India’s ecosystem, which includes a large number of small and medium enterprises with limited compliance capacity, may require a phased or graded approach, they added.

One-year data retention ‘technically infeasible’

Both IAMAI and Empower India flagged concerns about Rule 8(3), which would require companies to retain personal data, traffic data and logs for at least one year. IAMAI said meeting this within three months would be “technically and operationally infeasible within a three-month timeframe” and would require “significant system re-architecture”.

Empower India, which represents several startups with ₹100 crore-plus revenues, echoed the concern, calling the three-month window overly harsh. The group also warned smaller firms would struggle the most.

Both bodies have also sought more time and clarity for Significant Data Fiduciaries (SDFs), which are companies that handle large volumes of personal data and are subject to additional compliance requirements under Rule 13 of the DPDP Rules. IAMAI said data fiduciaries are still awaiting clarity from MeitY on the thresholds for SDF classification, and argued that once entities are designated, they should be given a separate transition period to meet the extra obligations.

Data localisation and cross-border flows

On rule 15, that could restrict overseas transfers of Indian data, IAMAI said immediate enforcement without guidance could lead to “a high likelihood of organisations inadvertently falling out of compliance.” Moreover, complying with cross-border data restrictions would require companies to work with foreign partners, renegotiate contracts, modify technical systems and build new infrastructure. Such operational changes take time, and shorter deadlines would make compliance difficult.

Empower India added that localisation would require companies to “re-orient existing data architectures” and migrate infrastructure, a process that needs “substantial time and resources.” It also cautioned that enforcing cross-border restrictions immediately, without first naming restricted countries, would be “unduly onerous for businesses.”

On Rule 23, which deals with furnishing information to the government, IAMAI said immediate enforcement would require companies to first set up formal internal systems to receive, assess and respond to official data requests within prescribed timelines. This would involve creating secure processes, confidentiality safeguards, restricted access controls and audit trails. The industry body said such mechanisms require adequate preparation time and cannot be implemented overnight.

MeitY will now read the responses received from the stakeholders before taking its next steps, a senior official said.