Tech companies prepare objections to fast-track rollout of privacy law

Big Tech companies and startups are preparing formal submissions to oppose the IT ministry’s plan to shorten the timeline for implementing key provisions of India’s Digital Personal Data Protection (DPDP) framework, people aware of the matter said.

A closed-door consultation held by the ministry of electronics and information technology (MeitY) on January 22 brought together large firms including Meta, Apple, Amazon, Google and PhonePe, along with several startups. They discussed an accelerated rollout of the DPDP rules notified in November 2025.

According to people familiar with the discussions, the ministry presented proposed changes that would reduce the current 18-month compliance period for several provisions. In some cases, the government proposed bringing rules into force immediately.

A presentation shown at the meeting, seen by HT, suggested rules regarding furnishing information to the government (Rule 23), cross-border transfer of personal data outside India (Rule 15), and the constitution of a government committee to decide restrictions on cross-border transfers (Rule 13(5)) commence immediately. These were originally scheduled to come into force after 18 months.

The presentation also proposed enforcing Rule 8(3), which allows companies to retain personal data for lawful purposes without user consent, within three months rather than 18.

One person aware of the matter said the decision to explore a shorter timeline followed claims that some companies had approached IT minister Ashwini Vaishnaw and argued that 18 months was too long a period for compliance.

“When this was conveyed in the meeting, there was visible confusion in the room,” the person said. “Of the people present, no one in their right mind would have gone to the minister to say this. This is not feasible.”

Vaishnaw had in November, shortly after the notification of the final DPDP rules, stated the government was preparing to reduce the compliance timeline, signalling a faster rollout of the new data protection regime.

An executive at a large technology company said the industry was struggling even with the existing timeline.

“Even 18 months is tough. To reduce that to a minimal period will create further challenges,” the executive said. “Right now, there is no Data Protection Board in place, so that itself is a problem. And mandatory one-year data retention means an insane amount of data. A large company can manage it, but how does a small company do it?”

Under the DPDP framework, the board, comprising four members, is the key authority for hearing complaints, issuing directions and imposing penalties for violations.

Another person stated smaller companies and startups were the most vocal during the consultation.

“They told the ministry that compliance could be make-or-break for their business model,” said one of the people quoted above.

The person added that IT secretary S Krishnan argued many large technology companies already follow similar compliance standards globally and the rules were not entirely new to them.

Ministry officials did not immediately respond to HT’s request for comment.