The Ministry of Electronics and IT (MeitY) has asked social media platforms and digital companies to submit their views on advancing the implementation of key provisions of India's Digital Personal Data Protection (DPDP) Act and Rules.
This includes a proposal to shorten the compliance timeline for data fiduciaries from 18 months to 12 months.
In an email sent to platforms following a January 22 meeting, MeitY said three major changes were under consideration and sought industry inputs by February 4.
"The time duration for the obligation on Data Fiduciaries as mentioned in DPDP Act & Rules [is proposed] to be reduced to 12 month from given 18 months," the email stated.
It also proposed that Rules 15 and 23 of the DPDP Rules be commenced immediately, and that Rule 8(3) be brought into force within three months.
While Rule 15 lays down conditions under which personal data may be processed for research, archiving and statistical purposes in a de-anonymised form, Rule 23 contains miscellaneous procedural provisions of the DPDP Rules.
Meanwhile, Rule 8(3), which the ministry has proposed to operationalise within three months, permits data fiduciaries to retain personal data beyond the original purpose in cases where itis required by law, court orders or for investigation and legal proceedings, subject to safeguards.
During the January 22 meeting, officials shared a presentation outlining "suggested recommendations" for reducing timelines.
The slide proposed that some rules relating to cross-border data transfer and classification of personal data be enforced immediately, arguing that these do not require major infrastructural changes by companies.
It also suggested reducing the enforcement timeline for Rule 13 — which governs obligations of Significant Data Fiduciaries — to 12 months, including provisions related to processing certain categories of personal data within India based on recommendations of a government-appointed committee.
Another proposal discussed was to operationalise Section 17 (2) of the DPDP Act with immediate effect, which would require notifying authorised agencies and implementing the exemption framework for specified processing activities.
Tech majors are expected to be classified as Significant Data Fiduciaries once formal designations begin, based on factors such as the volume and sensitivity of data they process and the potential risks posed to sovereignty, public order and electoral democracy.
Under the DPDP framework, SDFs face additional obligations including annual data protection impact assessments, independent audits, and verification that algorithmic systems used for processing personal data do not infringe user rights.
The rules also allow the Centre to specify categories of personal data that SDFs may process subject to restrictions on cross-border transfers.
The government’s move to potentially compress timelines, however, is likely to trigger pushback from industry, which has consistently argued that compliance with the DPDP Act requires significant operational and technical changes across data systems, consent mechanisms and grievance redress processes.
Officials indicated that no final decision has been taken yet and that the ministry is in the process of gathering feedback before bringing any formal amendment to the DPDP Rules.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
