Friday, January 23, 2026

Centre may shorten data protection law compliance timeline for Big Tech : Written by Soumyarendra Barik

The Indian Express: New Delhi: Friday, 23 January 2026.
The Ministry of Electronics and IT (MeitY) may shorten the timeline for Big Tech companies such as Meta, Google, and Amazon to comply with India’s Digital Personal Data Protection Act, 2023 and other related rules to 12 months from the current 18 months, as the government looks at creating separate compliance regimes for large companies and startups, The Indian Express has learnt. The move, though, could spark a wave of pushback from tech companies.
In particular, provisions that place additional obligations on ‘significant data fiduciaries’ could see fast tracking in terms of compliance timelines, the ministry is understood to have communicated to the industry during a meeting Thursday. A significant data fiduciary will be determined on the basis of the volume and sensitivity of personal data it processes, and the risks it might pose to India’s sovereignty and integrity, electoral democracy, security, and public order. Tech majors including Meta, Google, Apple, Microsoft, and Amazon are expected to be classified as significant data fiduciaries.
These specific provisions require tech companies to carry out a yearly data protection impact assessment, and verify that technical measures, including their algorithmic software, that deal with handling personal data don’t violate users’ rights. More notably, under the rules, the Centre will specify the kind of personal data which can be processed by “significant data fiduciaries” subject to the restriction that such personal data and traffic data related to its flow is not transferred outside the territory of India. All these provisions could now be operationalised in 12 months, as opposed to the earlier prescribed 18 months, with the ministry expected to bring an amendment to the data protection rules.
A government committee, to be set up to prescribe the types of personal data that would have to be localised within India, could be formed much sooner, it is understood.
The changes are being made to create a compliance gradient between bigger companies and smaller startups, with the idea being that the former already comply with strict privacy laws like those in Europe, and as a result have more institutional bandwidth to comply with India’s law. Last year, responding to a question by The Indian Express, Union IT Minister Ashwini Vaishnaw had said, “It is right that big companies already follow laws like Europe’s General Data Protection Regulation (GDPR). We will compress the timeline. We will amend the law”.
Queries sent to the IT Ministry remained unanswered until publication.
Last year, the IT Ministry had notified the long-awaited data protection rules, paving the way for India to have a functional privacy law, eight years after the Supreme Court ruled privacy a fundamental right. The notification of the rules came over two years after the Digital Personal Data Protection (DPDP) Act received the President’s assent in August 2023.
Under the rules, tech companies are required to implement a mechanism for collecting “verifiable” parental consent before processing children’s personal data.
Effectively, the government has refrained from proposing a mechanism from its side, and has left it to the companies to adopt a system of their choice, after social media companies complained that it could be a difficult provision to implement.
In the event of a data breach, data fiduciaries will have to intimate to impacted individuals “without delay” a description of the breach, including its nature, extent and the timing and location of its occurrence; the consequences relevant to the impacted user that are likely to arise from the breach; and the measures implemented and being implemented to mitigate risk, among other things. The penalty for failing to have adequate safeguards for preventing a data breach could go as high as Rs 250 crore.
The Act had come under scrutiny for granting wide-ranging exemptions to the government or its agencies while processing citizens’ personal data on grounds of ‘national security’, ‘friendly relations with other states’, and ‘public order’, among other things. It was also called into question over allegedly diluting the RTI Act. The Indian Express had earlier reported that apart from civil society, even the government’s think tank NITI Aayog had raised concerns over the potential weakening of the RTI Act.