Is MeitY planning to shorten DPDP compliance for big tech and banks to 12 months?

India has made a significant move to strengthen digital privacy by bringing the Digital Personal Data Protection Act, 2023 (DPDP Act) into force—the country’s first comprehensive law governing digital personal data. However, the government is now reviewing the timeline for compliance with some of the Act’s key provisions, particularly for large technology companies, banks, and other major data handlers. A key proposal under discussion is to reduce the compliance window for these entities from 18 months to 12 months.

What is the DPDP Act, and what is the current compliance timeline?

India’s Digital Personal Data Protection Act, 2023, along with the DPDP Rules, 2025, lays down how organizations must protect people’s personal data when it is handled online by companies, apps, banks, or other entities.

The law is being rolled out in phases:

• Some provisions, such as the establishment of the Data Protection Board of India, take effect immediately after the rules are notified.
• Other provisions—mainly those that require organizations to change their data collection, storage, processing, and security practices were originally given a compliance period of up to 18 months from the notification date.

This 18-month timeframe was intended to give companies enough time to make the necessary technical, legal, and organizational changes without disrupting their regular operations.

What is the proposed change?

The Ministry of Electronics and Information Technology (MeitY) is in talks with industry bodies and technology companies about reducing the time given to some organizations to comply with the DPDP law. For large companies in particular, the compliance period may be cut from 18 months to 12 months.

This would mean that instead of having time until mid-2027, big tech firms (such as Meta, Google, Amazon, and Microsoft) and large banks or financial institutions may need to meet key data protection requirements by late 2026, just one year after the DPDP Rules were notified.

The aim is to make India’s data protection system more effective and faster, so people’s privacy rights are protected sooner, and companies adopt stronger data protection practices earlier. Some requirements, such as the government’s ability to request information from companies and certain data retention rules, could even take effect immediately or within a short period, such as 90 days, under this proposal.

Why is MeitY thinking about a shorter deadline?

The government, through MeitY and Union IT Minister Ashwini Vaishnaw, wants the DPDP Act to be enforced more quickly. There are a few key reasons for this:

• Many large companies already follow strict data protection laws in other countries, so the government believes they can meet India’s requirements in less time.
• Faster implementation would give Indian citizens stronger privacy protection sooner, especially as digital services are growing rapidly.
• A shorter deadline would reduce confusion and uncertainty about when the law will be fully enforced.

To make a balanced decision, the government has asked digital platforms and companies to share their views on whether a 12-month compliance period is workable or too demanding.

Who would be affected?

If this proposal is approved, it will mainly impact Significant Data Fiduciaries (SDFs). These are organizations identified under the DPDP Act as handling huge volumes of personal data, sensitive information, or data that could pose higher risks to people’s rights.

This group usually includes:

• Large social media and technology companies (such as Meta and Google).
• Major banks, financial services firms, and insurance companies.
• Possibly big e-commerce platforms, fintech companies, and other businesses that rely heavily on personal data.

Since these organizations already deal with massive amounts of data and are closely regulated worldwide, the proposal would require them to comply with DPDP rules sooner than originally planned.

Reactions from industry and other stakeholders

The proposal has received mixed reactions. Several industry groups and experts have expressed concerns that shortening the compliance timeline may be too demanding.

• Industry bodies like the Broadband India Forum (BIF) and the India Cellular and Electronics Association (ICEA) have said that speeding up implementation could create uncertainty and lead to uneven compliance.
• Some business leaders and legal experts have warned that tighter deadlines could put pressure on smaller companies and startups and may also affect investor confidence.
• The Internet and Mobile Association of India (IAMAI), representing several digital companies, has urged caution, warning that a hurried rollout could interfere with routine business operations.

These stakeholders feel that the original 18-month timeline was reasonable and important, as it gives organizations sufficient time to properly update their systems, contracts, security controls, and internal processes.

What comes next?

Right now, the proposal to shorten the compliance timeline is still under discussion and has not been finalized. MeitY has asked companies and other stakeholders for their views and is reviewing the feedback received.

After this consultation process, the government may:

• Finalize revised rules that reduce the compliance period to 12 months for significant data fiduciaries.
• Decide to retain the original 18-month timeline if feedback strongly supports it.
• Choose a mixed approach, where some requirements are implemented earlier while others continue with a longer deadline.

The final decision, along with clear timelines and dates, will be officially announced through amended DPDP Rules published in the Gazette of India. Once published, these rules will be legally enforceable.

Conclusion

India’s approach to data privacy is moving fast. The DPDP Act and its rules aim to protect people’s personal data. As part of this effort, MeitY is considering reducing the compliance timeline from 18 months to 12 months for large technology companies, banks, and other significant data fiduciaries.

This proposal shows the government’s intent to enforce data protection rules sooner. At the same time, it has raised concerns among industry players about whether such a short timeline is practical. The final decision will depend on the feedback MeitY receives from companies and industry groups.

Regardless of whether the deadline is set at 12 months or remains at 18 months, it is clear that India is committed to building a strong data protection framework, and DPDP compliance will be a key focus for all businesses operating in the digital space.

Five Key Takeaways

• Shorter compliance timeline proposed: MeitY is considering reducing the DPDP compliance period for large data fiduciaries from 18 months to 12 months.
• Big tech and banks are most affected: Major technology companies and large banks are likely to be the primary targets of this change.
• Industry consultations ongoing: The government is gathering feedback from companies and industry groups before taking a final decision.
• Industry reactions are mixed: Some industry bodies have raised concerns about the shorter timeline, pointing to implementation challenges.
• No final decision taken: The 12-month deadline is still only a proposal; the final compliance timelines will be announced after consultations are completed.