By Anuradha Gandhi and Rachita Thakur
Introduction
On January 23, 2026, the Ministry of Electronics and Information Technology (hereinafter referred to as ‘MeitY’) held stakeholder discussions with various industry leaders and proposed certain measures to fast track implementation of the Digital Personal Data Protection Act, 2023 (hereinafter referred to as ‘DPDPA’).[1] MeitY has sought comments and feedback on these proposal from industry stakeholders by February 4, 2026. The Proposal seeks to cut short compliance deadline from 18 months to 12 months which means that the last date for complying with the DPDPA will change to November 13, 2026, which was earlier May 13, 2027.[2] Notably, on November 17, 2025, Shri Ashwini Vashnaw had indicated the intention of the Government to compress the time line of enforcing the DPDPA for large businesses which already comply with stricter global regulations.[3]
What has MeitY Proposed?
Fast tracking notification of Significant Data Fiduciaries
Section 10(1) of the DPDPA gives the Central Government the power to notify Significant Data Fiduciaries (hereinafter referred to as ‘SDF’) based on the volume and sensitivity of the personal information (hereinafter referred to as ‘PI’) processed, risk to the rights of Data Principals, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the state or public order.
Earlier this provision was supposed to enforced after 18 months from the notification date of the Digital Personal Data Protection Rule, 2025 (hereinafter referred to as ‘DPDPR’) i.e., by May 13, 2026. However, MeitY has now proposed the enforcement of the provision from the date of notifying the proposed amendment. This means that the Central Government seeks to notify the list of SDFs or criteria of being classified as SDFs under the DPDPA as soon as possible.
Cross Border Transfer Restrictions to be enforced immediately.
Rule 13(4) and Rule 15 deal with the transfer of personal data outside the territory of India. SDFs are required to comply with restriction notified by the Central Government on the advice a recommendation committee constituted by it. MeitY has proposed that these provisions shall be enforced immediately.
Immediate Notification of Central Government’s Power to Exempt.
Under Section 17(2), the Central Government can notify and exempt an instrumentality of the State for processing PI in the interest of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence. Additionally, any PI shared by such instrumentality with the Central Government shall also be exempt from the provisions of the DPDP Framework. This provision is also proposed to be the enforced immediately.
Who are SDFs?
The exact classification of which Data Fiduciaries will be notified as SDFs remains to be seen. However it is likely that Data Fiduciaries operating in sensitive sectors such as Defense, Healthcare and Finance would supposedly fall within the purview of being classified as SDFs.
Additionally, entities which operate AI systems, search engines, ecommerce market places, and social media platforms could also be categorized as SDFs considering the volume of PI and potential risks to the rights of Data Principals.
Cutting short the Compliance time line for SDFs
MeitY has proposed to cut short the compliance deadline under DPDPA for SDFs by 6 months. The SDFs will be required to fulfill compliance with the DPDPA latest by November 13, 2026, which was earlier set to be May 13, 2026.
Additional Obligations of SDFs under the DPDPA
Section 10(2) of the DPDPA and Rule 13 of the DPDPR prescribe additional compliance measures to be implemented and fulfilled by the SDFs. These include:
- Appointment of a Data Protection Officer
- Appointment of an independent Data Auditor
- Conduct periodic Data Protection Impact Assessment (hereinafter referred to as ‘DPIA’) every 12 months
- Conduct periodic Data Audit
- Furnish the report of the Data Audit and DPIA to the Data Protection Board.
- Observe due diligence to verify and ensure that the technical measures adopted by it (including algorithmic softwares) does not pose risk to the rights of the Data Principals
- Comply with the restrictions prescribed by the Central Government for transferring PI outside India
Penalty for Non-compliance with these Obligations
Section 33 along with the Schedule of the DPDPA prescribes a penalty of up to INR 150 Crores for breach of the prescribed additional obligations by the SDFs.
Implementing the Data Retention Requirements within 90 Days
Rule 8(3) of the DPDPR mandates that the Data Fiduciaries and their Data Processors are required to retain PI for minimum period of 1 year from the last date of processing. This period is 3 years for E-commerce entities, online gaming intermediaries and social media intermediaries under Schedule 3 of the DPDPR.
These provisions were slated to come into force on May 13, 2026 i.e., 18 months from the notification date of the DPDPR. However, MeitY now seeks to enforce these provision within the 90 days of notifying the proposed amendment.[4]
It remains to be seen that if these provisions would be enforced for Data Fiduciaries across the board or only for SDFs.
(To read more about the DPDP Framework, refer to –
- https://ssrana.in/articles/meity-notifies-final-digital-personal-data-protection-rules-2025/
- https://ssrana.in/articles/ensuring-child-safety-under-the-dpdpa/
- https://ssrana.in/articles/effect-of-digital-personal-data-protection-rules-2025-on-ai-regulation/
- https://ssrana.in/articles/data-breach-reporting-in-india-legal-obligations-and-best-practices/ )
Prateek Chandgothia , Former Junior Associate at S.S.Rana & Co. has assisted in the research of this article.