
MeitY signals a sharper turn in India’s Data Protection Rollout

In a notable shift, the Ministry of Electronics and Information Technology (“MeitY”) is considering compressing the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Act Rules, 2025 (“DPDP Act & Rules”) compliance timelines, from the originally notified 18 months to immediate, 3-month, or 12-month windows for select provisions. The closed-door meeting held on January 22, 2026 proposed acceleration targets for areas with direct state interface.


Specifically, Rule 23 (power to call for information from data fiduciaries and intermediaries), Rule 15 (transfer of personal data outside India), and Rule 13(5) (constitution of a government committee to recommend restrictions on overseas data transfers by Significant Data Fiduciaries) are proposed to be enforced immediately, signalling the government’s intent to retain early control over information flows and regulatory oversight. Rule 8(3), which mandates retention of all personal data, traffic data and logs for at least one year to enable government access, faces the sharpest cut, from 18 months to just 3 months. Further, Rule 13, which imposes additional compliance obligations on Significant Data Fiduciaries, may be brought forward to 12 months, while Section 17(2), the exemption framework allowing the Centre to exempt certain agencies or classes of processing from DPDP obligations, is also proposed for immediate notification.


MeitY argues that many provisions do not require heavy infrastructural changes. However, there is evident industry pushback, especially on mandatory one-year data retention within just three months, which highlights the operational and technical strain such truncation may cause, particularly for entities that were mapping compliance based on the 18-month horizon.

The move raises larger questions:

  1. Can regulatory certainty be preserved if timelines shift post-notification?

  2. Will accelerated enforcement disproportionately impact smaller data fiduciaries?

  3. Should enabling provisions be enforced before institutional mechanisms (like the Data Protection Board)?


From an industry perspective, the proposed truncation has been met with clear concern. Stakeholders noted that most compliance roadmaps were designed around the originally notified 18-month window, and abrupt acceleration would necessitate significant technical reconfiguration, storage expansion, and internal policy recalibration. Executives also flagged the absence of clarity on identified Significant Data Fiduciaries, cross-border data restriction criteria, and the operational status of the Data Protection Board, arguing that early enforcement without these guardrails risks regulatory uncertainty.


As feedback is invited until 4th February 2026, this moment may prove pivotal in shaping the character of India’s data protection regime, whether it evolves into a measured compliance framework or a swift enforcement-first model. The outcome will not only affect immediate compliance burdens but also set the tone for regulatory certainty, trust between the state and data fiduciaries, and the long-term credibility of India’s data protection enforcement.

