MeitY May Cut DPDP Compliance Timeline From 18 to 12 Months

India’s Ministry of Electronics and Information Technology (MeitY) is considering reducing the compliance timeline for key provisions of the Digital Personal Data Protection (DPDP) Act from 18 months to 12 months, signalling a faster rollout of privacy obligations for major digital platforms, banks, and tech companies. 

The proposal, discussed in late January 2026, reflects the government’s intent to accelerate enforcement of India’s landmark privacy law. According to officials, the shortened timeline would apply to Significant Data Fiduciaries (SDFs). These are large platforms and financial institutions that handle vast amounts of personal data. These entities would be required to implement stricter compliance measures within a year of the rules being notified, rather than the previously expected 18-month window. 

MeitY has also suggested that certain provisions of the DPDP Act, such as data subject rights, grievance redressal mechanisms, and cross-border transfer obligations, could be enforced immediately upon notification. Additionally, data retention rules may be implemented within 90 days, requiring companies to delete inactive or unnecessary personal data promptly. 

Industry stakeholders have been invited to provide feedback on the proposed changes by early February. While many privacy advocates welcome the accelerated timeline as a step toward stronger consumer protection, businesses, particularly startups and mid-sized firms, have expressed concerns about the operational burden. Compliance with the DPDP Act requires significant investment in data governance frameworks, consent management systems, and privacy-by-design practices, which may be challenging to achieve within a compressed schedule. 

The DPDP Act, passed in 2023, establishes a comprehensive framework for personal data protection in India, modelled partly on the EU’s General Data Protection Regulation (GDPR). It introduces obligations for data fiduciaries, rights for individuals, and penalties for violations. Under the law, fines can reach up to ₹250 crore for serious breaches. 

📰 Mini Headlines 

• European Commission Proposes EU Digital Networks Act 

The European Commission has unveiled its proposal for an EU Digital Networks Act, introducing seven major changes to strengthen cybersecurity and resilience. Key reforms include expanding obligations for telecom operators, enhancing supply chain security, and imposing stricter riskmanagement requirements on critical infrastructure providers. The proposal also introduces clearer rules for cross-border cooperation, mandatory incident reporting, and stronger enforcement powers for regulators. Industry stakeholders will face higher compliance costs but benefit from harmonised standards across the EU. The Act aims to modernise Europe’s digital framework, ensuring secure connectivity while addressing emerging threats from AI, cloud services, and 5G networks. 

EU Digital Networks Act 

Read More → https://www.insideprivacy.com/data-security/seven-major-changes-in-the-european-commissions-proposal-for-an-eu-digital-networks-act/  

• China Issues New Standards on Personal Data Portability 

China has introduced new national standards governing personal data portability, aimed at strengthening consumer rights and aligning with global privacy practices. The rules, released in January 2026 by the National Information Security Standardisation Technical Committee, set technical and procedural requirements for how companies must allow individuals to transfer their personal data between platforms. The standards cover consent mechanisms, secure transmission protocols, and interoperability guidelines to prevent misuse during transfers. Regulators emphasised that portability enhances user control while promoting competition in digital markets. 

Personal Data Portability 

Read More →  https://www.mlex.com/mlex/data-privacy-security/articles/2434396/china-issues-new-standards-governing-personal-data-portability  

•  Google Settles $68 Million Privacy Lawsuit Over Assistant 

Google has agreed to pay $68 million to settle a lawsuit alleging its Google Assistant unlawfully recorded private conversations without user consent. The case, filed in the U.S., claimed that Assistant devices were triggered inadvertently, capturing sensitive audio data and violating privacy rights. Plaintiffs argued that Google failed to adequately disclose the risks of accidental activation. Under the settlement, Google will compensate affected users and commit to stronger safeguards, including clearer disclosures and enhanced privacy controls.  

Privacy Lawsuit  

Read More → https://www.analyticsinsight.net/news/google-to-pay-68-million-to-settle-data-privacy-lawsuit-over-assistant-recording-private-talks