India tightens the screws on big tech’s data compliance

NEW DELHI: India has flicked the switch on its most muscular data protection regime yet—and the government is already eyeing shorter compliance deadlines for tech behemoths. On 14 November the Digital Personal Data Protection Rules came into force, capping an 18-month public consultation that dragged in 6,915 comments from seven cities across the country.

The framework doesn’t mince words on consequences. Fail to maintain proper security and face fines up to Rs 250 crore. Botch a breach notification or mishandle children’s data and the bill runs up to Rs 200 crore. Even routine violations carry penalties up to Rs 50 crore.

But the initial eighteen-month compliance window—designed to give organisations time to rewire their systems—may shrink for large firms. Ashwini Vaishnaw, minister of electronics and IT, said on Monday the government is in discussions to “compress” timelines for big tech. His logic is sharp: giants like Meta and Google already navigate the European Union’s General Data Protection Regulation. Why can’t they replicate those frameworks faster in India?

“We have been discussing with industry… the first set of rules have been published and this gives reasonable timeframe,” Vaishnaw said. “But we are also in touch with the industry to further compress time required for compliance because exactly the same argument we have given to the industry that you already have compliance framework which is existing in other geographies.”

The minister said industry response has been “quite positive” and promised further amendments once the Data Protection Board—which oversees enforcement—is operational.

The rules themselves enshrine seven principles: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards and accountability. Every organisation hoovering up digital personal data must issue a separate consent notice in plain language. Consent managers—platforms helping people grant or yank permissions—must be based in India.

Citizens get crisp rights: know what data is collected, access it, correct it, update it or demand its erasure. They can nominate someone else to wield these rights on their behalf. Data fiduciaries must respond within ninety days. When breaches happen, affected individuals must be told immediately in plain language with clear guidance on next steps.

Enforcement runs through a digital-first Data Protection Board with four members. Citizens file complaints online and track them through a portal or mobile app. Appeals go to the Telecom Disputes Settlement and Appellate Tribunal.

The compliance calendar is staggered: the Data Protection Board provisions kick in immediately, the consent manager framework activates after twelve months, and core obligations like user consent notices, security safeguards and breach notifications apply after eighteen months—though that last deadline may soon look very different for the platform giants.

Special protections cover children, requiring verifiable parental consent except for essential services like healthcare or education. Significant data fiduciaries face tougher scrutiny: independent audits, impact assessments and stricter checks on new technologies.

The framework bills itself as “Saral”—simple, accessible, rational and actionable. No legalese fog. No compliance theatre. Just a country hurtling deeper into the digital age, determined to grow its economy without auctioning off its citizens’ privacy. And if the tech titans drag their feet, the government has made clear it won’t wait around.

Indian Television Dot Com Pvt Ltd

Copyright © 2026 Indian Television Dot Com PVT LTD