Verified regulatory developments, MeitY notifications, and legislative milestones — sourced directly from official government publications and established legal reporting.
On January 23, 2026, MeitY held stakeholder discussions with industry leaders proposing two significant changes: (1) shortening the general compliance deadline from May 13, 2027 to November 13, 2026 — a reduction of six months; and (2) fast-tracking the notification of Significant Data Fiduciaries (SDFs) immediately upon notifying an amendment, rather than waiting for the 18-month window. MeitY sought written feedback from industry stakeholders by February 4, 2026. This proposal has not yet been formally notified in the Official Gazette and remains subject to change.
If adopted, e-commerce entities, social media intermediaries, and online gaming platforms would need to implement data retention obligations (1–3 years under Schedule 3 of the Rules) within 90 days of the amendment notification, rather than May 2027.
Four days after the Rules notification, Union Minister for Electronics and IT Ashwini Vaishnaw publicly indicated that the Government intends to compress the DPDPA compliance timeline for large businesses that already comply with stricter global regulations such as GDPR. This statement preceded the formal January 2026 stakeholder consultation on the proposal.
The Ministry of Electronics and Information Technology officially notified the Digital Personal Data Protection Rules, 2025 via Gazette Notification G.S.R. 846(E) on November 13, 2025 (published November 14, 2025). This activated a three-phase enforcement structure:
Phase 1 — Immediate (November 13, 2025): Rules 1, 2 and 17–21 came into force. Sections 18–26 of the DPDPA — establishing the Data Protection Board of India (DPBI), its powers, and its composition — became operative. The Board was notified as a four-member body (Chairperson + Members), with appointments to follow via Search-cum-Selection Committees.
Phase 2 — November 13, 2026: Rule 4 governing Consent Manager registration and obligations comes into force.
Phase 3 — May 13, 2027: All remaining substantive obligations — consent, privacy notice, rights, security safeguards, breach notification, children's data — become enforceable. This followed a public consultation process that received 6,915 inputs from stakeholders including startups, industry bodies, civil society groups, and citizens.
MeitY released the draft Digital Personal Data Protection Rules, 2025 for public consultation via Gazette Notification G.S.R. 02(E), inviting comments and feedback until February 18, 2025 through the MyGov portal. An explanatory note in plain language accompanied the draft to facilitate public understanding. The consultation subsequently received 6,915 inputs — a significant volume that informed the final Rules notified in November 2025.
The Digital Personal Data Protection Bill, 2023 was passed by the Lok Sabha on August 7, 2023 and by the Rajya Sabha on August 9, 2023. President Draupadi Murmu gave her assent on August 11, 2023, enacting the Digital Personal Data Protection Act, 2023 — India's first standalone comprehensive data protection legislation. The Act replaced the IT (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011 under Section 43A of the IT Act, 2000.
A nine-judge Constitution Bench of the Supreme Court of India unanimously held, in Justice K.S. Puttaswamy (Retd.) v. Union of India, that the right to privacy is a fundamental right protected under Article 21 and Part III of the Indian Constitution. The judgement directly directed the Government to establish a formal data protection framework — the constitutional foundation upon which the DPDPA 2023 was built.
Rule 4 of the DPDP Rules 2025 — governing the registration, obligations, and oversight of Consent Managers — is scheduled to come into force on this date (12 months after the Rules notification). From this point, entities wishing to operate as Consent Managers must be registered with the Data Protection Board. Eligibility requires incorporation in India and a minimum net worth of ₹2 crore (approx. ₹20 million). Consent Managers must avoid conflicts of interest with Data Fiduciaries and implement independent certification requirements for platform interoperability.
All remaining substantive provisions of the DPDPA and DPDP Rules become enforceable on this date (18 months after notification), unless the proposed amendment compressing the deadline to November 2026 is formally adopted. This includes: standalone consent notice requirements (Rule 3), Data Principal rights workflows (access, correction, erasure, grievance, nomination), security safeguard obligations, 72-hour breach notification procedures, children's data protections (verifiable parental consent), and Significant Data Fiduciary obligations. Penalties of up to ₹250 crore apply from Day 1 of enforcement.