Enforcement Over Optics

India’s move to consider shortening the compliance window for Big Tech companies under the Digital Personal Data Protection Act, 2023, from 18 months to 12 months is not merely an administrative adjustment. It reflects a deeper shift in how the Indian state now perceives the balance of power between sovereign regulation and global technology platforms. For years, India’s digital economy grew faster than its legal frameworks, creating a landscape where platforms harvested vast amounts of personal data while operating in regulatory grey zones. The notification of data protection rules last year was meant to close that gap, eight years after privacy was recognised as a fundamental right by the Supreme Court. Compressing timelines for the largest data handlers signals that the government is no longer willing to allow prolonged transition periods to become a substitute for accountability. In an era where data shapes markets, elections and public opinion, regulatory hesitation carries its own risks.

The logic behind differentiated compliance timelines is difficult to fault. Companies likely to be designated as “significant data fiduciaries” are not fragile startups navigating survival; they are among the most capitalised and legally sophisticated corporations in the world. Most already comply with stringent privacy regimes in Europe and other jurisdictions, maintain dedicated data governance teams, and conduct regular impact assessments as part of global best practice. To argue that these firms need extended accommodation in India risks conflating convenience with necessity. A graded framework that imposes stricter obligations on those processing large volumes of sensitive personal data is consistent with the principle of proportional regulation. It also reflects a maturing regulatory philosophy—one that recognises that equal treatment does not always produce equitable outcomes. If the state believes that certain platforms pose higher risks to electoral integrity, public order or national security, it is reasonable for them to face faster and tighter oversight.

However, speed alone does not make regulation effective. The most sensitive element of the proposed fast-tracking is data localisation, a provision that has long divided policymakers and industry. Keeping certain categories of personal and traffic data within India’s borders may strengthen domestic enforcement and reduce exposure to foreign surveillance, but it also introduces costs, technical complexity and potential friction with global data flows. The plan to empower a government committee to decide which data must remain local places enormous responsibility on executive discretion. If these decisions are opaque or expansive, they could undermine confidence and invite legal challenges. For localisation to work, it must be narrowly tailored, technologically informed and transparently justified. Otherwise, it risks becoming an instrument of control rather than protection, weakening the very trust that privacy law is meant to build.

Beyond corporate compliance, the credibility of India’s data protection regime rests on its symmetry. The DPDP Act has faced sustained criticism for granting wide exemptions to government agencies on grounds such as national security, public order and friendly relations with foreign states. These categories are not unique to India, but their breadth, coupled with the absence of strong independent oversight, raises legitimate concerns. A privacy framework that holds private platforms to rigorous standards while allowing the state sweeping latitude risks appearing selective. This concern is amplified by fears that the law could dilute the Right to Information framework by restricting access to personal data held by public authorities. If citizens are to trust that their data is protected, the state must demonstrate restraint, proportionality and transparency in its own data practices. Strong laws gain legitimacy not through enforcement alone, but through consistent application.

Ultimately, the challenge before India is not whether it can compel Big Tech to comply faster, but whether it can sustain a regulatory culture that is firm, fair and predictable. The temptation to announce tough measures is often stronger than the capacity to enforce them over time. Corporate pushback, diplomatic pressure and fears of dampening investment will test the government’s resolve. Yet the larger stakes extend beyond any single timeline. Data protection is foundational to digital citizenship, economic trust and democratic resilience. If India can enforce its law without dilution, resist exemptions that weaken its moral authority, and refine its rules through consultation rather than confrontation, it has an opportunity to shape a distinct regulatory path—one that reflects both its scale and its constitutional values. The decision to shorten the compliance clock may be the right one. But in digital governance, what matters more than how fast the clock runs is whether the rules hold when the pressure mounts.