The Broadband India Forum (BIF) and the India Cellular and Electronics Association (ICEA) have urged the Ministry of Electronics and Information Technology (MeitY) against accelerating enforcement timelines of the Digital Personal Data Protection (DPDP) framework, saying a compressed rollout could undermine regulatory certainty and lead to uneven compliance across the digital ecosystem.
BIF counts global technology and telecom companies among its members including Apple India, Google, and Samsung. Members also include satellite operators, internet service providers, multi-system operators, startups, and small and medium enterprises.
TV Ramachandran, president, BIF, told ET that a key strength of the DPDP framework lies in its phased and consultative rollout designed to allow organisations across sectors and sizes to transition in a structured manner following due process and public consultation. "This approach helps support effective compliance," he said.
Ramachandran however said any advancement of the earlier agreed enforcement timelines, especially relating to data retention, erasure, cross-border transfer restrictions would be quite disruptive as it would force companies to return to the starting point for redesigning internal compliance timelines and reassess planned investments. This could be retrograde for customer interests, he said.
In its submission to the ministry, a copy of which was seen by ET, BIF said the strength of the DPDP Act, 2023 and the DPDP Rules, 2025 lies in their phased and consultative implementation, which was designed to give firms adequate time to rework systems, processes, and governance structures.
Echoing similar concerns, Pankaj Mohindroo, chairman of ICEA, said global experience shows that effective data protection depends not only on the strength of the law, but on the realism of its implementation. "Phased transition timelines and clear operational guidance are vital to enable organisations to build durable, auditable compliance systems," he said.
ICEA is the apex industry body for mobile and electronics manufacturing in India, with members including top global and domestic companies like Apple, Xiaomi, Huawei, and Vivo.
BIF said companies are already complying with lawful data access and law-enforcement requests under existing IT laws, and these mechanisms continue to operate during the transition to the DPDP regime.
Industry estimates suggest DPDP compliance could raise technology and governance costs by 10–30% for many firms, with large platforms requiring to re-engineer hundreds of databases and storage environments across multiple geographies.
Infrastructure constraints were flagged as a major bottleneck. BIF pointed out that procurement, deployment and testing of additional server capacity and data-centre upgrades typically take 12-18 months, timelines that are difficult to compress without risking system instability. Smaller companies and MSMEs, while operating at lower scale, face their own challenges due to limited budgets, dependence on third-party vendors and lack of in-house expertise.
The submission to Meity also raised concerns over breach notification and data principal rights. Large digital services may need to process thousands of breach alerts and user requests each month, requiring sophisticated monitoring tools and trained teams. Shortened timelines, BIF said, could lead to incomplete monitoring, delayed notifications, and inadvertent non-compliance, ultimately eroding user trust.
Citing a January 2026 EY industry readiness study, BIF said about 83% of companies haven’t yet reached even an intermediate level of DPDP preparedness. Many are still assessing gaps and designing controls, while the ecosystem of DPDP-ready vendors and skilled privacy professionals remains nascent.
BIF urged the government to preserve the originally-planned phased rollout, arguing that meaningful compliance requires time for development, testing and stabilisation. Rushing the process, it said, could increase the risk of errors, higher long-term costs and unintended privacy breaches, outcomes at odds with the objectives of the DPDP framework itself.
BIF counts global technology and telecom companies among its members including Apple India, Google, and Samsung. Members also include satellite operators, internet service providers, multi-system operators, startups, and small and medium enterprises.
TV Ramachandran, president, BIF, told ET that a key strength of the DPDP framework lies in its phased and consultative rollout designed to allow organisations across sectors and sizes to transition in a structured manner following due process and public consultation. "This approach helps support effective compliance," he said.
Ramachandran however said any advancement of the earlier agreed enforcement timelines, especially relating to data retention, erasure, cross-border transfer restrictions would be quite disruptive as it would force companies to return to the starting point for redesigning internal compliance timelines and reassess planned investments. This could be retrograde for customer interests, he said.
In its submission to the ministry, a copy of which was seen by ET, BIF said the strength of the DPDP Act, 2023 and the DPDP Rules, 2025 lies in their phased and consultative implementation, which was designed to give firms adequate time to rework systems, processes, and governance structures.
Echoing similar concerns, Pankaj Mohindroo, chairman of ICEA, said global experience shows that effective data protection depends not only on the strength of the law, but on the realism of its implementation. "Phased transition timelines and clear operational guidance are vital to enable organisations to build durable, auditable compliance systems," he said.
ICEA is the apex industry body for mobile and electronics manufacturing in India, with members including top global and domestic companies like Apple, Xiaomi, Huawei, and Vivo.
BIF said companies are already complying with lawful data access and law-enforcement requests under existing IT laws, and these mechanisms continue to operate during the transition to the DPDP regime.
Industry estimates suggest DPDP compliance could raise technology and governance costs by 10–30% for many firms, with large platforms requiring to re-engineer hundreds of databases and storage environments across multiple geographies.
Infrastructure constraints were flagged as a major bottleneck. BIF pointed out that procurement, deployment and testing of additional server capacity and data-centre upgrades typically take 12-18 months, timelines that are difficult to compress without risking system instability. Smaller companies and MSMEs, while operating at lower scale, face their own challenges due to limited budgets, dependence on third-party vendors and lack of in-house expertise.
The submission to Meity also raised concerns over breach notification and data principal rights. Large digital services may need to process thousands of breach alerts and user requests each month, requiring sophisticated monitoring tools and trained teams. Shortened timelines, BIF said, could lead to incomplete monitoring, delayed notifications, and inadvertent non-compliance, ultimately eroding user trust.
Citing a January 2026 EY industry readiness study, BIF said about 83% of companies haven’t yet reached even an intermediate level of DPDP preparedness. Many are still assessing gaps and designing controls, while the ecosystem of DPDP-ready vendors and skilled privacy professionals remains nascent.
BIF urged the government to preserve the originally-planned phased rollout, arguing that meaningful compliance requires time for development, testing and stabilisation. Rushing the process, it said, could increase the risk of errors, higher long-term costs and unintended privacy breaches, outcomes at odds with the objectives of the DPDP framework itself.
