“Indigo Lesson” for DPDPA

Posted on December 7, 2025 by Vijayashankar Na

The Indigo fiasco is a good education for all organizations and the MeitY regarding DPDPA Compliance  deadline which comes on 13th May 2027.

The problem of INDIGO was directly related to their stubborn attitude to refuse regulatory compliance  and challenging the Government much the same way as Meta, Amazon or Google or X would like to do for the implementation deadline under DPDPA.

Given the fact that  Indigo refused to make arrangements for compliance even though 2 years was available for planning and implementation and tried to stall the implementation with Court cases, the Ministry was unable to foresee the game plan and even now is struggling to force Indigo to take corrective action.

Since there was prima facie evidence of deliberate negligence as claimed by the pilots, there was a case for criminal action against the CEO of the company who should have been arrested immediately (Could have been released on bail to initiate further action after which the case could have been withdrawn). But the Ministry of Civil Aviation was not strong enough to do it.

In the DPDPA case also, though 2 years is available, many of the organizations could raise objections in the court a few months before the deadline and force the Government to extend the due date. There is no guarantee that MeitY will be more committed than the Ministry of Civil Aviation in enforcing compliance.

Hence it is necessary for DPB to keep following how the major companies are moving towards compliance in the interim period from now to next 17 months and push organizations to show their preparations.

The SEBI should indicate  that under Clause 49 declaration, every listed company should declare the “DPDPA Non Compliance Risk” in their annual reports. Those companies who donot come under such listed companies must be pushed by the sectoral regulators to file an Action Taken Report for DPDPA Compliance every quarter from now onwards.

Share holders of companies should also raise this issue in AGMs. Media should try to track the implementation efforts independently so that we donot see a crisis on May 13, 2027 when a company may say “I am not compliant and will cause disturbance in the society if I am forced.”

Hope Meity and DPB will take appropriate Technical and Governance measures to ensure Compliance by the specified date.

FDPPI has a “Privacy Watch” page where public can report any of their observations on apparent violations so that a record can be kept of any deliberate challenge being mounted on the Government rejecting the compliance requirements.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Privacy. Bookmark the permalink.