Part 4.4 of 7

India DPDP Act & AI Governance

📚 2-2.5 hours 🎯 Intermediate 📅 Updated January 2026

The Digital Personal Data Protection Act, 2023

India's Digital Personal Data Protection Act (DPDP Act), enacted in August 2023 and progressively coming into force, establishes India's first comprehensive data protection framework. While not AI-specific, its provisions significantly impact AI systems processing personal data of Indian residents.

💡 Regulatory Context

India currently lacks AI-specific legislation. AI governance operates through the DPDP Act, the Information Technology Act 2000, sectoral regulations (RBI, SEBI, IRDAI), and industry self-regulation. MeitY has issued guidance on Responsible AI, but it has no binding legal force.

Key Concepts

  • Digital Personal Data: Personal data that is in digital form or digitized from non-digital form
  • Data Principal: The individual to whom personal data relates (equivalent to GDPR's data subject)
  • Data Fiduciary: Person who determines purpose and means of processing (equivalent to GDPR's controller)
  • Data Processor: Person who processes data on behalf of Data Fiduciary
  • Consent Manager: Person registered with the Board to manage consent on behalf of Data Principal
  • Significant Data Fiduciary (SDF): Data Fiduciary designated by Central Government based on assessment criteria

Territorial Scope

The DPDP Act applies to:

  • Processing of digital personal data within India where collected online or digitized from offline
  • Processing outside India if related to offering goods or services to Data Principals within India

Consent Framework and AI Systems

The DPDP Act establishes consent as the primary lawful basis for processing personal data, with significant implications for AI systems.

Valid Consent Requirements (Section 6)

  • Free: Not obtained through coercion, undue influence, or deception
  • Specific: Related to specified purpose(s) of processing
  • Informed: Data Principal given itemized description of processing purpose, personal data categories, and rights
  • Unconditional: Not bundled with unrelated terms
  • Unambiguous: Clear affirmative action indicating agreement
⚠ AI Training Data Challenge

The specific and informed consent requirements pose challenges for AI development. Consent for training data must specify AI training as a purpose. Broad, general-purpose consent may not suffice, particularly for evolving AI applications.

Legitimate Uses Without Consent (Section 7)

Processing without consent is permitted for certain "legitimate uses":

  • Voluntary provision of personal data by the Data Principal for a specified purpose, where she has not indicated that she does not consent (the 2022 draft called this "deemed consent"; the enacted Act does not use the term)
  • State functions: subsidy, benefit, service, certificate, license, permit
  • Compliance with legal obligations (judgment, decree, order)
  • Response to medical emergency or public health threat
  • Employment purposes (safeguards apply)
  • Public interest purposes specified by regulations

Consent Withdrawal and AI Implications

Data Principals may withdraw consent at any time. Upon withdrawal:

  • Data Fiduciary must cease processing within a reasonable time, and must cause its Data Processors to cease as well, unless the processing is required by law
  • Withdrawal does not affect the lawfulness of processing carried out before withdrawal
  • AI Challenge: a withdrawn record is easy to drop from the next training run, but removing its influence from an already-trained model requires retraining or "machine unlearning", which is technically complex and costly
  • The consequences of withdrawal are borne by the Data Principal (Section 6(5)), so the notice and withdrawal flow should make those consequences clear up front
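The points above (consent specific to a purpose, withdrawal that stops future processing without invalidating past processing, and the knock-on effect on training runs) translate into a fairly concrete engineering requirement: a purpose-bound consent ledger that gates which records enter a training run and flags which records must leave it. The following is an added example, not code from the page or from any regulator; the purpose identifiers (`ai_training`, `service_delivery`), the event shape, and the sample principals are constructed here for illustration.

```python
"""Purpose-bound consent ledger gating AI training data (added example).

Assumptions, not from the DPDP Act or the page: the purpose identifiers,
the grant/withdraw event shape and the sample principals are constructed here.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Literal

Event = Literal["grant", "withdraw"]


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str       # the itemised purpose the Data Principal was told about
    event: Event
    at: datetime       # timezone-aware timestamp of the Data Principal's action


@dataclass
class ConsentLedger:
    events: list[ConsentEvent] = field(default_factory=list)

    def record(self, ev: ConsentEvent) -> None:
        if ev.at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        self.events.append(ev)

    def consent_active(self, principal_id: str, purpose: str, at: datetime) -> bool:
        """True if the latest grant/withdraw for exactly this purpose, at or
        before `at`, is a grant. Consent for another purpose never counts:
        a bundled 'service' consent does not authorise AI training."""
        state = False
        for ev in sorted(self.events, key=lambda e: e.at):
            if ev.principal_id != principal_id or ev.purpose != purpose or ev.at > at:
                continue
            state = ev.event == "grant"
        return state


def select_training_records(ledger: ConsentLedger, records: list[dict],
                            purpose: str, at: datetime) -> list[dict]:
    """Records whose principal holds active consent for `purpose` at time `at`.
    Evaluating at the run's start time makes the snapshot reproducible."""
    return [r for r in records if ledger.consent_active(r["principal_id"], purpose, at)]


def withdrawn_between(ledger: ConsentLedger, purpose: str,
                      since: datetime, until: datetime) -> list[str]:
    """Principals whose consent was active at `since` (previous run) but not at
    `until` (next run). The previous run stays lawful; these records simply
    must not appear in the next one, and the list drives any retraining or
    unlearning decision for the model already trained."""
    principals = {e.principal_id for e in ledger.events if e.purpose == purpose}
    return sorted(p for p in principals
                  if ledger.consent_active(p, purpose, since)
                  and not ledger.consent_active(p, purpose, until))


def _t(month: int, day: int) -> datetime:
    return datetime(2025, month, day, tzinfo=timezone.utc)


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample: A grants then withdraws; B consented only to a
    different purpose; C grants later."""
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("A", "ai_training", "grant", _t(1, 1)))
    ledger.record(ConsentEvent("B", "service_delivery", "grant", _t(1, 5)))
    ledger.record(ConsentEvent("C", "ai_training", "grant", _t(2, 1)))
    ledger.record(ConsentEvent("A", "ai_training", "withdraw", _t(3, 1)))
    return ledger


SAMPLE_RECORDS = [{"principal_id": p, "features": [0.1 * i]} for i, p in enumerate("ABC")]


def demo() -> dict:
    ledger = build_sample_ledger()
    run1 = select_training_records(ledger, SAMPLE_RECORDS, "ai_training", _t(2, 15))
    run2 = select_training_records(ledger, SAMPLE_RECORDS, "ai_training", _t(4, 1))
    return {
        "run1": [r["principal_id"] for r in run1],
        "run2": [r["principal_id"] for r in run2],
        "to_remove": withdrawn_between(ledger, "ai_training", _t(2, 15), _t(4, 1)),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. Eligibility is computed at a fixed timestamp rather than "now", so a training run can be reproduced and audited later against the same ledger state. And the ledger is append-only: a withdrawal is a new event, not an edit of the grant, which preserves the evidence that the earlier run was lawful at the time it happened.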

Data Fiduciary Obligations in AI Context

General Obligations (Section 8)

  • Lawfulness: Process only for lawful purposes with valid consent or legitimate use
  • Purpose Limitation: Use only for consented or legitimate purposes
  • Data Minimization: Collect only data necessary for specified purpose
  • Accuracy: Ensure completeness, correctness, and consistency
  • Storage Limitation: Retain only as long as necessary for purpose (unless required by law)
  • Security: Implement reasonable security safeguards

Notice Requirements (Section 5)

Before or at time of requesting consent, Data Fiduciaries must provide notice containing:

  • Itemized description of personal data sought and processing purpose
  • Manner in which Data Principal rights may be exercised
  • Manner of making complaint to the Data Protection Board
💡 AI Transparency Requirement

When AI processes personal data, the notice should describe AI-based processing. While DPDP Act doesn't mandate Article 22-style automated decision-making disclosures, transparency about AI use is implicit in the "itemized description" requirement.

Significant Data Fiduciary (SDF) Obligations

Organizations designated as SDFs face enhanced obligations:

  • Data Protection Officer: Appoint DPO based in India representing Fiduciary to Board and Data Principals
  • Independent Data Auditor: Appoint auditor to evaluate compliance
  • Data Protection Impact Assessment: Conduct DPIA periodically
  • Algorithmic Due Diligence: Verify that algorithmic software deployed for processing personal data is not likely to pose a risk to Data Principals' rights
✓ Algorithmic Due Diligence Requirement

The Act itself lists periodic DPIAs and periodic audits for SDFs; the DPDP Rules, 2025 add a duty to exercise due diligence over the algorithmic software an SDF deploys. Together these create an assessment obligation that reaches AI decision-making systems used by large data processors, even though the Act does not prescribe the form of an "algorithmic audit".

Cross-Border Data Transfers

The DPDP Act adopts a flexible approach to cross-border transfers, departing from the earlier draft's data localization requirements.

Transfer Framework (Section 16)

  • Personal data may be transferred to any country/territory except those restricted by Central Government
  • Central Government may restrict transfers based on assessment of data protection standards
  • Negative list approach: all transfers permitted unless specifically prohibited
  • No adequacy decisions or standard contractual clauses required (unlike GDPR)

AI Training Data Implications

  • Data for AI model training can flow to permitted jurisdictions
  • AI services provided from abroad can process Indian data (subject to restrictions)
  • Cloud-based AI processing in permitted jurisdictions is allowed
  • Monitor restricted country list - transfers to restricted jurisdictions prohibited
⚠ Evolving Restrictions

The Central Government has power to restrict transfers to any country at any time. Organizations must monitor notifications and be prepared to adjust data flows. Some sectors (banking, healthcare) may face additional localization requirements.

Sectoral AI Regulations in India

While India lacks horizontal AI legislation, sectoral regulators have issued guidance affecting AI in their domains:

🏦

RBI (Banking)

  • AI/ML models for credit scoring require explainability
  • Algorithmic trading regulations
  • Digital lending guidelines
  • Data localization for payment data
  • Outsourcing guidelines for AI vendors
📈

SEBI (Securities)

  • AI/ML in automated trading systems
  • Algo trading registration requirements
  • Risk management for AI systems
  • Disclosure requirements for AI use
  • Robo-advisory regulations
💉

IRDAI (Insurance)

  • AI in underwriting and claims
  • Telematics data usage
  • Fair pricing requirements
  • Anti-discrimination provisions
  • Data handling guidelines
🩺

MeitY (IT Ministry)

  • Responsible AI guidance (non-binding)
  • National AI Strategy (NITI Aayog)
  • AI ethics framework
  • Government AI procurement guidelines
  • Data governance framework

RBI Guidelines: AI in Banking

Key RBI requirements affecting AI, by area:

  • Credit Scoring: Models must be explainable; reasons for adverse decisions must be provided to applicants
  • Digital Lending: Disclosure of the use of algorithms in lending decisions; fair practices code compliance
  • Outsourcing: Due diligence on AI vendors; banks remain responsible for AI system outputs
  • Data Localization: Payment system data must be stored only in India
  • Model Risk: Banks must have a model risk management framework for AI/ML models

Penalties Under DPDP Act

The DPDP Act establishes significant penalties for non-compliance (maximum penalty per violation):

  • Failure to take reasonable security safeguards, resulting in a breach: INR 250 crore (~USD 30M)
  • Failure to notify the Board and affected Data Principals of a breach: INR 200 crore (~USD 24M)
  • Non-compliance with children's data provisions: INR 200 crore (~USD 24M)
  • Non-compliance with SDF obligations: INR 150 crore (~USD 18M)
  • Non-compliance with other provisions: INR 50 crore (~USD 6M)
  • Breach of a voluntary undertaking: up to the penalty applicable to the underlying breach
💡 Penalty Determination Factors

The Board considers: the nature, gravity, and duration of the non-compliance; the type and nature of personal data affected; whether the default is repetitive; whether the person realised a gain or avoided a loss as a result; action taken to mitigate the effects; and whether the penalty is proportionate and effective.

AI Compliance Checklist for India

  1. Consent Management: Implement robust consent collection, recording, and withdrawal mechanisms for AI processing
  2. Notice Requirements: Provide clear notice describing AI processing purposes and data subject rights
  3. Purpose Limitation: Document AI use cases and ensure data used only for consented purposes
  4. Data Minimization: Collect only necessary data for AI training and inference
  5. Security Safeguards: Implement appropriate technical and organizational measures for AI systems
  6. Cross-Border Compliance: Verify data transfer destinations are not restricted
  7. SDF Assessment: Determine if organization qualifies as Significant Data Fiduciary
  8. DPIA: Conduct Data Protection Impact Assessments for AI systems (mandatory for SDFs)
  9. Sectoral Compliance: Comply with RBI, SEBI, IRDAI requirements as applicable
  10. Breach Response: Establish breach notification procedures (notify affected Data Principals and the Board without delay; the DPDP Rules require a detailed report to the Board within 72 hours)

📚 Key Takeaways

  • India's DPDP Act is consent-centric with limited legitimate use exceptions; AI training on personal data generally requires consent that names training as a purpose
  • Significant Data Fiduciaries face enhanced obligations including mandatory DPIAs and algorithmic audits
  • Cross-border transfers are permitted to all countries except those specifically restricted by Central Government
  • Sectoral regulators (RBI, SEBI, IRDAI) impose additional AI-specific requirements in their domains
  • RBI requires explainability for AI credit scoring models and fair practices in digital lending
  • Penalties can reach INR 250 crore (approximately USD 30 million) for serious violations
  • Organizations should monitor sectoral guidance as India's AI regulatory framework continues to evolve