AI and Your Rights in India: DPDP Act, Consumer Protection, and What You Can Do When AI Affects You

India's Digital Personal Data Protection Act 2023 creates data rights for Indian residents — including rights over personal data used in AI systems. Here is what those rights are and how to use them.

Key Takeaways

India's DPDP Act 2023 gives individuals (data principals) rights including: access to personal data held about you, correction of inaccurate data, withdrawal of consent, and the right to file complaints with the Data Protection Board.
Organisations must tell you what personal data they collect and for what purposes before or at the time of collection. Consent must be specific — you cannot be required to consent to AI training as a condition of a basic service.
If an AI system has made a decision affecting you, you can request access to the personal data the organisation holds about you and request correction of any inaccurate data.
The Consumer Protection Act 2019 applies to unfair trade practices and product liability for AI-driven consumer products — defective AI products that cause consumer harm may give rise to consumer court claims.
RBI regulations require banks and NBFCs to give specific reasons for credit rejections including AI-driven ones. The Banking Ombudsman Scheme provides a free complaint mechanism for banking-related AI decisions.
The Data Protection Board (to be established under DPDP Act rules) will be the primary complaint authority for data protection violations. Until then, existing consumer and financial regulators provide complaint mechanisms.

"情報提供のみを目的としています。この記事は法律、規制、財務または専門的なアドバイスを構成するものではありません。具体的なアドバイスについては、資格を持つ専門家にご相談ください。"

Your AI rights in India — the DPDP regime and beyond

India's approach to AI regulation is distinctive: instead of a single AI law, India operates a multi-layered regulatory architecture combining the Digital Personal Data Protection Act 2023 (DPDPA), the DPDP Rules 2025 (notified 13 November 2025), MeitY's IndiaAI Governance Guidelines (November 2025), the Consumer Protection Act 2019, sectoral legislation, and the Bhartiya Nyaya Sanhita (BNS) which replaced the IPC. The crux of MeitY's guidelines is that the Government intends to extend existing law to AI rather than enact a new AI law.

As of November 2025, roughly 800 million Indian internet users — about 15% of the world's digital population — came under the DPDP regime when the Rules were notified. The phased rollout means full compliance becomes mandatory by 13 May 2027, giving entities 18 months to prepare. The Data Protection Board of India is operational and accepting complaints from 13 November 2025.

The DPDPA — your rights as a Data Principal

The DPDP Act establishes a "social contract" between Data Principals (individuals) and Data Fiduciaries (organisations processing personal data). Your core rights as a Data Principal include:

Right to consent. Personal data may only be processed if you give explicit, informed consent, or if processing falls within specific legitimate uses defined in Section 7. Consent must be free, specific, informed, unconditional, unambiguous, and given through a clear affirmative action. AI training on personal data is allowed only under clear legal bases with safeguards.

Right to information and access. You can request a copy of the personal data being processed about you, the purpose of processing, and identities of other Data Fiduciaries with whom your data has been shared.

Right to correction and erasure. You can request correction of inaccurate or misleading data, completion of incomplete data, updating of out-of-date data, and erasure of personal data no longer necessary for the purpose collected.

Right of grievance redressal. You can file complaints with the Data Protection Board of India, which has been operational since 13 November 2025 and can investigate and impose penalties.

Right to nominate. You can nominate another individual to exercise your rights in the event of death or incapacity.

How DPDPA applies to AI systems

MeitY's IndiaAI Governance Guidelines (November 2025) explicitly addressed AI regulation under existing law. Key provisions for AI: use of personal data without user consent to train AI models is governed by DPDPA; obligations of consent, purpose limitation, and data minimisation apply to AI model training and deployment; processing of personal data without consent is prohibited unless covered by specific exemptions; sensitive data requires additional safeguards; the Data Protection Board can investigate harms caused by misuse of AI-driven profiling.

Where AI systems influence significant decisions — creditworthiness, hiring, admissions, eligibility, ranking — transparency and fairness expectations substantially increase. Significant Data Fiduciaries (SDFs), classified based on volume, sensitivity, and risk of personal data processing, face additional obligations including mandatory Data Protection Impact Assessments (DPIAs), audits, and appointment of Data Protection Officers.

Consumer Protection Act 2019 — your AI consumer rights

The Consumer Protection Act 2019 protects against unfair trade practices, misleading advertisements, and service deficiencies — and applies fully to AI-enabled commercial activity. The Central Consumer Protection Authority (CCPA) can order corrective measures and levy penalties on misleading AI-related claims. Specific consumer rights enforceable under the Act:

Right against unfair trade practices. Misleading claims about AI capabilities, false representations about AI-driven products or services, and deceptive AI-generated marketing content are unfair trade practices. Recent enforcement priorities have included AI-driven dark patterns and undisclosed automated decision-making.

Right to information. Consumers have a right to information about the quality, quantity, purity, standard, and price of goods and services — extending to AI-enabled products where the AI component materially affects the offering.

Right to choose and be heard. Consumers have rights to make informed choices and to have grievances addressed. This applies to AI-driven recommendations and decisions affecting consumer choices.

IndiaAI Governance Guidelines — seven foundational principles (sutras)

MeitY's guidelines (November 2025) are grounded in seven foundational principles adapted from the Reserve Bank of India's FREE-AI Committee report. These apply across all sectors:

Trust as the Foundation; Innovation as a Priority; Inclusivity as the Compass; Empowerment of People; Human Welfare and Safety; Accountability and Transparency; and Sustainability and Adaptability. The guidelines deliberately favour principle-based governance over prescriptive rules — reflecting India's approach of pragmatic enablement combined with sector-specific oversight where needed.

Sectoral AI governance — additional rights in specific contexts

Healthcare AI. The Pre-Conception and Pre-Natal Diagnostic Techniques (PC-PNDT) Act requires review for AI models analysing radiology images. The Indian Council of Medical Research (ICMR) has issued guidelines on ethical conduct of biomedical research using AI, including "Human in the Loop" requirements, pre-deployment testing standards, informed consent in the context of AI-driven research, and the "Right to be Forgotten" in healthcare AI contexts.

Financial services AI. The Reserve Bank of India (RBI) has issued progressive guidance on AI use in banking and financial services. The RBI's FREE-AI (Framework for Responsible and Ethical Enablement of Artificial Intelligence) Committee report shaped the broader IndiaAI guidelines. Banking and NBFC customers benefit from RBI consumer protection frameworks including grievance redressal mechanisms.

Telecommunications AI. The Telecommunications Act 2023 includes provisions on cybersecurity, critical infrastructure protection, and incident reporting extending to AI systems used in telecoms infrastructure.

Synthetic media. Rules under development for intermediaries on synthetic media labelling and deepfake reporting create additional rights for individuals affected by AI-generated content depicting them.

The BNS — criminal offences relevant to AI misuse

The Bhartiya Nyaya Sanhita (BNS), which replaced the IPC, contains provisions relevant to AI misuse including: criminal liability for impersonation (relevant to AI deepfakes); cyber stalking and online harassment provisions; criminal liability for distributing intimate images without consent (extending to AI-generated content); and provisions on theft and cheating that apply where AI is used for fraud. The Information Technology Act 2000 and Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 provide additional frameworks for online platform accountability.

How to exercise your rights

For DPDPA violations: file a complaint with the Data Protection Board of India through the prescribed mechanism. The Board can investigate, order corrective action, and impose penalties up to ₹250 crores for serious breaches. For consumer rights violations under the Consumer Protection Act 2019: file complaints with the consumer commission at district, state, or national level depending on the value involved; alternatively, file with the Central Consumer Protection Authority for systemic issues. For sectoral issues: approach the relevant sectoral regulator (RBI for banking, TRAI for telecom, IRDAI for insurance). For criminal matters involving AI misuse (deepfakes, impersonation, fraud): file an FIR at the relevant police station or with the cyber crime unit.

Civil society organisations and digital rights groups including the Internet Freedom Foundation (IFF), Software Freedom Law Centre (SFLC), and Centre for Internet & Society (CIS) provide assistance with digital rights matters and can help individuals navigate the regulatory landscape.