AIRiskAware


India · 10 min read · 2026

India's DPDP Act and AI: What Organisations Need to Know About the Digital Personal Data Protection Act 2023

India's Digital Personal Data Protection Act 2023 fundamentally changes the data governance landscape for organisations processing data of Indian residents — including through AI systems. Here is the compliance framework to build.


Key Takeaways

  • India's DPDP Act 2023 was enacted in August 2023, and the Digital Personal Data Protection Rules 2025 that bring it into force were notified on 13 November 2025. Obligations phase in over 18 months from that date, with all substantive provisions in force by 13 May 2027. Organisations should build compliance infrastructure now rather than wait for the final phase.

  • The DPDP Act applies extraterritorially: overseas organisations processing personal data of Indian residents in connection with offering goods or services to individuals in India are subject to the Act.

  • Consent under the DPDP Act must be free, specific, informed, unconditional, and unambiguous. Bundled consents — consent to multiple purposes in a single notice — are unlikely to satisfy the specificity requirement for AI training or profiling use cases.

  • Data Principals (individuals) have rights to access their personal data, have inaccurate data corrected and data that is no longer required erased, nominate someone to exercise their rights in the event of death or incapacity, and seek grievance redressal from the Data Fiduciary, escalating to the Data Protection Board if that fails.

  • Significant Data Fiduciaries — organisations designated based on volume and sensitivity of data processed — will face elevated obligations including DPO appointment in India, Data Protection Impact Assessments, and independent audits.

  • The DPDP Act does not include a GDPR-style right to explanation for automated decisions — but consent and access rights create practical mechanisms for individuals to understand and challenge AI-assisted decisions.

"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for guidance on your specific situation."

The DPDP Act applied to AI — what Indian organisations must now do

The Digital Personal Data Protection Act 2023 (DPDPA) was brought into force through the Digital Personal Data Protection Rules 2025, notified by the Ministry of Electronics and Information Technology (MeitY) on 13 November 2025. That notification placed approximately 800 million Indian internet users, roughly 15% of the world's online population, under a comprehensive privacy law for the first time. For organisations using AI to process the personal data of Indian residents (Data Principals), the DPDPA creates obligations that phase in from the notification date and reach full effect on 13 May 2027.

MeitY's IndiaAI Governance Guidelines (November 2025) explicitly addressed how AI fits within the DPDPA framework: rather than creating a separate AI law, India's approach is to extend existing law to AI systems. The crux of the guidelines is that obligations of consent, purpose limitation, and data minimisation under the DPDPA apply directly to AI model training and deployment. This is a major statement of regulatory intent — and it converts the DPDPA into the primary AI compliance framework for India.

The DPDPA compliance timeline

Phase I, effective 13 November 2025. The provisions establishing the Data Protection Board of India (DPB) came into force. The DPB is operational and can receive complaints. Because the substantive obligations on Data Fiduciaries are not yet in force, the Board cannot penalise non-compliance during this phase, although it can begin to examine processing practices.

Phase II — effective 13 November 2026. Provisions pertaining to consent managers (intermediaries that handle consent capture and management for Data Principals) take effect. Consent managers must be registered with the DPB and meet defined requirements.

Phase III — effective 13 May 2027. All substantive provisions of the DPDPA come into force, including specific compliance obligations on Data Fiduciaries. Significant Data Fiduciaries (SDFs) face enhanced obligations including mandatory DPIAs, audits, and DPO appointments.

Core DPDPA obligations for AI deployments

Consent (Section 6). Personal data may be processed on the basis of consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, unless the processing falls within the legitimate uses listed in Section 7 (including data the Data Principal volunteers for a specified purpose, employment purposes, medical emergencies, and certain State and public interest functions). AI training on personal data therefore needs a lawful basis: typically consent for commercial AI, or a specific Section 7 legitimate use in narrower scenarios. The DPDP Rules set detailed requirements for how consent is obtained, recorded and withdrawn, and withdrawing consent must be as easy as giving it.

Notice (Section 5). Before or at the time of requesting consent, Data Fiduciaries must give Data Principals a notice describing: the personal data being collected and the purpose of processing; how to exercise Data Principal rights; and how to lodge a complaint with the DPB. Where the processing is AI-driven, whether model training or automated inference, that purpose belongs in the notice in plain language the Data Principal can understand; a notice that states only a generic service purpose will not support later use of the same data for training.

Purpose limitation. Personal data may only be used for purposes specified in the notice. This creates significant constraints on AI training: training data must have been collected with consent or notice that contemplated AI training. Retrospective AI training on historical personal data without renewed consent creates legal risk.

Data minimisation. Data Fiduciaries must collect only personal data necessary for the specified purpose. AI training data sets that include unnecessary personal data violate this principle. AI systems must be designed for minimal personal data use.

Security safeguards (Section 8(5) and Rule 6). Data Fiduciaries must maintain reasonable security safeguards to prevent personal data breaches, and Rule 6 sets the minimum: encryption, obfuscation, masking or virtual tokens; access control; logging, monitoring and review to detect unauthorised access; backups so that processing can continue; and retention of logs for at least one year. Rule 7 adds breach notification: affected Data Principals and the DPB must be informed without delay, with a detailed report to the DPB within 72 hours, and there is no materiality threshold. For AI systems these safeguards cover the training pipeline, the stored training data and the inference service alike, including copies of training data held outside the primary store.

Data Principal rights (Sections 11 to 14). Data Principals can request a summary of their personal data and of the processing carried out on it, correction of inaccurate or incomplete data, erasure of data that is no longer necessary for the specified purpose, and grievance redressal, and they can nominate another person to exercise these rights. For AI systems, the access right reaches personal data used to train models that affect the individual, and a correction must propagate to any copies that feed training or inference, which presupposes that the organisation can trace which records entered which data set.

Significant Data Fiduciaries — additional AI-specific obligations

The Central Government designates Significant Data Fiduciaries (SDFs) by notification, taking into account the volume and sensitivity of personal data processed, the risk to Data Principal rights, and the potential impact on the sovereignty and integrity of India, electoral democracy, security of the State and public order. For AI-intensive organisations processing personal data at scale (large consumer platforms, fintechs, healthcare AI providers, AI-driven advertising platforms), SDF designation is likely.

SDFs must: appoint a Data Protection Officer based in India; conduct a Data Protection Impact Assessment (DPIA) and an independent audit at least annually; and, where AI-driven decision-making is involved, document the audit trail and impact assessment specifically for the AI processing. The IndiaAI Governance Guidelines emphasise that SDFs operating AI systems carry enhanced accountability, and the DPB can investigate harms caused by AI-driven profiling.

Cross-border data transfer and AI

Section 16 of the DPDPA governs cross-border transfer of personal data. The default rule permits transfer to any country unless the Central Government restricts that country by notification, a notable departure from GDPR's adequacy model. For AI this means that Indian Data Principal data may, at present, be processed by global AI services (OpenAI, Anthropic, Google, AWS) without country-specific restrictions, subject to the general DPDPA obligations that stay with the Indian Data Fiduciary: the vendor is a Data Processor that may only be engaged under a valid contract (Section 8(2)), and the Fiduciary remains answerable for the processor's security and breach handling. Two caveats apply. The Central Government can restrict transfers to specified countries at any time, and the Rules allow it to require SDFs to keep specified categories of personal data within India; either could affect AI vendor selection over time.

Sector-specific overlays

The DPDPA operates alongside sectoral legislation that already touches AI in specific contexts. The RBI's FREE-AI (Framework for Responsible and Ethical Enablement of Artificial Intelligence) Committee report addresses AI in banking and shaped the broader IndiaAI guidelines. The Pre-Conception and Pre-Natal Diagnostic Techniques (PC-PNDT) Act requires review of AI models that analyse radiology images. The Telecommunications Act 2023 contains cybersecurity, critical infrastructure and incident reporting provisions that reach AI systems deployed in telecom networks. The Information Technology Act 2000 and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 govern online platform accountability, including for AI-generated content.

Penalties and enforcement

The DPDPA establishes penalties up to ₹250 crores (approximately USD 30 million) for serious breaches. Penalty tiers cover: failure to take reasonable security safeguards (up to ₹250 crores); failure to notify the DPB of personal data breaches (up to ₹200 crores); failure relating to children's data (up to ₹200 crores); failure to comply with SDF obligations (up to ₹150 crores); and other contraventions (up to ₹50 crores). The DPB can investigate and impose penalties; appeals lie with the Telecom Disputes Settlement and Appellate Tribunal.

Practical roadmap for AI-using organisations

  • Conduct an AI inventory and map each AI system against DPDPA scope: which systems process personal data of Indian Data Principals, and what lawful basis (consent or a Section 7 legitimate use) supports each.

  • Review and update privacy notices so that AI-driven processing, including any model training, is disclosed in language Data Principals can understand.

  • Update consent mechanisms to capture specific, informed consent for AI training and inference separately from the underlying service, and make withdrawal as easy as consent.

  • Assess the likelihood of SDF designation and prepare for the enhanced obligations: an India-based DPO, annual DPIAs and audits.

  • Implement security safeguards aligned with Rule 6 and the IndiaAI Governance Guidelines' technical safeguards, covering training data stores as well as production systems, and rehearse the Rule 7 breach-notification timeline.

  • Document data minimisation in the composition of each AI training data set, recording which fields were excluded and why.

  • Update third-party AI vendor contracts so that the processing the vendor performs is covered by a valid Data Processor contract and by the Fiduciary's own DPDPA obligations.

  • For AI systems that influence significant decisions (credit, hiring, admissions, eligibility), establish algorithmic transparency processes and a grievance redressal mechanism that can trace a decision back to its inputs.

Primary sources: MeitY — Data Protection Framework · EY India — DPDP Act Guide
