The DPDP Act: India's new data protection landscape

The Digital Personal Data Protection Act 2023 is the first comprehensive personal data protection legislation in India, enacted in August 2023. It creates a new regulatory infrastructure — the Data Protection Board of India — to enforce its provisions. The DPDP Rules 2025 were notified on 13 November 2025, with phased implementation: the Board was established immediately, consent manager registration applies from November 2026, and full substantive obligations take effect from May 2027.

Scope and extraterritorial application

The DPDP Act applies to the processing of digital personal data of individuals in India, including data collected in digital form and data collected in non-digital form that is subsequently digitised. It also applies extraterritorially to processing outside India in connection with offering goods or services to data principals in India. An AI tool trained on or processing data of Indian users, operated from anywhere, falls within the Act's scope if it relates to services offered to Indian data principals.

Consent under the DPDP Act

Consent is the primary lawful basis. Consent must be: free (not coerced or conditional); specific (to the purpose for which data is collected); informed (with clear notice about what data is collected and for what purpose); unconditional; and unambiguous (expressed through a clear affirmative action). Bundled consents are unlikely to satisfy the specificity requirement. For AI systems, organisations cannot rely on general terms of service consent to cover AI training or profiling — specific consent or a legitimate use provision must apply to each such purpose.

Significant Data Fiduciaries

The government can designate certain organisations as Significant Data Fiduciaries (SDFs) based on data volume, sensitivity, impact on data principals, and risk to children. SDFs will face elevated obligations: appointment of a Data Protection Officer in India; periodic Data Protection Impact Assessments; and independent data audits. Organisations processing large volumes of Indian consumer data (e-commerce, financial services, healthcare, social media) should assess the likelihood of SDF designation and prepare governance infrastructure accordingly.