India's DPDP Act and AI: What Organisations Need to Know About the Digital Personal Data Protection Act 2023
India's Digital Personal Data Protection Act 2023 fundamentally changes the data governance landscape for organisations processing data of Indian residents — including through AI systems. Here is the compliance framework to build.
Key Takeaways
India's DPDP Act 2023 was enacted in August 2023. Implementing rules and the Data Protection Board of India are expected to be established by mid-2026. Organisations should build compliance infrastructure now — the rules are widely expected to impose significant compliance timelines.
The DPDP Act applies extraterritorially: overseas organisations processing personal data of Indian residents in connection with offering goods or services to individuals in India are subject to the Act.
Consent under the DPDP Act must be free, specific, informed, unconditional, and unambiguous. Bundled consents — consent to multiple purposes in a single notice — are unlikely to satisfy the specificity requirement for AI training or profiling use cases.
Data principals (individuals) have rights to access personal data, correct and erase inaccurate data, nominate someone to exercise rights in incapacity, and file grievances with the Data Protection Board.
Significant Data Fiduciaries — organisations designated based on volume and sensitivity of data processed — will face elevated obligations including DPO appointment in India, Data Protection Impact Assessments, and independent audits.
The DPDP Act does not include a GDPR-style right to explanation for automated decisions — but consent and access rights create practical mechanisms for individuals to understand and challenge AI-assisted decisions.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. For specific advice, please consult a qualified professional."
The DPDP Act: India's new data protection landscape
The Digital Personal Data Protection Act 2023 is the first comprehensive personal data protection legislation in India, enacted in August 2023. It creates a new regulatory infrastructure — the Data Protection Board of India — to enforce its provisions. The DPDP Rules 2025 were notified on 13 November 2025, with phased implementation: the Board was established immediately, consent manager registration applies from November 2026, and full substantive obligations take effect from May 2027.
Scope and extraterritorial application
The DPDP Act applies to the processing of digital personal data of individuals in India — including data collected in digital form, or collected in non-digital form and subsequently digitised. It also applies extraterritorially to processing outside India in connection with offering goods or services to data principals in India. An AI tool trained on or processing data of Indian users, operated from anywhere, falls within the Act's scope if it relates to services offered to Indian data principals.
Consent under the DPDP Act
Consent is the primary lawful basis. Consent must be: free (not coerced or conditional); specific (to the purpose for which data is collected); informed (with clear notice about what data is collected and for what purpose); unconditional; and unambiguous (expressed through a clear affirmative action). Bundled consents are unlikely to satisfy the specificity requirement. For AI systems, organisations cannot rely on general terms of service consent to cover AI training or profiling — specific consent or a legitimate use provision must apply to each such purpose.
Significant Data Fiduciaries
The government can designate certain organisations as Significant Data Fiduciaries (SDFs) based on data volume, sensitivity, impact on data principals, and risk to children. SDFs will face elevated obligations: appointment of a Data Protection Officer in India; periodic Data Protection Impact Assessments; and independent data audits. Organisations processing large volumes of Indian consumer data — e-commerce, financial services, healthcare, social media — should assess the likelihood of SDF designation and prepare governance infrastructure accordingly.