India's DPDP Act 2023: What It Means for AI Systems
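The DPDP Rules were notified in November 2025. A three-phase implementation plan brings the framework fully into force in May 2027. An essential guide for organisations operating in India.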
Key Takeaways
India's Digital Personal Data Protection Act 2023 establishes comprehensive data protection obligations for any organisation processing personal data of Indian residents — including AI systems.
The DPDP Act creates a consent-based framework with purpose limitation, data minimisation, and accuracy requirements that directly constrain AI training and inference pipelines.
India's Data Protection Board will be the primary enforcement authority. Financial penalties under the DPDP Act can reach Rs 250 crore (approximately USD 30 million) for significant violations.
Children's data receives special protection under the DPDP Act — AI systems that may process data about minors (under 18) must obtain verifiable parental consent and are subject to additional restrictions.
Indian technology companies building AI products and global companies processing Indian user data must map their AI data flows against DPDP Act obligations. Many common AI training practices require reassessment.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. For specific advice, please consult a qualified professional."
The DPDP Act and Rules: the accurate timeline as of 2026
India's Digital Personal Data Protection Act was passed by Parliament in August 2023, but the implementation framework that makes it operational was not notified until November 2025. On 13 November 2025, MeitY notified the DPDP Rules 2025 and established the Data Protection Board of India (DPBI). This is the date when India's comprehensive data protection framework became real — not August 2023.
Implementation is phased across three tranches. Phase 1 (effective 13 November 2025): establishment of the Data Protection Board and administrative provisions. Phase 2 (effective 13 November 2026): registration of consent managers and DPBI investigative powers for consent manager obligations. Phase 3 (effective 13 May 2027): all substantive provisions — the consent framework, privacy notices, data principal rights, security obligations, breach notification requirements, and penalties. Full enforcement readiness should be in place by May 2027.
What the DPDP framework requires of AI systems
The DPDP Act's consent-based architecture has direct implications for AI systems. AI systems that process personal data of Indian residents — any person identifiable from the data, wherever that data is processed — must comply with the Act's framework from May 2027.
The consent obligation requires informed, specific, and unambiguous consent before personal data is collected or processed. For AI training pipelines, this means that using existing customer or user data to train AI models requires either valid consent obtained at the time of collection that covers this use, or a statutory exception. The DPDP Act's legitimate use provisions are more limited than GDPR's legitimate interests basis — they cover specific government functions, employment, and medical treatment, but not the broad "legitimate interests" category that many AI training pipelines rely on under European law.
Verifiable parental consent is required before processing personal data of children (under 18). AI systems that may process data about minors — including educational AI, gaming, social platforms, and any consumer service — must implement age verification and parental consent mechanisms. The Rules expand on verification requirements and include specific exemptions for child protection, educational administration, and government welfare services.
Extra-territorial scope
The DPDP Act applies to processing of digital personal data within India, and to processing outside India in connection with offering goods or services to data principals located in India. This extra-territorial reach means global technology companies, including those building or deploying AI systems for Indian users from outside India, are within scope. Cross-border data transfers are permitted to all countries except those specifically restricted by the government — no countries have been restricted as of 2026. Significant Data Fiduciaries (large-scale data processors designated by the government) face additional obligations; the government had not yet published the official list of SDFs as of early 2026.
Penalties and enforcement
The DPDP Act's penalty framework is tiered by violation type with caps up to INR 250 crore (approximately USD 30 million) per breach — significant in absolute terms, though structured differently from GDPR's turnover-based model. The Data Protection Board of India became operational on 13 November 2025 when its governance provisions came into force. Meaningful enforcement — including penalties for violations of the substantive consent and rights provisions — begins from May 2027 when Phase 3 provisions take effect.