Data privacy considerations surrounding AI use in India
AI is being rapidly adopted in India, transforming industries. The Internet and Mobile Association of India projects India’s AI market will reach USD8 billion by 2025 due to this accelerated adoption. This integration spans beyond large enterprises, incorporating AI productivity tools into organisational workflows. These tools are trained on extensive datasets, including personal information, raising risks of inadvertently inputting sensitive data. Consequently, this poses significant privacy, security and compliance concerns, which must be assessed within India’s evolving data protection legal landscape.
Ameet Datta
Managing Counsel
ADP Law Offices
E: ameet@adplawoffices.com
While the Digital Personal Data Protection Act, 2023 (DPDP Act) was enacted in 2023, it has not come into force yet. Several provisions of the DPDP Act will be operationalised through delegated legislation, or “rules”. The Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Personal Data Protection Rules, 2025 (draft DPDP rules) in January 2025 for public consultation. Until the new law and its rules come into force, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (SPDI rules) of the Information Technology Act, 2000, will remain in force. However, the SPDI rules and the DPDP Act do not apply to non-personal data.
AI tools/applications will be governed under the DPDP Act. Since the DPDP Act applies to the “processing” of digital personal data, which includes “a wholly or partly automated operation or set of operations performed on digital personal data”, it is likely to apply to any AI-based processing of personal data, requiring data fiduciaries to comply with the DPDP Act while deploying AI tools.
Given the broad definition of the term “processing”, the DPDP Act will also apply to instances where personal data is collected and processed for the development and training of AI models.
Jasman Dhanoa
Senior Associate
ADP Law Offices
E: jasman@adplawoffices.com
Exemption from the applicability of the DPDP Act. The DPDP Act does not apply to personal data made publicly available by the data principal, or any other person under a legal obligation to make personal data publicly available. Accordingly, the DPDP Act and any obligations thereunder would not apply to personal data sourced by AI applications/tools from web scraping (of publicly available online resources).
The DPDP Act will also not apply in cases where the AI tool is processing personal data for “research, archiving or statistical purposes”, and is not using such data to take any decision specific to a data principal, provided that such processing is carried on per prescribed standards.
Basis of processing of personal data. Personal data can be processed based on two grounds under the DPDP Act: consent, or non-consent, based on “certain legitimate uses” identified in the DPDP Act, namely, compliance with legal obligations, fulfilment of statutory duties by government agencies, medical emergencies, threat to public health, employment purposes, etc.
This will apply to the development and use of AI and AI-powered tools as well. For this purpose, it is imperative to distinguish between the stages and determine the purpose of processing personal data in the context of AI tools, namely the collection of personal data, structuring, training, user input/prompts and generation of output.
Rishikaa
Senior Associate
ADP Law Offices
E: rishikaa@adplawoffices.com
To effectively utilise AI tools, it is essential to prioritise consent requirements unless the processing is justified by “certain legitimate uses”. When consent is the basis for processing, obtaining explicit and informed consent through clear affirmative action from data principals will be mandatory. Merely updating the privacy policy to pre-select opt-in options will be insufficient. Data principals must have the chance to give their consent clearly and unambiguously. Additionally, the ability to withdraw consent must be as easy as the initial consent process.
The DPDP Act will not apply if the personal data is anonymised before processing.
AI tools present challenges, notably the “black box” issue that undermines transparency. The opaqueness in AI processing and decision making impedes appropriate disclosures about personal data handling, hindering informed consent. A significant challenge is the right to withdraw consent, which requires the deletion of personal data unless retention is legally mandated. Therefore, retention policies must align with withdrawal requests.
Determine the relationship between data fiduciaries and data processors. Determining the relationship between the entities that develop and deploy AI tools is imperative, particularly when an entity integrates third-party tools into its workflows. This is because the DPDP Act holds a data fiduciary responsible for compliance with the provisions of the law, including any processing undertaken by a data processor engaged by it under a valid contract.
According to the DPDP Act, a data fiduciary is an entity that, alone or in conjunction with another entity, determines the means and purpose of processing personal data. While the DPDP Act does not specifically recognise joint data fiduciaries, the definition of a data fiduciary is broad enough to include joint data fiduciaries within its scope.
Accordingly, if one entity determines the purpose and another determines the means of processing personal data, then both entities would be considered data fiduciaries and would be responsible for complying with the provisions of the law. This determination is crucial for attributing legal obligations and responsibilities, and for allocating risk between the parties involved in the development, deployment, and use of AI and AI productivity tools.
Obligations of data fiduciaries and significant data fiduciaries (SDFs). The DPDP Act imposes various obligations on a data fiduciary. For instance, the data fiduciary is responsible for implementing appropriate technical and organisational measures and reasonable security safeguards, notifying the affected data principal and the Data Protection Board of India in the event of a personal data breach, and retaining personal data in accordance with the DPDP Act, among other responsibilities.
These obligations are increasingly pertinent in the context of AI tools. Entities must ensure that AI tools are trained on high-quality, representative datasets to prevent bias. Furthermore, privacy enhancing technologies should be adopted to avoid the reinforcement of bias in any form, and to safeguard datasets from tampering or adversarial manipulation to ensure fairness.
Entities notified by the government as SDFs would be required to comply with additional obligations such as conducting periodic algorithmic audits and data protection impact assessments (DPIAs) to detect and mitigate bias. The draft DPDP rules propose that SDFs should also observe due diligence to verify that any algorithmic software they deploy for processing personal data is unlikely to pose risks to the data principals.
Exercise of rights by data principals. The DPDP Act affords certain rights to the data principals if their personal data is processed by any AI or AI-productivity tool. In instances of consent-based processing of personal data, the data principal will have the right to access information, as well as the right to correction, completion, updating and erasure.
Given the complexities of AI-driven processing, facilitating the exercise of these rights can be challenging in certain situations depending on the deployment stage and use of AI tools. For instance, AI tools, particularly GenAI tools, may potentially process the personal data of a vast number of people during the development of their foundational models, making it almost impossible to determine whose personal data is being processed within the model’s learned outputs.
For example, the right to erasure or rectification of personal data would require the data fiduciary to deploy AI tools to identify the specific data set containing the personal data of the data principal concerned, which may not be feasible. Other issues such as processing personal data dynamically on a real-time basis, processing within the black box, hallucinations, and generating inaccurate or biased outputs further complicate how rights can be exercised by data principals.
The inability to facilitate the exercise of rights may also lead to a situation where the operation of an entire model and the algorithms that it was trained on may be compromised because they do not comply with data protection law. This necessitates implementing effective AI governance mechanisms and appropriate measures, both while determining the means of processing and during the processing, to effectively comply with the law and protect individual rights.
Conclusion
As the adoption of AI tools surges across various industries in India, it will be crucial to strike a balance between fostering innovation and addressing the pressing concerns of data privacy. The DPDP Act lays a strong foundation for safeguarding personal data in India.
However, to truly evaluate its effectiveness in the context of AI technologies, we must observe the law’s application in real-world scenarios and expedite the finalisation of the accompanying delegated legislation.
While the government is taking various initiatives in respect of AI, concerns remain regarding the applicability of existing regulatory frameworks in India, or the adoption of a new law to govern the adoption and use of AI. By proactively addressing these concerns, we can ensure that India’s legal and regulatory landscape keeps pace with the rapid evolution of this transformative technology.
ADP Law Offices
B-809, ATS Bouquet, Sector 132, Noida
Uttar Pradesh – 201 304, India
T: +91-120-4462881
E: info@adplawoffices.com