Introduction

India's data protection and artificial intelligence regulatory landscape is undergoing a significant and deliberate transformation. Historically, India operated under a fragmented, sectoral framework for privacy, primarily anchored in the Information Technology Act, 2000 and its accompanying rules.

With the enactment of the Digital Personal Data Protection Act, 2023 (the “DPDP Act”) and the subsequent issuance of the Digital Personal Data Protection Rules, 2025 (the “DPDP Rules”), India has now taken a decisive step toward a comprehensive data protection framework, while still preserving a degree of flexibility reflective of its broader economic and policy priorities. At the same time, India has approached artificial intelligence by adopting a policy-driven and sector-specific approach, relying on guiding principles and existing legal frameworks to govern the development and deployment of AI technologies.

For organizations operating in or targeting the Indian market, the phased rollout of the DPDP Rules introduces a transitional compliance period during which both existing obligations (notably under the Information Technology Act and its rules) and forthcoming obligations must be managed at once. Certain provisions, such as those constituting the Data Protection Board of India, took effect on notification of the DPDP Rules in November 2025; the provisions on consent managers follow twelve months later; and the remaining substantive obligations, including notice, consent, security safeguards and breach notification, apply from May 13, 2027, by which date all covered businesses must be in full compliance with the DPDP Act and the DPDP Rules.

This article is part of Reed Smith's ongoing series examining data protection and AI frameworks across major jurisdictions. In this installment, we analyze India's emerging privacy regime, the key compliance obligations under the DPDP Act, and the evolving approach to AI governance.

The Digital Personal Data Protection Act of 2023

Scope and Applicability

The DPDP Act applies to "digital personal data": personal data, defined broadly as any data about an individual who is identifiable by or in relation to such data, that is collected in digital form, or that is collected in non-digital form and subsequently digitized (DPDP Act, Section 3(a)). It does not apply to personal data processed by an individual for personal or domestic purposes, or to personal data that the data principal has made publicly available (DPDP Act, Section 3(c)). The DPDP Act also applies extraterritorially, reaching organizations outside India that process personal data in connection with offering goods or services to data principals within the territory of India (DPDP Act, Section 3(b)).

Data fiduciaries, personal data, and sensitive data

The DPDP Act introduces the concept of a “data fiduciary,” which serves as the functional equivalent of a controller, referring to the entity that determines the purpose and means of processing personal data (DPDP Act, Section 2(i)). A “data processor” processes personal data on behalf of the data fiduciary (DPDP Act, Section 2(k)), while the “data principal” corresponds to the individual whose data is being processed (DPDP Act, Section 2(j)). Although these concepts are familiar, the DPDP Act places primary accountability on the data fiduciary, including responsibility for ensuring that processors comply with applicable requirements.

Notably, unlike many international frameworks, the DPDP Act does not distinguish between categories of personal data (such as “sensitive” or “special category” data), instead applying a uniform set of obligations across all personal data.

In addition, and again unlike some international frameworks, the DPDP Act does not impose direct statutory obligations on data processors, instead requiring data fiduciaries to ensure processor compliance through contractual arrangements and oversight mechanisms.

Processing of personal data

The DPDP Act is a consent-based regime: a data fiduciary may process personal data only if the data principal has consented to the processing or if the processing is for certain "legitimate uses" (DPDP Act, Section 4(1)). Consent must be free, specific, informed, unconditional, and unambiguous, and must be evidenced by a clear affirmative action (DPDP Act, Section 6(1)). Importantly, the DPDP Act departs from frameworks such as the GDPR by not recognizing broad alternative legal bases such as "contractual necessity" or "legitimate interests." Instead, it provides a closed list of legitimate uses, which function as limited statutory exceptions to the consent requirement (DPDP Act, Section 7). These include, among other things, processing for a specified purpose for which the data principal has voluntarily provided the data without indicating that she does not consent, compliance with a court order or with a legal obligation to disclose information to the State, responses to medical emergencies, certain functions of the State, and processing for the purposes of employment or for safeguarding the employer (DPDP Act, Section 7).

The DPDP Act and DPDP Rules impose additional and more prescriptive obligations when processing the personal data of children and of persons with disabilities who have a lawful guardian. A "child" is any individual under the age of eighteen (DPDP Act, Section 2(f)). Data fiduciaries must obtain verifiable consent of the parent or lawful guardian before processing such data (DPDP Act, Section 9(1)), and the DPDP Rules prescribe how that consent is to be verified. In addition, the DPDP Act prohibits any processing that is likely to cause a detrimental effect on the well-being of a child (DPDP Act, Section 9(2)), as well as tracking or behavioral monitoring of children and targeted advertising directed at them (DPDP Act, Section 9(3)). The DPDP Rules carve out limited exemptions from these restrictions for certain classes of data fiduciaries, such as healthcare and educational institutions, and for certain narrowly defined purposes.

Processing notice

Notice obligations under the DPDP Act are a central component of the statutory consent framework. A request for consent must be accompanied or preceded by a clear notice that is presented independently of other information and is sufficiently detailed to enable the data principal to give informed consent (DPDP Act, Section 5(1)). At a minimum, the notice must include an itemized description of the personal data to be processed, the specific purposes for which it will be used, and a clear explanation of the goods, services or functionalities that the processing enables. It must also provide accessible mechanisms, such as links or equivalent tools, through which the data principal can withdraw consent, exercise their statutory rights, and lodge a complaint with the Data Protection Board of India. The data principal must be given the option to access the notice and the consent request in English or in any of the languages specified in the Eighth Schedule to the Constitution (DPDP Act, Section 5(3)). The emphasis on standalone, plain-language, multilingual notice underscores the regulator's focus on transparency and usability rather than formalistic compliance.

Rights of individuals

The DPDP Act grants data principals a set of rights, including the right to obtain information about the personal data being processed and the identities of the data fiduciaries and processors with which it has been shared (DPDP Act, Section 11); the right to correct, complete, update, or erase personal data (DPDP Act, Section 12); the right to withdraw consent at any time, with the ease of withdrawal comparable to the ease with which consent was given (DPDP Act, Section 6(4), (6)); the right to grievance redressal through the data fiduciary and, ultimately, the Data Protection Board of India (DPDP Act, Section 13); and the right to nominate another individual to exercise these rights in the event of death or incapacity (DPDP Act, Section 14).

International data transfers

The DPDP Act adopts a formally permissive approach to international data transfers, subject to government oversight (DPDP Act, Section 16; DPDP Rules, Rule 15). Data fiduciaries may generally transfer personal data outside India, provided that the transfer complies with any restrictions the Central Government imposes by notification on transfers to specific countries or territories (DPDP Act, Section 16). The DPDP Rules further require data fiduciaries to comply with any requirements the Central Government specifies regarding the making available of personal data to a foreign State or to persons or entities under its control (DPDP Rules, Rule 15). In addition, significant data fiduciaries may be required to ensure that categories of personal data identified by the Central Government, on the recommendation of a committee it constitutes, are not transferred outside India (DPDP Rules, Rule 13). Because these restrictions are set by notification rather than in the statute itself, organizations should monitor regulatory developments and maintain flexibility in their data transfer architectures.

Significant data fiduciaries

The Central Government may designate a data fiduciary or class of data fiduciaries as "significant data fiduciaries" based on factors such as the volume and sensitivity of personal data processed, the risk to the rights of data principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State, and public order (DPDP Act, Section 10(1)). Once designated, these entities are subject to enhanced obligations, including the appointment of a data protection officer based in India who is responsible to the board of directors and serves as the point of contact for grievance redressal, the engagement of an independent data auditor, and periodic data protection impact assessments and audits (DPDP Act, Section 10(2); DPDP Rules, Rule 13). The DPDP Rules also introduce an explicit expectation of algorithmic accountability: a significant data fiduciary must observe due diligence to verify that the technical measures it adopts, including any algorithmic software used to process personal data, are not likely to pose a risk to the rights of data principals (DPDP Rules, Rule 13). Designation therefore materially raises the compliance bar, and organizations processing large volumes of personal data in India should assess their exposure to designation in advance.

Data breach

In the event of a personal data breach, the DPDP Act and the DPDP Rules impose a structured and time-sensitive notification regime. Under the Act, a data fiduciary must intimate both the Data Protection Board of India and each affected data principal (DPDP Act, Section 8(6)); unlike the GDPR, there is no risk-of-harm threshold below which individual notification may be omitted. The DPDP Rules specify the mechanics (DPDP Rules, Rule 7). Without delay upon becoming aware of a breach, the data fiduciary must intimate the Board, describing the nature, extent, timing and location of the breach and its likely impact. Within 72 hours (or such longer period as the Board may allow on written request), it must provide updated and detailed information, including the broad facts of the breach, the circumstances and reasons leading to it, the mitigation measures implemented, any findings regarding the person who caused the breach, the remedial measures taken to prevent recurrence, and a report on the intimations given to affected data principals. Affected data principals must themselves be informed without delay, through their user account or any other registered mode of communication, of the nature and extent of the breach, its likely consequences for them, the mitigation measures taken, the safety measures they may take to protect their interests, and the contact details of a person able to respond to their queries. Although no fixed clock is set for individual notification, the "without delay" standard is intended to be read strictly.

It should be noted that other rules, guidelines, and laws may impose parallel and shorter notification timelines. For example, the CERT-In Directions of April 28, 2022 (No. 20(3)/2022-CERT-In), issued under Section 70B of the Information Technology Act, require service providers, intermediaries, data centres, body corporates and government organizations to report specified categories of cyber security incidents to CERT-In within six hours of noticing them. That obligation runs independently of, and in addition to, breach notification under the DPDP framework, so an incident response plan for India needs to account for both clocks.

Enforcement framework

The DPDP Act establishes the Data Protection Board of India as the central enforcement authority, structured as a digital-first, quasi-judicial body designed to handle complaints and regulatory actions through an online adjudication process. The Board is empowered to investigate contraventions, issue directions, and impose monetary penalties.

The DPDP Act establishes a tiered penalty system in which the maximum penalty depends on the nature of the contravention (DPDP Act, Section 33 and the Schedule). The highest tier, up to INR 250 crore (approximately USD 30 million), applies to failure to implement reasonable security safeguards to prevent a personal data breach. Failure to notify the Board or affected data principals of a breach, and breach of the obligations relating to children, each carry a maximum of INR 200 crore; breach of the additional obligations of significant data fiduciaries carries a maximum of INR 150 crore; and any other contravention of the Act or the Rules, which would include processing without valid consent or a legitimate use, carries a maximum of INR 50 crore (approximately USD 6 million). In determining the amount of a penalty, the Board must consider factors such as the nature, gravity and duration of the breach, the type of personal data affected, whether the contravention was repetitive, and the mitigation efforts undertaken.

India's approach to artificial intelligence

In contrast to its increasingly structured data protection regime, India has not yet enacted a comprehensive statutory framework specifically governing artificial intelligence. At present, there is no legally binding definition of "AI" under Indian law, nor is there a formal risk-based classification system comparable to frameworks such as the EU AI Act. Instead, India has adopted a technology-agnostic regulatory approach, relying on existing legal frameworks, including the Information Technology Act, the DPDP Act, and sector-specific regulations, to govern AI-related risks indirectly.

At the policy level, initiatives such as the National Strategy for Artificial Intelligence and the Principles for Responsible AI articulate a set of guiding values, including safety, transparency, accountability, and non-discrimination, but these remain non-binding and are intended primarily to inform future regulatory development. This approach reflects a deliberate effort to balance innovation and regulatory oversight, allowing AI governance to evolve incrementally while targeting high-risk use cases through sectoral intervention rather than comprehensive horizontal legislation.

Conclusion

India's approach to data protection and artificial intelligence reflects a pragmatic and evolving regulatory philosophy. The DPDP Act establishes a modern, consent-driven framework for personal data protection while preserving flexibility through phased implementation and government oversight. For organizations, the key challenge lies in navigating this dynamic landscape. The phased implementation of the DPDP Act provides an opportunity to build compliance frameworks in advance, but also requires careful attention to evolving requirements and regulatory guidance. In particular, organizations should expect that compliance in India will not be a direct extension of existing EU GDPR or U.S. frameworks, but will instead require jurisdiction-specific adjustments, particularly in relation to consent management, data transfer structuring, and government-facing obligations. For guidance on navigating India's privacy and AI landscape and developing a compliance strategy tailored to your organization's operations, please reach out to your Reed Smith attorneys.