Does the DPDP Act lay new guardrails for India’s AI ecosystem

The Digital Personal Data Protection Act (DPDPA) is a significant milestone in India’s digital transformation journey, establishing a comprehensive legal framework for safeguarding personal data.

By defining clear rules for data usage, privacy protection, and technology-enabled compliance, the Act is poised to strengthen India’s AI mission by fostering greater trust, accountability, and innovation across the rapidly expanding AI ecosystem.

Decoding the DPDP Act?

Enacted in August 2023, the DPDPA is India’s first holistic legislation governing the protection of digital personal data. It outlines the principles and requirements for how organisations collect, process, store, and transfer the personal data of Indian citizens.

The Act grants individuals, the “data principals”, rights such as consent, correction, erasure, and grievance redressal, while simultaneously placing obligations on organisations or data fiduciaries to ensure lawful data processing, maintain adequate safeguards, and report data breaches in a timely manner.

Provisions for Data Privacy and AI

For AI companies, the DPDPA’s rules on consent and lawful processing require that personal data used for training or model development be collected with explicit consent or on a legal basis. This ensures that AI systems do not rely on datasets obtained without user awareness or approval.

Organisations operating at scale or handling sensitive or high-risk data may be classified as Significant Data Fiduciaries (SDFs). This designation comes with additional governance measures, including mandatory Data Protection Impact Assessments to evaluate risks, independent audits, and stronger technical safeguards—all vital for AI models that rely on vast, diverse datasets.

The Act also acknowledges the importance of research by offering controlled exemptions for scientific, statistical, and archival work. This means AI researchers may study anonymised or minimally intrusive data, provided privacy is not compromised.

Further, the government can impose conditions or restrictions on the sending of personal data outside India. This has direct implications for AI systems trained on global datasets, making compliance planning essential for companies that rely heavily on cross-border infrastructure.

At the same time, the DPDPA introduces graded compliance requirements, which are particularly beneficial for startups. By tailoring obligations to an organisation’s size and data-use risks, the Act encourages innovation without overwhelming smaller AI firms with heavy regulatory burdens.

How the DPDPA Supports India’s AI Mission

The DPDPA strengthens public confidence in AI systems by ensuring that data used for training or deployment is handled ethically and transparently. This is especially important in sensitive areas such as digital health, fintech, or public service delivery, where AI systems frequently rely on personal or behavioural data.

The Act’s structured approach to research and differentiated compliance for SDFs encourages responsible experimentation, model training, and deployment of AI technologies while ensuring robust safeguards.

By aligning with international data protection standards such as the GDPR, the DPDPA also improves India’s global competitiveness. Indian AI companies can collaborate more easily with overseas partners, access global markets, and reinforce the country’s position as a trusted AI innovation hub.

The Act further accelerates the adoption of privacy-enhancing technologies, including AI-driven tools for compliance automation, monitoring, governance, and cybersecurity. This push not only improves organisational efficiency but also promotes responsible data usage by embedding principles of fairness, accountability, and transparency into AI workflows. Reducing the risks of data misuse or algorithmic bias ultimately improves the credibility of India’s AI ecosystem.

Key Challenges and What Lies Ahead

Despite its strengths, the DPDPA presents several practical challenges. One of the biggest is managing consent at scale, particularly for AI models that train on millions of data points sourced from diverse platforms.

Ensuring that every piece of personal data is processed with valid, verifiable consent will require new operational workflows and possibly new technologies. Much will also depend on the government’s detailed rules and notifications, which are still forthcoming.

The clarity—or lack thereof—on research exemptions, cross-border data policies, and SDF thresholds will significantly influence how organisations interpret and implement the Act.

Another challenge lies in balancing innovation with compliance. If regulations are interpreted too conservatively, organisations may hesitate to invest in new AI models or data-driven products. Conversely, loose interpretation may expose users to privacy risks. The success of the DPDPA will therefore depend on how effectively the ecosystem navigates this balance in the early years of implementation.

The DPDPA marks a pivotal advancement in India’s regulatory landscape, offering essential clarity for data-driven technologies while safeguarding individual privacy and ethical standards. Its balanced and forward-looking approach can significantly bolster India’s AI mission—accelerating innovation, strengthening trust, and positioning Indian enterprises to lead globally in responsible AI development.

Jaspreet Singh is a Partner and Chief Revenue Officer of Grant Thornton Bharat.