
A Primer on Data Regulation and AI Development in India

  • Dr. Deborshi Barat
  • Apr 5
  • 12 min read

Dr. Deborshi Barat*

 

[This post is part of the Data Protection Special Blog series: "Beyond Encryption: Tech & Data Protection". This series will feature blogs, such as the present one, which explore and analyse the reshaping of data security and privacy in an era of evolving technology, legal frameworks and regulations.]

 

Introduction


Defined by the OECD as a machine-based system designed to operate with a certain level of autonomy for the purpose of making predictions, recommendations or decisions for human-defined objectives, artificial intelligence (“AI”) uses technology to automate tasks that normally require sophisticated human-like intelligence. Although AI involves several sub-fields, policymakers mainly focus on automated decision-making or machine learning (“ML”) systems, including on account of the regulatory challenges involved. For instance, there could be concerns about liability, including when automated data processing leads to harm.

 

Businesses engaged with AI/ML-related processes, products and applications may involve a wide variety of entities, including those which:

a) build AI systems and platforms, or develop associated technologies;

b) are involved in research and development (“R&D”) related to AI;

c) are engaged in generating revenue from a product or service driven mainly through AI/ML-based algorithms;

d) primarily have AI-enabled business models; or

e) perform discrete activities within, and/or otherwise operate across, the AI value chain.

 

The rise of AI/ML has been fuelled by a surge in data availability. The data used for training AI models is a critical asset. Accordingly, potential participants and stakeholders in the AI space should conduct due diligence to ensure that the AI entity concerned has necessary rights to collect and use such data. This includes verifying that such entity has (i) obtained valid consents from relevant individuals and entities; (ii) complied with data protection laws; and (iii) established appropriate data governance and security measures to prevent unauthorized access and breaches.

 

This note provides a broad overview of the evolving regulatory framework on data protection in India, including its likely impact on AI development.

 

I. Data


The Digital Personal Data Protection Act, 2023 (“DPDP Act”), published in August 2023, defines ‘data’ in terms similar to the existing Information Technology Act, 2000 (the “IT Act”), i.e., as a representation of information, facts, concepts, opinions or instructions. The DPDP Act adds that the representation must be in a manner suitable for communication, interpretation or processing, whether by human beings or by automated means, which brings both human and automated processing squarely within its scope.

 

The DPDP Act is poised to replace the existing personal data protection regime in India (“Existing Regime”). Although not yet in effect, the DPDP Act is expected to come into force soon. In addition, a draft of the Digital Personal Data Protection Rules, 2025 (“Draft Rules”) was released on January 3, 2025 for public consultation along with an explanatory note. Once notified, the Draft Rules will enable implementation of the DPDP Act. Meanwhile, the IT Act is likely to be replaced by the “Digital India Act”.

 

For general summaries of the DPDP Act and the Draft Rules, respectively, see here and here. For a discussion on the wide applicability of the DPDP Act, see here.

 

Since the DPDP Act and the Draft Rules will influence the development of AI models in India, relevant investors, start-ups and other stakeholders should carefully examine and prepare for compliance with applicable laws. The use of data may also be subject to sector-specific regulations, such as those governing the healthcare, financial, or telecommunications sectors. The AI entity concerned should have necessary licenses, approvals and consents to collect, store, process and use data in compliance with such regulations.

 

According to a December 2017 white paper released by a Government-constituted expert committee, data which is viewed as non-personal information can be combined with other datasets to create personally identifiable information, including via de-anonymization techniques. In this regard, a December 2021 joint parliamentary committee report observed that it is impossible to clearly distinguish between personal and non-personal data.
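The re-identification risk described above can be shown concretely. The following is an added illustration, not code from the article or from the committee reports it cites: a “non-personal” health release with names stripped but quasi-identifiers (postcode, birth year, sex) retained is joined against a separately published list that carries names alongside the same attributes. All records, names and column choices are constructed for the example. The second half shows the standard countermeasure check, k-anonymity, and a crude generalisation step that raises k so the join no longer pins anyone down.

```python
"""Quasi-identifier linkage attack and a k-anonymity check.

Added example (constructed data, hypothetical names and columns).
Joining an 'anonymized' release with a public list on shared attributes
re-identifies every record whose quasi-identifier tuple is unique on
both sides. Generalising the attributes until every tuple is shared by
at least k records defeats the join.
"""
from collections import defaultdict

QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")

# Release with direct identifiers removed but quasi-identifiers intact.
ANONYMIZED_RELEASE = [
    {"postcode": "560072", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "560034", "birth_year": 1986, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "560001", "birth_year": 1990, "sex": "F", "diagnosis": "migraine"},
    {"postcode": "560001", "birth_year": 1990, "sex": "F", "diagnosis": "anaemia"},
    {"postcode": "560034", "birth_year": 1975, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "560072", "birth_year": 1978, "sex": "M", "diagnosis": "arthritis"},
]

# Separately published list (e.g. a membership roll) that carries names.
PUBLIC_ROLL = [
    {"name": "A. Rao",   "postcode": "560072", "birth_year": 1984, "sex": "F"},
    {"name": "B. Singh", "postcode": "560034", "birth_year": 1986, "sex": "F"},
    {"name": "C. Das",   "postcode": "560001", "birth_year": 1990, "sex": "F"},
    {"name": "D. Iyer",  "postcode": "560001", "birth_year": 1990, "sex": "F"},
    {"name": "E. Khan",  "postcode": "560034", "birth_year": 1975, "sex": "M"},
    {"name": "F. Mehta", "postcode": "560034", "birth_year": 1975, "sex": "M"},
    {"name": "G. Nair",  "postcode": "560072", "birth_year": 1978, "sex": "M"},
]


def qi_key(record, qis=QUASI_IDENTIFIERS):
    """The quasi-identifier tuple used as the join key."""
    return tuple(record[q] for q in qis)


def group_by_qi(records, qis=QUASI_IDENTIFIERS):
    """Equivalence classes: records sharing the same quasi-identifier tuple."""
    groups = defaultdict(list)
    for r in records:
        groups[qi_key(r, qis)].append(r)
    return groups


def linkage_attack(release, roll, qis=QUASI_IDENTIFIERS):
    """Return {name: diagnosis} for every record the join pins down uniquely.

    A link is certain only when exactly one release row AND exactly one
    roll row share the tuple; otherwise the attacker is left guessing.
    """
    rel, pub = group_by_qi(release, qis), group_by_qi(roll, qis)
    reidentified = {}
    for key, rel_rows in rel.items():
        pub_rows = pub.get(key, [])
        if len(rel_rows) == 1 and len(pub_rows) == 1:
            reidentified[pub_rows[0]["name"]] = rel_rows[0]["diagnosis"]
    return reidentified


def k_anonymity(release, qis=QUASI_IDENTIFIERS):
    """Smallest equivalence class over the quasi-identifiers.

    k == 1 means at least one record is unique and therefore linkable.
    """
    return min(len(g) for g in group_by_qi(release, qis).values())


def generalise(records, postcode_digits=3):
    """Coarsen quasi-identifiers: postcode prefix only, birth year to decade.

    The same transform must be applied to both datasets before comparing,
    since an attacker can coarsen the public list in the same way.
    """
    out = []
    for r in records:
        g = dict(r)
        pc = r["postcode"]
        g["postcode"] = pc[:postcode_digits] + "*" * (len(pc) - postcode_digits)
        g["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out
```

On the constructed data the raw join re-identifies three people (the two-record classes on both sides stay ambiguous), and the release is only 1-anonymous; after generalising postcode and birth year the release is 2-anonymous and the join yields nothing. Real releases need the check run against every plausible auxiliary dataset, not just one, and generalisation alone rarely suffices for high-dimensional data.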

 

For a discussion on the distinction between personal and non-personal data, see here.

 

II. Existing Regime


Distinguishing between ‘personal information’ (“PI”) and ‘sensitive personal data or information’ (“SPDI”), the Existing Regime is based on Section 43A of the IT Act, along with the rules framed under that provision, namely the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”).

 

The SPDI Rules focus on obligations in relation to safeguarding SPDI – as opposed to ‘personal data’ in general. Although focused specifically on SPDI, the SPDI Rules include provisions similar to the DPDP Act, such as (i) compliance requirements (e.g., on notice and consent, disclosures to third parties based on contract or consent, data transfers (including cross-border transfers)); (ii) data protection principles (e.g., purpose and storage limitation, necessity, data minimization); and (iii) individual rights (e.g., to review the data collected, amend/correct such data, withdraw/withhold consent, grievance redressal).

 

Obligations under the Existing Regime apply to any ‘body corporate’ or a person acting on its behalf (“Body Corporate”). Since a wide range of entities fall within this definition, AI-related businesses may need to comply with the Existing Regime as on date wherever SPDI is involved. The SPDI Rules require each Body Corporate to implement and maintain reasonable security practices and procedures (“RSPPs”) while handling SPDI. The SPDI Rules also require each Body Corporate to provide and publish on its website a policy for privacy and disclosure of information.

 

A. Digital India Act and Intermediary Guidelines


While the DPDP Act seeks to omit or amend only certain sections of the IT Act (such as Section 43A), the proposed Digital India Act is expected to repeal the IT Act in its entirety, along with other rules framed under it, such as the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Guidelines”).

 

Until the rollout of the Digital India Act, the Ministry of Electronics and Information Technology (“MeitY”) may amend the Intermediary Guidelines in connection with AI. Further, the Government has been actively considering the advisability of a dedicated regulation on AI. Such regulation may be introduced through a separate chapter (or via specific provisions) of the Digital India Act. According to media reports from February and March 2023, the Government may frame rules for sharing anonymized personal data and non-personal data under this new law– such as in respect of data captured by invasive gadgets.

 

For a discussion on the broad themes likely to be included in the Digital India Act, see here.

 

B. Intermediaries, Safe Harbor and Content


Under the IT Act, an ‘intermediary’ is any entity that receives, stores or transmits electronic records, messages, data or other content (together, “Content”) on behalf of another entity, or provides any service with respect to such Content.

 

Being only passive transmitters of Content, intermediaries have been provided immunity from liability under the ‘safe harbor principle’ contained in Section 79(1) of the IT Act. However, safe harbor may be available to intermediaries only if they satisfy certain conditions (e.g., due diligence in respect of hosting third-party information on their platforms).

 

C. AI Advisories


In March 2024, building on its earlier advisory issued in December 2023, the MeitY issued additional advisories (the “AI Advisories”) on due diligence requirements under the Intermediary Guidelines. The language of the AI Advisories is broad enough to cover all kinds of AI tools and AI-created Content used or generated by users. Such broad-based application could have significant consequences for players in the AI space, given the high standards of due diligence required. While it may still be possible for an intermediary to claim immunity under the safe harbor principle with respect to AI-generated Content, the AI Advisories may impose additional obligations. For a discussion on the AI Advisories, including on intermediary liability, see here.

 

Media reports from 2023 had suggested that the Digital India Act will distinguish between intermediaries and impose varied responsibilities based on separate business models. It is possible that AI tools or AI-enabled platforms will be treated as an independent category. In that regard, the development and deployment of new technologies (e.g., AI) may be subject to rigorous requirements, including by subjecting high-risk AI systems to quality-testing frameworks, algorithmic accountability, threat and vulnerability assessments, and Content moderation.

 

D. Transitioning from the Existing Regime to the DPDP Act


Pursuant to Section 44 of the DPDP Act, certain provisions of statutes other than the DPDP Act will be amended or omitted, such as Section 43A of the IT Act. However, until Section 44 of the DPDP Act is notified, the Existing Regime is likely to remain in force. Since different dates may be appointed for different provisions of the DPDP Act to take effect, some sections of the DPDP Act may operate in parallel with the IT Act and the SPDI Rules for a limited duration.


III. Processing Personal Data


The DPDP Act defines “personal data” and “digital personal data” broadly (for a discussion on what such terms entail, see here and here). Unlike the SPDI Rules, the DPDP Act does not recognize ‘sensitive’ PI as a separate/special category (for a discussion on ‘sensitive’ PI, see here). The SPDI Rules define SPDI as PI relating to certain specified items (other than what is freely available or accessible in the public domain), including financial information (e.g., details of bank accounts, credit/debit cards, or other payment instruments), biometric data, information relating to physical, physiological and mental health conditions, as well as details of sexual orientation, medical records and history.

 

Unlike the SPDI Rules (which do not define the term ‘processing’), the DPDP Act defines ‘processing’ broadly to include any activity among a wide range of operations that AI-related businesses and platforms may routinely and/or systematically perform on digitized PI. Even those operations which involve some amount of human intervention and/or stem from human prompts have been covered under this definition.

 

A. India’s Regulatory Landscape on AI


Given the rapidly evolving nature of technology, India’s approach to AI governance may change in the future. For a discussion on the challenges with respect to AI regulation in India, see here. For an overview of India’s past initiatives on regulating AI, see here. For a summary of key developments on AI in India over the past year (2024), including in respect of intermediary liability, digital competition and telecommunication law, see here.

 

B. Main Entities and Responsibilities under the DPDP Act


While obligations under the SPDI Rules are applicable to each Body Corporate, the DPDP Act distinguishes between a data fiduciary (which determines the purpose and means of processing) and a data processor (which processes PI on a data fiduciary’s behalf). AI-related companies may need to check which of the two categories they fall under in a specific instance. The distinction between the two is important in terms of liability.

 

In general, a data processor may be engaged by a data fiduciary to process PI on the latter’s behalf. However, since data fiduciaries determine the purpose and means of processing, the DPDP Act may hold them accountable even if a data breach and/or an event of non-compliance arises on account of a negligent data processor.

 

While processing tasks can be delegated to a third party, such delegation should only be undertaken pursuant to a valid contract if the processing relates to the offering of goods or services. These contracts will need to be negotiated carefully, including on account of the quantum of penalties involved. AI-related organizations should monitor and review existing contractual arrangements with entities in their supply chains. For a discussion on contracts with data processors, see here.

 

C. Significant Data Fiduciaries


The Government may notify any data fiduciary (or a class thereof) as a “significant data fiduciary” (“SDF”). SDFs are required to comply with additional obligations under the DPDP Act and the Draft Rules. For a discussion on SDFs and their additional obligations, see here.

 

Among other things, SDFs may need to conduct periodic Data Protection Impact Assessments (“DPIAs”) and data audits. SDF classification can influence how companies develop AI models, including with respect to compliance costs and operational burdens. For an analysis of the key evaluative parameters for making SDF classifications, see here and here.

 

D. Potential Relaxations


The DPDP Act permits the Government to declare specified provisions inapplicable to specified classes of data fiduciaries, including start-ups, for a specified period. AI start-ups may therefore be exempted from some obligations under the DPDP Act for a limited time.

 

E. Consent Requirements and Challenges


One of the most prominent features of the DPDP Act is its consent-centric approach, requiring explicit permission from individuals before their PI can be processed. Individuals may give, manage, review or withdraw their consent through a ‘consent manager’. For a discussion on the potential use of consent managers through India’s digital public infrastructure, see here and here.

 

AI developers will need to secure informed consents before using PI for training models. This can complicate the process of data collection, including in cases where extensive and/or curated datasets are required to function effectively (e.g., generative AI systems).

 

Unlike the EU’s General Data Protection Regulation (“GDPR”), the DPDP Act does not recognize contractual necessity or legitimate interests as standalone legal bases for processing PI. Apart from consent, processing is permitted only for the enumerated ‘certain legitimate uses’. This limitation could slow down the pace of AI development in India, especially across sectors that rely heavily on PI, potentially stifling innovation. For a discussion on legal challenges on AI development, see here.

 

F. Data Minimization and Purpose Limitation


The principles of ‘data minimization’ and ‘purpose limitation’ imply that PI should be collected and used only as necessary, and for specified purposes alone. This may restrict the ability of AI models to leverage large datasets for diverse applications, creating challenges with respect to the development of versatile AI systems which can adapt to multiple use-cases. For a discussion on data minimization requirements under the DPDP Act, including with respect to ‘big data’ analytics and AI/ML, see here.

 

G. Exemptions for Publicly Available Data


While the DPDP Act requires consent for most processing of PI (barring certain legitimate uses), it does not apply to PI that the data principal has herself made publicly available, or that has been made publicly available under a legal obligation. This exemption could facilitate AI training through the scraping of public information from social media platforms and other online sources.

 

However, on account of concerns regarding the potential misuse or breach of data, AI organizations may need to ensure that the scraping of publicly available PI complies with other applicable laws and ethical standards.

 

Unlike the GDPR’s Article 14, the DPDP Act does not impose an obligation on data fiduciaries to inform individuals about the use of their publicly available data. Accordingly, public information may be used by businesses in India – including through, or with respect to, AI platforms – for the purpose of training, analytics, evaluation, targeted advertising and profiling. As a result, AI companies may be able to develop models in India more easily than in some other jurisdictions. However, in the event of misuse or overreach, legislative corrections and/or regulatory scrutiny may follow.

 

H. Research Exemptions and Implications


Organizations are allowed to process PI for research, archiving or statistical purposes without adhering to certain obligations of the DPDP Act. However, this exemption is contingent upon compliance with Government-set standards, as currently contained in the Second Schedule of the Draft Rules.

 

In contrast, regulations such as the GDPR permit research as a secondary use of PI without requiring a distinct lawful basis for processing, as long as appropriate safeguards are implemented to protect individual rights. Over time, technical and/or ethical standards may evolve in India to ensure that the DPDP Act’s research-related exemption fosters responsible AI development.

 

I. Compliance Burden and Legal Liabilities


In general, the DPDP Act’s compliance requirements are likely to increase operational costs for AI companies. AI companies may need to invest in robust governance frameworks to ensure adherence to consent management, data retention policies and other obligations. Since non-compliance may result in substantial penalties, AI companies may prioritize compliance over innovation. For an overview on organizational planning for consent management, see here. For an overview of grievance redressal and dispute resolution under the DPDP Act, see here.

 

AI technologies themselves may be able to assist in managing compliance with the DPDP Act. For example, AI could assist with data mapping. For a discussion on data mapping, see here.

 

J. Limited Territorial Scope and Consequences


Since the DPDP Act applies extraterritorially only when data processing is connected to offering goods or services to individuals in India, offshore providers of AI systems which do not directly offer goods or services within India may be able to process the PI of individuals in India without restriction under the DPDP Act, including by profiling them without consent.

 

K. Consent Withdrawal and Data Erasure


The DPDP Act provides data principals with an option to withdraw their consent and requires data fiduciaries to not retain PI once the purpose of processing has been accomplished. When consent is withdrawn, a data fiduciary must ensure that processing stops within a reasonable period, followed by erasure. Further, data principals may ask for their data to be corrected, completed or updated.

 

In this regard, AI companies may find it challenging to purge or amend PI from their systems. Among potential options to address these requirements, ‘Machine Unlearning’ (“MU”) techniques could prove useful, including for large and cost-intensive AI models that are difficult to re-train. The goal of MU is to create an unlearned model which behaves similar to a model re-trained on the same data minus the information that needs to be forgotten/changed.
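The MU goal stated above (an unlearned model indistinguishable from one retrained without the forgotten record) is easiest to see on a model whose training is additive. The following is an added example, not code from the article or from any MU library: a tiny count-based naive Bayes classifier whose parameters are per-class token counts, so a record’s contribution can be subtracted exactly and the result compared against a model retrained from scratch. The training records are constructed. The point of the comparison is the caveat a practitioner needs: this exactness holds only because the parameters are sufficient statistics; gradient-trained models like large neural networks have no such subtraction, which is why the MU literature deals in approximate methods and verification rather than equality.

```python
"""Exact machine unlearning on a count-based classifier.

Added illustration with constructed data. Training is a sum of per-record
counts, so 'forgetting' a record is the same subtraction run in reverse,
and the unlearned model's parameters equal those of a model retrained
without the record. This is the benchmark that approximate MU techniques
for large models try to approach.
"""
import math
from collections import Counter, defaultdict

# Constructed sample data: (record_id, label, text).
TRAINING_RECORDS = [
    ("r1", "spam", "win cash now claim prize"),
    ("r2", "spam", "claim your free prize now"),
    ("r3", "ham", "meeting moved to monday morning"),
    ("r4", "ham", "please review the attached contract"),
    ("r5", "ham", "prize draw results for the team offsite"),
]


def tokenize(text):
    return text.lower().split()


class CountNB:
    """Multinomial naive Bayes whose only state is additive counts."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha                      # Laplace smoothing
        self.class_docs = Counter()             # label -> number of records
        self.class_tokens = Counter()           # label -> total tokens seen
        self.token_counts = defaultdict(Counter)  # label -> token -> count
        self.vocab = Counter()                  # token -> count over all records

    def _apply(self, label, text, sign):
        """Add (sign=+1) or subtract (sign=-1) one record's contribution."""
        if sign < 0 and self.class_docs[label] == 0:
            raise ValueError(f"no {label!r} record to forget")
        toks = tokenize(text)
        self.class_docs[label] += sign
        self.class_tokens[label] += sign * len(toks)
        for t in toks:
            self.token_counts[label][t] += sign
            self.vocab[t] += sign
        # Drop zero entries so an unlearned model compares equal to a
        # retrained one, which never saw those keys at all.
        self.class_docs = +self.class_docs
        self.class_tokens = +self.class_tokens
        self.vocab = +self.vocab
        self.token_counts[label] = +self.token_counts[label]
        if not self.token_counts[label]:
            del self.token_counts[label]

    def learn(self, label, text):
        self._apply(label, text, +1)

    def forget(self, label, text):
        """Exact unlearning: remove the record's contribution."""
        self._apply(label, text, -1)

    def parameters(self):
        """Everything that determines predictions, as plain dicts."""
        return (dict(self.class_docs), dict(self.class_tokens),
                {c: dict(v) for c, v in self.token_counts.items()})

    def log_posterior(self, text):
        n_docs = sum(self.class_docs.values())
        vocab_size = len(self.vocab)
        scores = {}
        for c in self.class_docs:
            lp = math.log(self.class_docs[c] / n_docs)
            for t in tokenize(text):
                lp += math.log((self.token_counts[c][t] + self.alpha)
                               / (self.class_tokens[c] + self.alpha * vocab_size))
            scores[c] = lp
        return scores

    def predict(self, text):
        return max(self.log_posterior(text).items(), key=lambda kv: kv[1])[0]


def train(records, alpha=1.0):
    model = CountNB(alpha)
    for _, label, text in records:
        model.learn(label, text)
    return model


def unlearn_matches_retrain(records, record_id):
    """Forget one record in place and check equality with full retraining."""
    _, label, text = next(r for r in records if r[0] == record_id)
    unlearned = train(records)
    unlearned.forget(label, text)
    retrained = train([r for r in records if r[0] != record_id])
    return unlearned.parameters() == retrained.parameters()
```

Forgetting record r1 and retraining without it yield identical parameters, so the two models also yield identical predictions; the original model trained on all five records differs, which confirms the record really was contributing. For a neural network one would instead retain per-shard checkpoints (so only the affected shard is retrained) or apply an approximate update, and then verify with membership-inference style tests that the forgotten record is no longer detectable.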

 

IV. Draft National Data Governance Framework Policy


In May 2022, the MeitY released a draft of the ‘National Data Governance Framework Policy’ inviting stakeholder feedback (“Draft NDGFP”). Among other things, the Draft NDGFP aims to ensure that non-personal and anonymized data from both government and private entities are accessible by research and innovation ecosystems, including for the purpose of facilitating AI-based R&D initiatives by Indian start-ups. In this regard, the Draft NDGFP called for the creation of the ‘India Datasets Program’ and seeks to provide an institutional framework for sharing non-personal data. Although reports from 2024 had suggested that a revised and final version of the Draft NDGFP was ready, an official copy is yet to be released.

 

A. India Datasets Platform


Consistent with the Draft NDGFP, the “IndiaAI Mission” includes the ‘IndiaAI Datasets Platform’ (“IDP”) for the purpose of facilitating access to non-personal data and high-quality AI-ready datasets to empower Indian startups and researchers. For more details on the IDP and the IndiaAI Mission, see here and here.

 

Recently, the Government launched ‘AI Kosha’, a platform with non-personal datasets, to facilitate the development of AI models and tools.

 

Conclusion


India’s new laws on data are likely to shape how AI models are developed and deployed in India, including by imposing stringent requirements around consent, data use, and ethical considerations. Balancing compliance with innovation will be crucial for AI-related organizations aiming to thrive under this emerging legal framework.


 

*Dr. Deborshi Barat is a Counsel at S&R Associates. His areas of practice include data protection and AI, ESG, and regulatory matters. He is also involved in the firm’s knowledge and training initiatives.

Prior to joining S&R, Deborshi was an Associate Professor at the Jindal Global Law School. He holds a Ph.D. from the Fletcher School of Law and Diplomacy, Tufts University.


Published by the National Law School of India University,
Bangalore, India – 560072


© 2021 Indian Journal of Law and Technology. All Rights Reserved.
ISSN : 0973-0362 | LCCN : 2007-389206 | OCLC : 162508474
