What Are India's AI and Data Governance Rules?
India's AI governance framework is layered and still maturing. As of May 2026, the operational baseline is the Digital Personal Data Protection Act 2023 (DPDPA), which received presidential assent on August 11, 2023, with the Ministry of Electronics and Information Technology (MeitY) phasing in operative provisions through 2025. The DPDPA is the primary statute that already applies to AI systems that process personal data of Indian residents. Alongside the DPDPA, MeitY has issued a series of advisories on generative AI labelling, deepfakes, and platform due diligence in December 2023 and March 2024, and is consulting on a broader Digital India Act (DIA), a proposed successor to the Information Technology Act 2000 that would introduce platform accountability, algorithmic-harm, and AI-specific obligations.
Two framings matter for AI governance leaders. First, the DPDPA is in force: penalties can be imposed today by the Data Protection Board of India, and AI processing that touches personal data must already satisfy DPDPA consent, notice, and data fiduciary obligations. Second, the Digital India Act remains draft: MeitY released principles in 2023-2024 but the bill has not been introduced in Parliament. References to "the DIA" in compliance documents should be framed conditionally and revisited as the proposed legislation evolves.
India's approach contrasts with both the EU AI Act's risk-tiered regulation and the United States' patchwork of state laws. The Indian framework leans on a data-protection statute backed by sectoral advisories and a national AI strategy (the IndiaAI Mission, approved by the Union Cabinet in March 2024 with a five-year outlay of approximately INR 10,372 crore). Organisations that operate in India or that process personal data of Indian residents should treat DPDPA compliance as the operational floor and prepare an adaptable AI control plane that can absorb DIA obligations when (or if) they are enacted.
Areebi is designed for exactly this layered context: DPDPA-aligned consent and data fiduciary controls operate today, and Areebi's AI control plane architecture accommodates additional algorithmic-harm and labelling obligations as MeitY guidance and the DIA mature.
India AI and Data Governance Instruments in Scope
The Indian AI legal landscape consists of one in-force statute, multiple operative advisories, a draft framework bill, and a national AI strategy document. Each layer carries different legal weight and should be tracked separately.
Digital Personal Data Protection Act 2023 (DPDPA)
The DPDPA was enacted on August 11, 2023, after multiple draft iterations across 2018, 2019, 2021, and 2022. MeitY notified the Digital Personal Data Protection Rules 2025 in January 2025, beginning the phased commencement of operative provisions. The Data Protection Board of India was constituted in 2025 to enforce the Act.
Key DPDPA provisions that touch AI processing:
- Section 5 (notice and consent): Data fiduciaries must give a notice to the data principal before processing personal data. Consent must be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action. For AI training and inference using personal data, this typically requires purpose-specific consent rather than a blanket consent buried in a privacy policy.
- Section 7 (legitimate uses): A limited set of legitimate uses permit processing without consent - the voluntary provision of data for a specified purpose, employment-related processing, medical emergencies, and certain state functions. Most enterprise AI uses still require consent under Section 5.
- Section 8 (obligations of data fiduciaries): Data fiduciaries must implement reasonable security safeguards, notify the Board of personal data breaches, ensure data accuracy where used for decisions that affect the data principal, and erase data when consent is withdrawn. AI systems that make or assist consequential decisions are subject to the accuracy and erasure obligations.
- Section 9 (children's data): Verifiable parental consent is required to process the personal data of children under 18. The DPDPA prohibits behavioural monitoring of and targeted advertising directed at children. AI use cases involving minors face heightened restrictions.
- Section 10 (Significant Data Fiduciaries): The Central Government may designate any data fiduciary or class of data fiduciary as a Significant Data Fiduciary (SDF) based on volume and sensitivity of data processed, risks to data principal rights, potential impact on the sovereignty and integrity of India, and risks to electoral democracy. SDFs face enhanced obligations including the appointment of an India-based Data Protection Officer, an independent Data Auditor, and periodic Data Protection Impact Assessments.
- Schedule (penalties): Civil penalties imposed by the Board can reach INR 250 crore per instance for failure to take reasonable security safeguards, INR 200 crore for failure to notify the Board of a breach or for child-data violations, and INR 150 crore for failure to fulfil additional SDF obligations.
Status: Enacted August 11, 2023. Rules notified January 2025. Phased commencement through 2025. The Board is operational; enforcement actions can be brought today.
MeitY Advisories on AI, Deepfakes, and Platform Due Diligence
MeitY has used its powers under the Information Technology Act 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 to issue advisories that operationally regulate AI in advance of dedicated legislation. The most consequential advisories:
- Deepfake advisory (December 26, 2023): MeitY issued an advisory directing intermediaries and platforms to comply with existing IT Rules 2021 obligations, with explicit reference to deepfake content. The advisory referenced Rule 3(1)(b)(v) (which prohibits hosting content that impersonates another person) and Rule 3(2)(b) (which requires removal within 36 hours of notice). The advisory was framed as a clarification, not a new legal obligation.
- Generative AI advisory (March 1, 2024): MeitY's first March 2024 advisory required intermediaries deploying "under-testing" or "unreliable" generative AI models to obtain explicit prior permission from the Government of India before deployment, label outputs as potentially unreliable, and ensure outputs do not violate the IT Act or constitutional provisions. The advisory was widely criticised by industry as overbroad and was substantially revised within two weeks.
- Revised generative AI advisory (March 15, 2024): The revised advisory dropped the prior-permission requirement, retained labelling obligations for "synthetically generated information," required intermediaries to take action against deepfake content that impersonates individuals, and asked platforms to identify the originator of AI-generated synthetic content using "unique metadata" or identifiers. Major intermediaries (including social media platforms and search engines) are the primary addressees.
The advisories are operative but not statutory: they carry the weight of MeitY's regulatory authority under the IT Act and the Intermediary Guidelines Rules, but they are not themselves statutes and can be revised or rescinded administratively. Organisations should treat the advisories as enforceable while tracking that the underlying framework is under active negotiation.
Status: The March 15, 2024 advisory remains the most recent comprehensive guidance. MeitY has signalled that further guidance may follow as the IndiaAI Mission's Safe and Trusted AI pillar matures.
Proposed Digital India Act (Draft)
The Digital India Act is a proposed successor to the Information Technology Act 2000. MeitY released a set of principles for the DIA in March 2023 and held stakeholder consultations through 2023 and 2024. The DIA bill has not been introduced in Parliament as of May 2026. References to specific DIA provisions in compliance documents should be framed conditionally.
Based on MeitY's published principles and public consultations, the DIA is expected to address:
- Platform accountability: Differentiated obligations for intermediaries, "significant" intermediaries (proposed analogue to Significant Data Fiduciaries), AI service providers, and emerging categories like AI agents.
- Algorithmic harm: Obligations to identify, assess, and mitigate harms arising from algorithmic systems, with a particular focus on systems that recommend, rank, or moderate content.
- AI labelling and provenance: Statutory backing for the synthetic-content labelling obligations currently embedded in MeitY advisories.
- User rights against algorithmic systems: A potential right to know that an algorithm is being used, a right to appeal an algorithmic decision, and a right to seek redress for algorithmic harms.
- Online safety and harms: Obligations focused on online safety, particularly for children, women, and other vulnerable groups.
- Interoperability with the DPDPA: The DIA is expected to defer to the DPDPA on personal data processing while imposing additional obligations specific to platforms and algorithmic systems.
Status: Draft principles released. No bill introduced. Specific obligations should be treated as illustrative until a bill text is published. AI governance leaders should design control planes that can accommodate algorithmic harm assessment and provenance labelling without rebuilding when the bill arrives.
Information Technology Act 2000 and Intermediary Guidelines Rules 2021
The IT Act 2000 and the Intermediary Guidelines and Digital Media Ethics Code Rules 2021 continue to operate as India's foundational technology law and as the source of MeitY's advisory authority. Key AI-relevant provisions:
- Section 79 of the IT Act: Safe harbour for intermediaries, conditional on observance of due diligence. AI-driven platforms must satisfy Section 79 conditions to retain safe harbour, including the obligations introduced by the 2021 Rules and subsequent advisories.
- Rule 3 of the IT Rules 2021: Due diligence obligations including a publicly accessible code of practice, grievance redressal mechanisms (with a Grievance Officer), and content removal obligations within specified timeframes.
- Rule 4 of the IT Rules 2021: Additional due diligence for "Significant Social Media Intermediaries" - the analogue at the platform tier to the DPDPA's SDF designation at the data tier.
For AI governance, the IT Act and Rules are most relevant where AI is deployed on intermediary platforms (recommendation systems, content moderation, generative AI features). The DPDPA governs the personal data processing layer; the IT Rules govern the intermediary obligation layer; the advisories sit on top.
IndiaAI Mission and the Safe and Trusted AI Pillar
The Union Cabinet approved the IndiaAI Mission in March 2024 with a five-year outlay of approximately INR 10,372 crore (roughly USD 1.25 billion). The Mission is administered through the IndiaAI Independent Business Division within Digital India Corporation under MeitY. It is a strategy and investment programme rather than a statutory regime, but it sets the direction for India's AI regulatory development.
The Mission has seven pillars: IndiaAI Compute Capacity, IndiaAI Innovation Centre, IndiaAI Datasets Platform, IndiaAI Application Development Initiative, IndiaAI FutureSkills, IndiaAI Startup Financing, and Safe and Trusted AI. The Safe and Trusted AI pillar is the most relevant for governance leaders: it funds the development of indigenous tools for AI testing, evaluation, watermarking, model audits, and risk frameworks.
Areebi tracks the Safe and Trusted AI pillar closely because its outputs (testing toolkits, evaluation benchmarks, watermarking standards) are likely to be referenced in future MeitY guidance and the eventual DIA implementation rules. Investments aligned with the Safe and Trusted AI pillar's direction are likely to translate into eventual compliance value.
What the DPDPA Requires of AI-Using Organisations
The DPDPA does not single out AI by name, but its data fiduciary obligations apply to any system that processes personal data. AI training, fine-tuning, and inference that touch personal data of Indian residents are all in scope.
Practical DPDPA requirements for AI break into five categories:
1. Lawful basis and consent
For most AI processing, consent under Section 5 is the operative lawful basis. The consent must be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action. For AI training, this typically means consent that specifies the training purpose, the categories of data used, and the model or system trained. Reusing data collected under a generic privacy policy for a new AI training purpose typically requires fresh consent.
2. Notice obligations
A notice in clear and plain language must precede consent. The notice must describe the personal data being processed, the purpose, the rights available to the data principal, and the manner of withdrawing consent. AI notices typically need to include language describing AI processing as a purpose ("we use this data to train and operate an AI assistant") and any automated decision-making implications.
3. Data principal rights
The DPDPA grants data principals rights to access information about processing, correct or update inaccurate data, erase data when consent is withdrawn, and nominate another individual to exercise rights in the event of death or incapacity. AI systems that incorporate personal data into model weights face the practical challenge of honouring erasure requests; the operational response usually involves data lineage tracking, training set deletion, and (where required) model retraining.
4. Data fiduciary obligations under Section 8
Data fiduciaries must implement reasonable security safeguards, notify the Board of breaches, maintain accuracy of data used for decisions that affect data principals, and erase data when consent is withdrawn. For AI, this implicates the entire pipeline - data sourcing, training, fine-tuning, inference, logging, and audit. AI DLP, runtime policy, and audit-grade logging are the operational mechanisms.
5. SDF obligations (if designated)
Organisations designated as Significant Data Fiduciaries must appoint an India-based Data Protection Officer, engage an independent Data Auditor, conduct periodic Data Protection Impact Assessments, and undertake other measures the Central Government may notify. Large AI platforms processing significant volumes of personal data are realistic SDF candidates.
Areebi maps these obligations directly:
| DPDPA requirement | Areebi capability |
|---|---|
| Section 5 purpose-specific consent | Policy engine with declared-purpose enforcement and consent state tracking |
| Section 8 reasonable security safeguards | AI DLP, encryption, access control, audit-grade logging |
| Data principal erasure rights | Data lineage tracking, training-set deletion workflows, model version pinning |
| Section 10 SDF DPIA obligations | Pre-built DPIA templates aligned with DPDPA and NIST AI RMF MAP function |
| MeitY synthetic content labelling | Output watermarking and content credentials applied automatically |
| Breach notification to the Board | Incident response workflow with India-specific notification templates |
Penalties and Enforcement
The DPDPA's enforcement model centres on the Data Protection Board of India. The Board has the authority to inquire into complaints, investigate breaches, and impose civil penalties up to the statutory caps. There is no private right of action under the DPDPA; remedies are pursued through the Board.
Penalty tiers under the DPDPA Schedule
| Violation type | Maximum penalty (per instance) |
|---|---|
| Failure to take reasonable security safeguards (Section 8(5)) | INR 250 crore (approximately USD 30 million) |
| Failure to notify the Board of a personal data breach | INR 200 crore |
| Failure to fulfil children's data obligations (Section 9) | INR 200 crore |
| Failure to fulfil additional SDF obligations (Section 10) | INR 150 crore |
| Breach of duties under Section 15 (data principal duties) | INR 10,000 |
| Breach of any other provision of the Act or Rules | INR 50 crore |
Enforcement procedure
- A complaint, a Board-initiated inquiry, or a Government referral triggers the Board's process.
- The Board conducts an inquiry, with powers analogous to those of a civil court for summoning, document production, and on-site inspection.
- The Board issues findings. Where a breach is found, the Board may impose civil penalties up to the statutory caps and may direct corrective measures.
- Appeals lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which the DPDPA designates as the appellate authority.
Advisory enforcement (MeitY directly)
For the MeitY advisories, enforcement runs through the Intermediary Guidelines Rules 2021 and Section 79 of the IT Act 2000. Failure to comply with due diligence obligations can result in loss of intermediary safe harbour, which exposes the platform to direct liability for third-party content under generally applicable laws. Major intermediaries that fail to honour the synthetic content labelling expectations risk both reputational consequences and potential loss of safe harbour.
Cross-cutting considerations
The Board, the TDSAT, and MeitY operate under separate authorities but address overlapping conduct. Organisations should expect that a single incident (for example, an AI-generated deepfake that leaks personal data) could attract both DPDPA enforcement and MeitY action. Coordinated incident response is essential.
Who Is Covered
The DPDPA applies broadly to processing of personal data of Indian residents, regardless of where the data fiduciary is headquartered. The Act's extraterritorial reach is similar in shape to the GDPR's.
DPDPA covered entities
- Data fiduciaries: Any person (including companies, partnerships, government bodies) who determines the purpose and means of processing personal data of Indian residents.
- Data processors: Persons processing personal data on behalf of a data fiduciary. AI vendors that operate models on behalf of customers typically sit in this category.
- Significant Data Fiduciaries: Designated by the Central Government based on volume, sensitivity, risk to data principals, sovereignty considerations, and electoral integrity factors. SDF designation triggers DPO, auditor, and DPIA obligations.
- Cross-border data fiduciaries: The DPDPA applies to processing of personal data outside India where the processing is in connection with offering goods or services to data principals in India. Global SaaS AI providers that serve Indian customers are in scope.
MeitY advisory covered entities
- Intermediaries under the IT Act: Social media platforms, search engines, e-commerce platforms, messaging services, and other intermediaries are covered by the 2021 Rules and the AI advisories.
- Significant Social Media Intermediaries: Platforms above the user threshold notified by MeitY face enhanced obligations.
- AI service providers operating on intermediary platforms: Where generative AI is offered through an intermediary platform, the AI service provider and the intermediary share responsibility for advisory compliance.
Practical scope notes
- Data localisation: The DPDPA does not impose blanket data localisation. The Central Government may notify countries to which personal data transfers are restricted, but the default position is that cross-border transfers are permitted subject to compliance with the Act.
- Sectoral regulators: Sector-specific regulators (RBI for financial services, IRDAI for insurance, TRAI for telecoms) maintain their own data and AI guidance. The DPDPA operates alongside these regimes rather than displacing them.
- Public sector: The Central Government may exempt state instrumentalities from specific DPDPA provisions where necessary for sovereignty, integrity, security, foreign relations, public order, or to prevent incitement to cognisable offences.
Implementation Roadmap for India AI Compliance
Organisations that operate in India or that process personal data of Indian residents should treat DPDPA compliance as the operational floor and stage additional controls for the MeitY advisories and the eventual DIA. A practical ten-week roadmap:
Weeks 1-2: AI inventory and India scope mapping
- Inventory all AI systems that process personal data of Indian residents - including shadow AI tools.
- For each system, document the personal data categories, the lawful basis, and the purpose. Flag any system relying on a generic privacy policy consent for a new AI purpose.
- Assess potential SDF designation: data volume, sensitivity, risk to data principal rights, sovereignty considerations, electoral integrity factors.
Weeks 3-4: Consent and notice rebuild
- Rebuild consent flows to satisfy Section 5: free, specific, informed, unconditional, unambiguous, with a clear affirmative action.
- Rewrite notices in clear and plain language describing AI processing as a stated purpose. Translate notices into the eighteen Eighth Schedule languages where required.
- Implement consent state tracking that can demonstrate the consent basis for every AI inference involving personal data.
Weeks 5-6: Data fiduciary controls
- Deploy AI DLP to prevent personal data exposure to third-party models. Block, redact, or route as policy requires.
- Implement reasonable security safeguards: encryption, access control, key management, audit-grade logging. Document the safeguards as evidence for the Board.
- Stand up the data principal rights workflow: access, correction, erasure, nomination. Map the data principal identity to the AI training set, inference logs, and model versions affected.
Weeks 7-8: MeitY advisory compliance (where applicable)
- Implement synthetic content labelling for any generative AI output that could be confused with non-AI content. Use C2PA content credentials or equivalent provenance metadata.
- Build deepfake detection and takedown workflows aligned with the 36-hour timeline in Rule 3(2)(b) of the IT Rules 2021.
- For intermediaries, review the grievance redressal mechanism and ensure the Grievance Officer's contact details are accessible to Indian users.
Weeks 9-10: SDF preparation (if applicable) and DIA readiness
- If SDF designation is likely, appoint an India-based DPO, engage an independent Data Auditor, and conduct a DPIA for each high-risk AI use case.
- Build a DIA-readiness register: track expected algorithmic-harm assessment obligations, provenance labelling statutory backing, and platform accountability tiers.
- Conduct a tabletop exercise simulating a Board inquiry into an AI breach. Validate that evidence can be produced within the timeframes the Board typically requires.
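One way to implement the consent state tracking from weeks 3-4 and the withdrawal-driven erasure hook from weeks 5-6, as an added example that is not Areebi's code or the page's own: a small purpose-specific consent ledger that gates each AI inference on Section 5 consent, refuses to reuse a generic privacy-policy consent for a new AI purpose, and writes every decision to an audit log as evidence. The class and function names, purpose strings, lineage references and sample principals are constructed assumptions.

```python
"""Purpose-specific consent ledger gating AI inference (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Blanket consent buried in a privacy policy; the roadmap says it must not be
# reused for a new AI training or inference purpose (DPDPA Section 5).
GENERIC_PURPOSE = "generic_privacy_policy"


@dataclass
class ConsentRecord:
    purpose: str                      # declared purpose, e.g. "ai_assistant_inference"
    data_categories: frozenset        # personal data categories the consent covers
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class ConsentLedger:
    records: Dict[str, List[ConsentRecord]] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)
    lineage: Dict[str, List[str]] = field(default_factory=dict)  # principal -> refs to erase

    def grant(self, principal_id: str, purpose: str, categories) -> None:
        rec = ConsentRecord(purpose, frozenset(categories), datetime.now(timezone.utc))
        self.records.setdefault(principal_id, []).append(rec)
        self._audit("consent_granted", principal_id, purpose=purpose)

    def record_lineage(self, principal_id: str, ref: str) -> None:
        """Track training shards / inference logs so erasure can find them later."""
        self.lineage.setdefault(principal_id, []).append(ref)

    def withdraw(self, principal_id: str, purpose: str) -> List[str]:
        """Mark consent withdrawn and return lineage refs that must now be erased (Section 8)."""
        ts = datetime.now(timezone.utc)
        for rec in self.records.get(principal_id, []):
            if rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = ts
        to_erase = self.lineage.pop(principal_id, [])
        self._audit("consent_withdrawn", principal_id, purpose=purpose, erase=to_erase)
        return to_erase

    def check(self, principal_id: str, purpose: str, categories) -> Tuple[bool, str]:
        """Gate one inference: (allowed, reason). Every call is logged as evidence."""
        needed = frozenset(categories)
        for rec in self.records.get(principal_id, []):
            if rec.withdrawn_at is not None or rec.purpose == GENERIC_PURPOSE:
                continue  # withdrawn, or blanket consent that cannot cover an AI purpose
            if rec.purpose == purpose and needed <= rec.data_categories:
                self._audit("inference_allowed", principal_id, purpose=purpose)
                return True, "purpose-specific consent on record"
        reason = self._deny_reason(principal_id, purpose, needed)
        self._audit("inference_denied", principal_id, purpose=purpose, reason=reason)
        return False, reason

    def _deny_reason(self, principal_id: str, purpose: str, needed: frozenset) -> str:
        recs = self.records.get(principal_id, [])
        if any(r.purpose == purpose and r.withdrawn_at is not None for r in recs):
            return "consent withdrawn"
        if any(r.purpose == purpose and not needed <= r.data_categories for r in recs):
            return "consent does not cover requested data categories"
        if any(r.purpose == GENERIC_PURPOSE and r.withdrawn_at is None for r in recs):
            return "only generic privacy-policy consent on record; fresh consent required"
        return "no consent on record"

    def _audit(self, event: str, principal_id: str, **details) -> None:
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, "principal": principal_id, **details})


def demo():
    """Constructed walk-through: p1 has only generic consent, p2 has AI-specific consent."""
    ledger = ConsentLedger()
    ledger.grant("p1", GENERIC_PURPOSE, {"name", "email"})
    ledger.grant("p2", "ai_assistant_inference", {"name", "chat_history"})
    ledger.record_lineage("p2", "train-shard-0042")
    r1 = ledger.check("p1", "ai_assistant_inference", {"name"})
    r2 = ledger.check("p2", "ai_assistant_inference", {"name", "chat_history"})
    r3 = ledger.check("p2", "ai_assistant_inference", {"name", "location"})
    erased = ledger.withdraw("p2", "ai_assistant_inference")
    r4 = ledger.check("p2", "ai_assistant_inference", {"name"})
    return r1, r2, r3, erased, r4
```

The `audit_log` entries are the per-inference consent evidence the roadmap asks for; in a real deployment they would be written to the audit-grade logging store rather than kept in memory.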
Organisations seeking to accelerate India AI compliance can request a demo to see how Areebi operationalises DPDPA obligations alongside the broader AI control plane.
Relationship to Other AI Frameworks
India's AI governance regime sits alongside global frameworks. Organisations subject to the DPDPA will typically also be subject to one or more of:
- GDPR (EU): The DPDPA shares structural similarities with the GDPR (data fiduciary / controller, data principal / data subject, consent-based defaults, breach notification). Organisations with both EU and India operations can typically extend GDPR programmes with India-specific overlays rather than building a separate Indian compliance stack from scratch.
- NIST AI RMF: A practical AI risk management framework that aligns well with DPDPA Section 8 reasonable security safeguards. NIST GOVERN, MAP, MEASURE, MANAGE functions all map to DPDPA accountability expectations.
- ISO/IEC 42001: The AI management system standard provides a certifiable management framework. Indian SDFs that need an externally validated AI governance system can use ISO/IEC 42001 certification as evidence.
- Singapore Model AI Governance Framework: Singapore's framework is principles-based and complementary to the DPDPA's rights-based approach. Pan-Asian organisations often align programmes across Singapore, India, and Japan.
- Japan AI Guidelines: Japan's soft-law approach contrasts with India's statutory baseline. Organisations operating in both jurisdictions typically design to the higher Indian floor.
- Australia AI governance: Australia's voluntary AI Ethics Principles and proposed mandatory guardrails sit at a different point in the regulatory life cycle. India's experience with phased commencement is informative for Australian programme design.
Smart organisations build a single, framework-agnostic AI governance programme that satisfies the DPDPA as the floor and produces evidence packages that can be repurposed for SDF audits, MeitY inquiries, and future DIA obligations. Areebi's Compliance Hub provides cross-mapped templates for the major frameworks.
What Is Still Uncertain
Several elements of India's AI legal landscape remain fluid. Good governance practice is to track them closely:
- DPDPA Rules and notifications: While the core Rules were notified in January 2025, additional notifications - including SDF designations, restricted-country lists for cross-border transfers, and Board procedural rules - will continue to refine the operative framework.
- Digital India Act timing: The DIA has been at the principles stage since 2023. The timing of bill introduction and parliamentary passage is uncertain. Organisations should prepare adaptable controls rather than designing to a specific draft.
- Generative AI advisory evolution: The MeitY advisories have changed materially within short windows (March 1 to March 15, 2024). Future advisories may impose additional labelling, originator-identification, or model-registration obligations.
- SDF designation criteria: The Central Government has broad discretion in designating SDFs. As enforcement matures, the criteria are expected to become more concrete through notifications and Board guidance.
- IndiaAI Mission outputs: The Safe and Trusted AI pillar is expected to produce evaluation toolkits, watermarking standards, and risk frameworks that may eventually be referenced in MeitY guidance or DIA implementation rules.
- Sectoral regulators and AI: The Reserve Bank of India, SEBI, IRDAI, and TRAI are each developing sector-specific AI guidance. The interaction with the DPDPA and the eventual DIA is still being clarified.
For organisations that prefer not to track legislative developments themselves, Areebi maintains a compliance hub with status tracking and last-updated dates for every framework we support. At Areebi, we treat regulatory tracking as part of the platform, not a separate consulting engagement.