Author : Jaya Falod
College: ICFAI University
Abstract
The combination of generative Artificial Intelligence (AI) with international data regimes has triggered a significant challenge in terms of technological progression against privacy rights. The current paper studies the regulatory conflicts caused by large-scale data processing under India’s Digital Personal Data Protection Act (DPDPA), 2023. Specifically, it looks at the dilemma of using personal datasets obtained improperly for training complex AI systems, considering the strict, stringent consent requirements that the Act imposes. In addition, it considers India’s move toward a permissive “negative list” approach concerning international data flows under Section 16. The study is based on Article 21 and the case of Puttaswamy and maps the liabilities of Data Fiduciaries regarding profiling and cross-border processors.
To the Point
The main issue in the realm of modern data governance is creating a balance between the development of algorithms and the boundaries imposed by law on the processing of personal data.
The Paradox of Consent in Artificial Intelligence: AI models depend on a large quantity of unstructured web data to create training datasets. The problem lies in the fact that under Section 6 of DPDPA, 2023, it is necessary to have consent from the individual before performing any actions with the personal data of that individual. The problem is that web scraping methods used by AI violate this condition and create conflict with the law.
The Decline of Data Sovereignty: The introduction of Section 16 of DPDPA allowed India to shift from strict data localization to a liberal “negative-list” type model. This shifts allows data to flow freely from India to any country, unless otherwise prohibited by the government. This creates vulnerabilities for India and opens the door for misuse of data by foreign companies and governments.
A Change in Article 21: Article 21 of the Constitution pertains to the Right to Privacy, which has now gone beyond just being about the invasion of privacy by the state. In the age of AI, this right now includes the concept of “informational self-determination,” which refers to an individual’s right to manage how their data is used commercially as well as how it is profiled and processed in various jurisdictions around the globe.
Third-Party Responsibility: As per the current regulations, the Data Fiduciary, that is, the entity collecting the person’s data remains fully accountable for any breach of data or bias in the use of algorithms resulting from its foreign third-party data processors.
Use of Legal Jargon
Informational Self-Determination: Self-determination in information means that people have an absolute right to control the collection, processing, use and transfer of their own personal data outside of their own country, as established by Article 21 of the Constitution of India.
Data Fiduciary vs. Data Principal: The terms data fiduciary and data principal form the basis of various provisions of the Digital Personal Data Protection Act of 2023. According to the Act, the data principal is the person whose personal data has been collected after seeking consent whereas data fiduciary refers to any organization that decides how to process the information and is held fully accountable for adhering to the rules set forth by the regulations.
Un-bundled Consent: The term unbundled consent refers to the legal requirement of ensuring fairness with regard to data processing when soliciting consent for personal data processing without hiding the request to collect the data in long and convoluted terms of service agreements.
Negative-List Approach: A regulatory mechanism allowing cross-border data flows to all international territories except for those that have been specifically banned or restricted by the government.
Automated Profiling and Algorithmic Bias: The utilization of artificial intelligence solutions to crunch data related to users and predict their behavior through the assessment of preferences.
Adequacy Decision: An official legal conclusion made by a regulatory agency, such as the European Commission under GDPR, stating that the domestic regulations of a third country provide a similar degree of personal data protection.
Case Laws
- Justice K.S. Puttaswamy (Retd.) v. Union of India ((2017) 10 SCC 1)
The Decision: The nine-judge bench of the Supreme Court unanimously recognized the Right to Privacy as an essential element of the Right to Life and Personal Liberty under Article 21. Importantly for the age of AI, the decision acknowledged the concept of informational self-determination, which means that individuals have control over their digital information. Furthermore, the judgment established a strict three-fold test for justifying an intrusion upon privacy (Legality, Legitimate Aim, and the Proportionality Principle).
2. In Re: Alarming Trends in AI-Generated Judicial Pleadings & Data Security (Supreme Court of India, 2026)
The Decision: Given the sudden emergence of untested automation systems, the Supreme Court recognized the dangers associated with the use of predictive algorithms and data mining. The decision was based upon the concepts set out in the Court’s 2025 AI White Paper. The Court pointed out that automated profiling and data mining of citizens’ information without human involvement pose serious threats to the Rights of Individuals. The Bench underlined that according to the Article 21, the use of citizens’ data by private algorithms has to be governed by strict institutional accountability and data protection mechanisms.
3. Data Protection System and Cross-Border Flow Rules (Based on Puttaswamy and Intermediary Cases)
The Judgment: Even though the courts of law affirm that the executive have the authority to govern international trade and diplomacy through data transfers, the application of judicial standards has constantly stated that the transfer of citizens’ data to jurisdictions that do not have similar guarantees of privacy must not take place without limitations. The Indian judiciary has asserted that the liability of a Data Fiduciary does not get lessened or made ineffective through the passing of data through servers located abroad.
The Proof
Data lineage and server logs: In making a case that a citizen’s data was taken up by an AI model without their approval, complainants use Section 63 of the Bharatiya Sakshya Adhiniyam (BSA). This means that authenticated server logs, API requests, and metadata can be produced in order to prove the route taken in the ingestion process.
Routing and geolocation tracking: Any unauthorised transfer of data across borders can be proved from network infrastructure. Data on IP address geolocation lookup, Border Gateway Protocol (BGP) routing tables, and cloud storage will be able to prove that the data was delivered or stored in the places it was not allowed to be.
The shifting burden of proof: The burden of proof falls on the Data Fiduciary as soon as the complainant has established the offense of automated profiling or leaking of data. The Data Fiduciary must provide data logs to circumvent severe punishment
Conclusion
The intersection between AI and international data flows is a significant test for India’s data regulation system. While the Digital Personal Data Protection Act (DPDPA), 2023 establishes stringent requirements such as separate consent, this “negative list” method of international transfer can lead to discrepancies concerning data sovereignty and foreign spying.
In order to shield businesses from exploitation and not inhibit the advancements in AI technologies, the courts must uphold the proportionate principles from the Puttaswamy case when it comes to ML data. Eventually, protection of informational autonomy laid out in Article 21 should motivate Data Fiduciaries to transform from passive regulation compliance into active implementation of privacy-by-design systems.
FAQs
Q1. Are firm owners able to make use of the data available on the public internet for training their models according to the DPDPA?
Ans. No, unlike the international laws that offer exemption for legal interference in data usage under legitimate interests, Section 6 of DPDPA stipulates that consent should be specific and clear and not bundled. The processing of public information containing personal data for the sake of AI model training without the explicit consent of the Data Principal is a breach of the law.
Q2. What exactly does Negative-List meant under the Data Protection Bill, 2023?
Ans. According to Section 16 of the DPDPA, India adopts a neutral approach of idea facilitation when it comes to the transfer of personal information outside the country. Unlike legal requirements of “adequacy decision” in GDPR, the notion of Negative-List allows for the free flow of data unless the given territory is explicitly banned off by the Central Government.
Q3. Is the Data Fiduciary held responsible in case of any data leak occurring in a third-party processing services?
Ans. Yes. The DPDPA states that the original Data Fiduciary is held solely responsible for all data processing activities. In spite of the transferred personal data being processed by some third-party AI or other service in a cloud data warehouse abroad, the laws of the DPDPA refer to the original Data Fiduciary as being responsible.
Q4. What is the significance of the Puttaswamy case in respect of algorithmic profiling?
Ans. The case of Justice K.S. Puttaswamy v. Union of India has acknowledged “informational self-determination” as a significant aspect of the Right to Privacy stated in Article 21. This infers that secret or covert usage of algorithmic profiling or predictive behaviour analysis which exploits a person’s data profile violates the individual’s basic fundamental rights.
