Author: Astha Keshri, BBA LL.B., Sister Nivedita University
To the Point
Artificial Intelligence (AI) has transformed the way personal data is collected, processed, stored, and analysed. From chatbots and facial recognition systems to healthcare and financial technologies, AI depends on large volumes of personal data. While AI offers innovation and economic growth, it also raises concerns regarding privacy, surveillance, profiling, and misuse of personal information.
India addressed these concerns by enacting the Digital Personal Data Protection Act, 2023 (DPDP Act). With the notification of the Digital Personal Data Protection Rules, 2025, the country entered the implementation phase of its comprehensive privacy framework in 2026. The Act seeks to balance technological advancement with the constitutional right to privacy while ensuring accountability for organisations processing digital personal data.
—
Use of Legal Jargon
The DPDP Act introduces several important legal concepts:
– Data Principal: The individual to whom the personal data relates.
– Data Fiduciary: Any person or organisation that determines the purpose and means of processing personal data.
– Significant Data Fiduciary: A class of data fiduciaries notified by the Central Government based on factors such as volume and sensitivity of data processed.
– Consent: Free, specific, informed, unconditional, and unambiguous indication of the Data Principal’s agreement.
– Consent Manager: A registered entity that enables individuals to give, manage, review, and withdraw consent.
– Personal Data Breach: Any unauthorised processing, disclosure, acquisition, or loss of personal data.
– Data Protection Board of India: The adjudicatory body established under the Act to investigate complaints and enforce compliance.
These concepts establish a legal framework that places responsibility on organisations while empowering individuals with greater control over their digital information.
—
The Proof
The implementation of the DPDP Act has become increasingly significant due to the rapid adoption of AI-powered services across sectors such as banking, healthcare, education, e-commerce, and government administration.
The Digital Personal Data Protection Rules, 2025 operationalised the Act through a phased implementation process. The Rules establish mechanisms for consent management, data breach reporting, and the constitution of the Data Protection Board of India. Certain provisions came into force immediately, while core compliance obligations are being implemented in stages through 2026 and 2027.
Key features of the implementation include:
– Mandatory notice before collecting personal data.
– Clear and informed consent from individuals.
– Right to access, correct, erase, and withdraw consent.
– Appointment of Consent Managers.
– Mandatory reporting of personal data breaches.
– Special safeguards for processing children’s data.
– Heavy financial penalties for non-compliance, extending up to ₹250 crore in specified cases.
– Greater accountability for organisations using AI systems to process personal information.
Despite these developments, implementation challenges remain. Businesses continue to adapt their compliance systems, while legal debates persist regarding the balance between privacy, innovation, and transparency.
—
Abstract
Artificial Intelligence has fundamentally changed the digital economy by enabling automated decision-making, predictive analytics, and personalised services. However, AI relies heavily upon personal data, making privacy protection an essential legal concern.
The Digital Personal Data Protection Act, 2023 represents India’s first comprehensive legislation governing digital personal data. Its implementation during 2026 marks a significant milestone in establishing a rights-based privacy regime. The Act provides individuals with enforceable rights while imposing statutory obligations upon entities processing personal data.
Although the implementation of the Act is progressing through a phased approach, several challenges remain, including AI transparency, algorithmic bias, cross-border data transfers, cybersecurity, and regulatory preparedness. The effective enforcement of the Act will determine whether India can successfully balance technological innovation with the constitutional guarantee of privacy.
—
Case Laws
1. Justice K. S. Puttaswamy (Retd.) v. Union of India (2017)
The Supreme Court unanimously recognised the Right to Privacy as a Fundamental Right under Article 21 of the Constitution. This landmark judgment laid the constitutional foundation for India’s data protection regime and directly influenced the enactment of the DPDP Act.
2. Anuradha Bhasin v. Union of India (2020)
The Court emphasised transparency, proportionality, and procedural safeguards when fundamental rights are restricted. These principles guide lawful collection and processing of personal data in the digital environment.
3. State of Maharashtra v. Dr. Praful B. Desai (2003)
The Supreme Court recognised the use of technology in judicial proceedings, demonstrating that technological advancement can coexist with constitutional safeguards when implemented responsibly.
4. Karmanya Singh Sareen v. Union of India
The litigation concerning WhatsApp’s privacy policy highlighted growing judicial concern over informed consent, data sharing, and protection of users’ personal information in the digital ecosystem.
—
Conclusion
The implementation of the Digital Personal Data Protection Act, 2023 marks a transformative phase in India’s digital governance framework. In an era where Artificial Intelligence increasingly depends upon large-scale data processing, the Act provides a much-needed legal structure for protecting individual privacy while promoting responsible innovation.
The success of the legislation will depend upon effective enforcement, awareness among citizens, corporate compliance, and the independence of the Data Protection Board. Simultaneously, lawmakers must continue updating the legal framework to address emerging challenges such as generative AI, automated profiling, biometric surveillance, and algorithmic discrimination.
Ultimately, data protection is not merely a legal obligation but an essential component of democratic governance, digital trust, and constitutional liberty. The DPDP Act has laid the foundation for a safer and more accountable digital future for India.
—
FAQ
Q1. What is the objective of the Digital Personal Data Protection Act, 2023?
The Act regulates the processing of digital personal data while protecting the privacy rights of individuals and ensuring accountability of organisations handling such data.
Q2. What is the relationship between AI and the DPDP Act?
AI systems process large amounts of personal data. The DPDP Act ensures that such processing is lawful, transparent, secure, and based on valid consent wherever required.
Q3. Who is a Data Fiduciary?
A Data Fiduciary is any person or organisation that determines the purpose and means of processing personal data.
Q4. What rights are available to Data Principals?
Individuals have the right to receive information, correct inaccurate data, erase personal data where applicable, withdraw consent, and seek grievance redressal.
Q5. What penalties can be imposed for violations?
Depending upon the nature of the violation, the Act provides financial penalties that may extend up to ₹250 crore for specified breaches.
—
References
1. Digital Personal Data Protection Act, 2023.
2. Digital Personal Data Protection Rules, 2025.
3. Justice K. S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
4. Anuradha Bhasin v. Union of India, (2020) 3 SCC 637.
5. State of Maharashtra v. Dr. Praful B. Desai, (2003) 4 SCC 601.
