Data privacy protections need to study how AI is trained with a focus on the data it uses
India is emerging as a global hub for artificial intelligence (AI) development, with government initiatives like the AI for All Program and the IndiaAI Mission driving growth across healthcare, finance, and agriculture. These programs reflect India’s vision of ‘Making AI Work for India’.
AI systems operate by learning from vast amounts of data, identifying patterns, and making decisions that improve through continuous data processing. It is therefore necessary to test AI growth against personal data protection.
The data protection framework in India
India’s data protection regulations have been developed in tandem with technological advancements, starting with the Information Technology Act, 2000 (Technology Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI), which outline broad obligations for handling sensitive personal data. The SPDI Rules remain in force as on date, but strict implementation of these rules does not appear to have been a priority, with compliance also being sporadic and generally not meeting the required standards.
As per the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (Ethics Code), the grievance redressal mechanism requires intermediaries to take all reasonable and practicable measures to remove or disable access to any content hosted, stored, published or transmitted by it which inter alia exposes the private area of an individual, shows an individual in full or partial nudity or shows or depicts an individual in any sexual act or conduct, including in the nature of impersonation in an electronic form such as artificially morphed images of such individual.
Sectoral regulations broadly address AI and personal data interdicts in the financial services, insurance, and e-commerce sectors. The Reserve Bank of India’s Guidelines on Digital Lending govern AI-powered digital lending decisions and stipulate customer protection measures and data privacy and security obligations on regulated entities.
The Insurance Regulatory and Development Authority of India (IRDAI) has introduced the Regulatory Sandbox Regulations, 2025, to foster innovation in the insurance sector while ensuring its structured growth and safeguarding policyholders’ interests. Additionally, with the increasing adoption of digital technologies and the rise in cybersecurity incidents, the IRDAI has reinforced data privacy standards for insurers and recommended risk assessment frameworks under the Information and Cybersecurity Guidelines. These measures aim to enhance the security posture of insurance firms and strengthen governance mechanisms to address emerging cyber threats.
Additionally, the Consumer Protection (E-Commerce) Rules, 2020 (E-Commerce Rules) mandate explicit consumer consent at the time of data collection, prohibiting e-commerce entities from pre-selecting consent options, such as pre-ticked checkboxes. Further, e-commerce entities are required to explain, in plain and intelligible language, the parameters which are most significant in determining the ranking of goods or sellers on their platforms, to prevent platforms from using technological means to manipulate platform rankings based on customer personal data.
The rapid technological advancements of the 2000s called for a more comprehensive regulatory approach, culminating in the Digital Personal Data Protection Act (DPDPA), India’s primary data protection legislation. The DPDPA was published on August 11, 2023, followed by the draft Digital Personal Data Protection Rules, 2025 (Rules), which were released for public consultation on January 3, 2025, in alignment with the DPDPA. Both the DPDPA and the Rules are yet to come into force.
While the DPDPA is a significant step toward a stronger data protection framework, it does not explicitly address AI. However, its core principles—such as informed consent, transparent disclosure of data processing, and restrictions on data storage durations—should also apply to personal data handled by AI models. Effective enforcement of the DPDPA will be particularly crucial in ensuring AI does not process personal data for opaque purposes without the data principal’s full awareness of how and to what extent their information is being used.
AI requires vast amounts of historical data to improve its accuracy, whereas the DPDPA imposes restrictions on the storage of personal data for long periods. Adequate enforcement could encourage AI models to process deanonymized data and prevent unnecessary retention of personal data.
The DPDPA has also empowered the Data Protection Board (Data Board) to investigate complaints, conduct audits and impose penalties for any violations of the Act. Since there is no specific authority regulating AI in India, the Data Board, once established, may become the first port of call to make such enquiries in respect of all personal data violations by AI.
Current Challenges and Pending Developments
Since technology continues to evolve at a very rapid pace, it is necessary for both regulations and implementation to keep pace. The use of AI will lead to unique and complex requirements across sectors.
The AI training and data collection process also requires greater transparency and balanced regulation. Large language models (LLMs), for example, are trained on vast datasets, often without clear disclosure on how this data is gathered, utilized, or stored, and the extent to which personal data is involved. While the DPDPA addresses data localization by restricting certain data to India, it does not specifically address LLMs hosted or developed outside the country, creating gaps in cross-border data protection.
Personal data protection in India is at a nascent stage and is fragmented across multiple regulations, and there are severe gaps in AI-specific oversight. While the Government is issuing broad guidelines, such as NITI Aayog’s National Strategy for Artificial Intelligence and the Ministry of Electronics and Information Technology’s Sub-committee report on Principles for Governance of AI, no legislation or single regulator is presently positioned to tackle the unique implications of AI. In March 2023, the Indian government announced the long-pending Digital India Act, which is intended to replace and upgrade the Technology Act and, inter alia, to regulate AI and set out obligations for AI-enabled platforms.
The European Union (EU) notified the Artificial Intelligence Act in 2021, which sets out a risk-based classification system for AI, ranging from minimal to unacceptable, and imposes strict requirements on high-risk AI applications, particularly in sensitive sectors like healthcare and law enforcement. The General Data Protection Regulation (GDPR) also integrates with the AI law and provides robust protections for personal data, including explicit consent requirements, the right to be forgotten, and strict rules on cross-border data transfers. Together, these frameworks create a comprehensive regulatory environment that balances AI innovation with individual rights and privacy.
Policy Development and Implementation Priorities
To effectively regulate AI—especially in managing cross-border data flows—existing regulations must be harmonized, and all pending frameworks should be integrated while accounting for sector-specific needs. Establishing a single AI regulator could further streamline the process, provide clear guidelines for development and deployment, and enhance inter-regulatory coordination. A cohesive, well-structured approach is essential to foster innovation, ensure compliance, and position India as a global leader in AI governance.