Authored By: RANVEER SINGH RATHORE
Jaipur National University
INTRODUCTION
In the digital age, personal data no longer acts merely as a passive record of individual identity; it has become a crucial input for decision-making, market behaviour analysis and, increasingly, for the functioning and training of artificial intelligence (AI) systems. As data-driven technologies reshape governance, healthcare, finance and even judicial processes, robust and adaptive data protection laws have become paramount. India, with over 750 million internet users, vast biometric databases and a booming AI startup ecosystem, lagged behind other major jurisdictions in codifying a coherent data privacy regime until the passage of the Digital Personal Data Protection Act, 2023 (DPDP Act).
The DPDP Act is India’s first comprehensive legislative effort to operationalize the right to privacy, recognized as a fundamental right by the Hon’ble Supreme Court in its landmark judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India[1] (2017).[2] Rooted in Article 21 of the Constitution, the Act aims to regulate the collection, processing and transfer of digital personal data, while laying down safeguards for data principals and duties for data fiduciaries. Moreover, the Act provides a governance framework through the Data Protection Board of India, prescribes penalties for violations and establishes mechanisms for grievance redressal.[3] Despite these advances, the Act still draws criticism for vague definitions, limited user rights and excessive executive control over regulatory functions.[4]
In the following sections, this paper examines the DPDP Act’s compatibility with emerging AI realities. Following the global trend, India is pushing for AI innovation and digital sovereignty, but the Act’s silence on algorithmic decision-making, profiling and AI accountability is particularly concerning. Unlike the European Union’s General Data Protection Regulation (GDPR)[5], whose Article 22 explicitly grants individuals the right not to be subjected to automated decisions with significant effects, India’s DPDP Act contains no explicit protection or transparency requirement for AI systems. The increasing use of AI in sectors such as credit scoring, predictive policing, hiring and social media moderation poses both civil liberty and compliance risks that these legal omissions leave unaddressed.
Further, the paper undertakes a comparative analysis of the DPDP Act with three major global frameworks: the General Data Protection Regulation (GDPR) of the EU[6], the California Consumer Privacy Act (CCPA)[7] and China’s Personal Information Protection Law (PIPL)[8].[9] This comparison highlights not only India’s alignment with global norms on consent and data subject rights, but also its distinctive approach to cross-border data flows and surveillance permissibility, and the absence of localized AI governance, a feature present in its counterparts.
The Draft Digital Personal Data Protection Rules, 2025[10], while providing some clarity on the role of Significant Data Fiduciaries, raise further concerns about the lack of safeguards for algorithmic processing of sensitive datasets transferred overseas.[11] The paper therefore explores the jurisdictional complexities of cross-border data transfers, especially in the context of cloud-based AI services, where data may be processed and modelled in multiple geographies simultaneously.
In essence, this paper contends that the DPDP Act, despite being a critical step forward in establishing a foundational privacy regime, falls short of addressing the algorithmic future of data processing. By highlighting suggestions such as mandatory AI audit frameworks, rights against automated decisions and regulatory oversight of profiling practices, the paper aims to position India’s data protection discourse within the global evolution of AI and privacy law.
THEORETICAL & CONSTITUTIONAL FOUNDATIONS OF PRIVACY IN INDIA
The legal architecture of India’s data protection regime rests firmly upon a constitutional foundation laid down by the judiciary rather than by legislative foresight. Until almost a decade ago, the Indian legal framework lacked a codified right to privacy, leaving the whole structure to rely on sectoral regulations such as the Information Technology Act, 2000 and guidelines issued by regulators such as the Reserve Bank of India and the Telecom Regulatory Authority of India. These frameworks offered piecemeal protections and failed to address the systemic risks posed by modern data ecosystems.
In 2017, the landmark decision in Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India brought a transformative shift in the understanding of privacy rights in the country. A nine-judge bench of the Supreme Court unanimously recognized the right to privacy as a fundamental right under Article 21 of the Indian Constitution. The Court emphasized informational privacy and autonomy in an era of intrusive digital surveillance and data capitalism. Most importantly, the Court called for a dedicated data protection framework, leading to the formation of the Justice B.N. Srikrishna Committee, whose recommendations eventually shaped the Digital Personal Data Protection Act, 2023.[12]
The DPDP Act attempts to translate constitutional principles into statutory rights and obligations by establishing consent-driven data processing, user control over personal data and accountability for data fiduciaries. Yet concerns persist. Despite its detailed framework on many aspects, the Act lacks explicit protections against state surveillance, omits safeguards against automated decision-making and does not provide stronger data subject rights such as the right to data portability or erasure, both of which are central to informational autonomy.
Moreover, with the advent of AI, the constitutional principles of privacy have come under renewed scrutiny. AI systems, especially those used by state and corporate actors, threaten to erode individual autonomy through opaque profiling and predictive analytics. In a constitutional democracy like India, the absence of AI-specific protections within the data protection framework may ultimately weaken the enforceability of the right to privacy in the spirit envisioned in Puttaswamy. These gaps become wider and more pronounced when the Indian regime is compared with global data protection regimes, as the following sections show.
DIGITAL PERSONAL DATA PROTECTION ACT, 2023 – AN OVERVIEW
In August 2023, the Indian Parliament passed the DPDP Act, establishing a formal data protection legal framework in the country. Behind the Act lie years of policy debate and public demand for a coherent privacy framework to replace the limited protection previously provided by the Information Technology Act, 2000.[13]
Scope and Applicability
The DPDP Act applies to digital personal data, whether collected online or digitized after offline collection. It governs both private entities and government agencies and has extraterritorial applicability. One of the Act’s most significant drawbacks is its failure to distinguish between different categories of personal data. Unlike the GDPR, the DPDP Act does not distinguish between personal and ‘sensitive’ personal data; it treats all personal data uniformly, without any additional safeguards for biometric, genetic or financial information. This omission is all the more notable given India’s extensive use of biometric-based public infrastructure such as Aadhaar.[14]
Key Concepts and Stakeholders
The Act introduces the terms Data Principal, meaning the individual to whom the personal data relates, and Data Fiduciary, meaning the entity that determines the purpose and means of processing. It also recognizes a further class of entity, Significant Data Fiduciaries (SDFs), designated on the basis of factors such as volume, sensitivity and risk. SDFs are subject to heightened obligations, including annual data audits, Data Protection Impact Assessments (DPIAs) and the appointment of Data Protection Officers (DPOs).
The DPDP Act, which places significant weight on consent, requires data fiduciaries to obtain free, informed, specific and unambiguous consent from data principals. Although this requirement is modelled loosely on the GDPR’s standard, the Act provides no mechanism to verify or audit the quality of such consent. Additionally, the Act does not grant the right to data portability or the right to be forgotten, even though both appeared in earlier drafts such as the PDP Bill (2019) and the DP Bill (2021).
Enforcement and Redress
The newly formed Data Protection Board of India (DPB) is the body charged with enforcing the Act. The DPB is expected to adjudicate violations and impose penalties of up to ₹250 crore for certain breaches, yet its independence remains questionable.[15] Concerns about regulatory capture and bias persist, since its composition, manner of appointment and oversight are all controlled by the Central Government. The Act allows grievances to be filed with the DPB once they have first gone unresolved with the data fiduciary; however, it contains no provision for individual compensation for harm caused by data misuse, nor any right to collective redress, which renders the remedial power of the law limited in practice.
COMPARATIVE LEGAL ANALYSIS
Understanding India’s DPDP Act in isolation does not reveal the complete picture of its strengths, weaknesses and strategic choices.[16] To gain insight into how India aligns with or diverges from global trends, a comparison with the major global data protection regimes is necessary, namely the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and China’s Personal Information Protection Law (PIPL).
1. DPDP vs. GDPR (European Union)
The European Union’s GDPR is widely regarded as the most comprehensive and rights-based data protection framework globally. Despite significant differences, India’s DPDP Act borrows several structural elements from the GDPR, such as the concepts of data principals (data subjects), data fiduciaries (controllers) and consent-based processing. The key differences between the two regimes are as follows:
- Rights of Individuals: The GDPR confers a robust set of rights that the DPDP Act lacks, including the rights of access, rectification, erasure (right to be forgotten), data portability and objection to automated decision-making (Article 22).[17]
- Automated Processing: The GDPR explicitly protects individuals from decisions made solely by automated means that significantly affect them, whereas the DPDP Act provides no such protection. This lack of algorithmic transparency poses risks to informational self-determination.
- Regulatory Independence: Unlike the Data Protection Board of India, an executive-appointed body with limited autonomy, the European Data Protection Board (EDPB) operates independently, with strong oversight powers across EU member states.
- Penalties and Enforcement: Both the DPDP Act and the GDPR provide for large monetary penalties, of up to 4% of global turnover under the GDPR and up to ₹250 crore per instance under the DPDP Act. However, enforcement is much more mature under the GDPR than under the DPDP Act.
2. DPDP vs. CCPA (California, USA)
The California Consumer Privacy Act (CCPA) focuses primarily on consumer privacy, following a consumer-centred model that distinguishes it from both the GDPR and the DPDP Act.
- Data Sales and Monetization: The CCPA’s primary concern is the sale and monetization of personal data, especially by tech companies and data brokers. It gives consumers the right to require businesses to let them opt out of data sales.[18] The DPDP Act, in contrast, does not explicitly address data monetization or sales and is based primarily on an opt-in consent model.
- Private Right of Action: The CCPA gives consumers a limited private right of action when they suffer data breaches. The DPDP Act, in contrast, relies entirely on regulatory enforcement through the DPB, which may reduce access to justice for aggrieved individuals.
- Automated Decision-Making: Like India’s Act, the CCPA is largely silent on AI and algorithmic accountability, although California has recently introduced bills (such as SB 362) that attempt to expand algorithmic transparency.
3. DPDP vs. PIPL (People’s Republic of China)
China’s PIPL, passed in 2021, is one of the most state-centric data protection regimes. It focuses on data localization, the protection of national interests and state authorities’ access to individuals’ data, reflecting China’s broader strategic interests.
- Cross-Border Transfers: Cross-border transfer of personal data is one of the major concerns in data protection law. In contrast to the DPDP Act, which allows data transfer to almost all countries freely, the PIPL mandates security assessments and government approvals before personal data may be transferred abroad.
- AI Regulation and Profiling: The PIPL gives individuals the right to refuse profiling and to request explanations of automated decisions, reflecting growing concern over AI-based surveillance and consumer manipulation. The absence of such provisions in the DPDP Act is stark by comparison.
AI AND FUTURE OF DATA PROTECTION IN INDIA
Silent Statute: AI and Automated Decision-Making
The DPDP Act does not define or regulate automated decision-making, a central issue in contemporary data governance. Unlike Article 22 of the GDPR, which grants individuals the right not to be subjected to decisions based solely on automated processing that significantly affect them, the DPDP Act contains no such provision; it does not even define or acknowledge such practices, despite their increasing deployment in India’s public and private sectors. This lacuna is critical given India’s use of algorithmic systems in social benefit distribution (e.g., Aadhaar-linked welfare), predictive policing, facial recognition in surveillance and recruitment. In the absence of legal safeguards, individuals have no right to an explanation, an appeal or human review, even when algorithmic outcomes are potentially discriminatory or faulty.
The Consent Dilemma
AI systems often rely on secondary data uses, inferred data or training datasets repurposed over time, situations in which the original consent becomes meaningless. The DPDP Act, however, remains anchored in informed consent, rendering it ineffective in the context of AI. For instance, consent obtained for a loan application cannot reasonably extend to training future fraud detection models or targeting similar users on the basis of predictive analytics.[19] Furthermore, AI models are typically black boxes[20] that are not easily explainable to users, which undermines the Act’s emphasis on informed, specific and clear consent: individuals cannot predict how their data will be used, let alone understand the consequences.
Biometric Surveillance and Profiling Risks
In recent years, India has seen widespread deployment of facial recognition technologies (FRT) by police and civic authorities, often without any legal or regulatory oversight. AI-driven tools use biometric and behavioural data for profiling and predictive purposes. The DPDP Act does not classify biometric data as “sensitive”, nor does it mandate special safeguards or explicit consent for its processing. The Pegasus surveillance scandal, the deployment of Clearview AI-type tools and widespread public CCTV analytics systems illustrate the scale of this regulatory vacuum.[21]
Bias and Lack of Accountability
AI models trained on biased or incomplete datasets can perpetuate discrimination against vulnerable communities. Yet the DPDP Act contains no provision for auditing AI outcomes, detecting systemic bias or mandating fairness checks. The Indian regime lacks basic requirements for impact assessments, bias audits or human oversight of algorithmic systems, whereas counterparts such as China’s PIPL allow individuals to opt out of profiling and request explanations of automated outcomes.
Regulatory Capacity and Institutional Gaps
The DPB is expected to enforce the DPDP Act, but it lacks statutory independence, technical AI expertise and clear powers to audit or regulate algorithmic systems. In the absence of a dedicated AI ethics or AI governance body, enforcement is likely to be reactive, complaint-based and structurally weak. Without an AI-specific data governance policy, despite the recommendations in NITI Aayog’s 2021 “Responsible AI for All” strategy[22], the DPDP Act becomes the de facto legal regime for AI data processing, albeit one ill-equipped for the task.
CONCLUSION AND RECOMMENDATIONS
The DPDP Act, 2023 is a long-awaited reform that attempts to create a foundational privacy framework in India. However, the Act suffers from significant legal and operational lacunae that undermine its effectiveness. Its shortcomings, from the lack of explicit protection against automated decision-making, weak institutional independence and ambiguous rules on cross-border data transfer to insufficient user rights, have been highlighted throughout this paper, both through a comparative lens and in the context of India’s growing reliance on AI. The law’s inability to tackle the challenges posed by algorithmic systems, biometric surveillance and opaque data processing places individuals at risk in a digital economy increasingly shaped by AI and big data.
India must now shift its focus from conventional data protection principles towards next-generation privacy governance. Steps such as integrating AI-specific provisions into the DPDP framework, or enacting a complementary AI Regulation Bill that clearly defines profiling, mandates algorithmic transparency and introduces individual rights against automated decisions, would make the law more effective in the face of evolving technologies.
Like its counterparts, the Indian Data Protection Board must be equipped with the autonomy to conduct algorithmic audits and DPIAs and to enforce the necessary standards effectively. Moreover, classifying biometric and inferred data as ‘sensitive’, enabling data portability and creating a multi-tier grievance redress mechanism would make privacy rights more accessible. Above all, India needs to collaborate internationally to develop functional data interoperability standards, drawing on the EU AI Act[23], the OECD AI Principles[24] and regional initiatives such as Convention 108+[25].
Ultimately, the Act must evolve from a baseline compliance statute into a multidimensional, rights-based instrument that meets the demands of a rapidly digitizing and algorithm-driven society. Its success will shape not only India’s digital economy but also its constitutional commitment to autonomy, dignity and accountability in the 21st century.
References:
[1] Justice K.S Puttaswamy v Union of India (2017) 10 SCC 1
[2] Mukhija, K., & Jaiswal, S. (2023). Digital Personal Data Protection Act 2023 in light of the European Union’s GDPR. Jus Corpus Law Journal, 4, 638.
[3] Chatterjee, A. (2022, November 19). Grievance redressal board, ₹500 crore fine, key features of new personal data protection draft bill. ThePrint. Retrieved [insert retrieval date], from https://theprint.in/india/governance/grievance-redressal-board-rs-500-cr-fine-key-features-of-new-personal-data-protection-draft-bill/1224131/
[4] Bisht, A. K., & Sreenivasulu, N. S. (2024). Information privacy rights in India: A study of the Digital Personal Data Protection Act, 2023. In Data privacy—Techniques, applications, and standards. IntechOpen. https://doi.org/10.5772/intechopen.xxxxxx
[5] iPleaders. (n.d.). GDPR compliance challenges. Retrieved July 5, 2025, from https://blog.ipleaders.in/gdpr-compliance-challenges/
[6] Bharti, S. S., & Aryal, S. K. (2022). The right to privacy and an implication of the EU General Data Protection Regulation (GDPR) in Europe: challenges to the companies. Journal of Contemporary European Studies, 31(4), 1391–1402. https://doi.org/10.1080/14782804.2022.2130193
[7] Evans, A., Singh, A., & Golbin, A. (2025). California Consumer Privacy Act (CCPA). In Routledge eBooks (pp. 70–77). https://doi.org/10.4324/9781003581321-10
[8] Creemers, R. (2022). China’s emerging data protection framework. Journal of Cybersecurity, 8(1). https://doi.org/10.1093/cybsec/tyac011
[9] De La Cruz, M. (2025, July 2). How to build practical compliance Road maps for global Data Privacy. Modern Counsel. https://modern-counsel.com/2025/how-to-build-practical-compliance-road-maps-for-global-data-privacy/
[10] MyGov, Government of India. (2025, January 3). Draft Digital Personal Data Protection Rules, 2025. Innovate India. Retrieved [insert retrieval date], from https://innovateindia.mygov.in/dpdp-rules-2025/
[11] Chaudhary, V. K., & Verma, D. (2025). The new frontier of data protection: Understanding India’s DPDP rules and global compliance. Panjab University Law Magazine – MAGLAW, 4(1).
[12] Supreme Court Observer. (2025, May). K.S. Puttaswamy v. Union of India: Fundamental right to privacy – case background. Supreme Court Observer. Retrieved [insert retrieval date], from https://www.scobserver.in/cases/puttaswamy-v-union-of-india-fundamental-right-to-privacy-case-background/
[13] Bose, R., & Tripathi, R. (2025). Critical analysis of Digital Personal Data Protection Act in relation to social media data aggregation. Indian Journal of Legal Review (IJLR), 5(10), 142–149. APIS–3920–0001.
[14] Shanmugam, V. (2023, September 21). Navigating the Indian data protection law: Highlighting the key misses in the DPDP Act. The CCG Blog. Retrieved [insert retrieval date], from https://ccgnludelhi.wordpress.com/2023/09/21/navigating-the-indian-data-protection-law-highlighting-the-key-misses-in-the-dpdp-act/
[15] Yadav, K. (2025, January 8). Well‑equipped data protection board a must to enforce digital privacy laws, say experts. Mint. Retrieved [insert retrieval date], from https://www.livemint.com/industry/data-privacy-digital-personal-data-protection-digital-privacy-laws-data-protection-board-data-breaches-personal-data-11736312970967.html
[16] Digital Guardian. (2023). What India’s Digital Personal Data Protection (DPDP) Act means: Rights & responsibilities. Digital Guardian. Retrieved from https://www.digitalguardian.com/blog/what-indias-digital-personal-data-protection-dpdp-act-rights-responsibilities-everything-you
[17] GDPR‑info.eu. (n.d.). Article 22 GDPR: Automated individual decision‑making, including profiling. Retrieved [insert retrieval date], from https://gdpr-info.eu/art-22-gdpr/
[18] Siebel, A., & Birrell, E. (2022). The impact of visibility on the right to opt‑out of sale under CCPA [Preprint]. arXiv. https://doi.org/10.48550/arXiv.2206.10545
[19] Mühlhoff, R. (2021). Predictive privacy: Towards an applied ethics of data analytics. Ethics and Information Technology, 23(4), 675–690. https://doi.org/10.1007/s10676-021-09606-x
[20] DeLong, L. N. (2023). Trapped in a black box: AI interpretability and ethical obligations to patients. Philosophy & Technology, 36, 45–60. https://doi.org/10.1007/s13347-025-00860-1
[21] Human Rights Watch. (2023, March 29). India: Use of facial recognition technology raises rights concerns. https://www.hrw.org/news/2023/03/29/india-facial-recognition-technology
[22] NITI Aayog. (2022, November). Responsible AI for All: Adopting the Framework – Use‑Case Approach on Facial Recognition Technology (Part 3). NITI Aayog. Retrieved from IndiaAI portal
[23] Aboy, M., Minssen, T., & Vayena, E. (2024). Navigating the EU AI Act: implications for regulated digital medical products. Npj Digital Medicine, 7(1). https://doi.org/10.1038/s41746-024-01232-3
[24] OECD. (2023). The state of implementation of the OECD AI Principles four years on. In OECD Artificial Intelligence Papers. https://doi.org/10.1787/835641c9-en
[25] De Terwangne, C. (2021). Council of Europe convention 108+: A modernised international treaty for the protection of personal data. Computer Law & Security Review, 40, 105497. https://doi.org/10.1016/j.clsr.2020.105497