As India pushes to position itself as a global AI hub, the implementation of the Digital Personal Data Protection Act (DPDP Act) has surfaced growing unease over whether its consent framework can align with how AI systems are developed and deployed.
Policy experts say the law’s treatment of publicly available data and its compliance architecture could create structural hurdles for AI companies operating at scale.
The DPDP Act was passed in Parliament in 2023; however, it awaited implementation because its rules had not yet been notified. In November 2025, the rules were finally notified, and with that, certain clauses of the DPDP Act were implemented.
Section 3 of the Act allows the use of publicly available personal data only if it can be shown that the data was made public voluntarily by the individual concerned or pursuant to law.
Meghna Bal, director at Esya Centre, has argued that this requirement is particularly difficult to operationalise for AI developers, many of whom rely on large, mixed datasets drawn from the public web.
Bal questioned the broader premise of the law’s consent-based approach.
"One fundamental misunderstanding about consent-based privacy architectures is that they are the gold standard of privacy," she said, arguing that such frameworks have repeatedly failed to prevent breaches or meaningfully enhance privacy protections, including under the GDPR.
In her view, the DPDP Act risks becoming a compliance-heavy regime that diverts resources away from innovation, with law firms emerging as its primary beneficiaries.
The notification of the Digital Personal Data Protection Rules, 2025 has added some procedural clarity, but has not resolved these deeper concerns.
According to Kamesh Shekar, associate director at The Dialogue, "The notification of the Digital Personal Data Protection Rules, 2025, introduces greater certainty... However, it also raises substantive concerns for certain legitimate business models."
Shekar points to a range of everyday digital services where users routinely share personal data of third parties. He notes that similar issues arise in AI development, adding: "Similarly, the development and deployment of artificial intelligence models often rely on large-scale scraping of data available on the public web."
Under the DPDP Act, he argues, this creates a mismatch between legal requirements and real-world data flows, because much online data is made public by third parties rather than the data principal themselves.
Both experts also flag the risk of over-regulation in a digital economy driven by scale and experimentation. Shekar cautions that, “For startups and small and medium enterprises, or for firms experimenting with novel business models, an overly rigid compliance regime risks rendering services impractical and innovation commercially unviable,” even as he acknowledges the legitimacy of stronger data protection safeguards.
As the DPDP Act enters its second year, the debate has shifted from whether India needs a data protection law to whether its current design can keep pace with AI-driven innovation—without turning compliance into a brake on growth.