
In the era of the digital economy, the increasing use of AI has become a threat to data privacy. Keeping personal information safe and building trustworthy applications is not just a regulatory necessity but a democratic right of the people. The Digital Personal Data Protection (DPDP) Act 2023 was introduced as a milestone attempt by India to maintain a balance between digital innovation and personal privacy. The recent revamp of the Act and the Draft Rules of 2025 indicate a significant shift in AI governance of data, the architecture of cyberspace, and the ethical use of Artificial Intelligence (AI).

Growing Efforts to Strengthen Privacy Protection
The DPDP Act was passed in 2023 and has been revised several times, which indicates that with technological changes and feedback from the stakeholders, efforts have been made to keep the rules relevant. The 2025 rules were introduced on the Innovate India-MyGov platform and expanded their implementation by outlining obligations for data fiduciaries, consent management processes, and grievance redressal mechanisms.
One of the changes seen is the operationalization of the Data Protection Board of India (DPBI), which acts as the backbone of enforcement under the Act. It manages data breaches and works to adjudicate them and take direct corrective actions. The revamp also enforced the concept of “deemed consent”, which clarifies the situations where personal data can be processed without explicit permission, particularly for the public interest or medical emergencies. The updated rules also mention Significant Data Fiduciaries and subject them to additional obligations, such as independent audits and Data Protection Impact Assessments (DPIAs), to ensure that platforms are prepared and efficient in handling large and sensitive datasets.
India has adapted to the digital environment quickly, thanks to greater mobile internet use, data-based services, and cross-border movement of technology. However, this exponential growth has a downside, as it increases the risk of data breaches, identity theft, the spread of misinformation, and so on. The revised rules attempt to address these vulnerabilities by establishing accountability and procedural transparency to ensure that people are safe from these digital attacks.
Another significant point is that the Act promotes data minimization and purpose limitation, meaning platforms are allowed to collect only the information that is necessary for their functioning and to use it strictly for the intended purpose, avoiding unnecessary sharing with other platforms. This helps resolve the issue of data misuse as India’s legal framework begins to align with global data protection regimes, which also ensures data protection.
Moreover, the cross-border data transfer provision of the DPDP ensures that data is allowed to be transferred only to trusted countries notified by the Central Government of India. This offers a flexible mechanism to preserve national security concerns while maintaining healthy relations. However, due to this, businesses working with tech companies may consider using external storage solutions that align with the DPDP Act. This act makes it a lot easier for those who are managing the internet to attract authentic investment.

Navigating the risk of AI systems
As we discuss digital governance, we must acknowledge that the rise of AI has become one of the most pressing issues today. Its association with ethical, legal, and operational complexities makes it a risky tool to use. Even though the DPDP Act does not regulate AI technologies, it sets important rules for the data ecosystems that AI uses.
First, it strengthens the consent architecture to ensure that AI systems relying on mass volumes of personal data do not engage in opaque practices, especially those platforms involving automated decision-making systems. If an AI model is based on user consent, with an option to withdraw at any point if a person does not feel safe, the framework becomes naturally safer and discourages exploitative data practices.

Second is the principle of purpose limitation and mandatory risk assessment, offering a structured response to concerns related to algorithmic bias and data misuse. The provision mandates independent audits and risk assessments before deploying AI systems, which encourages ethical AI systems and prevents any misuse of data.
Third, it focuses on transparency and grievance redressal, providing mechanisms through which AI developers and deployers can be held accountable. Notifications to users in the event of data breaches and complaint resolution systems ensure a sense of responsibility within the AI ecosystem.
As India progresses towards drafting its National Strategy for AI, the DPDP Act is a useful reference point for establishing norms around data pipelines used by generative AI systems and surveillance technologies. These laws need to be amended periodically to stay relevant over time to protect the rights related to data privacy.

Leakages within the Act
The solid system faces various difficulties when applied in practice. The success of the Data Protection Board depends entirely on its independence, technical expertise, and ability to enforce decisions promptly without any partiality. To implement these laws, other regulatory bodies such as the Telecom Regulatory Authority of India (TRAI) and the Reserve Bank of India (RBI) can also take a stand for coherent enforcement.
Digital literacy and awareness among users and small enterprises remain limited. Without widespread efforts to spread awareness about rights and responsibilities under the Act, it loses its significance and also dilutes the importance of the consent-based model.
As India progresses towards drafting its National Strategy for AI, the DPDP Act stands as a useful reference point for establishing regulatory norms around data pipelines used by generative AI systems, recommendation algorithms, and surveillance technologies. While laws for each unique field may be necessary in the future, the regulations under the current framework are key to rights-protected and accountable AI development. Additionally, the categorization of trusted foreign jurisdictions with which data can be shared is ambiguous and lacks defined guidelines, which could impact the global growth of multinational firms and start-ups. Hence, AI-focused regulations need to be upgraded so that growth is not dampened, as the current framework is data-centric but lacks sector-specific guidelines for AI governance.

Conclusion
India’s revamped DPDP Act is a forward-looking foundation for the digital economy, which is built on trust, transparency, and ethical innovation. It is designed with flexibility by incorporating delegated legislation, which makes it well-suited to adapt to any technological evolution and other developments. In the upcoming years, the timely operationalization of institutions such as the Data Protection Board will take it forward to ensure that the Act is enforced efficiently and effectively. Along with that, the current framework of the DPDP Act, with upcoming sector-specific regulations, will help in creating a unified data governance framework.
Besides that, India should take part in global discussions about digital standards so that our regulations are aligned internationally. Bilateral or multilateral cooperation can smooth the implementation of cross-border data transfers. The inclusion of stakeholders is equally important to understand their perspective: consultation with civil society, academic institutions, and industry bodies also helps ease the rule-making process while maintaining democratic legitimacy.
As Artificial Intelligence becomes increasingly embedded in decision-making processes, it will be crucial to develop AI-related data laws to integrate principles like transparency, fairness, and non-discrimination into the data protection framework to ensure that AI deployment is safer, which will also increase people’s trust in new technologies. Ultimately, the successful and honest implementation of the DPDP Act will determine whether India can emerge as a global leader in managing data privacy.
Written by- Shweta Verma
Edited by- Devangee Kedia
The post Revamp of DPDP Act appeared first on The Economic Transcript.