Digital Personal Data Protection Act 2023 (DPDP)
Obligations Covered
Data Governance and Processing Obligations
India's foundational data protection law applies to all automated processing of personal data, including AI inference, profiling, and recommendation systems. It grants no explicit opt-out right from automated decision-making (ADM), unlike GDPR Article 22, but its data accuracy and consent obligations bind AI deployers that handle Indian user data. Penalties reach ₹250 crore (~$30M USD) per breach.
Requirements
| Requirement | Details |
|---|---|
| Lawful basis | Personal data may only be processed for lawful purpose with explicit consent or specified legitimate use (Section 4) |
| Purpose limitation | Data must be used only for the purpose for which consent was given (Section 6) |
| Data accuracy | Data fiduciaries must ensure personal data is accurate and complete for the purpose of processing, including automated decisions affecting data principals (Section 8) |
| Security safeguards | Implement reasonable security measures to prevent data breach (Section 8) |
| Breach notification | Report personal data breaches to Data Protection Board and affected data principals; 72-hour indicative timeline under Rules (Section 8) |
| Data minimization | Process only data necessary for the stated purpose (Section 6) |
| Erasure on withdrawal | Upon consent withdrawal or purpose completion, data must be erased unless retention is legally required (Section 8) |
Penalties
| Violation | Fine |
|---|---|
| Failure to implement security safeguards | Up to ₹250 crore |
| Failure to notify breach | Up to ₹200 crore |
| Non-fulfilment of data principal rights | Up to ₹50 crore |