India Digital Personal Data Protection Act (DPDPA)
India
In Effect (rules pending)
indiaasiadata-protectionconsentai-adjacenthigh-impact
Overview
| Jurisdiction | India |
|---|---|
| Status | In Effect (rules pending) |
| Signed Date | Aug 11, 2023 |
| Effective Date | TBD (rules notification pending) |
| Enforcement Body | Data Protection Board of India (to be constituted) |
| Affected Entities | All entities processing Indian citizens' personal data, including AI companies using Indian data |
Scope
Data protection law with direct AI implications — regulates processing of personal data used in AI training and deployment. Requires consent, purpose limitation, and data principal rights. India's primary AI-adjacent regulation until a dedicated AI law is enacted.
Key Requirements
- Consent for processing personal data (including AI training data)
- Purpose limitation for data use
- Data principal rights: access, correction, erasure, grievance redressal
- Data breach notification requirements
- Data protection impact assessments for high-risk processing
- Appointment of Data Protection Officer
- Restrictions on processing children's data
Penalties
Up to INR 250 crore (approximately $30M) for non-compliance with data protection obligations.