Express Computer
Home  »  Guest Blogs  »  India’s DPDP Act and the GenAI paradox in the context of sovereignty 

India’s DPDP Act and the GenAI paradox in the context of sovereignty 

0 10
By Rajesh Dangi
In the ancient Indian philosophical tradition, the concept of dharma speaks to a universal order, a set of duties and laws that transcend individual kingdoms. Today, we face a modern dharma: the governance of data in an age where it flows as freely as water and is as potent as fire. The notification of India’s Digital Personal Data Protection (DPDP) Rules, 2025, in November of that year marked a pivotal moment in this quest. It is India’s bold assertion of digital sovereignty, an attempt to build a citadel of privacy for its 1.4 billion citizens. Yet, this citadel is being constructed in the path of a digital tsunami, Generative AI, whose very nature defies geographical borders. This is the central paradox of our time: how can a law rooted in physical jurisdiction regulate technologies that exist everywhere and nowhere at once?
The Citadel Takes Shape
The notification of the DPDP Rules, following a nationwide consultation that gathered thousands of inputs from stakeholders across industry, civil society, and government, has operationalised a framework that is ambitious in its scope. The Act is built on what policymakers have termed the SARAL approach, meaning Simple, Accessible, Rational, and Actionable, designed to be understood by the common citizen rather than remaining confined to legal circles. Its core principles represent a fundamentally citizen centric vision of data governance in the digital age.
At the heart of the framework lies the principle of consent and transparency, which mandates that data fiduciaries must obtain explicit and informed consent from data principals, providing clear and standalone notices that explain the specific purpose for which data is being collected. This is complemented by the principles of purpose limitation and data minimisation, which together ensure that data collected can only be used for the stated purpose and that only the bare minimum necessary for that purpose can be collected. The framework further establishes accountability as a cornerstone, holding fiduciaries responsible for their actions and requiring them to implement robust security safeguards, appoint Data Protection Officers, and for Significant Data Fiduciaries, conduct annual audits and Data Protection Impact Assessments.
The government has adopted a phased implementation model, providing a crucial eighteen month runway until May 2027 for businesses to align their systems with these substantive obligations. This transition period acknowledges the immense operational overhaul required across sectors. However, in a sign of the urgency felt by the government to secure the digital environment, the Ministry of Electronics and Information Technology has proposed compressing this timeline to just twelve months for certain core provisions, particularly those relating to cross border data flows and national security. This tension between giving industry adequate time to comply and the pressing need for data protection reflects the broader challenges of implementing such ambitious legislation.
The GenAI Challenge
This carefully constructed framework now faces its most formidable test in the form of Generative AI. GenAI models, by their very architecture, are the antithesis of principles like data minimisation and purpose limitation. They are data vacuums, trained on massive and indiscriminate datasets to perform a multitude of tasks that are often unknown at the time of collection. This creates a fundamental and perhaps irresolvable conflict between the letter of the law and the nature of the technology.
The first and most obvious challenge is what might be termed the consent paradox. How can a data principal give explicit and informed consent for their data to be used in ways that the fiduciary itself cannot fully foresee? For instance, a user who consents to a GenAI platform summarising their emails might not be consenting to that data being used to improve a model that later generates a business plan for a competitor or writes a political speech. The DPDP Act’s requirement for itemized and purpose specific consent is a square peg in the round hole of large language model training, where the ultimate utility of data is often discovered only through the training process itself.
The second major challenge concerns the right to erasure. The Act empowers data principals to request the correction or erasure of their data, a fundamental right that underpins individual control over personal information. However, data used to train a GenAI model is not stored in a simple and retriable database. It is embedded in billions of mathematical parameters, the weights that form the model’s neural network, and is effectively transformed beyond recognition. Forgetting a specific piece of data is not a simple deletion operation; it would likely require retraining the entire model from scratch, a prohibitively expensive and resource intensive process that most organisations cannot feasibly undertake. This raises profound questions about how the right to erasure can be meaningfully implemented in an AI driven world.
The third challenge is the lack of transparency in AI decision making. When a GenAI system produces an output, it is often impossible to trace back through the billions of parameters to determine exactly which pieces of training data influenced that particular result. This opacity directly conflicts with the DPDP Act’s emphasis on transparency and accountability, creating a situation where data fiduciaries may be unable to demonstrate compliance even when they are acting in good faith.
National Security and Inference Risk
These theoretical challenges have manifested in real world anxiety within the highest levels of government. A growing debate within the Union government has emerged around the inference risk posed by foreign GenAI platforms. The core concern is not just data privacy in the conventional sense, but strategic inference. The question being asked is whether these systems, by analysing patterns in prompts from senior bureaucrats, policy advisers, and scientists, can derive sensitive insights into government priorities, timelines, and organisational weaknesses.
This debate has already led to concrete action. In early 2025, the Finance Ministry issued a directive prohibiting the use of GenAI tools like ChatGPT and DeepSeek on official workstations, citing risks to the confidentiality of government data and documents. This directive is a stark illustration of the conflict between the convenience of global AI tools and the imperatives of national sovereignty. It also underscores the government’s parallel push for swadeshi alternatives, funding the development of indigenous Large Language Models under its substantial India AI Mission. The strategic dimension of AI governance has thus moved from theoretical discussion to operational reality.
Compliance in Practice
For businesses operating in India, the DPDP Act is no longer an abstract concept. It is a tangible operational reality that requires immediate and sustained attention across organisational functions.
The banking sector, with its vast repositories of sensitive customer data, has taken the lead in spearheading compliance efforts. Major banks have partnered with privacy technology firms to implement comprehensive DPDP compliance frameworks. These implementations cover the entire spectrum of requirements, from providing privacy notices in multiple languages to collecting and maintaining consent artifacts and creating dashboards for Data Protection Officers to monitor and track customer consent activities in real time. This demonstrates how a proactive approach to compliance can serve as a strategic pillar for building customer trust in an increasingly privacy conscious market.
The financial services sector more broadly has seen some of the first large scale implementations of DPDP compliance platforms, covering everything from consent lifecycle governance and data discovery to data impact assessment and audit ready policy workflows. These examples illustrate that organisations are now viewing DPDP compliance not as a mere checkbox exercise but as a core component of their digital infrastructure and risk management framework.
The impact of the DPDP Act on the AI industry is particularly profound. Startups building foundational AI models face a significant challenge because they need access to larger datasets to train their models effectively. The compliance overhead, while potentially manageable, forces a strategic rethink of data acquisition and processing strategies. The alternative to using user consent approved data is to rely on synthetic data or computer generated AI datasets, which are becoming increasingly cost effective options for startups navigating this new terrain. This shift may accelerate the adoption of synthetic data generation techniques across the industry.
The Rise of Privacy Tech
On the positive side, the DPDP era is spawning a new generation of privacy technology and compliance technology startups. The Act explicitly creates a role for Consent Managers, which are Indian companies registered with the Data Protection Board to act as trusted intermediaries for managing consent on behalf of data principals. This has opened a new field of opportunity for companies building tools to make consent management, data governance, and compliance more efficient and accessible.
The Consent Manager model is particularly innovative because it creates an intermediary layer between data principals and data fiduciaries, potentially addressing some of the power imbalances inherent in data relationships. By registering with the Data Protection Board and subjecting themselves to regular audits, these entities must demonstrate trustworthiness and compliance, providing an additional layer of protection for data principals. This model could become a template for other jurisdictions grappling with similar challenges.
The Cyber Threat Landscape
The urgency of this transition is underscored by the deteriorating cyber threat landscape. Reports from 2025 paint a stark picture of shadow AI and identity breaches becoming increasingly prevalent. Shadow AI, the use of unsanctioned AI tools by employees, has become one of the top cost contributors to data breaches in India, adding significantly to the average breach cost. Over seventy percent of enterprise GenAI usage was found to be through personal accounts, with employees often copying and pasting sensitive data into public large language models without a second thought.
This behaviour directly contravenes the DPDP Act’s security safeguards and breach notification requirements. Organisations that fail to implement robust controls around AI usage are not only exposing themselves to regulatory penalties but are also creating significant operational risks. The Act’s requirement for data fiduciaries to implement security measures such as encryption and audit logs becomes particularly critical in this context. Making robust compliance a critical defence against financial and reputational damage is no longer optional.
The Special Provisions
The DPDP Act includes special provisions for children’s data and the data of persons with disabilities, requiring verifiable parental or guardian consent for processing. This is a noble and necessary step to protect the most vulnerable segments of society, recognising that certain categories of individuals require additional safeguards in the digital environment. However, the borderless nature of the internet makes enforcement a logistical nightmare. A GenAI platform based in a jurisdiction with less stringent protections can easily collect, process, and train on data from Indian children and disabled persons without ever being subject to the DPDP Act’s consent requirements. This is the crux of the sovereignty problem in the digital age.
The cross border data restrictions contained in the rules further complicate this picture. While the Act allows for data localisation in certain circumstances, a complete ban on cross border data flow would isolate India from the global AI ecosystem. For Indian startups and enterprises to leverage the best GenAI tools, they often need to transmit data to foreign servers. The restriction is a double edged sword: it protects the data but risks stifling innovation. This tension between protection and participation is one that regulators worldwide are grappling with.
The Penalty Regime
The Act establishes a significant penalty regime, with fines of up to INR 250 crore per instance of non-compliance. This creates a substantial deterrent effect, but it also raises questions about proportionality and enforcement. The Data Protection Board, established as the primary regulatory body responsible for oversight and enforcement, must adjudicate complaints and impose penalties. The Board’s effectiveness will be crucial to the Act’s success. Its ability to handle the volume of complaints that will inevitably arise, particularly given India’s population and digital footprint, will be tested from the outset. The Board must also develop a coherent approach to interpreting the Act’s provisions in novel situations, particularly those involving emerging technologies.
The concept of Significant Data Fiduciaries, subject to additional obligations including DPIAs and annual audits, introduces a tiered approach to compliance. This recognises that not all data processing activities pose the same level of risk and that regulatory resources should be focused on the highest risk activities. However, determining which entities qualify as Significant Data Fiduciaries will require careful consideration and ongoing review as the digital landscape evolves.
The Path Forward
The path forward is one of careful choreography between regulation and innovation. The DPDP Act and its Rules are a declaration of intent, a statement that India will not be a passive observer in the global data economy. The eighteen month implementation phase is not just a timeline for compliance. It is a crucial period for regulators, industry, and innovators to navigate a complex and ever evolving landscape. The recent proposals to shorten enforcement timelines signal a growing urgency to address the national security and public order implications of rapid digitisation and AI proliferation.
The sovereign and the global are not destined to be enemies. They are perhaps dance partners in a complex ballet. The DPDP Act provides the music. It is now up to the data fiduciaries, the innovators, the Consent Managers, and the Data Protection Board of India to learn the steps, balancing the rights of the citizen with the boundless potential of the machine. The success of this endeavour will be measured not by how effectively it stops the flow of data, an impossible task, but by how effectively it shapes the behavior of the global actors who wish to participate in the Indian market.
The challenge of regulating GenAI in a way that respects both sovereignty and innovation is not unique to India. Jurisdictions worldwide are grappling with similar questions, and the answers that emerge will shape the future of the digital economy. India’s approach, with its emphasis on consent, accountability, and the protection of vulnerable populations, offers a distinctive model that other nations may look to for inspiration. However, the proof of the framework’s effectiveness will lie in its implementation and enforcement, a task that has only just begun.
The DPDP Act represents a significant step forward in data governance, establishing clear rights for data principals and obligations for data fiduciaries. Yet the rapid evolution of GenAI technology continues to challenge the assumptions underlying the legislation. As models become more sophisticated and their capabilities expand, the gap between the law’s intent and its practical application may widen. Ongoing dialogue between regulators, industry, and civil society will be essential to ensure that the framework remains relevant and effective in protecting citizen rights while enabling responsible innovation. This is the great challenge of our digital age, and India has placed itself at the forefront of the effort to meet it.
Leave A Reply

Your email address will not be published.