Back to Blog
AILegal TechDPDP ActLegal AnalysisAI & Data

The Impact of the DPDP Act on Artificial Intelligence in India

Pentapati SriramsaiApril 23, 20264 min read

India's DPDP Act profoundly reshapes artificial intelligence by mandating explicit consent and prioritizing data governance over data hoarding. While enforcing strict accountability and precision in automated decisions, the legislation leaves distinct regulatory gaps concerning algorithmic bias. Ultimately, this act serves as a crucial driver to establish sustainable artificial intelligence innovations

The Impact of the DPDP Act on Artificial Intelligence in India

Introduction

Artificial Intelligence, being a technology-based novelty, has become an important foundation stone of contemporary governance and business practices. Artificial Intelligence (AI) has made significant progress within a short period of time. Whether in finance or medicine, AI relies heavily on data. The availability of large, continuous personal data drives the evolution of today's advanced AI systems. The enactment of India's Digital Personal Data Protection Act, 2023 (DPDP Act) marks the beginning of a new era in regulation that seeks to provide protection of this data and promote a vibrant digital economy. But the DPDP Act impacts AI much more fundamentally than mere data protection.

AI and Data: An Indispensable Union

Machine learning algorithms, a subset of AI technologies, are known for being heavily dependent on large datasets to discern trends, improve accuracy, and evolve. Datasets used to train the algorithm are often composed of personal data, including behavioral and even biological data. Under the DPDP Act, a systematic legislative framework for regulating the use of these data is provided. The first point of conflict, therefore, arises between the two as the former requires copious amounts of data, whereas the latter emphasizes data protection.

Consent: The Pillar of Data Practices

Perhaps one of the most revolutionary changes brought about by the DPDP Act concerns free, informed, and explicit consent, which makes it difficult for AI software companies to indiscriminately gather information. Explicit and informed consent must be obtained regarding how one's personal data may be used. If the company is to reapply the collected information using AI software, additional consent is required. Overall, AI companies would need to switch their focus from data hoarding to data governance, which might increase costs.

Accountability of AI-driven decision-making

The decisions made by Artificial Intelligence stand out among other mechanisms for regulating AI technologies. Although the DPDP Act does not prohibit automated decision-making processes, it explicitly requires that any decision regarding personal data, irrespective of whether it was made automatically or manually, should be justifiable, precise, and accountable. This implies that when AI technologies are used to evaluate one's creditworthiness, filter through employment candidates, estimate insurance premiums, or grant access to state services, the entity applying the technology cannot resort to an explanation like 'it was done by the computer. Instead, it should provide proof that the processing was compliant with all legal requirements, that the utilized personal data was truthful, and that there were mechanisms in place to facilitate an appeal against any unfavorable decision. One of the key requirements for using personal data in an automated manner according to the DPDP Act is their accuracy and completeness. For example, if an AI tool rejects a loan application on the grounds that it incorrectly classified the applicant's income, employment, and payment history, then the damage done would be tangible. To make sure that the data processed by AI technologies are up-to-date and reliable, the DPDP Act obligates data fiduciaries

Regulatory Gaps and the Need for AI Laws in India

While the DPDP Act provides a strong foundation for data protection, it does not fully address key AI-specific concerns such as algorithmic bias, automated decision-making, profiling, and broader ethical issues in AI deployment. The law focuses on how personal data is collected, used, and safeguarded, leaving model-level risks like discriminatory outcomes, opaque high-impact decisions, or harmful applications largely outside its scope. This creates a regulatory gap where AI governance remains fragmented and only partially addressed. Without clear standards on fairness, explainability, human oversight, and ethical use, organisations may comply with data-protection rules while still deploying high-risk AI systems. Future legislative or policy interventions, an AI-specific framework or AI-governance regime will be necessary to create a coherent, comprehensive structure that complements the DPDP Act and ensures AI is developed and used in a fair, accountable, and rights-respecting manner in India.

Conclusion

The Digital Personal Data Protection Act, 2023 is one of the important landmarks in India’s evolution into an advanced digital state. The impact of this piece of legislation on artificial intelligence is immense. It introduces crucial protective mechanisms that challenge traditional modes of creating intelligent systems. As opposed to treating the Digital Personal Data Protection Act as a hurdle in the way of AI development, it is important to embrace the Act as a driver that will lead to the establishment of sustainable innovations. The future depends on finding the perfect equilibrium between protecting individuals’ rights and ensuring technological advancements within the domain of artificial intelligence.

See Lexi in Action

Explore how Lexi can help your team