India Digital Personal Data Protection Act 2023 (DPDPA): AI Compliance Requirements

DPDPA Section 6 requires Data Fiduciaries to give data principals a clear notice before or at the time of seeking consent, describing what personal data is being collected and the purpose. AI systems must present this notice in plain language. Consent must be free, specific, informed, unconditional, and unambiguous. Consent managers may be used for consumer-facing AI applications.

DPDPA Sections 11-13 grant Indian residents rights to access their data summary, correct inaccuracies, erase data (right to be forgotten), and nominate a representative. AI systems must implement mechanisms for data principals to exercise these rights. A grievance officer must be designated and respond within timeframes set by DPBI rules.

DPDPA Section 10 empowers the government to designate high-volume or high-risk processors as Significant Data Fiduciaries. SDFs must: appoint an Indian Data Protection Officer, appoint an Indian-resident MD or CEO as compliance officer, conduct annual Data Protection Impact Assessments, and engage independent data auditors. AI systems with large Indian user bases are likely SDF candidates.

DPDPA Section 9 prohibits processing of children's data (under 18) without verifiable parental consent and prohibits behavioral monitoring or targeted advertising to children. AI systems that may interact with Indian minors must implement age verification and explicit parental consent mechanisms before any data processing.