What DPDPA Actually Covers

The Digital Personal Data Protection Act 2023 doesn't specifically mention AI, but its definitions of 'personal data', 'data fiduciary', and 'data processor' sweep up almost every enterprise AI deployment. If your AI system processes any data that can identify an Indian citizen (voice recordings, financial transaction patterns, health records), you are a data fiduciary under DPDPA with the full set of obligations that entails.

The Act's consent requirements are particularly significant. You need specific, informed, purpose-limited consent for each distinct use of personal data. Using customer call recordings to train an STT model is a different purpose from using them for quality assurance, and it requires separate consent.

The Data Localisation Question

DPDPA enables the central government to restrict cross-border transfer of certain categories of personal data. The specific restricted categories haven't been finalized, but the regulatory direction is clear: financial data, health data, and government ID-linked data are likely to face restrictions on transfer outside India.

This creates an immediate problem for enterprises running AI workloads on US or EU cloud infrastructure. 'We process it in the cloud' is not a DPDPA-compliant answer if the cloud is in Virginia.

Consent Architecture for AI Systems

Building DPDPA-compliant AI systems requires rethinking consent architecture from the ground up. The standard 'I agree to Terms of Service' checkbox doesn't meet the Act's requirements for granular, purpose-specific, withdrawable consent.

For voice AI: you need consent to record, separate consent to transcribe, separate consent to analyze the transcript, and separate consent to retain data for any duration. Each must be independently withdrawable. This requires consent state management built into your data pipeline architecture from day one.

What 'Reasonable Security' Requires

DPDPA requires data fiduciaries to implement 'reasonable security safeguards', a standard interpreted in light of your organization's size, data sensitivity, and evolving industry norms. For AI systems, encryption at rest and in transit is a baseline, not a differentiator.

Model security matters too: an LLM fine-tuned with customer personal data is itself a form of data storage. If it can be queried in ways that extract training data (a known attack vector), you have a security gap regulators will not be sympathetic about.

Practical Steps for AI Teams

Start with a data flow audit: map every place personal data enters, is processed by, or exits your AI stack. For each touchpoint, document the legal basis for processing, the consent state, and data residency. This audit will reveal gaps you didn't know existed.

Then prioritize sovereign infrastructure for sensitive categories. Running STT, LLM inference, and document processing on India-hosted compute removes the cross-border transfer risk entirely. EngineAI's full stack runs on India-based infrastructure with no foreign data egress, built specifically for this regulatory environment.
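As an added illustration of the consent architecture described under 'Consent Architecture for AI Systems' and the residency constraint from 'The Data Localisation Question' (example code written for this page, not EngineAI's or the Act's own): a minimal consent ledger with one independently withdrawable grant per (subject, purpose), a voice-AI pipeline that gates each stage on its own purpose, and a constructed region allow-list standing in for a real residency policy. The `Purpose` names, `ConsentLedger`, `process_call` and the `INDIA_REGIONS` labels are all assumptions.

```python
"""Purpose-specific, withdrawable consent gates for a voice-AI pipeline (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

class Purpose(Enum):
    RECORD = "record"          # capture the call audio
    TRANSCRIBE = "transcribe"  # run STT over the audio
    ANALYZE = "analyze"        # run analytics / an LLM over the transcript
    RETAIN = "retain"          # keep artefacts beyond the session

@dataclass
class ConsentLedger:
    """One grant per (subject, purpose); a withdrawal removes exactly that grant."""
    grants: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # evidence of consent state per touchpoint

    def grant(self, subject: str, purpose: Purpose) -> None:
        self.grants[(subject, purpose)] = datetime.now(timezone.utc)
        self.audit.append(("grant", subject, purpose.value))

    def withdraw(self, subject: str, purpose: Purpose) -> None:
        self.grants.pop((subject, purpose), None)
        self.audit.append(("withdraw", subject, purpose.value))

    def has(self, subject: str, purpose: Purpose) -> bool:
        return (subject, purpose) in self.grants

    def require(self, subject: str, purpose: Purpose) -> None:
        if not self.has(subject, purpose):
            self.audit.append(("denied", subject, purpose.value))
            raise PermissionError(f"no consent for {purpose.value} from {subject}")

# Constructed residency policy (assumption): regions where in-scope data may be processed.
INDIA_REGIONS = {"in-mumbai", "in-hyderabad"}

def process_call(ledger: ConsentLedger, subject: str, audio: bytes, region: str) -> dict:
    """Run each stage only under its own consent; report which stages ran."""
    if region not in INDIA_REGIONS:
        raise PermissionError(f"region {region!r} is outside the permitted residency set")
    ledger.require(subject, Purpose.RECORD)            # recording is never implicit
    ran = {"record": True, "retained": ledger.has(subject, Purpose.RETAIN)}
    if ledger.has(subject, Purpose.TRANSCRIBE):
        ran["transcript"] = f"<stt over {len(audio)} bytes>"   # stand-in for the STT call
        if ledger.has(subject, Purpose.ANALYZE):
            ran["analysis"] = "<llm analysis of transcript>"    # stand-in for analytics
    return ran
```

Withdrawing one purpose leaves the others intact, and every grant, withdrawal and refusal lands in `audit`, which is the record a data flow audit asks for at each touchpoint.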