
























India’s new data protection regime is going to reshape how AI developers collect, train, and retain data, as the Digital Personal Data Protection (DPDP) Act, 2023, together with the DPDP Rules, 2025, introduces a consent-centric framework that applies to all digital personal data processed in India.
It requires Data Fiduciaries to obtain free, specific, and informed consent for each specified purpose, and to present notices that clearly itemise the personal data collected and the exact purpose behind its use. Consequently, AI companies building training datasets must explain why they are collecting each data field, how they will process it, and how users can withdraw consent.
Moreover, the Act mandates that data be erased once consent is withdrawn or when the specified purpose is no longer served. This requirement could force developers to design systems capable of selectively removing data from training pipelines and logs, especially for models updated continuously.
However, the law also draws important boundaries. It expressly excludes personal data made publicly available by the individual or under a legal obligation, offering AI firms some flexibility in sourcing publicly posted information.
Additionally, the DPDP Rules introduce a research exemption: which covers processing necessary for research, archiving, or statistical purposes, provided that such work complies with standards in the Second Schedule. Importantly, this carve-out may ease constraints on non-commercial and academic AI work.
India’s DPDP Rules regime forces AI firms to reconceive basic personal data collection flows with consent and purpose to be specified to users. Dhruv Garg, a technology lawyer of the Indian Governance And Policy Project research group framed the law’s core aim, saying, “The idea of this Act is to create a regime where the users know what all they have said ‘yes’ to in terms of processing of their personal data and access, and what they have said ‘no’ to, and what their rights are and how they can access those rights.”
Consequently, companies must map services to purposes, and then map purposes to the precise data they collect and generate. As Garg explained, firms will “map all their services, the purposes for those services, what data they collect for those services, and what data they generate through those services”.
Meanwhile, Nikhil Jhanji, Senior Product Manager at IDfy, pushed the operational implications further, arguing that “traceability and explainability is now non-negotiable”. He also recommended that teams should “embed logging directly into the data pipeline so every ingestion, preprocessing, or training event leaves a verifiable trail”.
Additionally, Jhanji noted that robust provenance “builds trust with regulators without exposing proprietary model design and allows for clear, transparent, and accessible communication to Data Principals”.
Furthermore, he argued that meaningful purpose specification sits at the centre of consent, noting that “purpose need not mean narrow” and that “purpose statements will become the privacy policies of the AI era”.
Several major companies offering consumer-facing chatbots, such as OpenAI, Anthropic, and Google, offer mechanisms that let users opt out of having their personal data or content used in future model training, and exclude past conversations from influencing chatbot outputs. These opt-outs gain legal force under the DPDP framework, especially once erasure becomes a statutory right tied directly to consent withdrawal.
However, Garg explained that erasure sits within a broader lifecycle of consent, retention, and use. He pointed out that privacy centres will need reworking under the DPDP framework to give users easy-to-understand information and choices about data collection from obtaining “consent till the retention” stage. Garg also remarked that users must be able to decide whether certain interactions, including sensitive or emotional disclosures, are stored at all.
Furthermore, he points out that a user who does not want a particular interaction kept “should have the right” to ensure it is not retained. Garg also highlighted that some categories of data cannot be erased despite a request, pointing to mandatory log-retention rules where a person cannot delete data as the law requires its preservation.
Jhanji framed the erasure challenge specifically for AI systems. He stated that “erasing influence from trained models is technically impossible, but compliance is not”, arguing that companies must stop any future use of the data, delete all identifiable inputs, and retrain where possible from earlier checkpoints.
Furthermore, he added that clear documentation and logging of retention periods, as well as communication with third parties would help to “demonstrate transparency” and define a standard for responsible AI governance.
Notably, Jhanji also stressed post-release limits, remarking that “once a model is public, full deletion is unrealistic, but accountability is not.” He noted that the fair remedy is to ensure that the data “never enters future training cycles” and that the process is logged.
While India’s DPDP Rules framework offers a research exemption, AI companies using it as a route to large-scale training might find it difficult for commercial ventures. To begin with, the exemption applies only in tightly defined circumstances, and it does not dilute the broader duties around purpose, transparency, or safeguards.
Garg explains that exemptions in the Act “are given based on purpose”, and that research is only one of the limited categories. Moreover, he emphasises that the DPDP is “not saying you cannot process this data”, only that processing must be anchored in clarity, except in the few places where there’s “an absolute no-no”.
Furthermore, he adds that users must still understand “what all they have said ‘yes’ to”, even if an exemption is involved. Therefore, companies invoking the research category must still respect transparency and meet the standards set out in the Second Schedule.
Meanwhile, Jhanji warned that “research exemptions are not a loophole”. He remarked that such exemptions apply only when training “serves public-interest innovation”, uses anonymised data, and avoids “any form of profiling or targeting”.
Additionally, he noted that companies must “prove intent” and structure their work like genuine open research rather than “disguised commercial ventures”. Thus, merely labelling a training project as research is insufficient.
AI firms will increasingly need to prove the origin of each data point and the legal basis for collecting it, which is why Jhanji argued that a future-proof approach must move beyond vague provenance logs and toward cryptographic verification.
He noted that “a provenance layer built on verifiable consent tokens would give AI builders the missing piece – a way to prove lawful collection at scale”. Moreover, this model would allow each data point to carry its own audit trail, since “each data point could carry a cryptographic stamp of its origin and consent state”.
This, in effect, transforms provenance into a machine-verifiable system rather than a set of internal claims. Consequently, regulators would be able to demand concrete proof of lawful collection, with companies demonstrating compliance without revealing proprietary model architecture.
Pertinently, Jhanji warned that provenance must also account for intermediate representations. He explained that “embeddings sit in a grey zone between anonymity and identification” and therefore must be treated as pseudonymised rather than anonymised data. As such, it is amply clear that even transformed features require responsible handling.
India’s DPDP framework arrives at a moment when AI firms are expanding rapidly but often rely on opaque data pipelines, unclear provenance, and retention practices that users rarely see.
In this context, India’s data protection law mandates companies to disclose what they collect, why they collect it, and how long they keep it. And in doing so, it brings a degree of structural clarity – something that has been absent from most commercial model-training pipelines – to AI models’ development.
Moreover, the Act makes consent reversible and meaningful, pushing companies to design systems that should stop using data when users withdraw permission. At the same time, the DPDP legal framework introduces mandatory log retention and purpose-mapping obligations that require firms to justify every step of the data journey. This directly affects how AI companies ingest, store, fine-tune, and reuse information, and limits reliance on casual scraping or undocumented datasets.
Furthermore, the research exemption and public data carve-out provide narrow but important pathways for innovation. Yet, these routes demand evidence of intent, strong safeguards, and traceable provenance.
Ultimately, the DPDP framework matters because it compels AI companies to operate with a level of transparency, accountability, and restraint that will shape the future of model development in India.
Also Read:
For You
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。