Unveiling Data Privacy Challenges in India’s AI Companies
In the fast-paced world of technology, data privacy is often a whispered concern, briefly acknowledged by tech leaders as they nod towards recently updated privacy policies or the prospective appointment of a Data Protection Officer. However, this superficial compliance is misleading, especially among Indian AI firms. These companies might believe they have addressed the requirements of the Digital Personal Data Protection (DPDP) Act of 2023, but the reality is far from it. The gap between perceived compliance and the stringent demands of the law is alarmingly wide.
Understanding the DPDP Act: Beyond Legal Jargon
The conversation around the DPDP Act is often cloaked in legal terminology, which can overshadow its practical implications. This article aims to cut through the complexity, focusing on the real-world effects of the Act on AI tools and technologies. Consent, a cornerstone of the DPDP Act, is often misunderstood by businesses. Many perceive it as a simple checkbox during registration—an assumption that falls short of legal requirements.
The Consent Conundrum
For consent to be valid under the DPDP Act, it must be explicit and specific. It cannot be buried within lengthy legal documents. Users need to understand precisely what they are consenting to, the reasons behind it, and have the opportunity to decline. This is particularly challenging for AI applications, which often operate unobtrusively. For example, a financial app that quietly accumulates user data over years without explicit consent for each new purpose may violate the Act.
Data Sharing and Legal Implications
Another critical issue is the prevalent culture of data sharing within Indian startups. While this fluid exchange of information can enhance agility and innovation, it poses significant legal risks under the DPDP Act. The principle of purpose limitation requires fresh consent for any new use of personal data, a stipulation many businesses overlook. For instance, if user data collected for technical support is repurposed for marketing without explicit consent, it breaches the law.
Vendor Accountability and Data Fiduciary Responsibilities
The DPDP Act designates businesses as data fiduciaries, holding them accountable for how personal information is used, even when handled by third-party vendors. This means that if an outsourced AI partner mishandles data, the originating company remains liable. Contracts cannot absolve firms of this responsibility, and non-compliance can result in fines up to ₹250 crore per significant breach—a cost that could devastate startups.
Proactive Solutions for Compliance
While most AI firms are not inherently deceitful, they must prove compliance through documented processes rather than intentions. Leading companies treat data governance as an integral part of product development, involving engineers in privacy discussions from the outset. They implement robust permission checks and vet vendors rigorously before formalizing partnerships.
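The "robust permission checks" mentioned above, together with the purpose-limitation rule described earlier (support data must not be reused for marketing without fresh consent), can be reduced to one engineering control: every processing step must cite a specific purpose, and the system refuses the step unless an active, purpose-specific consent record exists for that user. The following Python is an added illustration written for this article, not code from the author or from any Indian AI firm; the ledger design, class names and the user id `user-42` are constructed assumptions, and it is not a statement of what the DPDP Act itself prescribes technically.

```python
"""Purpose-bound consent check: a constructed illustration.

Each consent record names the data subject, one specific purpose, and when
it was granted or withdrawn.  Processing must cite the purpose it actually
serves; reuse for an un-consented purpose is refused and written to an
audit log, which is the documented evidence the text says firms need.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Consent:
    subject_id: str              # the user who consented
    purpose: str                 # a specific, named purpose, never "all uses"
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        if at < self.granted_at:
            return False
        return self.withdrawn_at is None or at < self.withdrawn_at


class PurposeDeniedError(PermissionError):
    """Raised when processing cites a purpose the subject never consented to."""


@dataclass
class ConsentLedger:
    records: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def grant(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> None:
        at = at or datetime.now(timezone.utc)
        self.records.append(Consent(subject_id, purpose, at))

    def withdraw(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> None:
        """Honour the right to decline later: close every active record for this purpose."""
        at = at or datetime.now(timezone.utc)
        self.records = [
            Consent(r.subject_id, r.purpose, r.granted_at, at)
            if r.subject_id == subject_id and r.purpose == purpose and r.active(at)
            else r
            for r in self.records
        ]

    def has_consent(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        at = at or datetime.now(timezone.utc)
        return any(
            r.subject_id == subject_id and r.purpose == purpose and r.active(at)
            for r in self.records
        )

    def authorize(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """Gate a processing step on purpose-specific consent.

        Logs every decision; returns True when consent exists, otherwise
        raises so the calling code cannot silently proceed.
        """
        ok = self.has_consent(subject_id, purpose, at)
        self.audit_log.append((subject_id, purpose, "allow" if ok else "deny"))
        if not ok:
            raise PurposeDeniedError(f"no active consent for {subject_id!r} / {purpose!r}")
        return True


def demo() -> dict:
    """Constructed scenario from the article: data collected for technical
    support, then an attempt to reuse it for marketing without fresh consent."""
    ledger = ConsentLedger()
    ledger.grant("user-42", "technical_support")
    results = {"support": ledger.authorize("user-42", "technical_support")}
    try:
        ledger.authorize("user-42", "marketing")          # no consent for this purpose
        results["marketing"] = True
    except PurposeDeniedError:
        results["marketing"] = False                      # repurposing is refused
    ledger.grant("user-42", "marketing")                  # fresh, specific consent
    results["marketing_after_consent"] = ledger.authorize("user-42", "marketing")
    ledger.withdraw("user-42", "marketing")               # user declines later
    results["marketing_after_withdrawal"] = ledger.has_consent("user-42", "marketing")
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the check keys on the purpose string, not on the mere existence of a user record, so a vendor integration or a new feature cannot inherit consent that was given for something else; the audit log entries are what an auditor or the company's own Data Protection Officer would review.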
As the DPDP Act continues to shape the data protection landscape, Indian AI companies have a unique opportunity to establish strong data management practices. By proactively addressing these challenges, firms can avoid future penalties and secure their operations against upcoming regulatory hurdles. The time to act is now—before the window for seamless adaptation closes.
Faraz M Siddiqui is a legal professional based in Delhi.
