The rapid advancement of generative artificial intelligence (AI) technologies has transformed various sectors, including healthcare, finance, and entertainment. However, this evolution brings significant challenges regarding data privacy, particularly for Indian corporations. With the implementation of the Digital Personal Data Protection Act (DPDPA) and its accompanying rules — the Digital Personal Data Protection Rules (DPDPR) — organizations must navigate a complex legal landscape while leveraging these innovative technologies.
Overview of the DPDPA and DPDPR Framework
The DPDPA, enacted in August 2023, established a comprehensive framework for data privacy in India. The recently introduced DPDPR provides detailed guidelines for compliance under the DPDPA. Key components include:
- Notice Requirements: Data fiduciaries must provide clear notices to data principals (individuals whose data is collected), detailing the types of personal data collected, the purposes of processing, and the methods for withdrawing consent.
- Consent Management: Organizations are required to implement robust consent management systems to ensure individuals can easily manage their consent preferences.
- Data Retention Policies: Specific entities must delete user data after three years unless users actively maintain their accounts. This applies to e-commerce platforms with over 20 million users and social media platforms with similar user bases.1,2
- Data Protection Impact Assessments (DPIAs): Significant data fiduciaries are mandated to conduct annual DPIAs to identify and mitigate risks associated with their data processing activities.3
Challenges Posed by Generative AI
Generative AI systems require extensive datasets for effective operation, leading to several privacy concerns:
- Data Collection and Consent: The vast amounts of data needed for generative AI can result in the collection of sensitive information without proper consent, posing risks of non-compliance with the DPDPA.
- Anonymization Risks: While anonymization is crucial for protecting personal information, it may not be foolproof against sophisticated attacks that can re-identify individuals from anonymized datasets.
- Bias and Discrimination: Generative AI can inadvertently perpetuate biases present in training datasets, leading to discriminatory outcomes that raise ethical concerns and potential legal ramifications under the DPDPA.
Legal Implications for Corporations
As Indian corporations adopt generative AI tools, they must address several legal implications:
- Compliance with DPDPA: Organizations must align their data collection practices with the requirements outlined in the DPDPR under the DPDPA. This includes implementing effective consent mechanisms and maintaining comprehensive records of data processing activities.
- Penalties for Non-compliance: Non-compliance with the DPDPA can result in substantial penalties. Violators may face fines ranging from INR 50 crores to INR 250 crores (approximately $6 million to $30 million), depending on the nature and severity of the breach. For instance, failing to implement security safeguards or notify a breach can lead to significant financial repercussions. 4
- Collaboration with Legal Teams: Legal heads and general counsels should work closely with IT departments to develop comprehensive data governance policies that address legal obligations while considering ethical implications surrounding generative AI use.
Ethical Considerations
Beyond legal compliance, corporations must confront ethical challenges associated with generative AI:
- Transparency in Data Use: Organizations should prioritize transparency by clearly communicating how personal data is utilized within generative AI systems. This includes labeling AI-generated content and informing users about their contributions to model training.
- Responsible Innovation: Companies must embed ethical considerations into their AI development processes. Engaging interdisciplinary teams — including ethicists and legal advisors — can help evaluate the societal impacts of their technologies.
Action Points for Corporations
To effectively navigate the complexities of data privacy in the age of generative AI, Indian corporations should consider the following action points:
- Develop a Comprehensive Data Privacy Strategy: Establish a clear roadmap that outlines compliance measures under the DPDPA while integrating best practices for generative AI usage.
- Invest in Training and Awareness Programs: Equip employees with knowledge about data privacy laws and ethical considerations related to AI technologies. This helps foster a culture of responsibility within organizations.
- Engage with Regulatory Bodies: Stay informed about evolving regulations and actively participate in discussions surrounding data privacy practices. Collaboration with regulatory bodies can provide valuable insights into compliance strategies.
In conclusion, as Indian corporations embrace generative AI technologies, they must prioritize legal compliance under the DPDPA and DPDPR as well as ethical considerations surrounding data privacy. By taking proactive steps to address these challenges, organizations can build trust with stakeholders while harnessing the transformative potential of generative AI.
1 https://www.businesstoday.in/technology/news/story/indias-dpdp-act-draft-rules-mandate-e-com-gaming-social-media-platforms-to-delete-personal-user-data-after-3-years-459591-2025-01-04
2 https://trilegal.com/dataprotection/the-draft-digital-personal-data-protection-rules-2025-operationalising-indias-data-protection-law/
3 https://usercentrics.com/knowledge-hub/india-digital-personal-data-protection-act-dpdpa/
4 https://usercentrics.com/knowledge-hub/india-digital-personal-data-protection-act-dpdpa/
Sign up to receive all the latest insights from Ankura. Subscribe now
© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
