India's DPDPA Faces Legal Challenges and AI Risks

IAPP Privacy News

Published March 26th, 2026

Detected March 27th, 2026

Summary

India's Digital Personal Data Protection Act (DPDPA) is facing legal challenges, including petitions to the Supreme Court and Kerala High Court concerning fundamental rights, data breach compensation, and state exemptions. The government also outlined legal safeguards for AI risks, referencing existing acts and new guidelines.

View original document View source feed page

What changed

India's Digital Personal Data Protection Act (DPDPA) is encountering significant legal scrutiny. Public Interest Litigations have been filed before the Supreme Court and the Kerala High Court, raising concerns about provisions related to journalistic exemptions, compensation for data breach victims, excessive state powers, and the independence of the Data Protection Board. The Supreme Court has issued a notice to the government regarding these challenges, marking a critical development in the enforcement and interpretation of the DPDPA.

In parallel, the government has addressed concerns regarding Artificial Intelligence (AI) risks, outlining existing legal safeguards such as the Information Technology Act, the DPDPA, and published AI governance guidelines. While these actions indicate ongoing regulatory activity and public engagement with data protection and AI, the legal challenges highlight potential areas of contention and may necessitate further clarification or amendments to the DPDPA. Regulated entities should monitor these legal developments closely as they could impact compliance strategies and the interpretation of data protection obligations.

What to do next

Monitor legal challenges to India's DPDPA, particularly those before the Supreme Court and Kerala High Court.
Review existing data processing practices for compliance with DPDPA provisions, especially concerning data breach compensation and state exemptions.
Stay informed on government updates regarding AI governance and legal safeguards.

Penalties

Penalties going only to the government (as per one PIL concern)

Source document (simplified)

OPINION Published

26 March 2026

Subscribe to IAPP Newsletters

Contributors:

Shivangi Nadkarni

Senior Vice President and General Manager, Digital Governance

Persistent Systems

Editor's note

The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.

As the heat of summer starts marching into India way too early, the average person on the street braces themselves for the brutal temperatures to come in the months ahead by finding solace in small joys like the mango season and the professional cricket Indian Premier League. Folks like me who work in the data privacy and responsible artificial intelligence domains must deal with the additional heat of ensuring compliance with India's Digital Personal Data Protection Act and addressing AI-related risks as these challenges march in with the same accelerated pace.

Various nuances and challenges are beginning to bubble to the surface as DPDPA compliance gets actively underway.

One example is a Public Interest Litigation filed before the Supreme Court by a senior journalist Geeta Seshu and the Software Freedom Law Centre, India raising specific concerns about certain provisions of the DPDPA violating fundamental rights and asking that they be struck or pared down. Subsequently, the Supreme Court issued a Notice to the Government of India 12 March.

Some specific concerns raised include that the DPDPA does not allow for journalistic exemptions, thus impeding press freedom; does not provide for compensation to victims of data breaches with penalties going only to the government; grants the state excessive powers as it can exempt certain departments from the law; and that the Data Protection Board is not truly independent as the government controls member appointments.

None of these concerns are new. Three other petitions have been filed along similar lines. It is the first time the court has issued a Notice to the Government, however.

Down south, the Kerala High Court also saw some action. Concerns around privacy of personal data, including biometrics, being collected from millions of passengers at airports in India and shared further have been discussed from time to time in the media. One such entity that collects and processes this data at airports is Digi Yatra, a not-for-profit foundation that operates infrastructure at Indian airports to facilitate smooth passage for passengers at entry points and security gates using biometrics and other personal data.

A PIL was filed before the Kerala High Court by C R Neelakandan, invoking the DPDPA and asking, among other requests, for a temporary restraint on the sharing of personal data being collected and exploiting it for commercial purposes without proper authorization.

The Kerala High Court issued a Notice to the Digi Yatra Foundation. It also asked the government to clarify if the Data Protection Board has been set up to oversee such matters.

Meanwhile, the government put forth the country's preparedness from a legal safeguards' standpoint to address the risks arising from AI and related technologies. In the ongoing parliamentary session, Minister for Electronics and Information Technology Ashwini Vaishnaw received a question on the topic.

Vaishnaw listed out the legal safeguards in place — including the Information Technology Act, the DPDPA and downstream rules, published guidelines including those on AI governance, the framework for toy safety and harmful content, initiatives around awareness creation as well as a host of specific measures to address cyber safety and cybercrime.

Speaking of cyber safety, new arenas are beginning to see regulation on the cybersecurity front. The Indian Computer Emergency Response Team, in collaboration with the SatCom Industry Association, issued guidelines 26 Feb. for space, including satellite communications. The intent is to secure India's space communication assets and bringing resilience to India's space ecosystem. The stakeholders under its ambit include "government agencies, satellite service providers, ground station operators, terminal equipment vendors, and private space entities."

The guidelines lay out principles to be incorporated, controls to be deployed and responsibilities to be carried out. Among the measures outlined, covered entities are required to report incidents to CERT-In within six hours and conduct annual audits. The framework also talks of complying with requirements of the Department of Telecommunications' rules that include data localization, as well as the DPDPA.

Thales released its 2026 Data Threat Report with some interesting statistics. Of organizations surveyed in India, 64% said AI-driven transformation is their biggest security risk, with 55% having had to deal with the reputational damage caused by AI-generated misinformation. Sixty-five percent of organizations reported experiencing deepfake-driven attacks. The disconnect between AI and data is evident. Only 35% of organizations in India have a complete view of their data and only 36% can fully classify their data.

In short, the heat is really on from all sides in this domain.

This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here .

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.

Submit for CPEs