Editor's note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.

These are my first notes of 2025 and already so much has happened in India. Early January was busy with the release of the much-awaited draft Digital Personal Data Protection Act rules as well as the draft artificial intelligence governance guidelines report.

In another realm, the once-in-144-years Maha Kumbh Mela, a holy gathering in Prayagraj, formerly Allahabad, began 13 Jan. with technology extensively deployed to manage the expected 400 million visitors over a 45-day period.

Much has already been written about the draft DPDPA rules. The IAPP has covered the draft rules extensively as have various other think tanks and bodies. In summary, the draft rules, published 3 Jan., were as anticipated on most aspects like elaborating on consent managers, verification of children online and content of privacy notices, while unexpected on a few aspects — such as provisions to enable the central government to impose restrictions on data transfers outside India for certain types of organizations and/or under certain conditions.

The draft rules also remain silent on timelines, although Union Minister for Electronics and Information Technology Ashwini Vaishnaw has indicated a two-year implementation timeframe in media interactions. He has also indicated the rules would be finalized and rolled out by mid-2025.

On a relatively quieter note, the Report on AI Governance Guidelines Development was released 6 Jan. for public consultation by the Subcommittee on "AI Governance and Guidelines Development," established 9 Nov. 2023 under the office of the Principal Scientific Advisor of India.

The report recommends a principles-based approach to AI governance in India. Further, given the current stage of AI development in India, it recommends "activities-based" regulations, meaning a focus on regulating specific activities like consumer safety, employment and taxation irrespective of the entity undertaking such activity. Overall, the subcommittee suggests India should regulate AI through a combination of voluntary commitments and standards plus sectoral and/or risk-based regulation.

This is in line with what Minister Vaishnaw and Union Minister of State for Commerce and Industry Jitin Prasada have been saying over the last few months.

Meanwhile, regulators have started taking action on management of AI risks. The Reserve Bank of India announced 26 Dec. 2024 the formation of a committee to develop a Framework for Responsible and Ethical Enablement of Artificial Intelligence in the Financial Sector. During its 18 Dec. 2024 meeting, the Securities and Exchange Board of India approved a proposal to amend various regulations under its ambit to "require persons regulated by SEBI … who use artificial intelligence tools, either designed by them or procured from third-party technology service providers, to take full responsibility for their use of such tools. The Regulations shall be applicable irrespective of the scale and scenario of adoption of such tools for conducting its business and servicing its investors."

On 1 Feb. 2025, India's Minister of Finance and Corporate Affairs Nirmala Sitharaman presented the government's proposed 2025-26 budget in Parliament — a critical exercise for the central government. The budget increases the allocation to the Data Protection Board of India from INR20 million to INR50 million. Even then, it remains a small sum compared to what may be required. However, it is a good start to emphasize this critical pillar of the DPDPA.

The budget also proposes establishing a Centre of Excellence for AI with a budgetary allocation of INR5 billion and extending broadband connectivity to all primary and secondary government schools, as well as primary health centers in rural areas through the telecommunications project BharatNet. 

While the policy front has been busy in general, attracting media attention in January and February has been the Maha Kumbh Mela, a one-of-its-kind holy gathering on the banks of the confluence of three rivers: the Ganga, Yamuna and (mythical) Saraswati. It has been interesting to me to watch the deployment of technology to manage what is considered the largest gathering in the world and, in parallel, wonder about its implications for privacy.

According to the Ministry of Culture, some of the security measures deployed include: AI-powered crowd density monitoring with more than 340 experts at key locations; thousands of CCTV cameras and drones, including those underwater, for surveillance; facial recognition technology at entry points; and cybersecurity professionals to monitor online threats.

Shivangi Nadkarni is senior vice president and general manager, digital governance at Persistent Systems.

This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter.