Notes from the Asia-Pacific region: India looks to DPDPA compliance

I am excitedly writing this on a very special day — Data Privacy Day — also, just two days after India celebrated its 77th Republic Day with much pomp and splendor.

In general, since the Digital Personal Data Protection Act Rules were released in November, there has been a plethora of action and news around data privacy in India, having practitioners in a generally upbeat state of mind.

As expected, activity around DPDPA compliance has exploded. Almost daily, there is a news item or two about what the industry is up to, the challenges organizations are facing on the ground and reports of government happenings regarding the DPDPA.

A few days ago, several media outlets reported on a 22 Jan. closed door consultation held by the Ministry of Electronics and Information Technology about shortening compliance timelines for some key DPDPA provisions to 12 months, from the current 18 months. As expected, this created anxiety in the industry as many organizations think even 18 months is not enough time. 

The Advertising Standards Council of India released a report titled "Navigating Cookies: Recalibrating your cookie strategy in light of the DPDPA" — a much needed push for advertisers to start looking at cookies and device identifiers seriously in the context of the DPDPA.

Discussion around the proposed Digital Information Security in Healthcare Act has resurfaced again. Still in its draft form, the DISHA was first introduced by the Ministry of Health and Family Welfare a few years ago — before the DPDPA — but it never saw the light of day. The aim was to regulate and protect digital health data, important as it was expected to complement the roll out of the Ayushman Bharat Digital Mission, a nationwide initiative to create an interoperable digital health ecosystem. 

While the ABDM gained momentum across India, the DISHA languished. With the DPDPA coming into effect, there is discussion again around a focused effort to regulate health data — whether under the umbrella of the DPDPA or otherwise. This is heartening to hear.

AI governance and other updates

India is currently gearing up to host the India AI Impact Summit 2026, 19-20 Feb., in New Delhi. There is much excitement with several pre-summit events being organized in the lead up to the event, including the 13 Dec. 2025 IAPP Pan-India KnowledgeNet.

Talking of artificial intelligence, there have been multiple discussions about India's approach to AI governance. The Indian government has, time and again, reinforced its stance that India does not plan to bring forward AI-specific legislation.

In mid-December, at the Associated Chambers of Commerce and Industry of India's 8th Global AI Leadership Meet 2025, Electronics and IT Secretary S Krishnan said, "As it is, we are a country with many laws... So my own inclination always is to avoid putting in a new law, a new regulation, unless you absolutely have to. Try to see what we can do with existing law. … Our approach to regulation of AI thus far has been very, very grounded and has been very, very clear that under no circumstances do we want to get in the way of innovation."

Reinforcing this direction, the Office of the Principal Scientific Adviser to the Government of India recently published a white paper titled "Strengthening AI Governance Through Techno-Legal Framework." The Office of the PSA stated this outlines "India's approach to building a trusted, accountable, and innovation-aligned artificial intelligence (AI) ecosystem."  In the foreword of the paper, PSA Ajay Kumar Sood, calls this a "pro-innovation approach that combines baseline legal safeguards, sectoral regulatory norms, technical measures and institutional mechanisms to safe and trusted Al."

The paper defines this techno-legal approach to AI governance as "the integration of legal instruments, rule-based conditioning, regulatory oversight and technical enforcement mechanisms embedded with the technical architecture by design." It states this approach "ensures that governance is not merely a set of external constraints (or post-facto rules) but an intrinsic feature of any AI system, adaptable to evolving risks and contexts."

This is the second PSA white paper to help foster understanding around critical aspects of AI that impact policy. The first paper, released in December 2025, focused on democratizing access to AI infrastructure, looking at AI Infrastructure as a shared national resource and identifying key enablers.

Cisco released a report on the state of AI governance among Indian organizations and how it positively impacts data privacy investments. The Cisco study surveyed over 5,200 IT and security professionals across 12 countries. It found that about 97% of surveyed organizations in India have expanded their privacy programs, while 96% plan to invest further in scaling AI responsibly and with trust.

Meanwhile, Australia's social media ban for teens seems to have some states in India thinking, as well. The state of Goa, located in the west of India, is considering banning children under age 16 from using popular social media platforms like Instagram, Facebook and Twitter, according  to its Tourism and Information Technology Minister Rohan Khaunte. The state of Andhra Pradesh, located in the south, is proposing a similar ban, according to its Minister of Information Technology, Electronics and Communications Nara Lokesh. While this topic has been discussed and debated for a while, concrete action has not yet been taken.

The next few years will be very interesting for those of us working in the digital trust and governance arena, with laws and regulations evolving to ensure guardrails are instituted as AI rapidly explodes around us.

Shivangi Nadkarni is senior corporate vice president, digital trust at Persistent Systems.