Notes from the Asia-Pacific region: India's data protection, AI governance landscape heats up

As the heat of summer starts marching into India way too early, the average person on the street braces themselves for the brutal temperatures to come in the months ahead by finding solace in small joys like the mango season and the professional cricket Indian Premier League. Folks like me who work in the data privacy and responsible artificial intelligence domains must deal with the additional heat of ensuring compliance with India's Digital Personal Data Protection Act and addressing AI-related risks as these challenges march in with the same accelerated pace.

Various nuances and challenges are beginning to bubble to the surface as DPDPA compliance gets actively underway.

One example is a Public Interest Litigation filed before the Supreme Court by a senior journalist Geeta Seshu and the Software Freedom Law Centre, India raising specific concerns about certain provisions of the DPDPA violating fundamental rights and asking that they be struck or pared down. Subsequently, the Supreme Court issued a Notice to the Government of India 12 March.

Some specific concerns raised include that the DPDPA does not allow for journalistic exemptions, thus impeding press freedom; does not provide for compensation to victims of data breaches with penalties going only to the government; grants the state excessive powers as it can exempt certain departments from the law; and that the Data Protection Board is not truly independent as the government controls member appointments.

None of these concerns are new. Three other petitions have been filed along similar lines. It is the first time the court has issued a Notice to the Government, however.

Down south, the Kerala High Court also saw some action. Concerns around privacy of personal data, including biometrics, being collected from millions of passengers at airports in India and shared further have been discussed from time to time in the media. One such entity that collects and processes this data at airports is Digi Yatra, a not-for-profit foundation that operates infrastructure at Indian airports to facilitate smooth passage for passengers at entry points and security gates using biometrics and other personal data. 

A PIL was filed before the Kerala High Court by C R Neelakandan, invoking the DPDPA and asking, among other requests, for a temporary restraint on the sharing of personal data being collected and exploiting it for commercial purposes without proper authorization.

The Kerala High Court issued a Notice to the Digi Yatra Foundation. It also asked the government to clarify if the Data Protection Board has been set up to oversee such matters.

Meanwhile, the government put forth the country's preparedness from a legal safeguards' standpoint to address the risks arising from AI and related technologies. In the ongoing parliamentary session, Minister for Electronics and Information Technology Ashwini Vaishnaw received a question on the topic.

Vaishnaw listed out the legal safeguards in place — including the Information Technology Act, the DPDPA and downstream rules, published guidelines including those on AI governance, the framework for toy safety and harmful content, initiatives around awareness creation as well as a host of specific measures to address cyber safety and cybercrime.

Speaking of cyber safety, new arenas are beginning to see regulation on the cybersecurity front. The Indian Computer Emergency Response Team, in collaboration with the SatCom Industry Association, issued guidelines 26 Feb. for space, including satellite communications. The intent is to secure India's space communication assets and bringing resilience to India's space ecosystem. The stakeholders under its ambit include "government agencies, satellite service providers, ground station operators, terminal equipment vendors, and private space entities."  

The guidelines lay out principles to be incorporated, controls to be deployed and responsibilities to be carried out. Among the measures outlined, covered entities are required to report incidents to CERT-In within six hours and conduct annual audits. The framework also talks of complying with requirements of the Department of Telecommunications' rules that include data localization, as well as the DPDPA.

Thales released its 2026 Data Threat Report with some interesting statistics. Of organizations surveyed in India, 64% said AI-driven transformation is their biggest security risk, with 55% having had to deal with the reputational damage caused by AI-generated misinformation. Sixty-five percent of organizations reported experiencing deepfake-driven attacks. The disconnect between AI and data is evident. Only 35% of organizations in India have a complete view of their data and only 36% can fully classify their data.

In short, the heat is really on from all sides in this domain.