India’s DPDP Bill – a win-win for consumer tech platforms

Mumbai: India’s Digital Personal Data Protection (DPDP) Bill is expected to be implemented over the next six to eight months in a phased manner; hefty penalties have been imposed for breach of data. This Bill will have a positive impact on companies/platforms that use first-party data, whereas players using or sharing third-party data (Google cookies, publisher platforms) could see a negative impact; this could potentially mean that sourcing data may become an expensive proposition for programmatic companies like Affle, as they may need to invest in enhancing their own (first-party) database. This Bill mirrors UK’s GDPR (General Data Protection Regulation) in terms of the major norms mentioned therein. Internet platforms like Zomato, Nykaa, Paytm etc. may have relatively fewer monthly active users (MAUs) than social/search giants like YouTube and Meta; however, the former have a detailed understanding of their limited customer base, with more intelligence around their purchasing/consumption patterns. E-commerce giants like Amazon and Flipkart too will have a big edge due to data protection, as they can earn ad revenue with the help of their first-party data, which will help provide better monetisation and profitability over the medium term.

Long haul for implementation of the DPDP Bill (six to eight months)

The DPDP (Digital Personal Data Protection) act, which has been highly anticipated, has been in the works for the past four to five years. Numerous drafts have been exchanged and extensive input has been gathered from the industry stakeholders. Although the Bill is set to take effect on 11 August 2023, its actual implementation has not yet occurred. Currently, the sections have not been enforced, but there are plans to assign specific dates for the phased implementation of these sections.

The scope of its applicability extends to all forms of digitised or digital personal data. Notably, the act also holds extraterritorial jurisdiction. This means that all entities, including those located outside of India, that process data to offer data services within the country, will be obligated to adhere to the provisions of the act. The Bill is anticipated to bring about a positive impact. India is undergoing rapid digital transformation, and with such swift digitization, there’s a substantial amount at risk. Considering the challenges posed by data leaks, the implementation of this law is crucial. It will establish a regulatory framework that offers a cleaner environment for the transmission and processing of personal data.

Substantial penalties for non-compliance/data privacy breach

The entirety of the act’s liability is placed upon the data fiduciary. The responsibility for implementing safeguards to ensure data protection also falls solely on the data fiduciary. Implementing the requirements should not pose a significant challenge for data fiduciaries, provided they approach it with seriousness and a willingness to comply. The Bill makes it obligatory to report breaches of the principles, regardless of whether the breach is categorized as a high-security breach or not. Entities will undoubtedly feel apprehensive about the substantial penalties, given their magnitude. Data fiduciaries have a responsibility to uphold reasonable security measures for personal data when processing such information. Failure to inform both the board and the principal in case of a data breach can lead to significant fines being imposed. Rather than waiting for the possibility of never being reported and taking on the associated risks, companies could proactively reach out to a wider customer base about the data leak. This approach would involve enhancing compliance efforts and demonstrating a commitment to addressing the issue.

Contents of the DPDP Act have been drawn heavily from EU’s GDPR

The Indian legislation has drawn significant inspiration from the EU’s General Data Protection Regulation (GDPR) and is built upon its framework. The authorities have analysed the real-world challenges that arose with GDPR and incorporated those insights into the crafting of this Bill. The primary objective is to ensure the responsible processing of personal data and establish robust data privacy rights for individuals. Both regulations emphasize the handling of personal data through consent, although there are specific scenarios where consent might not be obligatory. The Government has skilfully navigated the task by avoiding excessive amendments and appropriately identifying areas of overlap with other laws.

Ad-tech players could face challenges in accessing third-party data

It is believed that targeted advertising technology companies operating in this domain and relying on third-party data for tailored advertisements will encounter additional challenges. Since they don’t directly gather the data, using third-party data will demand heightened attention. Employing third-party data should make you more cautious, vigilant, and well-informed about the methods of data collection. Ensuring the integrity of the data used for crafting targeted advertisements becomes imperative to prevent any form of contamination. Well-established players involved in collecting, distributing, or selling data would undoubtedly need to swiftly adapt to the provisions of this new act. These programmatic ad-tech players could resort to either 1) investing in their own database or 2) recovering the higher costs from clients via higher pricing.

Broad-based implementation – across small and large enterprises

Small businesses, lacking substantial resources to engage established players, are focusing on diligently ensuring proper compliance. They recognize that firsthand data collection is significantly preferable to relying on third-party data access. Bigger technology companies might be required to establish compliance requirements slightly ahead of smaller players and startups. The law takes a somewhat more lenient stance toward startups. It’s anticipated that there will be a window of around six to ten months before full implementation is expected.

Safety of consumers/children an added benefit apart from privacy

Companies operating multiple businesses might find common ground internally, where data exchange occurs among their various segments or units by following proper compliance. This aspect should be regarded as a protective measure for sharing information securely. In the case of large tech giants, they will have to adhere to the supplementary data requirements. These companies heavily rely on technology, so many of the obligations are likely already integrated into their operations. The introduction of this regulation could bring about a positive impact, leading to an enhanced safety net. Regarding children’s data, obtaining verifiable parental consent is a requisite. The act has established a mechanism for addressing grievances within its provisions. The composition of the board is explicitly outlined in the act.

The credit of this article goes to Elara Capital senior vice president- research analyst Karan Taurani.

Govt tightens the screws on AI content with sharper IT rules

New norms bring labelling mandates and faster compliance timelines for platforms

NEW DELHI: Govt has moved sharply to police the fast-expanding world of AI content, amending its IT rules to formally regulate synthetically generated media and slash takedown timelines to as little as two hours.

The Union ministry of electronics and information technology (MeitY) notified the changes on February 10, with the new regime set to kick in from February 20, 2026. The amendments pull AI-generated content squarely into India’s intermediary rulebook, widening due-diligence, takedown and enforcement obligations for digital platforms.

At the heart of the change is a legal clarification: “information” used for unlawful acts now explicitly includes synthetically generated material. In effect, AI-made content will be treated on par with any other potentially unlawful information under the IT Rules.

Platforms must also step up user warnings. Intermediaries are now required to remind users at least once every three months that violating platform rules or user agreements can trigger immediate suspension, termination, content removal or all three. Users must also be warned that unlawful activity could invite penalties under applicable laws.

Offences requiring mandatory reporting, including those under the Bharatiya Nagarik Suraksha Sanhita, 2023 and the Protection of Children from Sexual Offences Act, must be reported to authorities.

AI-generated content defined
The amendments introduce the term “synthetically generated information”, covering audio-visual material that is artificially or algorithmically created, modified or altered using computer resources in a way that appears real and could be perceived as indistinguishable from an actual person or real-world event.

However, routine and good-faith uses are carved out. Editing, formatting, transcription, translation, accessibility features, educational or training materials and research outputs are excluded so long as they do not create false or misleading electronic records.

Mandatory labelling and metadata
Intermediaries enabling AI content creation or sharing must ensure clear and prominent labelling of such material as synthetically generated. Where technically feasible, the content must carry embedded, persistent metadata or provenance markers, including unique identifiers linking it to the generating computer resource.

Platforms are barred from allowing the removal or tampering of these labels or metadata, a move aimed at preserving traceability.

Fresh duties for social media firms
Significant social media intermediaries face tighter obligations. Users must be required to declare whether their content is AI-generated before upload or publication. Platforms must deploy technical and automated tools to verify these declarations.

Once confirmed as AI-generated, the content must carry a clear and prominent disclosure flagging its synthetic nature.

The takedown clock speeds up
The most dramatic shift lies in timelines. The compliance window for lawful takedown orders has been cut from 36 hours to just 3 hours. Grievance redressal timelines have been halved from 15 days to 7.

For urgent complaints, the response window shrinks from 72 hours to 36. In certain specified cases, intermediaries must now act within 2 hours, down from 24.

Platforms are required to act swiftly once aware of violations involving synthetic media, whether through complaints or their own detection. Measures can include disabling access, suspending accounts and reporting matters to authorities where legally required.

Importantly, the government has clarified that removing or disabling access to synthetic content in line with these rules will not jeopardise safe-harbour protection under Section 79(2) of the IT Act.

The message is unmistakable. As AI blurs the line between real and fabricated, the state is racing to keep pace. For platforms, the era of leisurely compliance is over. In India’s digital marketplace, synthetic content now comes with very real consequences.


Copyright © 2026 Indian Television Dot Com PVT LTD