ENTRY № 19 · STATUTORY READING · DPDP ACT 2023
PUBLISHED 2026-05-09 · ~14-MIN READ · WARRANT COMPLIANCE

India DPDP Act 2023, line by line.

Forty-four sections. One Schedule. The Digital Personal Data Protection Act, 2023 received Presidential assent on 11 August 2023 and sat as a paper statute for twenty-seven months. On 13 November 2025 the Ministry of Electronics and Information Technology notified the DPDP Rules, 2025 and brought the Data Protection Board of India into legal existence. The Schedule penalty ceiling is Rs 250 crore. The substantive obligations on a Data Fiduciary become enforceable on 13 May 2027. This is the text, read against the Rules, with the regressions in earlier compliance commentary corrected.

Warrant is regulator-grade evidence infrastructure for AI agents in regulated industries: drop an agent's execution trace, get a record mapped to a specific EU AI Act obligation, independently verifiable without contacting Warrant.

ACT · Act 22 of 2023. Passed 11 August 2023. 9 chapters. 44 sections. One Schedule.
IN FORCE · 2025-11-13. Sections 1, 2, 18–26. Substantive Sections 4–17 and Schedule penalties attach 2027-05-13. Board notified, members not yet fully appointed.
PENALTY · Rs 250 cr. Schedule, item against Section 8(5). Section 8(6) failure capped at Rs 200 cr. Section 33(2) sets sizing factors.

01 · § 1 + § 2 · THE ACT IN ONE PARAGRAPH

The statute, in its own words.

The Digital Personal Data Protection Act, 2023 was enacted by Parliament as Act 22 of 2023 and received the assent of the President on 11 August 2023. The short title and territorial scope sit at Section 1. The operative definitions sit at Section 2. The two together describe what the Act calls itself, where it reaches, and on what it acts.

This Act may be called the Digital Personal Data Protection Act, 2023. It extends to the whole of India and applies to—(a) the processing of digital personal data within the territory of India where the personal data is collected (i) in digital form; or (ii) in non-digital form and digitised subsequently; (b) the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India. DPDP Act 2023 · § 1(1) and § 1(2) · 11 August 2023

The four definitional terms the rest of the Act turns on are all in Section 2. Each is short. Each is loaded.

§ 2(t)
"personal data" means any data about an individual who is identifiable by or in relation to such data. NOTE · the test is identifiability by or in relation to the data, not direct naming.
§ 2(n)
"digital personal data" means personal data in digital form. NOTE · paper-only personal data is outside scope unless and until digitised.
§ 2(i)
"Data Fiduciary" means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. NOTE · the controller analogue. Joint-fiduciary structures attach joint accountability.
§ 2(j)
"Data Principal" means the individual to whom the personal data relates, and includes the parent or lawful guardian of a child and the lawful guardian of a person with disability. NOTE · the data-subject analogue. Children's data carries Section 9 layer.

The Act has nine chapters. Chapter I, preliminary, runs Sections 1 and 2. Chapter II, obligations of Data Fiduciary, runs Sections 4 to 10. Chapter III, rights and duties of Data Principal, runs Sections 11 to 15. Chapter IV, special provisions, runs Sections 16 and 17. Chapter V, the Data Protection Board of India, runs Sections 18 to 26. Chapters VI to IX cover appellate procedure, penalties, miscellaneous, and the Schedule.

02 · §§ 4–7 · THE CONSENT REGIME

The consent regime, verbatim.

Sections 4 to 7 set the lawful-basis architecture. Section 4 is the gating clause. Section 5 attaches notice. Section 6 attaches the qualifications on consent. Section 7 enumerates the legitimate uses that operate without consent.

A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,—(a) for which the Data Principal has given her consent; or (b) for certain legitimate uses. DPDP Act 2023 · § 4(1)

Section 5 governs notice. Every request for consent must be accompanied or preceded by a notice giving the Data Principal the personal data and purpose, the manner in which the Data Principal may exercise her rights under Sections 11 to 13, and the manner in which the Data Principal may make a complaint to the Board. The notice must be available in English and in any of the twenty-two languages specified in the Eighth Schedule to the Constitution.

Section 6 is the load-bearing definition of consent and its qualifications.

The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. DPDP Act 2023 · § 6(1)

Section 6(4) gives the Data Principal the right to withdraw her consent at any time, and the consequences of withdrawal must follow. Section 6(5) requires that the ease of withdrawal be comparable to the ease of giving consent. Section 6(7) introduces the Consent Manager: an entity registered with the Board through which a Data Principal may give, manage, review, or withdraw her consent. The Consent Manager is not a Data Fiduciary in respect of the consent it manages. It is a fiduciary to the Data Principal.

Section 7 enumerates the legitimate-uses pathway. The pathway is exhaustive, not illustrative. The named uses include voluntary specified-purpose disclosure, performance of any function under any law, response to medical emergency, services in the event of disaster or breakdown of public order, and processing in employment-related contexts. Outside Section 7 and outside Section 6 consent, processing is unlawful.

03 · § 8 · OBLIGATIONS OF DATA FIDUCIARY

Section 8, walked through.

Section 8 is the operating spine of the Act for every business that processes personal data in India. Eleven sub-sections. Each one names a deliverable. Each one attaches Schedule penalty exposure once the Schedule comes into force on 13 May 2027. I will quote each in full and mark the implication for an AI agent or automated decision system.

A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor. DPDP Act 2023 · § 8(1)

Sub-section (1) does two things at once. It puts accountability on the Data Fiduciary irrespective of contract. It puts accountability on the Data Fiduciary for processing performed by its Data Processor. The processor is not a shield. The contractual chain is read past, not read around.

A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract. DPDP Act 2023 · § 8(2)

Sub-section (3) is the accuracy clause. It is narrower than the headline "completeness, accuracy, and consistency" reading sometimes given. The trigger is not all processing. The trigger is processing likely to feed a decision that affects the Data Principal, or disclosure to another Data Fiduciary.

Where personal data processed by a Data Fiduciary is likely to be—(a) used to make a decision that affects the Data Principal; or (b) disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. DPDP Act 2023 · § 8(3)

Sub-section (4) is the technical-and-organisational-measures clause. It is the closest analogue in DPDP to GDPR Article 32(1).

A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder. DPDP Act 2023 · § 8(4)

Sub-section (5) is the security-safeguards clause. The Schedule attaches a ceiling of Rs 250 crore to its breach. It is the highest fine ceiling in the Act.

A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. DPDP Act 2023 · § 8(5)

Sub-section (6) is the breach-intimation clause. The Act delegates the form and manner. The Rules supply it. The clock that compliance teams are now planning around is in Rule 7 of the DPDP Rules 2025, not in Section 8(6) itself.

In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed. DPDP Act 2023 · § 8(6)

Sub-section (7) is the erasure clause. It runs against a default of erasure on consent withdrawal or on the specified purpose ceasing to be served, with a carve-out for retention required by law. Sub-section (8) defines when the specified purpose is "deemed no longer to be served." Sub-section (11) supplies the test of non-engagement.

A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,—(a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and (b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor. DPDP Act 2023 · § 8(7)

Sub-sections (9) and (10) are the surface-area clauses. They name the contact and the redress mechanism the Data Fiduciary owes the Data Principal in real time, not on request.

A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data. DPDP Act 2023 · § 8(9)
A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals. DPDP Act 2023 · § 8(10)

Sub-section (11) is technical. It clarifies the test for whether the Data Principal has approached the Data Fiduciary for the performance of the specified purpose. The Act treats non-initiation, in person or by communication, as non-engagement. Combined with Section 8(7) and Section 8(8), this is an automatic erasure trigger after the prescribed period of dormancy.

"Eleven sub-sections in Section 8. Two of them carry Rs 250 crore exposure. Three of them name a deliverable an AI agent must produce on every run." Warrant Compliance · 2026-05-09

04 · §§ 11–14 · RIGHTS OF THE DATA PRINCIPAL

The rights of the Data Principal.

Chapter III of the Act runs Sections 11 to 15. The first four sections are rights. The fifth is duties. The architecture is intentional. The Data Principal carries duties as well as rights, and Section 33 read against Section 15 makes false or frivolous grievance a fineable matter.

The Data Principal shall have the right to obtain from the Data Fiduciary, to whom she has previously given consent … (a) a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data; (b) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and (c) any other information related to the personal data of such Data Principal and its processing, as may be prescribed. DPDP Act 2023 · § 11(1)

Section 12 grants the right to correction, completion, updating, and erasure. The Data Fiduciary must correct inaccurate or misleading personal data, complete incomplete data, update data on request, and erase personal data on request unless retention is required for the specified purpose or by law.

Section 13 grants the right to grievance redressal. The Data Principal may approach the Data Fiduciary or Consent Manager. Internal remedy must be exhausted before approach to the Board. Section 13(3) requires response within such period as may be prescribed; Rule 13(3) of the DPDP Rules 2025 fills this in.

Section 14 grants the right to nominate. The Data Principal may, in such manner as may be prescribed, nominate any other individual who shall, in the event of death or incapacity, exercise the rights of the Data Principal. Incapacity, in this context, means inability to exercise the rights due to unsoundness of mind or infirmity of body.

Section 15 is the duties clause. The Data Principal must comply with applicable laws while exercising rights, must not impersonate, must not suppress material information when providing data for any document of identity issued by the State, must not register a false or frivolous grievance, and must furnish only verifiably authentic information when exercising rights of correction or erasure. The Schedule attaches a Rs 10,000 cap on penalty for breach of Section 15.

05 · § 8(6) + RULE 7 · BREACH NOTIFICATION

The breach clock, read carefully.

Earlier compliance commentary, including some prior Warrant content, has compressed Section 8(6) into a single "72-hour" claim. The text does not say 72 hours. It says intimation in such form and manner as may be prescribed. The 72-hour clock lives in Rule 7 of the DPDP Rules 2025, where MeitY has now prescribed the form and manner.

Rule 7(1) requires the Data Fiduciary to give intimation of a personal data breach to each affected Data Principal without delay, and in concise, clear, and plain language. Rule 7(2) requires the Data Fiduciary to give intimation to the Board, in two stages. First stage: without delay, with the description of the nature, extent, timing, and location of the breach and its likely impact. Second stage: within 72 hours of becoming aware of the breach, or such longer period as the Board may, on a request made in writing, allow, with the broad facts and the cause, mitigation taken, identification of persons responsible, and a summary of intimations given to affected Data Principals.

The Rule does not introduce a materiality threshold. Any unauthorised acquisition, access, use, disclosure, alteration, or loss of personal data is a personal data breach for the purposes of the obligation. The defensive posture is now: detect, notify both populations within the prescribed window, document the cause and the corrective action, and preserve the chain back to the source event.

T₀ · DETECT · Data Fiduciary becomes aware of a personal data breach. The clock starts.
T₀ · FIRST INTIMATION · Without delay: nature, extent, timing, location, likely impact. Both to the Board and to affected Data Principals.
+72h · DETAILED REPORT · To the Board: broad facts, cause, mitigation, identification of persons responsible, summary of intimations to Data Principals.
Rs 200 cr · CEILING · Schedule item against Section 8(6). Sized under Section 33(2). Effective from 13 May 2027.

06 · § 1(2)(b) · TERRITORIAL APPLICATION

Where the Act reaches.

The extra-territorial application of the DPDP Act is in Section 1, not Section 16. Earlier Warrant content cited Section 16 as the extra-territorial section. That is a regression. Section 16 governs the onward transfer of personal data outside India, which is a different question. The reach of the Act onto a foreign-established data fiduciary is the Section 1(2)(b) clause.

It extends to the whole of India and applies to—… (b) the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India. DPDP Act 2023 · § 1(2)(b)

The hook is "in connection with any activity related to offering of goods or services to Data Principals within the territory of India." The construction is broad. A US-incorporated lender taking applications from Indian residents is in. A Singapore-incorporated SaaS vendor processing employee data of an Indian customer's workforce is in. Establishment in India is not the predicate. Targeting of Data Principals in India is.

Section 16, by contrast, governs transfer. Sub-section (1) permits transfer of personal data by a Data Fiduciary outside India, subject to such restrictions as the Central Government may, by notification, impose in respect of any country or territory outside India. Sub-section (2) clarifies that nothing in Section 16 restricts the applicability of any law for the time being in force in India that provides for a higher degree of protection on transfer. The architecture is permissive-with-blacklist, not whitelist-with-adequacy as under GDPR Articles 44 to 49.

07 · CHAPTER V · THE BOARD

The Data Protection Board of India, per Sections 18 to 26.

The Data Protection Board of India is the regulator. The earlier Warrant content cited Chapter VIII and Section 27 onwards for the Board. That is a regression. The Board is established under Section 18 in Chapter V of the Act. Chapter VIII is Penalties and Adjudication, where Section 33 sits. The two are different chapters and answer different questions.

The Central Government shall, by notification, establish, for the purposes of this Act, a Board to be called the Data Protection Board of India. DPDP Act 2023 · § 18(1)

Section 19 governs composition. The Board is to consist of a Chairperson and such number of other Members as the Central Government may notify. Members must be persons of ability, integrity, and standing with special knowledge or practical experience in data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or in any other field which in the opinion of the Central Government may be useful. At least one member must be an expert in the field of law.

Section 20 sets the term at two years with eligibility for re-appointment. Section 21 lists disqualifications. Section 27 sets out the powers and functions of the Board, the most operative being directing remedial or mitigation measures in the event of a personal data breach, inquiring into a breach of the provisions of the Act, and imposing penalties as provided under the Act.

The operational status of the Board, as at 9 May 2026, is the half-step. By the MeitY notification of 13 November 2025, Sections 1, 2, and 18 to 26 of the Act, and Rules 1, 2, and 17 to 21 of the DPDP Rules 2025 came into force. The Board has legal existence. It has the power to set its procedure under Section 23. Public reporting through April 2026 indicates the Chairperson and full slate of Members had not yet all been appointed. The search-cum-selection committee process under the Rules has been initiated. The Board's substantive enforcement clock is running quietly. It does not yet bite. It bites on 13 May 2027, when the Schedule penalties attach.

08 · DPDP RULES 2025

What the Rules added.

The DPDP Rules 2025 were notified by the Ministry of Electronics and Information Technology by Gazette notification on 13 November 2025. They run twenty-three rules in seven schedules. The Rules are not new obligations. They are the prescribed form and manner for the obligations the Act delegates. Each "as may be prescribed" in the Act points to a Rule.

The Schedule to the Rules sets a phased commencement. Three groups.

PHASE I
In force on 13 November 2025: Rules 1, 2, and 17 to 21. The Board apparatus, search-cum-selection committee, and procedural rules. EFFECT · the Board exists. The Chairperson and Members can be appointed. Procedures can be set.
PHASE II
In force on 13 November 2026: Rule 4. Registration and obligations of Consent Managers. EFFECT · Section 6(7) becomes operationally available. Data Principals get a registered intermediary route to consent.
PHASE III
In force on 13 May 2027: Rules 3 and 5 to 16, and 22 to 23. Notice form, verifiable consent, breach intimation form, retention duration, contact information, processing of children's data, Significant Data Fiduciary obligations, transfer restrictions, and exemptions. EFFECT · the substantive obligations under Sections 4 to 17 of the Act, and the Schedule penalties under Section 33, become enforceable.

The most operationally consequential rules to know now, in advance of 13 May 2027:

Rule 3. Form and content of notice under Section 5. The notice must be in clear and plain language, accessible independently of any other information, and itemised against the personal data, the specified purpose, the goods or services involved, the description of rights of the Data Principal, and the manner of complaint to the Board.

Rule 7. Form and manner of intimation of personal data breach. First intimation without delay. Detailed report to the Board within 72 hours of awareness, or such longer period as the Board may allow on a written request. Intimation to each affected Data Principal without delay, in concise, clear, and plain language, and in any of the languages specified in the Eighth Schedule to the Constitution.

Rule 8. Time period for retention by certain Data Fiduciaries and the deemed-erasure trigger. For Data Fiduciaries falling within the prescribed classes (operationally, large e-commerce, social media intermediaries, and online gaming intermediaries above prescribed user thresholds), the deemed-erasure window under Section 8(8) is three years from the last engagement, after which Section 8(7) erasure applies.

Rule 12. Additional obligations of Significant Data Fiduciaries. Annual Data Protection Impact Assessment, annual audit by an independent data auditor, observation of due diligence by the Significant Data Fiduciary in respect of any algorithmic software it deploys, and verification that personal data flowing into algorithmic decisioning is not used in a manner that poses a risk to rights of Data Principals.

Rule 15. Restrictions on transfer of personal data outside India. The Data Fiduciary must meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of, or any agency of, such a foreign State. The Rule does not enumerate countries; the architecture is permissive-with-future-blacklist.

09 · FIELD MAPPING

Where Warrant maps DPDP.

§ 8(3)
Completeness, accuracy, and consistency for personal data feeding a decision affecting the Data Principal. FIELD · trace.actions[*].input_quality (completeness_score, freshness_ts, source_provenance, decision_relevance) bound to model-output validation gate.
§ 8(4)
Appropriate technical and organisational measures. FIELD · per-trace record mapped to the § 8(4) technical-and-organisational-measures obligation, independently verifiable without contacting Warrant.
§ 8(5)
Reasonable security safeguards to prevent personal data breach. FIELD · per-trace control_state (encryption_at_rest, encryption_in_transit, access_control_list, key_rotation_age_days, processor_subcontract_hash).
§ 8(6) + Rule 7
Intimation to Board and Data Principals; first intimation without delay, detailed within 72 hours. FIELD · breach_event.first_intimation_ts and breach_event.detailed_report_ts, each independently verifiable without contacting Warrant, against breach_event.detected_at as T₀.
§ 8(7)
Erasure on consent withdrawal or specified purpose ceasing. FIELD · trace.actions[*].retention_basis and trace.lifecycle.erasure_event with proof of deletion that is independently verifiable without contacting Warrant.
§ 11
Right to access summary, identities of recipients, and prescribed information. FIELD · trace.lineage[] and trace.disclosure_log[] addressable by data_principal_id, with redaction policy inherited from Rule 3 notice.
§ 16 + Rule 15
Cross-border transfer subject to Central Government order. FIELD · trace.actions[*].destination_jurisdiction and per-jurisdiction policy_check_ts against current MeitY notification list.
10 · SECTORAL STACK

DPDP, RBI FREE-AI, and the sectoral overlay.

The DPDP Act applies to every Data Fiduciary processing digital personal data in India, full stop. The sectoral regulators do not displace it. They stack on top. A regulated bank deploying an AI agent in retail credit operates under at least three concurrent obligation layers.

The first layer is the DPDP Act and Rules. Section 8 obligations on accuracy, security, breach, and erasure attach. Section 16 transfer restrictions attach. The Board is the supervisor for the personal-data dimension.

The second layer is the Reserve Bank of India guidance. The RBI Framework for Responsible and Ethical Enablement of AI (FREE-AI) report, released by the FREE-AI Committee in 2025, sets out seven sutras and twenty-six recommendations across six strategic pillars covering infrastructure, capacity, governance, protection, assurance, and policy. The recommendations land on regulated entities through subsequent RBI Master Directions and circulars. The FREE-AI overlay does not weaken Section 8; it strengthens it for regulated entities and adds explainability, model risk management, and human override duties beyond the DPDP floor.

The third layer is sector-specific. SEBI's retail algo framework and AI/ML disclosure norms attach to brokers and asset managers. IRDAI's information and cyber security guidelines and outsourcing directions attach to insurers. CERT-In's six-hour incident notification rule of 28 April 2022, made under Section 70B(6) of the Information Technology Act 2000, runs alongside the DPDP 72-hour clock for cyber-security incidents. Six hours to CERT-In. Without delay then 72 hours to the Board. Both apply. Both must be evidenced.
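The two clocks above, evaluated over a breach record, as an added example that is not part of the original page or of Warrant's code. The names detected_at, first_intimation_ts and detailed_report_ts follow the page's field mapping; certin_report_ts and board_extended_deadline are hypothetical, both clocks are assumed to start at the same T₀, and the timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

BOARD_DETAILED_WINDOW = timedelta(hours=72)  # Rule 7 detailed report, as described on this page
CERT_IN_WINDOW = timedelta(hours=6)          # CERT-In six-hour rule, as described on this page


@dataclass
class BreachEvent:
    detected_at: datetime                                # T0: Data Fiduciary becomes aware
    first_intimation_ts: Optional[datetime] = None       # "without delay": no numeric limit
    detailed_report_ts: Optional[datetime] = None        # detailed report to the Board
    certin_report_ts: Optional[datetime] = None          # hypothetical field name
    board_extended_deadline: Optional[datetime] = None   # hypothetical: longer period allowed by the Board


def require_aware(name, ts):
    """Reject naive timestamps: a deadline computed without a UTC offset is not evidence."""
    if ts is not None and ts.utcoffset() is None:
        raise ValueError(f"{name} must carry a UTC offset")


def clock_status(sent, t0, deadline, now):
    """Classify one notification against its deadline."""
    if sent is not None and sent < t0:
        return "inconsistent"                      # notification predates awareness
    if sent is not None:
        return "met" if sent <= deadline else "late"
    return "pending" if now <= deadline else "overdue"


def evaluate(event, now):
    """Return the state of each clock for one breach event as of `now`."""
    for name, ts in vars(event).items():
        require_aware(name, ts)
    require_aware("now", now)

    t0 = event.detected_at
    board_deadline = t0 + BOARD_DETAILED_WINDOW
    if event.board_extended_deadline is not None:
        # An extension can only lengthen the window, never shorten it.
        board_deadline = max(board_deadline, event.board_extended_deadline)
    certin_deadline = t0 + CERT_IN_WINDOW

    first = event.first_intimation_ts
    if first is None:
        first_state, elapsed = "missing", None
    elif first < t0:
        first_state, elapsed = "inconsistent", None
    else:
        # No threshold is applied here; the elapsed time is reported for review.
        first_state, elapsed = "sent", first - t0

    return {
        "first_intimation": {"status": first_state, "elapsed": elapsed},
        "detailed_report": {
            "status": clock_status(event.detailed_report_ts, t0, board_deadline, now),
            "deadline": board_deadline,
        },
        "cert_in": {
            "status": clock_status(event.certin_report_ts, t0, certin_deadline, now),
            "deadline": certin_deadline,
        },
    }


# Constructed sample data (not real incidents). Mixed offsets are deliberate.
IST = timezone(timedelta(hours=5, minutes=30))
T0 = datetime(2027, 6, 1, 10, 0, tzinfo=IST)
NOW = datetime(2027, 6, 5, 0, 0, tzinfo=timezone.utc)

ON_TIME = BreachEvent(
    detected_at=T0,
    first_intimation_ts=datetime(2027, 6, 1, 11, 0, tzinfo=IST),
    certin_report_ts=datetime(2027, 6, 1, 9, 30, tzinfo=timezone.utc),   # 15:00 IST, 5 h after T0
    detailed_report_ts=datetime(2027, 6, 4, 9, 0, tzinfo=IST),           # 71 h after T0
)
SLIPPED = BreachEvent(
    detected_at=T0,
    certin_report_ts=datetime(2027, 6, 1, 11, 0, tzinfo=timezone.utc),   # 16:30 IST, 6.5 h after T0
)
EXTENDED = BreachEvent(
    detected_at=T0,
    board_extended_deadline=datetime(2027, 6, 10, 10, 0, tzinfo=IST),
)

if __name__ == "__main__":
    for label, ev in (("on_time", ON_TIME), ("slipped", SLIPPED), ("extended", EXTENDED)):
        print(label, evaluate(ev, NOW))
```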

11 · AI IMPLICATIONS

What Section 8 means for an AI agent.

Read Section 8(3) at the speed of an automated decision system. The clause attaches when personal data is "likely to be used to make a decision that affects the Data Principal." For a credit-scoring agent, an underwriting agent, a fraud-screening agent, or a hiring-shortlist agent, that condition is satisfied on every run. The accuracy obligation, "completeness, accuracy and consistency," is then the obligation. Three elements. Each separately enforceable.

Completeness reads as: did the agent see the personal data the specified purpose required. A credit-decision agent that decided on a partial bureau pull, where the full bureau pull would have changed the outcome, may fail this leg even if the partial data the agent saw was internally accurate. The Section 33(2) sizing factors include the gravity of the breach. A wrong credit decline made on incomplete data is graver than one made on bad-format data.

Accuracy reads as: was the personal data the agent saw faithful to the source. This is the field where input-validation and source-provenance attestation pay back. A lineage from bureau API to model input, independently verifiable without contacting Warrant, is the answer.

Consistency reads as: did the agent's view of the personal data agree with the same data held by the same Data Fiduciary in adjacent systems. A Data Fiduciary maintaining one address in CRM and another in the credit decisioning system, on the same Data Principal, with no reconciliation, fails the consistency leg even if both are individually accurate.

Section 8(4) reads, for an AI agent, into the technical and organisational measures around the agent itself. The Significant Data Fiduciary regime in Section 10, read with Rule 12, attaches additional duty of due diligence on algorithmic software. The combination is: maintain evidence, on every decision, that the input was complete, accurate, and consistent at the time of decision, and that the model was within its approved purpose.
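One way to record the three legs of Section 8(3) for a single decision, as an added example that is not part of the original page or of Warrant's code. Every function name, field name and sample value is an assumption made for illustration: the bureau payload, the CRM view and the required-field list are constructed, and the digest is plain SHA-256 over canonical JSON.

```python
import hashlib
import json


def canonical_digest(obj):
    """SHA-256 over canonical JSON, so identical content always gives the same digest."""
    canon = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def normalise(value):
    """Compare values across systems without tripping on case or spacing."""
    return " ".join(str(value).split()).casefold()


def check_inputs(model_input, source_payload, source_digest, required_fields, adjacent_views):
    """Evaluate completeness, accuracy and consistency for one decision.

    model_input     what the agent actually saw
    source_payload  the upstream response the input was derived from
    source_digest   digest of that response recorded when it was fetched
    required_fields fields the specified purpose needs for this decision
    adjacent_views  {system_name: {field: value}} held elsewhere by the same Data Fiduciary
    """
    findings = []

    # Completeness: did the agent see every field the purpose required?
    for field in sorted(required_fields):
        if model_input.get(field) in (None, "", [], {}):
            findings.append(["completeness", field, "required field absent from model input"])

    # Accuracy: is the input faithful to the source as it was fetched?
    if canonical_digest(source_payload) != source_digest:
        findings.append(["accuracy", "*", "source payload does not match digest recorded at fetch"])
    for field, value in sorted(model_input.items()):
        if field in source_payload and source_payload[field] != value:
            findings.append(["accuracy", field, "model input differs from source value"])

    # Consistency: does the same attribute agree across adjacent systems?
    for system, view in sorted(adjacent_views.items()):
        for field, value in sorted(view.items()):
            if field in model_input and normalise(value) != normalise(model_input[field]):
                findings.append(["consistency", field, f"differs from value held in {system}"])

    legs = {
        leg: not any(f[0] == leg for f in findings)
        for leg in ("completeness", "accuracy", "consistency")
    }
    record = {"legs": legs, "findings": findings, "source_digest": source_digest}
    # Digest over the record itself, so later alteration of the evidence is detectable
    # by anyone holding the digest.
    record["record_digest"] = canonical_digest(record)
    return record


# Constructed sample data mirroring the cases discussed on this page.
BUREAU = {"pan_last4": "1234", "open_tradelines": 3, "address": "12 MG Road, Pune"}
BUREAU_DIGEST = canonical_digest(BUREAU)
REQUIRED = ["pan_last4", "open_tradelines", "address"]

# Partial bureau pull, and a CRM address that disagrees with the decisioning system.
PARTIAL_INPUT = {"pan_last4": "1234", "address": "12 MG Road, Pune"}
CRM_MISMATCH = {"crm": {"address": "44 FC Road, Pune"}}

# Full input, and a CRM address that differs only in case and spacing.
FULL_INPUT = dict(BUREAU)
CRM_MATCH = {"crm": {"address": " 12 mg road,  pune "}}

if __name__ == "__main__":
    print(check_inputs(PARTIAL_INPUT, BUREAU, BUREAU_DIGEST, REQUIRED, CRM_MISMATCH))
    print(check_inputs(FULL_INPUT, BUREAU, BUREAU_DIGEST, REQUIRED, CRM_MATCH))
```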

This is what an attestation layer does. One artefact per decision, a record mapped to the relevant Section 8 sub-section and retrievable by Data Principal identifier, independently verifiable without contacting Warrant. The DPDP Act does not require this artefact by name. The Schedule penalty exposure for failure to evidence the obligation makes its absence expensive on 13 May 2027.

12 · FAQ

Questions a compliance officer asks first.

Does the DPDP Act apply to a company established outside India?

Yes. Section 1(2)(b) extends the Act to processing of digital personal data outside the territory of India if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India. Extra-territorial scope sits in Section 1, not Section 16. Section 16 governs onward transfer.

What is the breach-notification window under the DPDP regime?

Section 8(6) of the Act requires intimation to the Board and to each affected Data Principal in such form and manner as may be prescribed. Rule 7 of the DPDP Rules 2025 prescribes the manner. First intimation to the Board and to affected Data Principals without delay. Detailed report to the Board within 72 hours of becoming aware, or such longer period as the Board may, on written request, allow.

What is the maximum monetary penalty under the DPDP Act?

The Schedule to the Act caps the penalty for breach of Section 8(5), failure to take reasonable security safeguards, at Rs 250 crore. Failure to give breach intimation under Section 8(6) is capped at Rs 200 crore. Section 33(2) instructs the Board to size the penalty against gravity, repetitiveness, gain realised, mitigation taken, and proportionality.

Is the Data Protection Board of India operational as of May 2026?

Sections 18 to 26 of the Act, governing the establishment of the Board, were brought into force by MeitY notification on 13 November 2025 alongside Rules 1, 2, and 17 to 21 of the DPDP Rules 2025. Public reporting through April 2026 indicates that the Chairperson and full slate of Members had not yet all been appointed. Substantive Section 8 obligations and Schedule penalties become enforceable on 13 May 2027.

What does Section 8(3) require for an AI agent that decides about a person?

Section 8(3) requires that where personal data processed by a Data Fiduciary is likely to be used to make a decision that affects the Data Principal, or disclosed to another Data Fiduciary, the Data Fiduciary shall ensure its completeness, accuracy, and consistency. For an AI agent making automated decisions, the obligation extends past input data into the decision-relevant feature space and any inter-fiduciary handoff.

How does the DPDP Act sit alongside RBI, SEBI, and IRDAI guidance?

The DPDP Act is the cross-sector floor on personal data processing for every Data Fiduciary in India. Sectoral regulators stack on top. RBI's FREE-AI framework, SEBI's retail algo and AI/ML disclosure norms, and IRDAI's IT and outsourcing directions add domain-specific obligations on Significant Data Fiduciaries operating in regulated finance and insurance. CERT-In's six-hour cyber-incident clock runs in parallel.

What is a Significant Data Fiduciary?

Section 10 empowers the Central Government to notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary, having regard to the volume and sensitivity of personal data, risk to rights of Data Principals, sovereignty and integrity of India, security of the State, electoral democracy, and public order. SDFs carry additional obligations to appoint a Data Protection Officer based in India, an independent data auditor, and to undertake periodic Data Protection Impact Assessment and audit.

How do I produce a DPDP evidence package today?

Drop the agent's execution trace at warrant.build/demo. Warrant produces a PDF mapped to Section 8(3), 8(4), 8(5), 8(6), 8(7), and Section 11 per action — a record mapped to each specific DPDP obligation, independently verifiable without contacting Warrant. The artefact survives a Section 27 Board inquiry by being retrievable by Data Principal identifier and verifiable independently of the producer's infrastructure.

13 · READ THE SOURCE

Read the source directly.

Authored by Warrant Compliance, the regulatory-analysis function at Warrant. Editorial commentary on regulatory text. Not legal advice. Verbatim quotations of Sections 1, 2, 4, 6, 8, 11, 16, and 18 of the Digital Personal Data Protection Act, 2023 reflect the official English-language text published by the Ministry of Electronics and Information Technology, Government of India. References to the DPDP Rules, 2025 reflect the Gazette notification of 13 November 2025 and the phased commencement Schedule attached to the Rules. Operational status of the Data Protection Board of India is stated as of 9 May 2026; subsequent appointments may have changed the position.