An overview of the key legal developments in the AI and Data Privacy/Data Protection space in India – since January 2024.
1. Introduction
Importance of AI and Data Privacy
Having started as an aid for the better functioning of machines and for collecting or compiling large amounts of data for fast statistics, AI has evolved drastically in the past few years. Humans are now surrounded by Artificial Intelligence. From healthcare to finance and e-commerce, AI systems analyze vast amounts of data to deliver personalized experiences, optimize operations, and predict outcomes. Technologies like Alexa and Siri, and the more recently introduced ChatGPT and Gemini, work on algorithms that collect data from different sources.
However, concerns arise that Artificial Intelligence, while holding so much data, may mishandle or misuse it. AI works on algorithms that give it the commands to function. Algorithms can be tampered with easily, leading to a breach of someone’s private data that may have been collected for a medical or similar purpose. Apps like OpenAI raise issues of copyright protection and the protection of original work. Moreover, data privacy has been an issue on many of the social media apps and platforms in the contemporary world.
For example, deepfakes of famous public figures and celebrities are circulated on a daily basis, infringing upon their right to privacy. This leads to the demand for stringent laws that can regulate AI while respecting the data privacy of individuals.
Personal data is the information that relates to an identified or identifiable individual. Businesses as well as government entities process personal data for delivery of goods and services. Processing of personal data allows understanding preferences of individuals, which may be useful for customisation, targeted advertising, and developing recommendations. Processing of personal data may also aid law enforcement. Unchecked processing may have adverse implications for the privacy of individuals, which has been recognised as a fundamental right.[1] The Supreme Court of India recognised privacy as a fundamental right and highlighted the need for a comprehensive framework for data protection.
In order to curb the misuse of information and protect personal or private data, the government adopted the Digital Personal Data Protection Act, 2023 in July 2023.
2. Purpose
The purpose of this document is to provide a comprehensive overview of the key legal developments in the fields of Artificial Intelligence and Data Privacy/Data Protection in India since January 2024. It aims to analyze recent legislative changes, judicial pronouncements, and regulatory updates.
3. Key Legal Developments
3.1 The Digital Personal Data Protection Act, 2023[2]
The Digital Personal Data Protection Act, 2023 (DPDP Act), was enacted in August 2023 to regulate data fiduciaries and their actions in maintaining the privacy of Data Principals (users). However, the enactment of the Act alone was not enough, since it did not provide clear rules establishing proper guidelines until 3rd January 2025.
The Union Government released the Draft Digital Personal Data Protection Rules 2025 on 3rd January 2025 with the aim of enforcing the provisions of the DPDP Act, 2023. They were open for public consultation and feedback until March 05, 2025 on the portal.
3.2 Key features of Draft Digital Personal Data Protection Rules 2025[3]
The Draft Digital Personal Data Protection Rules aim to safeguard citizens’ rights for the protection of their personal data. These rules seek to operationalize the Digital Personal Data Protection Act, 2023 (DPDP Act), in line with India’s commitment to create a robust framework for protecting digital personal data.[4]
The rules provide that if an individual’s personal data is breached through a cyber-attack, the data fiduciary, be it a social media entity or any website, must inform the affected person. The details of the breach, including its nature, timing and location, must also be shared. The data fiduciary must also notify the Data Protection Board with detailed updates within 72 hours.
The rules empower citizens by giving them greater control over their data. Provisions for informed consent, the right to erasure and grievance redressal enhance trust in digital platforms.[5]
3.3 Protecting Children’s Data
Children below the age of 18 will need parental consent to open social media accounts. The organisation must verify that the person giving consent is indeed the parent or guardian and is an adult.
To verify consent, fiduciaries will use government IDs or digital identity tokens such as digital lockers. However, educational institutions and child welfare organisations may be exempted from some provisions.
3.4 Data Protection Board of India
Section 18 of the DPDP Act, 2023, provides for the establishment of a board by the central government. It will act as an independent body tasked with overseeing the implementation and enforcement of the DPDP Act. The Board has been envisaged as an online complaint resolution mechanism, with all its proceedings being conducted online. Once established, the Board will conduct inquiries based on complaints, address personal data breaches, and issue directions and impose penalties for non-compliance.[6] On July 24, 2024, the Press Information Bureau announced that an amount of INR 20 Million had been granted to MeitY for setting up the Data Protection Board, but the Government is yet to establish the Board.
4. Global Partnership on Artificial Intelligence[7]
Launched in June 2020, GPAI (“gee-pay”) is a multistakeholder initiative bringing together leading experts from science, industry, civil society, international organizations and government that share values to bridge the gap between theory and practice on AI by supporting cutting-edge research and applied activities on AI-related priorities.[8]
Its goal is to bring together research from different fields and highlight important issues for AI experts. It aims to encourage global teamwork, avoid repeated efforts, serve as a central resource for AI-related topics, and build trust in AI to support its responsible use and adoption.
Recently, on 3rd July 2024, the 6th meeting of the GPAI ministerial council was held in New Delhi in hybrid mode.
Key Findings of GPAI ministerial council
It recognized AI’s potential to shape the future of our societies and economies.
Acknowledged the risks and challenges AI systems can pose, such as spreading false information and creating harmful biases that lead to discrimination.
Reiterated the commitment towards safe, secure, and trustworthy AI that puts people first through a collaborative and inclusive approach. It also welcomed Serbia’s election as the Lead Chair of GPAI for 2024-25.
5. TRAI Directions to Curb Misuse of Messaging Services[9]
In August 2024, the Telecom Regulatory Authority of India (TRAI) introduced new rules to prevent the misuse of messaging services and protect user data. These rules aim to tackle spam, fraud, and phishing attacks while ensuring user privacy. Here’s what TRAI implemented:
5.1 Tracking Message Senders:
TRAI now requires telecom companies to make promotional messages traceable to their original sender. This ensures accountability and discourages spam and fraudulent messages.
5.2 Monitoring Message Content:
Service providers must watch over the use of message headers (the title or sender ID) and templates (pre-set message formats). If these are misused, the providers must stop the sender from sending further messages until the issue is resolved.
5.3 Blocking Dangerous Links:
Messages containing harmful links, such as those leading to phishing websites or malware downloads, are now banned. This helps protect users from online scams and cyberattacks.
5.4 Strict Enforcement:
Telecom companies must follow these rules strictly. TRAI can penalize violators by suspending their messaging services or blacklisting them.
These measures strengthen data privacy by reducing spam and fraudulent messages, making communication services safer for users. By holding message senders accountable and protecting users from harmful content, TRAI has taken an important step toward building a secure and trustworthy digital environment in India.
6. Some of the Significant Cases that dealt with the issue of Data Privacy in the year 2024.
- ANI VS OPENAI
This case underscores the complexities at the intersection of artificial intelligence, copyright law, and data privacy. It highlights the challenges in protecting proprietary content from unauthorized use in AI training models and raises questions about the adequacy of existing legal frameworks to address such issues in the digital age.[10]
Facts: In November 2024, Asian News International (ANI), a prominent Indian news agency, filed a lawsuit against OpenAI in the Delhi High Court, alleging unauthorized use of its copyrighted content for training AI models, particularly ChatGPT. ANI accused OpenAI of unauthorized use of its content, alleging that OpenAI utilized its news articles, including those behind subscription paywalls, without obtaining proper authorization or licenses, thereby infringing on ANI’s intellectual property rights.
ANI alleges that ChatGPT has generated fabricated news stories falsely attributed to ANI, including fictitious interviews, which could damage the agency’s reputation and credibility.
Stance of OpenAI: OpenAI asserted that its AI models operate within the bounds of fair use principles, arguing that the utilization of publicly available data for training purposes is both legal and transparent. OpenAI also questioned the applicability of Indian law, citing as jurisdictional constraints its lack of physical presence in India and the fact that its servers and training operations are located elsewhere.
Delhi High Court: The Court conducted an initial hearing on November 19, 2024, during which ANI’s counsel argued that OpenAI’s actions violated India’s copyright laws. In its January response, OpenAI requested the Delhi High Court to dismiss the case, asserting that only courts in California had jurisdiction over the matter. However, on January 28, the Delhi High Court rejected OpenAI’s jurisdiction argument and opted to hear both jurisdictional and substantive arguments together.
The next hearing is set for March 28, during which the court will continue deliberations on ANI’s copyright infringement claims against OpenAI.
- WHATSAPP FACEBOOK PRIVACY CONTROVERSY
On 18th November 2024, the Competition Commission of India imposed a penalty of 213 crores on Meta, the company that owns WhatsApp, for abusing its dominant position in the market by seeking approval from end users on a ‘take it or leave it’ basis.[11]
Meta Platforms said that it disagreed with the order by India’s competition watchdog that placed data-sharing restrictions between WhatsApp and its other applications and said it would legally challenge the order.[12]
Backdrop
WhatsApp Privacy Policy 2021 Case (Karmanya Singh Sareen vs Union of India)[13]
Facts: In January 2021, WhatsApp introduced a new privacy policy that allowed data sharing between WhatsApp and its parent company, Facebook (now Meta). The data shared included user phone numbers, transaction details, device-related information, etc. This raised concerns that personal data would be used for targeted advertising and profiling on Facebook and other Meta-owned platforms.
Users were required to accept the updated privacy policy to continue using WhatsApp. This “take-it-or-leave-it” approach drew criticism, as it offered no meaningful choice or opt-out option for data sharing, and the matter reached the court.
Supreme Court’s take: As of January 2025, the Supreme Court of India has not yet issued a final judgment on the WhatsApp-Facebook privacy policy case. In the interim, the Supreme Court has directed WhatsApp to allow users to continue using the application without accepting the updated privacy policy. This directive ensures that users who have not agreed to the 2021 policy can still access WhatsApp’s services without any restrictions.
7. Conclusion
The legal landscape surrounding AI and data privacy in India has evolved significantly since January 2024, driven by the implementation of the Digital Personal Data Protection Act, 2023 and the regulatory, judicial, and legislative measures that followed. The introduction of the Data Protection Board of India and sector-specific guidelines emphasizes India’s commitment to safeguarding personal data and ensuring accountability. Additionally, landmark cases such as ANI vs. OpenAI and the WhatsApp Privacy Policy controversy highlight the complexities of data privacy in the age of AI and digital transformation.
Moving forward, it is crucial to strike a balance between fostering innovation in AI technologies and upholding individual privacy rights. Strengthening the legal framework, promoting ethical AI use, and encouraging global collaboration will be vital in building a secure, trustworthy, and human-centric digital ecosystem in India.
[1] Justice K.S. Puttaswamy (Retd) vs. Union of India, W.P. (Civil) No 494 of 2012, Supreme Court of India, August 24, 2017
[2] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
[3] https://innovateindia.mygov.in/dpdp-rules-2025/
[4] https://pib.gov.in/PressReleasePage.aspx?PRID=2090271#:~:text=The%20draft%20Digital%20Personal%20Data,for%20protecting%20digital%20personal%20data.
[5] https://pib.gov.in/PressReleasePage.aspx?PRID=2090271#:~:text=The%20draft%20Digital%20Personal%20Data,for%20protecting%20digital%20personal%20data.
[6] https://www.dlapiperdataprotection.com/index.html?t=authority&c=IN#:~:text=About,been%20established%20under%20this%20regime.
[7] https://indiaai.gov.in/article/india-s-vision-for-ai-shri-jitin-prasada-at-the-gpai-summit-2024#
[8] https://gpai.ai/about/
[9] https://www.mondaq.com/india/telecoms-mobile-cable-communications/1514356/trai-issues-directions-to-access-service-providers-for-taking-measures-to-curb-misuse-of-messaging-services
[10] https://law.asia/ani-vs-openai-legal-case/?utm_
[11] https://www.cci.gov.in/images/pressrelease/en/press-release1731941985.pdf
[12] https://www.reuters.com/technology/meta-appeal-indian-order-that-curbs-data-sharing-between-whatsapp-other-apps-2024-11-19/#:~:text=Nov%2019%20(Reuters)%20%2D%20Meta,would%20legally%20challenge%20the%20order.
[13] Karmanya Singh Sareen & Anr. v. Union of India & Ors. [S.L.P. (C) No. 804 of 2017]