What changed, what's coming, in one paragraph
India does not yet have a dedicated, comprehensive AI law — and as of May 2026, none is in the legislative pipeline. Instead, builders shipping AI products into the Indian market navigate a layered regime: the Information Technology Act 2000, the Digital Personal Data Protection Act 2023 (DPDP), the 10 February 2026 amendment to the IT (Intermediary Guidelines) Rules covering synthetic generated content, and a patchwork of sectoral guidance from the RBI, SEBI, IRDAI and others. The DPDP Act commenced in phases: Phase I (the Data Protection Board) took effect on 13 November 2025; Phase II — provisions pertaining to consent managers — kicks in on 13 November 2026; Phase III — the full substantive obligations on data fiduciaries, processors and rights of data principals — lands on 13 May 2027. The 10 February 2026 IT Rules amendment, operative from 20 February 2026, layers a deepfake and synthetic-media accountability regime over the top. If you are building or selling AI in India, the next twelve months are about getting consent flows, labelling, and cross-border-transfer architecture into shape before enforcement starts.
The four laws that govern AI in India today
There is no single Indian "AI Act" to point at. Treat the regulatory environment as a stack of four overlapping instruments and read them together — failure modes usually come from compliance with one and a blind spot on another.
| Instrument | Year | What it covers | Who it binds |
|---|---|---|---|
| Information Technology Act | 2000 | Cybercrime, electronic records, intermediary liability, computer-related offences | All entities operating computer systems and intermediaries in India |
| DPDP Act | 2023 | Processing of digital personal data, consent, data principal rights, data fiduciary obligations | Any data fiduciary processing digital personal data of Indian residents (including extra-territorially) |
| IT (Intermediary Guidelines) Rules — Feb 2026 amendment | 2026 | Synthetic generated content (deepfakes), intermediary diligence, takedown obligations | Intermediaries hosting or facilitating user content, including AI generation services |
| Sectoral guidance (RBI, SEBI, IRDAI, MeitY advisories) | Various | Domain-specific rules: lending, securities, insurance, model deployment advisories | Regulated entities in those sectors, plus their AI vendors by extension |
"Processing" under DPDP is defined broadly — wholly or partly automated operations on digital personal data including collection, storage, retrieval, use, disclosure, alignment, and erasure. AI training, inference, fine-tuning and feedback collection all fall inside that definition. There is no carve-out for "AI" as a category, which is the central architectural fact for builders.
Before 13 November 2026, build a one-page "data map" showing every flow of personal data through your model: capture point, lawful basis, storage location, retention period, third-party processors, and cross-border transfer destinations. This single artefact unlocks consent-manager integration, Section 17 monitoring, and any later Significant Data Fiduciary audit. Most teams discover gaps the first time they try to draw it.
10 February 2026 amendment: what it asks of you
On 10 February 2026, the Ministry of Electronics and Information Technology (MeitY) notified amendments to the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules. The amendment, operative from 20 February 2026, specifically targets synthetic generated content — what most builders call deepfakes — and tightens intermediary accountability. The legal architecture remains intermediary-centric (the IT Act has no first-principles regulation of AI models), so the obligations attach to platforms hosting or facilitating synthetic media rather than to model authors directly.
What this means in practice for AI builders:
- Labelling and provenance. Synthetic content surfaced through your service should carry visible identification. C2PA-style provenance metadata is becoming the de facto compliance signal — bake it into your generation pipeline.
- User reporting and grievance. A grievance officer with publicly listed contact details is standard for intermediaries; AI services that meet intermediary thresholds inherit the same obligation.
- Acting on lawful takedown notices. Define service-level windows for responding to takedown demands and document them in your terms.
- Significant social-media intermediary thresholds. The pre-existing significant-social-media-intermediary threshold under the 2021 IT Rules continues to apply — check current MeitY guidance for the live numeric threshold. If your AI product crosses it, expect heightened due-diligence obligations.
The amendment does not, on its face, regulate the act of training a model. It regulates what your platform shows, hosts, generates and propagates. That is a builder's instruction set, not a legal abstraction: ship labelling, ship grievance, ship takedown.
DPDP Phase II — 13 November 2026: the consent-manager runway
Phase II commences exactly twelve months after the Phase I notification, i.e. 13 November 2026. The provisions that come live cover consent managers — a registered class of entity that helps data principals give, manage, review and withdraw consent through an accessible, transparent, and interoperable platform. For a UK reader: think of it as a regulated layer between data principals and data fiduciaries, with shades of the EU's Open Banking consent infrastructure but engineered specifically for personal-data flows.
Why it matters to AI builders: by 13 November 2026, your consent capture cannot rely solely on a checkbox in an onboarding screen if you intend to be defensible. You will want machine-readable consent receipts, the ability to honour withdrawal in near-real-time across your data pipelines, and an architecture that can hand consent state off to a registered consent manager. If you train models on user inputs, withdrawal needs to flow through to the next training cycle's data selection — not just to live inference logs.
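One way to make withdrawal reach the next training cycle, as an added example that is not from this article or from any consent-manager specification: an append-only ledger issues hashed, machine-readable receipts, and training-set selection checks consent at the moment the snapshot is cut. The class, field and purpose names are assumptions, and the sample users are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


class ConsentLedger:
    """Append-only event log; consent state is derived by replaying events."""

    def __init__(self):
        self.events = []

    def record(self, principal, purpose, action, ts):
        if action not in ("grant", "withdraw"):
            raise ValueError("action must be 'grant' or 'withdraw'")
        body = {"principal": principal, "purpose": purpose,
                "action": action, "ts": ts.isoformat()}
        # Receipt id is a hash of the canonical JSON, so edits are detectable.
        canonical = json.dumps(body, sort_keys=True).encode()
        body["receipt_id"] = hashlib.sha256(canonical).hexdigest()[:16]
        self.events.append(body)
        return body  # the machine-readable receipt handed to the user

    def is_allowed(self, principal, purpose, at):
        """Latest event at or before `at` decides; no event means no consent."""
        state = False
        ordered = sorted(self.events, key=lambda e: datetime.fromisoformat(e["ts"]))
        for e in ordered:
            same = (e["principal"], e["purpose"]) == (principal, purpose)
            if same and datetime.fromisoformat(e["ts"]) <= at:
                state = e["action"] == "grant"
        return state


def select_training_records(records, ledger, cutoff):
    """Keep records whose owner consents to 'model_training' at `cutoff`
    (when the training snapshot is cut), not merely at collection time."""
    return [r for r in records
            if ledger.is_allowed(r["principal"], "model_training", cutoff)]


def day(n):
    return datetime(2026, 11, n, tzinfo=timezone.utc)


def demo():
    """Constructed sample: u2 withdraws on day 10; u3 never agreed to training."""
    ledger = ConsentLedger()
    ledger.record("u1", "model_training", "grant", day(1))
    ledger.record("u2", "model_training", "grant", day(1))
    ledger.record("u3", "support", "grant", day(1))
    ledger.record("u2", "model_training", "withdraw", day(10))
    owners = ["u1", "u2", "u3", "u2"]
    return ledger, [{"id": i, "principal": p} for i, p in enumerate(owners)]
```

Consent is scoped per purpose, so a grant for support never admits a record into training, and a snapshot cut after day 10 drops both of u2's records.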
DPDP Phase III — 13 May 2027: full substantive obligations
Phase III, eighteen months from notification, brings the rest of the Act into force. This is where the obligations on data fiduciaries — including the heightened ones on Significant Data Fiduciaries — become enforceable, where data-principal rights to access, correction and erasure are exercisable, and where the Data Protection Board's adjudicatory powers fully engage. Penalties under the Act run up to ₹250 Cr for the most serious classes of breach by Significant Data Fiduciaries. The 13 May 2027 date is the one to plan capital expenditure and security spend against.
For AI builders, the biggest items in practice are:
- Notice and consent — clear, plain-language notice at or before collection, in English and the data principal's chosen Indian language (one of the scheduled Indian languages).
- Purpose limitation — model training as a "purpose" needs explicit notice; reusing customer-support transcripts to train a base model later is the kind of step regulators will be alert to.
- Data principal rights — access, correction, erasure, grievance redressal — operationally answerable through your product.
- SDF designation — if you're notified as a Significant Data Fiduciary, expect a Data Protection Officer requirement (based in India), independent audits, and Data Protection Impact Assessments.
- Children's data — verifiable parental consent and bans on tracking, behavioural monitoring, and targeted advertising directed at children.
Builder checklist by November 2026
The next eighteen months break naturally into four working sprints. Treat the table as a backlog, not a wishlist.
| Workstream | By Phase II (13 Nov 2026) | By Phase III (13 May 2027) |
|---|---|---|
| Consent flows | Plain-language notice, granular purpose toggles, machine-readable consent receipts, multilingual support | Live integration path with a registered consent manager; withdrawal honoured in real time across pipelines |
| Data inventory | Complete data map: source, purpose, lawful basis, retention, third parties, transfer destinations | Inventory wired to access/erasure tooling; cross-team incident playbooks |
| Synthetic content (Feb 2026 amendment) | Provenance metadata in generation pipeline; visible labelling; grievance officer published | Audit logs of takedowns, response-time SLAs documented and tested |
| Cross-border transfers | Maintain a live country-by-country data-flow register; subscribe to MeitY notifications | Rapid-rerouting capability if a country is added to a restriction list under Section 17 |
| Model training data | Documented lawful basis for every dataset; opt-out path for users whose data feeds training | Training-pipeline filters that exclude erased or withdrawn records before each retraining cycle |
| Children's data | Identify if your product is "directed at children"; design verifiable parental consent | Behavioural monitoring and targeted advertising filters in place; certified flow |
| Security & breach | Reasonable security safeguards in place; logged; tested; incident-response runbook | Breach notification path to the Data Protection Board operationalised; tabletop exercised |
Cross-border data transfer rules — DPDP Section 17
Section 17 of the DPDP Act is the Indian answer to a question Europe has been arguing about for a decade: where can personal data go? The answer in India is, architecturally, permissive: transfer of personal data outside India is allowed unless the Central Government, by notification, restricts transfer to specific countries or territories. There is no equivalent of the EU's adequacy-decision framework, no standard contractual clauses regime, and (as of May 2026) no published negative list. But the legislative power exists, and one notification can change a builder's storage architecture overnight.
For AI training data — voice samples for an Indic-language ASR, image data for a fashion-tech model, chat logs for a customer-support agent — Section 17 is the clause to architect against. Practical guidance: maintain the option to host Indian-resident user data in India for training and inference, even if you currently don't, so that a future restriction can be honoured without a six-month migration. Assume sectoral rules (RBI on payment data, for example) are stricter than the DPDP baseline and design to the strictest applicable rule.
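The data map described earlier and the Section 17 check described here can share one structure. The following is an added example, not from this article: a map held as records, with one function that lists incomplete entries and one that lists flows touching a restricted country. Field names are assumptions, the flows are constructed, and "XA"/"XB" are placeholder country codes because no restriction list has been published.

```python
from dataclasses import dataclass, field

# Fields every flow must fill in before the map counts as complete.
REQUIRED = ("capture_point", "lawful_basis", "storage_location", "retention_days")


@dataclass
class Flow:
    name: str
    capture_point: str = ""
    lawful_basis: str = ""
    storage_location: str = ""      # country code where the data rests
    retention_days: int = 0
    processors: list = field(default_factory=list)   # (vendor, country) pairs
    transfer_destinations: list = field(default_factory=list)


def find_gaps(flows):
    """Return {flow name: [missing fields]} for incomplete entries."""
    gaps = {}
    for f in flows:
        missing = [k for k in REQUIRED if not getattr(f, k)]
        if missing:
            gaps[f.name] = missing
    return gaps


def affected_by_restriction(flows, restricted):
    """Flows that store, process or transfer data in any restricted country."""
    hits = {}
    for f in flows:
        countries = {f.storage_location, *f.transfer_destinations,
                     *(country for _, country in f.processors)}
        touched = sorted(countries & set(restricted))
        if touched:
            hits[f.name] = touched
    return hits


# Constructed sample map (hypothetical flows and vendors).
DATA_MAP = [
    Flow("support_chat_logs", "web widget", "consent", "IN", 365,
         [("llm-vendor", "XA")], ["XA"]),
    Flow("voice_samples_asr", "mobile app", "consent", "XB", 730, [], ["XB"]),
    Flow("eval_feedback", "thumbs up/down", "", "IN", 0, [], []),
]
```

Running `affected_by_restriction` against each new notification turns the rapid-rerouting question into a lookup over the register rather than an architecture review.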
The ₹250 Cr penalty cap under DPDP attaches to Significant Data Fiduciary breaches — not theoretical for a deep-pocketed AI platform. A single mass-incident where a deepfake leak intersects a personal-data breach (think: voice clone trained on customer-support audio) could trigger penalty exposure under DPDP and takedown obligations under the Feb 2026 IT Rules amendment simultaneously. The compliance failure modes compound across instruments.
What UK and global builders selling INTO India must understand
The DPDP Act has extra-territorial reach. It applies to processing of digital personal data outside India where the processing is in connection with offering goods or services to data principals in India. A UK SaaS firm with paying Indian customers is, in most cases, a data fiduciary under the Act, regardless of where its servers sit. The compliance implications are not hypothetical: notice and consent obligations apply, data-principal rights are exercisable, and the Data Protection Board's jurisdiction reaches you.
The two practical asks for non-Indian builders: (i) appoint clear accountability for DPDP compliance — a named individual or function — even if you are not an SDF and so not formally required to nominate a DPO based in India; (ii) treat any Indian roll-out as a privacy-design milestone, not a localisation or translation task. Multilingual notice, granular purpose-based consent, and a grievance contact reachable from India are launch blockers, not nice-to-haves.
Dual-market reality. An Indian-domiciled AI start-up — say, a Bengaluru voice-agent company serving Indian retail customers — will spend most of its 2026–27 compliance effort on consent flows, sectoral overlays (the RBI's account-aggregator rules sit on top of DPDP for any fintech adjacency), and the practical engineering of erasure across training cycles. A UK SaaS firm selling into India — say, a London-based document-AI platform with an Indian channel partner — has a different priority list: extra-territorial mapping, appointing accountable function holders, multilingual notice, and survival planning for a future Section 17 negative-list notification. Same Act; different starting positions; very different runways.
Builder angle — concrete steps for the next 12 months
If you take only a six-item plan into the next year, make it this one. Each item is sized to a one-engineer-quarter or smaller; none requires a legal retainer to start.
- Q2 2026: Draw the data map. Every flow of personal data, end-to-end, including model-training pipelines. This artefact pays back in every later workstream.
- Q2 2026: Ship the Feb 2026 IT Rules deltas — provenance metadata in any generated output, visible synthetic-content labels, grievance-officer details on the site, takedown response SLA in your terms.
- Q3 2026: Rebuild your consent capture. Granular purpose toggles, plain-language notice in English plus at least one Indian language for your largest user-base region, machine-readable consent receipts.
- Q3 2026: Subscribe to MeitY's notification feed, the IAPP's India tracker, and the Internet Freedom Foundation's case updates. Operationalise a 30-day review cadence.
- Q4 2026: Integrate a consent-manager API path (treat the registered list of consent managers as your roadmap). Test withdrawal flowing through to your next training cycle's data selection.
- Q1 2027: Run a tabletop on a Significant Data Fiduciary designation and on a Section 17 country-restriction notification. Surface the architectural debt; budget the rebuild.
Read this checklist next to our UK AI Code of Practice 2026 guide, our EU AI Act August 2026 high-risk deadline checklist, and our EU AI Act GPAI August 2026 checklist — together they cover the three regimes most builders will live under simultaneously.
Open questions: the Supreme Court challenge, and what could shift
A constitutional challenge to the DPDP Act 2023 and its implementing rules has been filed at the Supreme Court of India. The Court has issued notice; the case is pending. The grounds — broadly framed around the right to privacy, the breadth of executive rule-making power under the Act, and concerns about journalistic exemptions — are serious and worth tracking. But the law remains in force, the commencement dates are unchanged, and enforcement architecture is being built. The pragmatic posture for builders is: comply now, monitor the case, and assume your Phase III obligations land on 13 May 2027 as drafted.
Two other shifts worth pricing in. First, the Central Government has unused power under Section 17 to publish a country-restriction list — a single notification could re-architect cross-border data flows for a class of services. Second, MeitY's pattern over 2024–26 has been to use the IT Rules as a fast-cycle instrument for AI-adjacent issues; further amendments specific to AI agents, autonomous systems or model-deployment thresholds are plausible inside the next twelve months. The Indian regulatory environment in 2026 rewards builders who treat compliance as a continuous engineering discipline, not a one-off project.
This article is editorial — for binding advice on your specific product or operations, consult counsel admitted to practise in India.
Primary sources: IAPP — India DPDPA + AI governance guidelines, DLA Piper — India data protection, AK & Partners — India's AI Governance Regime, EY — DPDP compliance guide, Prime Infoserv — IT Rules 2026 deepfake amendment, and Internet Freedom Foundation — Supreme Court notice on the constitutional challenge.