India has taken a landmark step in digital regulation by formally bringing into force the Digital Personal Data Protection Act, 2023 (DPDP Act), along with its implementing rules. This marks the nation’s first comprehensive law dedicated to protecting digital personal data, placing new obligations on firms operating in the crypto and artificial intelligence (AI) sectors and reshaping the privacy landscape.

What Has Changed

  • The Indian government has notified the Digital Personal Data Protection Rules, 2025, giving legal effect to the DPDP Act.
  • Under the new regime, for the first time in India:
    • Data fiduciaries (organisations that collect or process personal data) must obtain verifiable consent from users, especially when children or persons with disabilities are involved.
    • Organisations must notify individuals and the newly established Data Protection Board of India in case of data breaches.
    • There are requirements for data retention limits, data erasure obligations, and transparency (e.g., publishing a Data Protection Officer’s contact, grievance redressal).
  • The law also introduces the concept of a “significant data fiduciary” (SDF): an entity that processes large volumes of data or highly sensitive data and is subject to stricter rules such as localisation of some data flows.

Why This Matters for Crypto and AI

Crypto sector implications: Although the law is not specifically limited to cryptocurrencies, the cross-border and data-intensive nature of crypto platforms means they must now carefully assess how they handle user data in India. Platforms offering services to Indian users, or processing Indian residents’ data even outside India, fall under the act’s jurisdiction.
Key areas that will now draw regulatory scrutiny: user identity data (KYC/AML), transaction metadata, and behavioural profiling (especially for algorithmic trading or recommendation engines).

AI and algorithmic systems: AI applications often rely on large datasets, behavioural tracking, and profiling. With India strengthening data-collection rules, AI firms will need to ensure their data pipelines comply with verifiable consent, the ability for users to opt out, and robust security safeguards. This also intersects with proposed rules on AI-generated content in India.
The law thus serves as a foundational piece for India’s broader digital ecosystem regulation, signalling that AI systems cannot operate outside of data-protection norms.

Some of the Immediate Impacts and Challenges

  • Companies have been given a transition window (12-18 months) to comply with many of the obligations.
  • The definition and identification of “significant data fiduciaries” remain unclear; firms must prepare for heavier compliance obligations if designated as such.
  • Data-localisation and cross-border data-flow restrictions for SDFs may increase operating costs, especially for international crypto/AI platforms.
  • While the law strengthens user rights and transparency, some stakeholders have flagged concerns about government access or exemptions (e.g., for public interest) that may blur privacy protections.

What to Watch Going Forward

  • How the government defines and notifies SDFs, and the scope of data flows that must remain inside India.
  • How crypto platforms and AI firms revise their consent-management systems, breach-reporting workflows, and data-erasure protocols to meet the rules.
  • Whether future regulations articulate detailed rules for AI incident-reporting, algorithmic transparency, and misuse of predictive data (some academic work highlights this gap).
  • How enforcement develops: whether the Data Protection Board issues guidelines, chooses high-profile cases, and sets precedents impacting global platforms.

FAQs

Q1: When exactly did India’s data-protection law come into effect?
The DPDP Act was passed in August 2023, and its rules (the DPDP Rules, 2025) were notified in November 2025, making many key provisions operative now.

Q2: Does this law apply to crypto exchanges and blockchain platforms?
Yes. Any organisation processing digital personal data of individuals in India (or offering goods/services to them) falls under the law’s scope, which means crypto platforms must comply if they collect, store or process user data.

Q3: How does the law affect AI companies and data-heavy services?
AI and data-intensive services will need to ensure the data they collect is subject to verifiable consent, can be deleted/erased when required, and is secured. They should also monitor profiling practices, especially for children or vulnerable groups.

Q4: Are there heavy penalties for non-compliance?
Yes. Although the rules are being phased in, the law allows for meaningful penalties, which may include significant fines and other regulatory actions.

Q5: What should a crypto or AI company operating in India do now?
Start by auditing data flows (what data is collected and processed), consent mechanisms, data-retention policies, breach-notification readiness, and localisation/cross-border transfer practices. Appoint a Data Protection Officer (if required), set up grievance redressal, and get legal guidance on classification as an SDF.