含羞草社区

含羞草社区 Digital Personal Data Protection Act, 2023 (DPDPA) does not mention artificial intelligence directly, but it significantly affects the technology. AI requires vast amounts of data, often personal data, for training, and it also generates synthetic outputs that can create new forms of harm.

Under the DPDPA, the central legal question is not simply whether personal data is processed, but for what purpose, and how that data is reused across functions. The same input may be used to verify identity, detect fraud, train a model, personalise content, improve accuracy, target advertising or generate insights. From an engineering perspective, that seems efficient; from a legal perspective, it can look dangerously over-bundled.

DPDPA purpose limits AI data use

The DPDPA requires organisations to define purpose and limits the temptation to collect data broadly for unspecified future uses. In practical terms, any organisation using AI should clearly specify the purpose through notice and consent frameworks.

To understand AI-related privacy challenges, it is useful to see the problem in three stages: collection, inference and generation. AI first collects personal data, then creates new data through prediction and profiling, and finally generates synthetic content, cloned identities and fabricated trust.

In India, DigiYatra is a useful example of how AI-linked convenience can quickly become a personal data risk. By using facial recognition to streamline airport entry and boarding, it turned routine travel into a biometric data environment. The system has been defended through the language of privacy by design: decentralised wallet-based storage, encrypted sharing and timely deletion. Yet the real issue is whether it can demonstrate minimisation, retention discipline, and meaningful technical and security controls over such sensitive personal data.

AI collection scales, inference intensifies

Globally, Clearview AI shows what this appetite looks like when it scales without meaningful restraint. Its facial recognition system was built by scraping billions of images from the internet and social media, turning everyday photos into a searchable biometric database. The significance of that example is not only the volume of data collected, but the shift in purpose: images uploaded for social or personal reasons were converted into raw material for secondary use.

Then there are generative AI chat tools, where a text box becomes a collection point for sensitive personal data through prompts. The privacy significance of this became visible in OpenAI’s March 2023 incident, when some users could see titles from other users’ chat histories, as well as payment-related details.

These examples reveal the first stage of the AI landscape: collection at scale. Once biometrics, videos, prompts and behavioural data enter AI-supported systems, the legal question becomes much larger than whether the data was collected lawfully in the first place.

The next shift is even more complex. AI systems do not only collect personal data; they also generate new data about people. The Department of Telecommunications’ ASTR tool, developed by the Centre for Development of Telematics, is an AI and ML-powered facial recognition system designed to identify fraudulent SIM subscriptions. Here, too, the issue is not only collection, but whether the inference is accurate, proportionate and contestable.

AI infers profiles, generates harms

The same pattern plays out more quietly on social media platforms, where recommendation and advertising systems constantly infer what users are likely to engage with, believe or buy. This is one of AI’s most overlooked consequences. It creates a new layer of personal data: risk scores, identity matches, profiles and behavioural predictions.

AI no longer only collects data or draws inferences from it. It now generates entirely new forms of personal data harm through cloned voices, synthetic likenesses, fabricated endorsements and deepfakes capable of causing reputational and financial damage.

This is the conceptual shift of the generative era. Earlier privacy debates focused on what organisations collected and what algorithms inferred. Now the law must also confront what AI systems can manufacture in someone else’s image: a cloned voice, fake endorsement, fabricated video, or synthetic identity persuasive enough to trigger real-world loss.

The DPDPA, in other words, can no longer be concerned only with lawful collection, storage and transfer, but also with reuse, impersonation, platform responsibility and the harms AI can create at scale. Taken together, these developments show why 含羞草社区 DPDPA framework matters so much in the age of AI.

Shantanu Sahay is a partner and Pratyush Acharya is an associate, both from the litigation and data governance practice, at Anand and Anand