MODULE 04

India DPDP Act + RBI AI/ML Guidelines

Coverage of India's Digital Personal Data Protection Act 2023, RBI's framework for responsible AI/ML in financial services, and MeitY's advisory on AI governance. Essential for auditing AI systems in the Indian regulatory context.

Units: 4
Duration: ~2.5 hrs
Per unit: ~375 min
Practice Qs: 7

Learning objectives
After completing this module, you will be able to:
August 2023 — India's first comprehensive data protection law
AI training data and inference both covered under DPDP
Model governance framework mandatory for financial AI
MeitY advisory on AI model approvals (March 2024)
In this module
4.1 — Digital Personal Data Protection Act 2023 (DPDP Act)
4.2 — DPDP Act and AI Systems
4.3 — RBI Guidelines on AI/ML in Financial Services
4.4 — MeitY and Emerging Indian AI Governance
Practice questions
Q1: What are the key roles defined in the DPDP Act and their GDPR equivalents?

Data Fiduciary (determines purpose/means — GDPR 'controller'), Data Processor (processes on behalf of fiduciary — same in GDPR), Data Principal (individual whose data is processed — GDPR 'data subject').

Q2: What additional obligations do Significant Data Fiduciaries have?

Must appoint a Data Protection Officer based in India, conduct periodic Data Protection Impact Assessments, and undergo independent audits.

Q3: How does the RBI require explainability in AI lending decisions?

AI-driven lending decisions must be explainable to customers with specific, actionable rejection reasons. Opaque 'AI-decided' responses are not acceptable. Independent model validation is required for high-impact models.

Q4: Compare the cross-border data transfer approach of DPDP Act vs GDPR.

DPDP Act uses a 'blacklist' approach — transfers are allowed to all countries except those specifically restricted by the government. GDPR uses a 'whitelist' approach — transfers are restricted unless the destination country has an adequacy decision or appropriate safeguards are in place.

Q5: What is the maximum penalty under the DPDP Act and for what violation?

The maximum penalty is ₹250 crore (~$30M) per instance, applicable for failure to take reasonable security safeguards to prevent a data breach.

Q6: How does India's approach to AI regulation differ from the EU's approach?

India favors sector-specific regulation (RBI for banking, SEBI for capital markets, etc.) combined with voluntary frameworks, while the EU adopted a comprehensive, cross-sector legislative approach through the EU AI Act. India does not currently have a single comprehensive AI law.

Q7: What are the children's data requirements under the DPDP Act?

Processing children's data (under 18 — higher threshold than GDPR's 16) requires verifiable parental consent. Targeted advertising and behavioral tracking of children are prohibited. AI systems in educational contexts must comply.
