Unit 2 of 4

4.2 — DPDP Act and AI Systems

AI systems that process personal data fall squarely under the DPDP Act. This includes training data, inference inputs, and outputs that contain or derive personal information. Consent requirements apply to data collection for AI training.

DPDP Act vs GDPR — Key Differences
Feature
DPDP Act (India)
GDPR (EU)
Right to explanation (automated decisions)
No explicit right; transparency required
Article 22 — right not to be subject to solely automated decisions
Cross-border transfers
Blacklist approach — allowed except restricted countries
Whitelist approach — needs adequacy decision or safeguards
Consent approach
Free, specific, informed, unconditional, unambiguous
Freely given, specific, informed, unambiguous
Children's age threshold
Under 18 years
Under 16 (member states can lower to 13)
DPO requirement
Only for Significant Data Fiduciaries
Required for all controllers meeting criteria
Enforcement body
Data Protection Board of India (DPBI)
Supervisory Authorities in each member state
Lawful bases for processing
Consent + Legitimate uses (narrower)
6 lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests)
EXAM TIP

The DPDP Act uses a 'blacklist' approach for cross-border transfers (allowed except to restricted countries), while GDPR uses a 'whitelist' approach (restricted except to adequate countries). This is a frequently tested distinction.

Children's data: Processing of children's data (under 18) requires verifiable parental consent. Targeted advertising and tracking of children are prohibited. AI systems used in educational contexts must comply with these requirements.

COMMON MISTAKE

India's children's age threshold is 18 — higher than GDPR's 16 (or 13 in some member states). Any AI system processing data of persons under 18 in India triggers enhanced consent requirements.

Key Points
AI training data and inference both covered under DPDP
No explicit right to explanation but transparency required
Cross-border transfers: blacklist (India) vs whitelist (GDPR)
Children's data: verifiable parental consent + no tracking
Higher children's age threshold than GDPR (18 vs 16)
CREATE YOUR CHARACTER ON THE PREP INDEX PAGE TO UNLOCK CHALLENGES
← Previous unitNext unit →