DPDP Act Automated Decisions: AI and Profiling Rules
How the DPDP Act 2023 applies to automated decision-making, AI profiling, and algorithmic outputs that affect Data Principals — what disclosures are required and what safeguards apply.
- The DPDP Act does not have a dedicated "automated decision-making" provision equivalent to GDPR Article 22, but general obligations of purpose limitation, accuracy, and transparency apply to AI-driven decisions.
- Automated decisions that use personal data must have a declared purpose and a lawful basis — they are not exempt from the consent and purpose limitation framework.
- Section 8(3) requires completeness, accuracy and consistency wherever personal data is likely to be used to make a decision that affects the Data Principal. Automated profiling built on an incorrect input repeats the same error for everyone it scores.
- The right to access (Section 11) applies to automated decision outputs — Data Principals can request information about decisions made about them.
- Organisations notified by the Central Government as Significant Data Fiduciaries under Section 10(1) take on the Section 10(2) obligations: appointing a Data Protection Officer and an independent data auditor, and conducting periodic Data Protection Impact Assessments (DPIAs). Large-scale AI processing of personal data is a likely trigger for such a notification.
Automated Decision-Making and the DPDP Act
Automated decision-making — where algorithms or AI systems process personal data to produce decisions or recommendations that affect individuals without meaningful human review — is a growing concern in data protection globally. Credit scoring, insurance underwriting, fraud detection, content moderation, job screening, and dynamic pricing are all examples of automated decision-making that can significantly affect individuals.
The DPDP Act 2023 does not contain a dedicated provision equivalent to GDPR Article 22, which gives individuals specific rights regarding automated individual decision-making including profiling. However, the Act's general framework applies fully to automated processing: the lawful basis requirement, purpose limitation, data accuracy, and data subject rights all govern how personal data is used in AI and algorithmic systems.
The absence of a specific automated decision-making provision does not mean this area is unregulated. Rules made under the Act, and decisions of the Data Protection Board, may address AI and automated processing specifically. Indian companies building AI products should implement good practice now, that is transparency, accuracy, and access to decision information, rather than waiting for explicit regulatory requirements.
Lawful Basis for AI and Profiling Activities
Every automated processing activity must have a lawful basis under Section 4. For AI systems that process personal data: what is the declared purpose? What is the lawful basis — consent or a Section 7 legitimate use? Was the purpose disclosed in the privacy notice at the time of data collection? These questions apply as much to AI model training and inference as to any other processing activity.
Training an AI model on personal data requires a lawful basis for the model training activity, separate from the basis for the original data collection. If you collected customer interaction data to provide a support service, using that same data to train a support quality scoring AI is a secondary purpose that requires its own basis, either fresh consent or a documented legitimate use. Anonymising the data before training can take it outside the Act for some use cases, but only if the anonymisation is genuine and demonstrable: records that merely replace names with hashed or pseudonymous identifiers, or that remain linkable back to the customer, are still personal data.
For real-time profiling — generating scores, classifications, or predictions about individuals based on their personal data — the profiling activity itself must be disclosed in the privacy notice. If your product generates a "churn risk score," a "creditworthiness estimate," or a "fraud probability," users should know this is happening and understand that it affects how they are treated within your product.
Data Accuracy in AI-Driven Decisions
Section 8(3)(a) imposes the completeness, accuracy and consistency obligation precisely where personal data is likely to be used to make a decision that affects the Data Principal, so it applies squarely to AI-driven decision systems. Automated decisions amplify the harm of an inaccurate input at scale: a flawed input that causes a manual human decision to be wrong affects one person, whereas the same flaw in an automated scoring model that processes thousands of applications can cause systematic harm to an entire affected population.
AI model training data should be subject to data quality checks before use. Outdated data, biased samples, and incorrect labels in training data can cause systematic inaccuracies in model outputs. Implement training data quality pipelines: validate data completeness, check for systematic biases in the training sample, and monitor model output distributions for unexpected patterns that may indicate data quality issues.
Section 12 gives Data Principals the right to have their personal data corrected, completed and updated. Apply it to the data that feeds automated decisions about them: if a user's credit score is based partly on employment data held in your system, they must be able to correct inaccurate employment data and understand that the correction will affect future scoring. Implement correction propagation that re-runs scoring or re-evaluates decisions when input data is corrected, and record which earlier decision the re-evaluation supersedes so that the history remains auditable.
Transparency Obligations for Automated Systems
Section 5 of the DPDP Act requires a notice that specifies the personal data collected and the purposes for which it is processed, along with how Data Principals can exercise their rights and complain to the Board. For AI systems, a purpose description that genuinely meets this standard should disclose: (a) that automated processing is conducted, (b) what personal data categories are used as inputs, (c) what decisions or outputs are generated, and (d) how those outputs may affect the Data Principal.
Generic disclosures ("we use your data to personalise your experience") are insufficient for consequential automated decisions. If your product makes decisions about loan eligibility, insurance premiums, job applications, content visibility, or service access based on automated algorithms, the privacy notice should describe this with enough specificity that a reasonable person understands what is happening. For high-stakes decisions, consider providing individual explanations of specific decisions on request.
Model cards and algorithmic impact summaries are best-practice tools for documenting AI systems — describing the model's purpose, data inputs, known limitations, and potential biases. While not currently required by the DPDP Act, publishing model cards demonstrates transparency and builds user trust. They also serve as internal governance documentation for DPIA exercises.
Data Principal Access Rights for AI Decisions
The Section 11 right of access gives Data Principals the right to a summary of their personal data and the processing activities conducted on it. In the AI context, this means a Data Principal can request: the personal data used as inputs to automated decisions about them, the outputs or scores generated about them, and a description of the automated decision-making process. Companies with AI-driven systems need to build capability to produce this information on request.
The right of access does not necessarily extend to revealing proprietary model details or the algorithm itself — this would be equivalent to revealing trade secrets. But the Data Principal is entitled to know what data about them was used and what outputs were generated. The distinction between "explain the algorithm" (not required) and "tell me what data you used and what decision you made about me" (required) is important for building proportionate disclosure systems.
Build individual-level decision logging for consequential AI systems. For every significant automated decision (credit decision, fraud detection flag, job screening outcome), log: the Data Principal's ID, the input data categories used, the output (decision or score), the timestamp, and the model version. This log supports access request responses and provides evidence for any disputes about the decision. Remember that the log is itself personal data: record input categories rather than raw values where the category is enough, restrict who can read it, and apply the same retention and erasure limits (Section 8(7)) as to the underlying records.
DPIAs for High-Risk AI Processing
Data Protection Impact Assessments (DPIAs) are required for Significant Data Fiduciaries under Section 10(2)(c). More broadly, DPIAs are a global best practice for high-risk processing activities — and AI systems that make consequential automated decisions about large numbers of individuals are a prime example of high-risk processing.
A DPIA for an AI system should assess: the categories of personal data processed (sensitivity of inputs), the volume of Data Principals affected, the nature and potential impact of automated decisions, existing safeguards (accuracy controls, human review mechanisms, appeal processes), residual risks after safeguards, and planned mitigations. The DPIA should be conducted before deploying a new AI system and repeated periodically or when the system changes materially.
Engage diverse stakeholders in the DPIA process: data scientists, product managers, legal/compliance, and if possible, representatives of the communities affected by the automated decisions. Automated systems can embed and amplify biases present in training data, and a DPIA assessed only by technical experts will miss important social impact dimensions. Document the DPIA findings and the decisions made in response, even if the decision is to proceed with deployment with specific mitigations.
Practical AI Compliance Checklist
For each AI system in your product that processes personal data: (1) document the purpose of the AI system and confirm it is disclosed in your privacy notice; (2) identify the lawful basis for data processing in model training and inference; (3) assess whether the training data and inference inputs are accurate, current, and free from systematic bias; (4) build logging to support Data Principal access requests for input data and decision outputs; (5) implement a correction mechanism so that incorrect input data can be updated and decisions re-evaluated; (6) create a human review process for high-stakes decisions where automated errors could cause significant harm.
For higher-risk AI systems (credit scoring, fraud detection, HR screening, healthcare diagnostics): conduct a DPIA before deployment; implement mandatory human review for negative decisions; provide Data Principals with an accessible appeal mechanism; publish a model card or equivalent transparency document; and monitor for discriminatory outputs or unexpected demographic disparities in outcomes.
Track AI compliance as part of your overall DPDP compliance programme. Map each AI system to the DPDP controls it implicates (Section 4 lawful basis, Section 5 notice, Section 8(3) accuracy, Section 11 access rights) and maintain evidence of compliance with each. AuditPath supports mapping AI processing activities to compliance controls alongside your broader DPDP and SOC 2 compliance evidence.
Frequently Asked Questions
Does the DPDP Act give users the right to have an automated decision reviewed by a human?
Can we train AI models on customer data without obtaining additional consent?
Does the DPDP Act apply to AI systems built and deployed entirely outside India if they affect Indian users?
What qualifies as an "automated decision" for DPDP purposes?
Do AI systems used purely internally (e.g., internal HR analytics) have DPDP obligations?
Automate your compliance today
AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.