Yearender 2025: India's Big Push In Data Protection, Deepfakes And AI
In 2025, the government finally brought into effect the Digital Personal Data Protection (DPDP) Rules, illustrating the challenge India is trying to balance.


Published: December 31, 2025 at 7:00 AM IST
By Afsal Rahman
As 2025 approaches its end, India finds itself right in the middle of what could be termed the country’s largest battle over digital rights and artificial intelligence. Parliament witnessed fiery debates, the making of new laws, and a series of struggles between privacy groups, tech corporations, and the government. At stake is keeping the country’s digital world moving while safeguarding Indians from the risks of AI.
The Data Protection Law
A significant development in 2025 came in November, when the government finally brought into effect the Digital Personal Data Protection (DPDP) Rules of 2025. This was major news for several reasons. One was that although India's main data protection legislation, the DPDP Act, was passed back in 2023, no one actually had a clear idea of how it would operate.
A good way to think of it would be this: when it comes to your personal information, the DPDP Act would be the blueprint, and the new guidelines would be the user manual. Now, according to the guidelines, organisations are required to explicitly tell you the information they want, the reason why they need it, and how long they will retain it. Good riddance to the technical terms. All these have to be written in a manner that a layman can easily read and understand.
The Rules also require companies to obtain your actual consent before using your information, rather than hiding consent terms within terms and conditions no one reads. But here’s what really matters: if a firm is hacked and your information is compromised, it is required to notify you within 72 hours. This is a small window of time, but it is meant to help protect individuals.
The process of implementation will be gradual. From November 2025, some simple norms have come into effect. However, organisations have been given till May 2027 to abide by the strict norms.
The Deepfake Crisis
If data protection is about personal data, deepfakes are about an even scarier thing: videos and audio recordings of real people. In October 2025, the government announced the first-ever targeted rules to combat deepfakes, as amendments to the IT Rules.
It is a serious concern. Scammers are using deepfake technology to prepare fake videos of celebrities requesting that people send them money. It has even reached the point where people are using deepfake voices to commit fraud. Deepfake videos have also been made, without consent, to humiliate people.
The norms on this are very clear: any individual who produces AI content must mark it as such, and this watermark must cover a minimum of 10% of the screen. The content mark can’t be removed. The platforms where deepfake content is hosted, for example, YouTube and Instagram, have to ensure that it is removed, preferably within 36 hours.
However, the tricky part is how to check whether something is a deepfake without suppressing legitimate content in the process. What about comical parodies or original work using artificial intelligence? Regulation attempts to walk the thin line between preventing people from being harmed and still facilitating genuine innovation.
All this happened as India itself was launching comprehensive AI Governance Guidelines in November 2025. These guidelines are not legislation that locks people up in prison, but rather guidance showing how AI must be utilised responsibly within India.
The Guidelines include seven key principles, or “Sutras,” to govern AI: trust, people first, fairness, accountability, understandable design, safety, and innovation space. They also set out a framework for establishing AI-specific institutions that could include an AI Safety Institute and AI Governance
What matters is that India did not develop a single overarching law regarding AI. Rather, the government declared, "Well, we already have laws in place that address some aspects of AI."
India already has law on data protection in the DPDP Act, law on crimes in the IT Act, and so on. The guidelines simply weave these different laws together and outline how these different concepts need to interact and work together.
For the tech sector, the year 2025 turned into a year of scrambling. Tech startups, e-commerce sites, and social media sites all had to prepare for the arrival of the new Rules. Some thought the rules were just too tough and costly to implement. Some thought that the rules could potentially trap them in certain areas that aren’t very clear-cut. Many wondered about the cost implications and whether they had enough time to implement the changes.
On the other hand, there is support too. Tech leaders felt that data protection is actually an advantage to India because data protection brings trust to the digital world and makes the country an even safer place to carry out business operations.
The Big Picture
What happened in 2025 illustrates the challenge that India is trying to balance. On one hand, the government is keen to safeguard data and privacy for Indians, combat harmful deepfakes, and provide assurance that AI would cause no harm. On the other hand, the government wishes to encourage innovation and the growth of tech giants.
These two goals seem to be opposing each other. The gradual introduction of the DPDP Rules, the world’s first set of deepfake rules, and the AI Governance Guidelines reflect that India is paying heed to these concerns. These are under debate in parliament. Firms are racing against time to fall in line.
Civil society is keeping a weather eye open to ensure that these norms serve a purpose. The end of 2025 saw the establishment of a whole new paradigm for India’s digital sector, and at the heart of this paradigm were data security and AI safeguards. Whether these measures will prove effective, with companies falling in line, citizens made safe, and deepfakes halted, will be determined in 2026 and beyond.