Date:
February, 2026
Author/s:
Meta and The Quantum Hub
Open Loop India Report on AI Innovation, Effective Anonymization and the Digital Personal Data Protection (DPDP) Act
India’s AI ecosystem is ready to embrace data protection, but needs clearer rules to do so with confidence. This report, produced by The Quantum Hub with support from The Dialogue, Tsaaro Consulting, and the Data Security Council of India as part of Meta’s Open Loop India Program, examines the gap between India’s data protection ambitions and the regulatory clarity its AI ecosystem needs. Drawing on a structured survey of 44 organizations across 13 sectors, interviews with 14 cohort companies, and consultations with technical, legal, and policy experts, the report maps the pressure points where the Digital Personal Data Protection (DPDP) Act meets the realities of AI development.
The report’s central finding is that India’s AI ecosystem is not compliance averse but is actually hungry for clarity. The DPDP Act’s consent and purpose-limitation framework, designed for discrete transactional processing, sits uneasily with the iterative, multi-stage nature of AI development. Without clear standards for anonymization or regulatory recognition of Privacy-Enhancing Technologies, organizations default to overly conservative data strategies that limit innovation.
The report identifies three areas where targeted regulatory intervention could unlock AI development while maintaining meaningful privacy protections:
- The first concerns the iterative nature of AI workflows. An interim exemption for core model development activities such as training, fine-tuning, evaluation, and improvement from select DPDP provisions could provide the near-term certainty that organizations need, while permanent and more tailored legal bases are developed over time. Such an exemption would preserve baseline safeguards while creating space to assess where personal data genuinely remains indispensable, particularly for high-stakes applications in public health, education, microcredit, and voice recognition that synthetic data alone cannot adequately serve.
- The second area concerns anonymization. Without a clear statutory benchmark for what constitutes effectively anonymized data, organizations are caught in a compliance grey zone. The report explores how a risk-based standard that treats anonymization as a spectrum, assesses re-identification risk relative to context and intended purpose, and places the onus on reasonable effort rather than strict liability, could transform anonymization from a source of uncertainty into a confident compliance pathway.
- The third area concerns Privacy-Enhancing Technologies. Despite strong awareness, advanced PETs remain underdeployed with only 5% of organizations using techniques like differential privacy, held back by cost, limited expertise, and above all, uncertainty about whether such investments would be recognized as valid under the DPDP framework. The report examines how regulatory recognition of PETs as reasonable security safeguards alongside clarity on when they achieve full anonymization versus when they operate within the DPDP framework, could catalyze adoption.
The choices India makes now to navigate privacy frameworks will shape India’s AI trajectory and offer a template for how large, data-rich democracies can govern emerging technology without sacrificing the innovation that makes it valuable.