Artificial intelligence development is inherently global. Models are trained on datasets aggregated from multiple jurisdictions. Compute resources may be located wherever electricity costs and cooling capacity optimise. Inference may occur in cloud infrastructure distributed across continents. This global character collides with territorial data protection regimes that assert control over personal data flowing across borders. For India, with its substantial data protection ambitions and growing AI sector, managing this collision is a matter of strategic and legal significance.
The DPDPA Cross-Border Framework
The Digital Personal Data Protection Act, 2023, takes a permissive approach to cross-border transfers, departing from earlier drafts that imposed strict data localisation. Under the Act, personal data may be transferred to countries not specifically blacklisted by the Central Government. This whitelist-by-default approach contrasts with the EU's adequacy regime, which requires affirmative assessment of destination country protections before transfers are permitted.
For AI practitioners, this regime creates both opportunity and uncertainty. Opportunity because training data can flow to global AI development centres without navigating complex transfer mechanisms. Uncertainty because the government retains authority to restrict transfers to specified countries at any time. A geopolitical shift could suddenly prohibit transfers to a major AI development hub. Organisations must build flexibility into their data architectures to accommodate potential future restrictions.
Sector-Specific Localisation
While the DPDPA takes a general approach, sector-specific regulations impose localisation requirements that AI development must respect. The Reserve Bank of India requires payment system data to be stored only in India. The Insurance Regulatory and Development Authority of India has data localisation expectations for insurance records. Proposed healthcare data regulations contemplate localisation for sensitive health information.
These sector-specific requirements create compliance complexity for AI systems that process regulated data. A fintech AI trained on payment transaction data cannot simply upload that data to a foreign cloud for model development. A healthtech AI must navigate localisation requirements that may prevent training on the comprehensive datasets that drive model performance. The AI developer must map data flows against sector-specific requirements, not merely general data protection law.
The Training Data Question
AI model training typically involves processing large datasets to extract patterns that inform model parameters. The relationship between training data and resulting model raises novel cross-border questions. When personal data is used to train a model, and that model is then deployed abroad, has personal data been transferred? The model contains information derived from the training data but does not contain the data itself in recoverable form.
Different jurisdictions are reaching different conclusions on this question. The conservative view treats model deployment as a form of transfer because the model embodies information from the training data. The permissive view treats the model as a new work product distinct from the training data, analogous to a statistical summary that can be shared without sharing the underlying data. Indian law has not definitively resolved this question, creating regulatory risk for organisations deploying Indian-trained models internationally.
Contractual Mechanisms
In the absence of comprehensive transfer frameworks, organisations rely on contractual mechanisms to manage cross-border data flows. Standard contractual clauses, modelled on EU precedents, commit receiving parties to data protection standards equivalent to those in the sending jurisdiction. Data processing agreements allocate responsibilities between data fiduciaries and processors. Binding corporate rules establish intra-group data sharing frameworks.
For AI development, these contractual mechanisms must address AI-specific concerns. What happens to training data after model development is complete? What restrictions apply to model deployment? Can the receiving party use data for purposes beyond the originally specified AI application? What audit rights does the sending party retain? Standard templates developed for traditional data processing may inadequately address these AI-specific questions.
Government Access Concerns
Cross-border data transfers raise concerns about government access in destination jurisdictions. Data transferred to certain countries may be subject to surveillance or compelled disclosure obligations that Indian data subjects would not expect or accept. The DPDPA's blacklist mechanism provides a tool for addressing such concerns, but the criteria for blacklisting and the process for designation remain unclear.
AI training data may be particularly sensitive from a government access perspective. Models trained on Indian citizens' data could be exploited by foreign governments to understand Indian population characteristics, predict behaviours, or develop targeting capabilities. These national security dimensions of AI data flows increasingly inform policy discussions, though they have not yet crystallised into binding legal requirements.
Strategic Considerations
For organisations developing AI with Indian data, cross-border transfer strategy requires careful planning. Data flow mapping should identify all points where personal data crosses borders, including backups, analytics, and support access. Transfer mechanisms should be documented and maintained. Contingency plans should address potential future transfer restrictions. Architecture decisions should preserve flexibility to shift processing locations as regulatory requirements evolve.
The tension between global AI development and territorial data sovereignty is not unique to India; it is a global phenomenon. India's approach, more permissive than some jurisdictions but more assertive than others, positions the country as a potential AI development destination while preserving policy flexibility. The lawyer advising on cross-border AI data flows must navigate current requirements while anticipating future developments. In this domain, regulatory agility may matter as much as current compliance.