Synopsis
The Internet and Mobile Association of India (IAMAI) has written to the Ministry of Electronics and Information Technology (MeitY), voicing its concerns over the March 24 National Human Rights Commission (NHRC) notice that had alleged breaches of the Digital Personal Data Protection (DPDP) Act, 2023, by AI platforms.The Internet and Mobile Association of India (IAMAI) has written to the Ministry of Electronics and Information Technology (MeitY), voicing its concerns over the March 24 National Human Rights Commission (NHRC) notice that had alleged breaches of the Digital Personal Data Protection (DPDP) Act, 2023, by AI platforms.
In its letter dated March 30, a copy of which ET has seen, IAMAI argued the NHRC’s intervention is premature. It said key provisions governing children’s data under Section 9 of the DPDP Act are not yet in force and that they are scheduled to come into effect only in May 2027.
“Without affording the legally mandated time for compliance, such interventions are an infructuous exercise,” the industry body said.
Google, Microsoft, Meta, OpenAI, Perplexity, Anthropic, Canva, and xAI did not respond to ET's queries.
The NHRC notice is based on a report by the Advanced Study Institute of Asia (ASIA), which flagged gaps in how certain AI tools handle children’s data. The report studied 14 widely used platforms across AI tools, social media, edtech, and government services -- Google's Gemini, NotebookLM, Khan Academy's Khanmigo, Photomath, IIT Kanpur's Sathee, Ministry of Education's DIKSHA, Microsoft Math Solver in OneNote, Meta's WhatsApp, Instagram, OpenAI's ChatGPT, Perplexity, Anthropic's Claude, Canva, and xAI's Grok.
These were evaluated against 14 legal criteria derived from the Act.
'Flawed methodology'
However, IAMAI criticised the report’s methodology, stating that it relied solely on publicly available policies without consulting the companies assessed. It also pointed to what it described as “internal inconsistencies,” including conflicting quantitative and qualitative assessments of platforms such as the government-run DIKSHA (Digital Infrastructure for Knowledge Sharing).
IAMAI further questioned the NHRC’s reliance on other laws such as the Protection of Children from Sexual Offences (POCSO) Act and the Right to Education (RTE) Act in the absence of enforceable DPDP provisions. It argued that these statutes were not designed to regulate digital data processing and their application in this context may not be legally sound.
The association emphasised that data protection falls within MeitY’s domain, with the DPDP Act and a dedicated Data Protection Board to handle such matters. “Intervention in highly technical domains without corresponding expertise risks creating regulatory uncertainty,” it said.
Highlighting ongoing compliance efforts by industry players, IAMAI warned that premature regulatory scrutiny based on “methodologically flawed reports” could impact innovation and investor confidence.
The body has urged MeitY to formally clarify that Section 9 is not yet operational and reaffirm that oversight of such issues rests with the ministry and the forthcoming Data Protection Board.
Asked if it is fair to assess compliance now when the DPDP Act is not fully enforced yet, Shivani Singh, programme coordinator, for law and critical emerging technologies, ASIA, and first author of the report, 'DPDP Compliance in Respect to Children’s Data, A Comprehensive Assessment of AI Tools Extensively Used by Minors in India', the report on which the NHRC notice was based, told ET on March 26, "The compliance window should not be treated as a legal vacuum. It is meant to prepare systems and processes. If organisations wait until enforcement begins, they risk becoming non-compliant immediately."
"Compliance is not just about updating policies, and adding consent prompts. It requires integrating data protection into operational systems and workflows, which takes time," she said.
