On 25th July 2025, The Mainstream (formerly known as CIO News) presented an event titled “Digital Native Nexus 2025” with an interesting theme “Tech Born, AI-Fueled, Human Led”.
Naavi presented a key note address in the event on the topic of “DPDPA & the Age of AI: Building a Culture of Compliance, Trust & Transparency“.
During the key note address, Naavi highlighted what he termed as the “Twin Challenges” faced by the Digital Natives namely the companies which are Digitally Driven and AI led.
In terms of continued business in the digitally driven world, AI is driving growth through innovation but DPDPA is applying the braking influence. The Digital natives therefore need to manage growth within the regulatory framework placed by DPDPA.
One of the challenges that AI poses is that it creates “Unknown risk” at the “Deployer’s end”. The recent developments in the AI world such as the “Replit” incident has brought the attention of the world to the Risks in AI which can grow rogue and create a catastrophic crash.
The “Unknown Risk” for a Data Fiduciary is to be classified as a “Significant Risk” and hence all AI deployers are carrying “Significant Risk” rendering them “Significant Data Fiduciaries” and the corresponding obligations.
Since DPDPA expects the Digital Natives to be “Fiduciaries” and have to make a self assessment of the Risks they carry, the need to realize whether an organization is a “Significant Data Fiduciary” or not is the responsibility of the Digital Native himself.
AI-Risk at the Deployer’s end can only be mitigated if there is a proper control of Risk at the Developer’s end where Bias, Hallucination may get embedded into the AI system during the learning and development of the AI algorithm.
DPDPA requires that the Data Fiduciary manages the risk or face the consequences of non compliance and hence the AI developer transfers all the Risks arising out of Bias, Hallucination, exhibition of Rogue behaviour, lack of Transparency to the Data Fiduciary.
The Data Fiduciary desirous of using AI should therefore ensure that during the AI control transfer process, a proper disclosure happens by the Developer along with a binding contract that fixes the accountability of the AI developer if and when AI becomes the cause of a Non Compliance of DPDPA.
Currently different countries seem to be approaching the issue differently in terms of managing the AI risks. US currently under Trump has suspended AI regulatory efforts of the States to promote “Innovation”.
EU on the other hand has taken up a regulation through the EU-AI Act which tries to define the “Risk Profile” of an AI and apply different yardsticks for regulation from banning to Risk Mitigation and Risk Disclosure to No regulation depending on whether the Risk is unacceptable or manageable or non existent. Australia has approached the issue by “Contractual liability management”.
India has some of the existing provisions in ITA 2000 which can be applied to AI usage which should suffice till a more detailed law can be considered in future.
The AI Chair of FDPPI has however focussed on developing a specific framework called DGPSI-AI which tries to provide guidance to Data Fiduciaries for a “DPDPA Compliant Use of AI”. This framework will try to marry the core principles of AI Governance with the core principles of DPDPA Compliance.
Await the release of the first version of DGPSI-AI shortly.
The interaction with professionals at the Digital Nexus was as expected brief and could only summarize the emerging Twin Challenges being faced by the industry and how DGPSI-AI could be a solution to explore. Several other aspects that have a bearing on the above remains to be explored in detail.
For example, it may be noted that during the discussions in the Digital Nexus, the term Digital Natives were used with reference to the digitally driven companies while way back in 1999, Naavi used the term “Netizens” to refer to the users of Internet in his pioneering book “Cyber Laws for Every Netizen in India”.
DPDPA is now the law regulating the Digital Natives for the protection of the Right of Privacy of the Netizens.
In terms of terminology therefore we can consider “Digital natives” to be “Organizational entities” while “Netizens” are individuals.
Personal data belongs to the Netizens and protected by the Digital natives. Protection of Personal data of Netizens is different from protection of nonpersonal data (which is every data other than personal data).
Laws that regulate protection of personal data are different from laws that protect non personal data.
These aspects will be elaborated in greater detail when Naavi publishes the details of DGPSI-AI during the forthcoming multi city IDPS 2025 under the theme “Bracing for Impact”
