Introduction
India is on the verge of implementing the Digital Personal Data Protection Act, 2023 ("DPDPA"). To assist the industry with compliance, the Ministry of Electronics and Information Technology ("MeitY") is exploring a "law-to-code" framework that seeks to build compliance directly into technological infrastructure by converting legal obligations into machine-executable rules that digital systems can enforce automatically.
The proposal also comes at a time when policy makers are increasingly concerned about the growing sophistication of AI-driven cyber threats. Advanced frontier AI systems1 are capable of identifying vulnerabilities, system loopholes and security flaws at a scale and speed that traditional human-led compliance systems may struggle to address effectively. This has led to concerns that conventional compliance models may no longer be sufficient in an environment where cyberattacks can operate at machine speed.2
The larger significance of this development lies in the fact that DPDPA compliance may no longer remain confined to privacy policies, legal teams and periodic audits. Instead, compliance may become something embedded directly into code, APIs, workflows and system architecture itself.
Why is DPDPA compliance difficult in practice?
The government's interest in coded compliance also reflects a practical gap in the operational and financial implementation of DPDPA, particularly for startups and small businesses.
Unlike traditional sector-specific compliance obligations that may be handled largely through internal policies or contractual safeguards, data protection compliance is deeply integrated into the day-to-day functioning of digital systems. In practice, many of the obligations under the DPDPA require not only legal interpretation but also continuous technical implementation.
For large corporations, this may be manageable. Major enterprises often have dedicated legal teams, technical support teams, cyber security divisions, privacy consultants and external advisory support from large firms capable of building sophisticated compliance frameworks. Several companies in consumer, retail and e-commerce have already begun integrating DPDPA compliance, although these account for only about 50% of the organisations surveyed.3
However, the situation is very different for startups and smaller entities. Many businesses may not have the legal, financial or technical capacity to independently build DPDPA-compliant systems from scratch. Around 77% of organisations reportedly lack the infrastructure needed to implement privacy technologies such as consent-management systems, data discovery mechanisms and rights-fulfilment tools. In addition, nearly 76.4% face difficulties due to limited access to specialised expertise, while 58.8% continue to struggle with the complexities of cross-border data transfers.4 Even relatively basic compliance requirements, such as maintaining valid consent records, managing data deletion requests or implementing granular access controls, may require expensive technological infrastructure and ongoing compliance monitoring.
The operational challenge also becomes clearer when viewed against the phased implementation timeline under the DPDP Rules, 2025. The government has adopted a staggered rollout model instead of bringing all obligations into force simultaneously. Under the present framework, the first phase became operational in November 2025 and primarily dealt with definitions, constitution of the Data Protection Board and procedural provisions. The second phase, expected to commence from November 2026, focuses on the consent management framework. However, the most compliance-intensive obligations are scheduled to come into force only in the final phase, around May 2027; if MeitY's proposal for a reduced compliance timeline is adopted, they may come into force by November 2026. These include notice requirements, consent obligations, rights of data principals, security safeguards, breach notification requirements, obligations of data fiduciaries and significant data fiduciaries, and cross-border data processing provisions.5
For startups and smaller businesses, this timeline is both a relief and a pressure. While the phased rollout provides additional preparation time, the core compliance obligations that require significant technological restructuring are concentrated in the final implementation phase. In practical terms, businesses may effectively have less than eighteen months to build consent systems, restructure data flows, establish audit mechanisms and operationalize retention and deletion infrastructure.
The government's push toward a consent compliance ecosystem
The idea of coded compliance did not emerge in isolation. Over the past year, MeitY has gradually been building the foundations of a broader consent-management and compliance ecosystem under the DPDPA. Much of this effort appears to be centred around standardising how organizations collect, manage and operationalize consent in digital systems.
One of the most significant steps in this direction is the release of the Business Requirement Document for Consent Management under the DPDPA ("BRD"). The document goes beyond broad legal principles and attempts to create a structured operational framework as to how consent systems may function in practice. It lays down detailed technical and functional requirements relating to notices, consent records, user dashboards, revocation mechanisms, interoperability, auditability and data-sharing outflows.6
In many ways, the BRD represents an important shift in how compliance is being approached. Traditionally, privacy regulation has focused primarily on legal obligations and enforcement standards. The BRD, however, effectively creates a bridge between statutory compliance and technical execution. It appears to function as more than a mere guidance document: it may be understood as an attempt to make DPDPA compliance operate in a standardised way across sectors.
Alongside the BRD, MeitY has also initiated broader efforts around consent-management infrastructure and implementation support. Through initiatives such as the "Code for Consent" challenge, the government has actively invited companies and technology providers to develop practical consent management solutions aligned with the operational requirements of the DPDPA. This signals a move towards an environment where private technology providers may play a significant role in shaping how DPDPA is implemented in practice.7
The "Code for Consent" initiative
MeitY's "Code for Consent" Initiative reflects the government's attempt to build a practical compliance ecosystem around the DPDPA. Instead of leaving organizations to independently design consent systems, the initiative encourages technology providers to develop interoperable compliance tools aligned with the consent management system under the BRD.
According to the guidelines for "Code for Consent"8, the government intends to provide entities, including government entities, states/union territories, private organisations and small enterprises, with a foundational open-source consent-management system aligned with the BRD, upon which these entities may build sector-specific customisations with relatively limited modifications. Entities applying under the initiative were also required to identify the specific sector for which they intended to develop the framework. The identified sectors for development of open-source CMS include information technology (IT) and software services, banking and financial services (BFSI), healthcare, e-commerce, human resources, education, marketing and advertising, and telecommunications, among others.
The companies selected by MeitY also demonstrate how coded compliance may operate across different sectors9. For instance, Jio Platforms10 operates at an enormous digital scale involving telecom services, digital identity systems and consumer data ecosystems.
Similarly, IDfy11 works extensively in identity verification, KYC processes and employee background verification.
Zoop12, which provides API-based identity and verification infrastructure, is another example of how machine-readable compliance may function.
Other selected entities also illustrate the expanding scope of coded compliance. Concur Live13 appears to focus on workflow and consent orchestration systems that may assist with audit trails, approval systems and compliance monitoring. Aurelion Future Forge14 operates in areas involving AI governance and digital trust systems, which may become increasingly relevant as organizations attempt to manage automated compliance risks. Meanwhile, Redacto15 works on privacy automation and redaction technologies capable of protecting sensitive information within documents.
Taken together, these companies demonstrate that coded compliance is not limited to a single sector or use-case. The concept extends across employee data management, fintech systems, telecom infrastructure, identity verification, document management and AI-governance environments.
Privacy-by-design and global parallels
The Government's move towards a coded compliance mechanism also reflects a broader global shift toward what is often known as "privacy-by-design". Under such models, privacy protections are not treated as external legal obligations applied after a system is built. Instead, compliance safeguards are integrated directly into digital systems from the outset.
This approach finds some parallels with Article 25 of European Union's General Data Protection Regulation ("GDPR") which specifically recognises the principle of "data protection by design and by default", requiring organisations to integrate privacy safeguards into systems and processing activities at the design stage itself.
Viewed from this perspective, the Government's coded compliance initiative may be understood as an attempt to operationalize a form of privacy-by-design under the DPDPA. The practical implications of such an approach may become clear with the following sector-specific examples.
| Sector | Traditional compliance approach | What coded compliance could look like |
| --- | --- | --- |
| OTT platforms | OTT platforms generally rely on terms of use, user declarations, privacy notices, internal compliance policies and manual review processes to manage consent and data-processing obligations. | Consent management could be embedded into the platform architecture. Before collecting user data, the system could automatically verify the existence and scope of consent, maintain audit trails, manage consent withdrawals and enforce retention limits. Data sharing with advertisers or third-party partners could be automatically restricted where the required permissions are unavailable. In the case of children's data, the system could additionally incorporate age-verification and parental-consent workflows before permitting account creation, content access or data processing. However, the effectiveness of such mechanisms would depend on the reliability of age-assurance technologies. |
| Banking and Fintech | Financial institutions often manage customer permissions, KYC records and third-party data sharing through a combination of contractual arrangements, internal controls and regulatory compliance reviews. | Before customer data is shared for KYC verification, credit assessment or account aggregation, the system could automatically verify whether the proposed use falls within the scope of consent provided and generate auditable records of every access request, disclosure or withdrawal of consent. |
In a traditional approach, the response to a data breach is quite often reactive, and the consequences of such a breach, especially in a data-sensitive sector like banking and fintech, extend well beyond penalties. Coded compliance may enable proactive enforcement, refusing a disclosure before it happens rather than detecting it afterwards, and so mitigate penalties, although it does not remove the need for breach detection and notification.
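The consent-scope check and audit trail described in the table above, written out as an added illustration in Python. This is not code from MeitY, the BRD or any of the selected companies; the record fields, purpose names, data categories and timestamps are constructed for the example, and a caller-supplied clock is used so that withdrawal and retention expiry can be exercised deterministically. The point it demonstrates is that the access path defaults to deny, checks withdrawal and retention before checking scope, and writes an audit entry for every decision, whichever way it goes.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Assumed record shapes for illustration only; these are not the BRD's schema.


@dataclass(frozen=True)
class Consent:
    principal_id: str
    purposes: frozenset[str]         # purposes the data principal agreed to
    data_categories: frozenset[str]  # categories of personal data covered
    granted_at: datetime
    retention: timedelta             # how long processing under this consent may continue
    withdrawn_at: Optional[datetime] = None


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    principal_id: str
    action: str             # "access" or "withdraw"
    purpose: str
    categories: frozenset[str]
    decision: str           # "allow" or "deny"
    reason: str


class ConsentGate:
    """Policy enforcement point: every disclosure request goes through decide(),
    the default outcome is deny, and every outcome is appended to the audit trail."""

    def __init__(self, clock: Callable[[], datetime]):
        self._clock = clock
        self._consents: dict[str, Consent] = {}
        self.audit: list[AuditEvent] = []

    def record_consent(self, consent: Consent) -> None:
        self._consents[consent.principal_id] = consent

    def withdraw(self, principal_id: str) -> None:
        """Withdrawal takes effect from the current clock reading and is itself audited."""
        now = self._clock()
        current = self._consents.get(principal_id)
        if current is not None and current.withdrawn_at is None:
            self._consents[principal_id] = replace(current, withdrawn_at=now)
        self.audit.append(AuditEvent(now, principal_id, "withdraw", "", frozenset(),
                                     "allow", "principal_request"))

    def decide(self, principal_id: str, purpose: str, categories: set[str]) -> tuple[bool, str]:
        """Return (allowed, reason). Each check narrows the request; only a request that
        survives all of them is allowed, so an unknown or malformed state denies by default."""
        now = self._clock()
        requested = frozenset(categories)
        consent = self._consents.get(principal_id)
        if consent is None:
            reason = "no_consent_record"
        elif consent.withdrawn_at is not None and consent.withdrawn_at <= now:
            reason = "consent_withdrawn"
        elif now > consent.granted_at + consent.retention:
            reason = "retention_expired"
        elif purpose not in consent.purposes:
            reason = "purpose_out_of_scope"
        elif not requested <= consent.data_categories:
            reason = "category_out_of_scope"
        else:
            reason = "within_consent"
        allowed = reason == "within_consent"
        self.audit.append(AuditEvent(now, principal_id, "access", purpose, requested,
                                     "allow" if allowed else "deny", reason))
        return allowed, reason


def demo() -> ConsentGate:
    """Constructed walk-through of the fintech row: one customer with KYC and credit
    consent, one with a short retention period, and a controllable clock."""
    t0 = datetime(2026, 11, 1, tzinfo=timezone.utc)
    now = [t0]
    gate = ConsentGate(clock=lambda: now[0])
    gate.record_consent(Consent("cust-1", frozenset({"kyc", "credit_assessment"}),
                                frozenset({"pan", "address"}), t0, timedelta(days=365)))
    gate.record_consent(Consent("cust-2", frozenset({"kyc"}), frozenset({"pan"}),
                                t0, timedelta(days=30)))
    now[0] = t0 + timedelta(days=1)
    gate.decide("cust-1", "kyc", {"pan"})                 # allow: within_consent
    gate.decide("cust-1", "advertising", {"pan"})         # deny: purpose_out_of_scope
    gate.decide("cust-1", "kyc", {"pan", "biometric"})    # deny: category_out_of_scope
    gate.decide("cust-3", "kyc", {"pan"})                 # deny: no_consent_record
    gate.withdraw("cust-1")
    gate.decide("cust-1", "kyc", {"pan"})                 # deny: consent_withdrawn
    now[0] = t0 + timedelta(days=31)
    gate.decide("cust-2", "kyc", {"pan"})                 # deny: retention_expired
    return gate


if __name__ == "__main__":
    for event in demo().audit:
        print(event.ts.isoformat(), event.principal_id, event.action,
              event.purpose or "-", event.decision, event.reason)
```

In a real deployment the consent store and audit trail would live in the consent-management system rather than in memory, and the gate would sit in front of every outbound disclosure path (KYC provider, credit bureau, account aggregator). The properties worth preserving when adapting it are the ones the example makes explicit: the decision is made against the consent record at the time of the request, a withdrawn or expired consent is refused before scope is even examined, and denied requests are logged with the same detail as allowed ones, because the denials are what an auditor or the Data Protection Board will ask to see.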
Whether this vision ultimately materialises is uncertain. The effectiveness of coded compliance will depend on widespread adoption, regular updates and the ability of the underlying systems to evolve alongside law.
The unresolved questions around coded compliance
While coded compliance may simplify implementation in several respects, it also raises important legal and operational questions that remain largely unresolved.
One of the biggest concerns relates to the evolution of the law itself. Privacy law is not static: regulatory guidance changes, legal interpretation evolves, and new technologies constantly create situations that existing frameworks may not have anticipated. A compliance system that is legally accurate today may quickly become outdated if the underlying software is not updated to reflect changes in law or interpretation.
This creates an important practical issue. Who will be responsible for maintaining and updating the compliance architecture? If compliance software fails to incorporate a new legal requirement or regulatory interpretation in time, businesses relying on such systems may unknowingly fall into non-compliance.
There is also the question of liability when the technology itself fails. Under traditional compliance structures, accountability is relatively straightforward. A company may be held responsible for failing to implement adequate safeguards, violating consent requirements or mishandling personal data. While human decision makers, compliance officers and management structures remain identifiable, coded compliance could complicate this chain of responsibility considerably.
At the same time, these concerns do not necessarily undermine the larger objective behind coded compliance. Standardised compliance could significantly reduce costs and improve operational efficiency for startups and small businesses that may otherwise struggle to implement the DPDPA independently. However, for such systems to function effectively, there may need to be clear update mechanisms, audit standards, liability frameworks and fallback safeguards for situations where the technology itself malfunctions or becomes outdated.
Way forward
Traditionally, the Government's role in implementing regulatory frameworks has largely been limited to prescribing statutory requirements and, where necessary, issuing clarifications through notifications or circulars. The responsibility for operationalizing legal obligations has generally rested with regulated entities themselves. Through the BRD and "Code for Consent" initiative, however, the Government has gone a step further in helping with compliance.
For startups and smaller businesses, such initiatives may prove particularly beneficial since they often lack the resources to independently build sophisticated privacy-compliance infrastructures.
However, the availability of a standardised framework should not be mistaken for a "safe harbour" against liability. Privacy obligations will continue to evolve through legislative amendments, judicial interpretation, regulatory guidance and technological developments. Organisations relying on coded compliance systems therefore remain responsible for ensuring that their implementations are regularly reviewed, updated and aligned with the prevailing law. A failure to update the compliance architecture may result in penalties just as any other compliance failure would.
Since organisations are given the option to customise and deploy these systems, responsibility and accountability for implementation failures may ultimately rest with the organisations themselves.
This article has been authored by Prashanth Shivadass, Partner, Shivadass and Shivadass Law Chambers and co-authored by G.S. Shri Gayathri, Senior Associate and Sandra Lisa Philip, Associate, Shivadass and Shivadass Law Chambers.
Footnotes
1. https://red.anthropic.com/2026/mythos-preview/
2. https://knnindia.co.in/news/newsdetails/sectors/others/india-explores-law-to-code-framework-for-ai-era-compliance
3. https://www.ey.com/en_in/insights/cybersecurity/india-s-data-privacy-shift-steering-the-dpdp-compliance-and-readiness
4. https://www.ey.com/content/dam/ey-unified-site/ey-com/en-in/insights/cybersecurity/documents/2026/01/ey-india-s-digital-privacy-crossroads-understanding-the-dpdp-act-and-rules-impact-and-enterprise-readiness.pdf
5. MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY NOTIFICATION,13th November, 2025 https://www.meity.gov.in/static/uploads/2025/11/c56ceae6c383460ca69577428d36828b.pdf
6. https://d38ibwa0xdgwxx.cloudfront.net/whatsnew-docs/8d5409f5-d26c-4697-b10e-5f6fb2d583ef.pdf
7. https://www.forbesindia.com/article/news/explained-govts-new-code-for-consent-initiative-under-the-dpdp-act/96584/1
8. Guidelines for Code for Consent: The DPDP Innovation Challenge, https://msh.meity.gov.in/whatsnew https://d38ibwa0xdgwxx.cloudfront.net/whatsnew-docs/777fd952-b6d9-44ce-afe8-c9ad07da77da.pdf
9. https://www.forbesindia.com/article/news/explained-govts-new-code-for-consent-initiative-under-the-dpdp-act/96584/1
10. https://www.jio.com/platforms/
11. https://www.idfy.com/
12. https://www.zoop.one/
13. https://www.concur.live/
14. https://www.aurelionfutureforge.com/
15. https://www.redacto.ai/en-in
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.