Welcome to The Esya Dispatch, a weekly snapshot of the policy debates shaping India’s digital economy. Each edition brings together key developments in technology policy, from platform governance and AI regulation to data protection and competition — along with the Esya Centre’s perspective on what they mean for innovation, businesses, and users.

Here’s a quick recap of two key tech policy developments from the past week:

1. MeitY explores ‘law-to-code’ approach to DPDPA compliance

MeitY explores ‘law-to-code’ approach to DPDPA compliance: MeitY has been exploring a ‘law-to-code’ approach for DPDP Act compliance, converting legal provisions into machine-executable code that enforces obligations without human intervention. The development comes amid stakeholder consultations on the implications of frontier AI models for data security. 

ESYA'S TAKE: The DPDP Act’s obligations cannot easily be translated into software rules. Under Section 6 of the Act, consent must be free, specific, informed, unconditional, & unambiguous. However, a software system cannot assess whether a consent notice was intelligible to a particular user, whether the purpose described was specific enough, or whether the way consent was obtained placed undue pressure on the user. Similarly, Section 7 of the Act allows data to be processed without consent for ‘certain legitimate uses’, a category whose scope depends on the nature of the processing and the relationship between the parties. Obligations of this nature require human judgment, and may be difficult to reduce to a set of pre-programmed conditions. 

Notably, the DPDPA’s obligations do not come fully into force until May 2027, and MeitY is still evaluating applications for the Data Protection Board of India, which will oversee the law’s implementation. Thus, translating the DPDPA’s requirements into code at this stage will require fixing their meaning in advance, in the absence of any guidance or judicial precedent. Thus, businesses risk building their systems around an interpretation that may later be deemed inadequate. 

2. CERT-In releases blueprint for defending against AI-assisted cyber threats:

On 25 May 2026, CERT-In released a Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerability Exploitation in Digital Infrastructure. It is a guidance document for organisations aiming to secure their systems against cyberattacks that use AI to automate and scale threats like phishing, malware, and deepfake fraud. The blueprint is advisory in nature and does not impose binding obligations.

ESYA'S TAKE: The blueprint assumes that AI-enabled cyber risks can be addressed through a common set of governance measures across sectors. However, the risks posed by an AI system depend heavily on the context in which it is deployed. Thus, a uniform approach may impose compliance costs on organisations without addressing the specific threats they face. 

The blueprint also instructs organisations to prepare staff to detect deepfake voice and video. However, in India, online fraud and misinformation are often carried out using ‘cheap fakes’ (basic edits using widely available software) rather than AI-generated content. Further, not all deepfakes are harmful – synthetic content has legitimate applications across sectors like medical research and advertising, among others. Thus, the blueprint risks overstating the nature and prevalence of the security threat posed by deepfakes..