IAMAI flags NHRC DPDP notice to AI firms as jurisdictional overreach

The Internet and Mobile Association of India (IAMAI) has reportedly urged the IT ministry (MeitY) to step in after the National Human Rights Commission (NHRC) sent notices to AI platforms over alleged lapses in handling children’s data. IAMAI’s core claim is that the NHRC is acting outside the statutory scheme of the Digital Personal Data Protection (DPDP) Act, 2023, which assigns primary sectoral oversight to MeitY and, once operational, the Data Protection Board.

At the heart of the dispute is Section 9 of the DPDP Act, which sets out obligations for processing children’s data. IAMAI argues these provisions are not yet in force and are only scheduled to become operational in May 2027, making any compliance notice premised on current non-compliance premature. From this perspective, NHRC’s move risks creating confusion about when legal duties actually bite and who is empowered to enforce them.

CADP’s view is that the institutional question matters even for those who disagree with IAMAI’s substantive stance. India needs regulators to push AI firms toward child-safety by design well before formal enforcement dates, but it also needs clear lines of authority and legally sound hooks for intervention. If public bodies lean on non-operational provisions or ambiguous mandates, they may dilute both compliance incentives today and the credibility of enforcement once the DPDP regime is fully in place.

The episode underscores a broader tension in India’s emerging data protection landscape: how to encourage early alignment with future legal standards without blurring the boundaries between advisory pressure, soft law, and binding enforcement. Resolving these questions will be crucial as AI-specific and child-safety norms evolve ahead of the DPDP Act’s full rollout.