Notes from the Asia-Pacific region: India's regulatory heat wave hits privacy, AI, dark patterns

India's digital governance regime is intensifying as regulators and courts ramp up enforcement on dark patterns, AI deepfakes and cybersecurity risks, ahead of the Digital Personal Data Protection Act's full implementation in 2027.

Contributors:
Shivangi Nadkarni
Senior Vice President and General Manager, Digital Governance
Persistent Systems
Editor's note
The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
It has been a brutal summer here in India — where it starts early and temperatures touch 50 degrees Celsius in some parts of the country. What keeps the average Indian going during the peak month of May is cricket's Indian Premier League, the second-richest sports league in the world by per-match value, trailing only America's National Football League. And, of course, we have the king of fruit — mangos.
There is no off season for India's digital governance landscape, however. The past month has been action packed.
The big news that did not garner the attention it should have is that full enforcement of India's Digital Personal Data Protection Act is now one year away. On 13 May 2027, all key compliance obligations under the DPDPA will kick in — consent management, data principal rights, security safeguards, breach reporting and the full penalty regime, with fines of up to INR2.5 billion. The clock is now ticking loudly.
There are important intermediate deadlines, too. The consent manager registration framework becomes mandatory 13 Nov. — less than six months away. And the Data Protection Board is getting ready, as well. The board's budget was increased fivefold — from INR20 million to INR100 million — in the Union Budget 2026, a clear signal that the enforcement machinery is being operationalized.
Another fascinating trend became unmistakable this month: multiple Indian regulators are now addressing the issue of dark patterns. The core issues are manipulative design, inadequate consent and poor data governance. The result is a web of overlapping compliance obligations that organizations ignore at their peril.
The most significant development here is the Reserve Bank of India's upcoming dark pattern ban. The Draft RBI (Commercial Banks — Responsible Business Conduct) Amendment Directions, issued in February, take effect 1 July — just one month away. This makes the RBI the first sectoral financial regulator in India to formally define and prohibit dark patterns in banking applications — covering basket sneaking, false urgency, subscription traps, forced action and 11 other manipulative design patterns.
The directive is backed by hard data: Financial Express reported a LocalCircles survey of 141,000 respondents found 63% of banking app users had encountered drip pricing, 61% reported basket sneaking, 68% saw subscription traps and a staggering 82% experienced interface interference.
Meanwhile, the Central Consumer Protection Authority continues to enforce aggressively under its 2023 Dark Patterns Guidelines. The CCPA has cumulatively issued 997 notices to e-commerce platforms, facilitating INR14.4 million in refunds to affected consumers.
Enforcement actions have hit entities across aviation, e-commerce and digital healthcare, with a notable fine on a prominent quick-commerce platform for basket sneaking and drip pricing. The CCPA has also issued notices to 15 major platforms — including Amazon, Flipkart, Blinkit, Swiggy, MakeMyTrip, BigBasket and Tata 1mg — after finding continued dark pattern use despite these platforms having submitted self-audit compliance declarations.
The Indian judiciary continues to act on personality rights, another interesting area seeing regular action. Two major Delhi High Court orders were issued within days of each other. On 8 and 9 May, Justice Mini Pushkarna passed an interim injunction to protect the personality rights of Congress MP Shashi Tharoor, after he appeared before the court seeking removal of artificial intelligence-generated deepfake videos that falsely portrayed him praising Pakistan's diplomatic prowess during the Kerala election campaign.
The court restrained the unauthorized use, reproduction, imitation or manipulation of Tharoor's name, image, likeness, voice, signature speaking style, mannerisms and distinctive vocabulary for the creation or dissemination of deepfakes. It also directed social media platforms, including Meta and X, to take down the content and provide basic subscriber details associated with the accounts responsible for uploading it.
Just one day later, 10 May, Justice Tushar Rao Gedela granted sweeping ex parte ad interim protection to entrepreneur Aman Gupta — co-founder of boAt Lifestyle and a judge on Shark Tank India — restraining over 44 entities from using his name, image, voice, likeness, trademarks or personality traits without authorization, including through AI and deepfake technology. The court took serious note of AI-generated obscene and pornographic content featuring Gupta's likeness. This is among the first instances where a well-known entrepreneur in India — as distinct from a film star or politician — has secured such broad personality rights protection against deepfakes.
Together, these orders show Indian courts are prepared to grant urgent relief against AI deepfakes within 24 to 72 hours. The foundation for protection of personality rights has always been rooted in Article 21 of the Constitution of India. What has changed is the speed and breadth of relief courts are willing to grant.
Another theme that dominated across multiple regulators this month is the coordinated response to AI-driven cybersecurity threats — particularly those arising from frontier AI models capable of autonomously discovering and exploiting software vulnerabilities at speed and scale.
The Securities and Exchange Board of India set the tone. On 5 May, SEBI issued a circular titled "Advisory on Emerging Advanced Artificial Intelligence (AI) Tools for Vulnerability Detection," naming Anthropic's Claude Mythos explicitly — making SEBI the first financial markets regulator in India to name a specific AI model in a formal regulatory circular.
The advisory went far beyond a warning: it ordered an immediate cybersecurity overhaul for all 19 categories of regulated entities in Indian securities markets — including stock exchanges, depositories, clearing corporations, mutual funds and venture capital funds, among others. SEBI constituted a task force named cyber-suraksha.ai to coordinate vulnerability management, threat intelligence sharing and mitigation strategies across the entire market ecosystem.
The Insurance Regulatory and Development Authority of India was next. In a 15 May notice, IRDAI directed every insurer in the country to submit a formal Action Taken Report on frontier-AI cyber readiness by 22 May — an extraordinarily compressed three-day deadline. Insurers were required to demonstrate they can withstand frontier AI cyber threats and detail their preventive, detective and responsive security measures. The directive applies broadly to insurers, foreign reinsurance branches, brokers, corporate agents, web aggregators, third-party administrators and insurance repositories.
The Indian Computer Emergency Response Team followed up 25 May with a comprehensive 38-page blueprint titled "Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure." The document recommends organizations patch critical vulnerabilities on internet-facing systems within 12 hours of discovery or active exploitation. This is believed to be among the most aggressive patching timelines issued by any national cybersecurity authority globally, explicitly calibrated to the speed at which AI-assisted attacks now weaponize disclosed vulnerabilities.
Adding a governance dimension, the Ministry of Electronics and Information Technology convened a National Consultative Workshop on "Strengthening Cyber Security Frameworks for State Data" 11 May, chaired by MeitY Secretary Shri S. Krishnan. He emphasized that the protection of citizen data held by state governments — such as health records, land titles, educational credentials and welfare databases — is a "fundamental governance responsibility, not an administrative formality."
With the Digital Personal Data Protection Act fully enforceable beginning 13 May 2027, he noted, cybersecurity preparedness is no longer a best-effort commitment but a legal obligation. "Cybersecurity is not an IT function. It is a governance imperative," he said.
The threat landscape data underscores the urgency. Kaspersky's 2025 threat report, released 19 May, revealed that spyware attacks against Indian businesses jumped 72% year-on-year — from 214,407 incidents recorded in 2024 to 369,445 in 2025. Backdoor malware attacks rose 23% to 715,077.
Another rather interesting development connected to AI-related risks was the 20 May nationwide strike of over 1.24 million chemist shops, or pharmacies, called for by the All India Organisation of Chemists and Druggists. They were protesting online pharmacy platforms that the AIOCD says are accepting AI-generated fake prescriptions to dispense antibiotics, opioids and banned drugs. The AIOCD submitted a memorandum to Prime Minister Narendra Modi demanding that AI-generated prescriptions be declared invalid nationwide.
For those of us working at the intersection of AI governance and public policy, this episode is a stark reminder: the downstream harms of ungoverned AI are not limited to data breaches and misinformation alone. They can affect patient safety, drug resistance and public health at national scale.
I always like to end with numbers that capture the broader trajectory. The State of India's Digital Economy 2026 report, released 29 May by the ICRIER Prosus Centre for Internet and Digital Economy, offers a stunning snapshot. India has emerged as the world's fifth most digitalized economy — up from the eighth spot in 2025 — and ranks fourth globally in AI performance, behind only the U.S., China and Singapore. Other key findings: India generated USD328 billion in digitally delivered trade and is home to the world's second-largest AI talent pool.
The sheer density of developments this month is remarkable. Not bad in temperatures that can test an average person's patience and resilience.
Meanwhile, my wish for you is to "stay cool out there."
This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.


