The Digital Personal Data Protection Act, 2023 And Intellectual Property Law: An Emerging Conflict in India’s Data-Driven Economy

Introduction

The Digital Personal Data Protection Act, 2023 (DPDP Act),[1] is a significant development in the Indian privacy regime. The DPDP Act cautions the rights of data principals (individuals) and obligations on data fiduciaries concerning consent, purpose restriction, data minimisation, and the right to correct/erase. Conversely, the Indian IP regime regarding copyrights, patents, trade secrets, database protection, and contract licenses treats information and creative outputs as economic property to be owned, licensed, assigned, and exploited. Today, many new technologies and new products are necessarily data-intensive, and thus it is quite paradoxical to see the DPDP Act’s individualistic-privacy-remedial regime lie parallel to the property-and-exclusivity regime in India’s IP law.[2]

This blog will highlight how a conflict is emerging between DPDP Act and IP regulations in India, specifically looking at how Data Protection Rights conflict with IP Ownership, Licensing, and Enforcement principles. The blog holds that a lack of harmonization between these different systems could pose a danger to Personal Privacy as well as Innovation Incentives.

Conceptual Divergence: Data as a Right versus Data as Property

At the conceptual plane, there are differing legal traditions and philosophies that run between the DPDP Act and IP law. While the DPDP Act conceptualises personal data as an extension of their dignity and liberty and accordingly extends a principal continuing controllership to the individual regarding the processing of their own personal data, which is considered valid and revocable consent also necessary for authorised purposes, IP law conceptualises information and creative works as property rights. The IP right, once it comes into existence, is considered to be exclusive, long-term, and transferable, such that the right-holder can sell it for monetary gains.[3]

However, this divergence may pose a concern when personal data constitutes the fundamental resource in IP-protected property. Where personal data is contained in a copyrighted database, an AI model, or an IP-protected dataset, the IP law presumes stability in IP ownership, contrary to the provision in the DPDP Act permitting continuous interference by the data principal via consent withdrawal and right to erasure. There is not yet a clarification in any law as to which takes precedence in situations where these rules conflict.[4]

Consent Withdrawal and the Stability of IP Rights

It is one of the areas that is of most relevance because of the right of withdrawal of consent that is provided under the DPDP Act. It is stated that the law of IP relies on the predictability and continuity of rights. Licenses that are provided to copyrighted works, data sets, and software are granted on fixed terms based on fixed prices. But what is the extent of the impact if the data principal withdraws consent for the processing of personal data after this license has been granted?[5]

Such ambivalence is dangerous to businesses that rely on their data. If withdrawal of consent affects, or could affect, undermining IP licences, it could raise the costs of investment. Alternatively, if IP rights prevail over withdrawal of consent, it could weaken privacy rights intended by the DPDP Act. The DPDP Act should clarify these rights, rather than making judges decide what to do in every case, which could be dangerous to businesses that rely on their data.

Database Copyright versus Data Minimisation Obligations

The Indian copyright law protects compilations and databases that show a sufficient level of skill, labour, and judgment. These provisions encourage large-scale data compilation. Under the DPDP Act, on the other hand, there is a requirement of data minimisation, whereby a data fiduciary is obliged to collect and maintain only that much personal data that is required for the specified purpose.

This creates structural tensions. Even as IP law fosters the establishment of full databases, DP law obstructs the accumulation and retention of the same. If a subsequent audit establishes that the copyrighted database contravenes DP law in terms of excessive accumulation of personal information above the set DPDP Act limit, the fiduciary may be forced to delete some aspects of the database. This may compromise the integrity of the copyrighting, with the effect that the IP right lapses as a mandatory requirement to follow DP law.[6]

Trade Secrets and the Right to Access Personal Data

Protection of trade secrets is highly significant in protecting algorithms, data sets, and business methods, especially in the tech industry. The DPDP Act provides data principals with a right to know how their personal data is being processed. This is a very important right, but it may sometimes conflict with the protection of trade secrets when personal data is closely linked to them.[7]

This might mean, for example, that the right of access in regard to personal data processed in algorithmic decision-making requires disclosure of logic structures with regards to data processing, feature selection, or model construction. Access can lead to a deterioration of the confidentiality required for preserving trade secret rights. This issue has not been clearly addressed by the DPDP Act regarding balancing rights on access and trade secrets.

AI Training Data: Intersection of Personal Data, Copyright, and Trade Secrets

AI systems are a complex are of DPDP obligations and intellectual property rights. Indeed, training an AI system involves processing large amounts of data that may contain copyrighted works and personal data such as images, speech, and behavioural data. From an IP point of view, carefully created datasets and trained models may constitute copyrightable works or Trade Secrets. On the DPDP side, the processing of personal data to train models is indeed processing that must be performed in accordance with the provisions concerning consent and the purposes of processing.[8]

One highly contentious area is in cases where an individual exercises their right to erasure after an AI system has already learned from their personal data. This is because it has proven difficult to retrospectively deprive an AI system that has learned from certain pieces of personal data of its effects. There is no clarity on whether and how IP rights are impacted by this ‘machine unlearning’ process provided by the DPDP Act.

Fair Dealing and Purpose Limitation

The Indian Copyright Act has a provision related to ‘fair dealing’ for research, educational, critical, or review purposes. These exceptions include activities involving the work without the copyright owner’s permission, based on the public interest involved in the dissemination of knowledge. But the DPDP Act states that the personal data has to be processed for the same reason the consent was sought or a legitimate reason.[9]

This, in turn, results in issuances, which create a doctrinal conflict where a use may well be allowed under copyright statute laws, yet limited through data protection laws. An example includes a researcher using a fair dealing right to analyse publicly available data that includes personal data, yet requires compliance with DPDP obligations nonetheless. A lack of certainty regarding issuances to derogate a regime to require consent will, in turn, stifle academic and journalism endeavours.

Licensing, Assignments, and Commercial Uncertainty

IP licenses and assignments are the spine of commercialisation in the creative and technological industries. These licenses and assignments imply a certain permanence and enforceability. Consent-centric law, as implied in the DPDP Act, clouds the guarantees implied in such licenses and assignments, including those concerning personal data. Withdrawal of consent may mandatorily require a halt in the processing, and the license holders might not be in a position to fully utilise the licenses they had acquired.[10]

This ambiguity is compounded in a complex licensing chain that includes sublicenses and international exploitation. This is especially so in regards to the lack of authoritative legislation on the implications of withdrawing consent in the granting of licenses.

Cross-Border Data Transfers and Global IP Exploitation

However, while IP rights are territorial, their exploitation is increasingly global. While the DPDP Act applies to the processing of personal data linked to India and imposes conditions on cross-border data transfers, where IP assets such as datasets or AI models are licensed internationally, compliance with DPDP transfer requirements may restrict global exploitation.

This is where the tension becomes quite relevant for Indian startups trying to commercialise data-driven IP in global markets. The demand for the harmonisation of IP licensing strategy with data protection compliance creates an added layer of regulatory complexity that might influence competitiveness.

Remedies and Enforcement Conflicts

The IP enforcement mechanism and that under the DPDP Act are different. While the latter commonly involves civil remedies such as injunctions and damages, the former has provided for administrative penalties, directions to cease processing and data deletion orders. Often, carrying out a data protection order could undermine an IP enforcement action, or vice versa.

For instance, a court might order the preservation of a dataset as evidence in an IP dispute, while the data protection authority orders its deletion. The absence of coordination mechanisms or of priority rules facilitates such a risk of conflicting orders.

Comparative Insights and the Need for Harmonisation

Internationally, there are also tensions that have emerged under the EU’s General Data Protection Regulation that specifically involve AI and data-driven innovation. On the international level, topics involving the World Intellectual Property Organisation concern the need for a clear understanding on how data-driven innovation should be governed. These are areas in which India can learn particularly in relation to the principles of proportionality and specific exceptions.

Conclusion

The DPDP Act, 2023, is a giant leap in the direction of protection of personal data in Indian law. However, when it comes to Intellectual Property laws, there appear to be an amplitude of tensions at various levels. Indeed, as data becomes increasingly at the heart of innovation, the conflict between control and property rights is expected to escalate. This has implications that might run against not only the protection of privacy but also innovation. There needs to be an approach that strikes a harmonious note in legitimising both sets of rights, with definite directions on how conflicts are to be settled.

Author: - Pallavi Kumari, in case of any queries please contact/write back to us via email to chhavi@khuranaandkhurana.com or at  Khurana & Khurana, Advocates and IP Attorney.

[1] Ministry of Electronics & Information Technology, Government of India. (2023). The Digital Personal Data Protection Act, 2023 (No. 22 of 2023). Government of India. https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf 

[2]PRS Legislative Research. (2023). Summary: Digital Personal Data Protection Bill, 2023. PRS India. https://prsindia.org/files/bills_acts/bills_parliament/2023/Summary_Digital_Personal_Data_Protection_Bill_2023.pdf.

[3] World Intellectual Property Organization. (n.d.). Artificial intelligence and intellectual property. https://www.wipo.int/en/web/frontier-technologies/artificial-intelligence/index.

[4] European Parliament & Council of the European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.

[5] Government of India. (2025). Digital Personal Data Protection Rules, 2025 [Rules under the Digital Personal Data Protection Act, 2023]. Government of India.

[6] U.S. Copyright Office. (2024). Copyright and artificial intelligence, part 3: Generative AI training (pre-publication version). https://www.copyright.gov/ai/Copyright-and-Artificial-Intelligence-Part-3-Generative-AI-Training-Report-Pre-Publication-Version.pdf

[7] International Journal of Creative Research Thoughts (IJCRT). (2025). Digital personal data protection law and intellectual property rights. https://www.ijcrt.org/papers/IJCRT2501900.pdf

[8] India’s Digital Personal Data Protection Act and Its Interplay With Intellectual Property Regimes. (n.d.). Indian Journal of Law and Legal Research. https://www.ijllr.com/post/india-s-digital-personal-data-protection-act-and-its-interplay-with-intellectual-property-regimes

[9] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).

[10] Puthrans. (n.d.). Digital protection and intellectual property: An interplay. https://www.puthrans.com/digital-protection-and-intellectual-property-an-interplay/