India’s AI regulators just gave platforms two rules that can’t both be followed at once. The 2026 IT Rules amendment on Synthetically Generated Information wants platforms to retain provenance metadata. The DPDP Act wants that same data gone as soon as possible.
Here’s the conflict, plainly. MeitY’s IT Rules amendment, notified via Gazette G.S.R. 120[E] in February 2026, requires platforms handling Synthetically Generated Information to retain metadata that can trace who generated it, when, and through what tool. This is the provenance and traceability layer meant to catch deepfakes and AI-generated misinformation at scale.
The DPDP Act runs on the opposite instinct. Collect only what you need. Use it only for the stated purpose. Delete it once that purpose is served. Retention for its own sake is exactly what the Act was built to discourage.
For any platform running AI content tools, the two obligations sit in direct tension. Hold onto SGI metadata long enough to satisfy IT Rules compliance, and you risk running afoul of DPDP’s storage limitation principle. Delete it on a DPDP-friendly timeline, and you may not have what regulators want if an SGI-related complaint surfaces months later.
Where practice is landing
There’s no notified reconciliation between the two frameworks yet. In the absence of one, legal and compliance teams are converging on a rough middle path: retain SGI provenance data for a defined window, often pegged to a compliance or audit cycle, then anonymize or delete it unless a legal hold applies. This isn’t compliance. It’s risk management while waiting for clearer rules.
Why this matters now
Platforms can’t treat this as a future problem. SGI obligations are already live, and DPDP’s transition period runs through May 2027, with the Data Protection Board expected to move from guidance to active supervision later this year. A platform that over-retains SGI metadata “just in case” is building DPDP exposure. One that deletes too aggressively may find itself unable to respond to an IT Rules inquiry.
The sensible move is documentation, not guessing. Set a retention window for SGI metadata, write down the legal basis for it under both frameworks, and be ready to explain the number you picked. Regulators are far more forgiving of a reasoned position than an absent one.
Expect MeitY or the Data Protection Board to eventually issue guidance bridging this gap. Until they do, platforms operating AI tools in India are compliance officers for two laws pulling in different directions, and the honest answer is that nobody has fully reconciled them yet.
Recent Comments