Reading the DPDP Act 2023 like a law firm partner: what actually applies to your AI use
The Digital Personal Data Protection Act, 2023 is law. Most Indian firms still don't know what it means for their AI workflows. A practical, partner-level read of the obligations that matter, written without the legalese.
TL;DR
The Digital Personal Data Protection Act, 2023 is now law. For Indian law firms using AI, three things matter most: where personal data is processed, how consent is recorded, and who the firm has named as its grievance officer. None of these requires a lawyer to understand. They require a partner to make a few decisions and write them down. This post is the version of the Act you can read in 12 minutes, with the partner's questions answered first.
What the Act actually does
The DPDP Act creates a framework for the processing of digital personal data in India. It applies to any processing of personal data within India, and to processing outside India that involves offering goods or services to data principals in India. For a Mumbai law firm whose clients are largely Indian, the Act applies to almost everything.
The Act's framework is short by Indian statute standards. Roughly 44 sections. The structure is straightforward.
A data principal is the individual whose personal data is being processed.
A data fiduciary is the entity that determines the purpose and means of processing. For a law firm, this is almost always the firm itself.
A data processor is anyone processing data on behalf of a fiduciary. For an AI workflow, the LLM provider may be a processor depending on contract terms.
Personal data is anything that can identify a person. Names, addresses, financial details, communications, the lot.
The Act creates obligations on the fiduciary, rights for the data principal, and a regulator (the Data Protection Board) to enforce them.
The three things that actually matter for your AI use
Most of the Act is general-purpose data protection. Three things matter specifically for AI workflows.
Where the data is processed
Section 16 contemplates restrictions on cross-border transfer of personal data. The rules on which countries are permitted are still being notified. The conservative position, which is what we install at every Matter Labs deployment, is to process within India or within infrastructure that the firm has directly contracted for.
Practically, this means: if your AI workflow sends a draft notice (containing the client's name, the opposing party's name, transaction details, sometimes financial information) to a vendor's general API endpoint, you need to know exactly where that endpoint runs and what the vendor's contractual obligations are. "OpenAI's API" is not an answer. "Azure OpenAI in the South India region under our enterprise agreement with retention disabled" is.
How consent is captured
Section 6 requires consent to be free, specific, informed, unconditional, and unambiguous. For a law firm, this matters at three moments:
Engagement. The engagement letter has to inform the client about how their personal data will be processed, including by AI tools. Most firms updated their engagement letters in 2024. Check yours.
Third-party data. When the firm processes the personal data of a witness, an opposing party, or an unrelated third party as part of a matter, the firm is relying on a legitimate-use exception. Section 7 lists these. The "performance of a function under any law" exception covers most litigation work, but it is worth knowing which exception you are relying on for which matter.
Marketing. If the firm uses AI to draft outbound marketing or business development emails based on contact data, that is a separate consent regime. Section 6 applies in full.
The grievance officer
Section 8(9) requires every fiduciary to publish the contact details of a grievance officer. Most Indian law firms have not done this on their websites yet. It is a 30-minute fix and the absence of it is the easiest thing for the Data Protection Board to flag. Pick a partner. Put their email on the firm's website. Done.
What we install at firms
When we wire AI into a firm's workflow, we make four DPDP-aware choices by default.
One. All processing happens inside the firm's existing M365 tenant or Google Workspace, in the India region where available. The data does not leave the firm's existing environment for any purpose other than the active task.
Two. The LLM provider is contracted under an enterprise agreement that disables training and limits retention to 30 days for abuse monitoring. The firm gets a copy of the data processing addendum.
Three. Every AI-generated output is logged with the matter number, the user, the time, and the model version. If a client ever requests a record of how their data was processed, the firm can produce it.
Four. The firm's grievance officer is named in our standard AI-use policy template, which we ship with every install. The policy is published on the firm's intranet and a redacted version goes on the firm's website.
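Choices one and three above (keep the data inside contracted infrastructure; log every AI output against matter, user, time and model) and the earlier point that a firm must know exactly which endpoint its drafts are sent to are the two parts of this list that turn into engineering controls. The Python below is an added illustration written for this post; it is not Matter Labs' installer or any vendor's SDK. The approved hostname, matter number, user and model name are constructed placeholders, and the fail-closed gate plus the JSON Lines log format are assumptions about how such a control could be built.

```python
"""Added example (not Matter Labs' code): an approved-endpoint gate and a per-call
audit record of the kind described in choices one and three. Hostnames, matter
numbers and users below are constructed placeholders."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import urlsplit

# Hypothetical allowlist: only endpoints the firm has contracted for, pinned to
# an India region. The hostname is a constructed placeholder, not a real deployment.
APPROVED_ENDPOINT_HOSTS = {"firm-llm-southindia.example.net"}


class EndpointNotApproved(Exception):
    """Raised when a workflow tries to send matter data somewhere not under contract."""


def check_endpoint(url: str) -> str:
    """Return the hostname if the URL is HTTPS and on the approved list; raise otherwise.

    The check runs before any client data leaves the firm's environment, so a
    misconfigured or 'general API' endpoint fails closed instead of leaking.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise EndpointNotApproved(f"refusing non-TLS endpoint: {url}")
    if parts.hostname not in APPROVED_ENDPOINT_HOSTS:
        raise EndpointNotApproved(f"endpoint not under firm contract: {parts.hostname}")
    return parts.hostname


@dataclass(frozen=True)
class AuditRecord:
    """One AI call: the four fields the post names, plus where the call went and a
    digest of the output. Storing a digest rather than the text keeps the log from
    becoming a second copy of the client's personal data (a design choice here)."""
    matter_number: str
    user: str
    timestamp: str        # ISO 8601, UTC
    model_version: str
    endpoint_host: str
    output_sha256: str


class AuditLog:
    """Append-only JSON Lines log, held in memory for this example; on a real
    install this would be a write-once file or table inside the firm's own tenant."""

    def __init__(self) -> None:
        self._lines: List[str] = []

    def record(self, *, matter_number: str, user: str, model_version: str,
               endpoint_url: str, output_text: str,
               now: Optional[datetime] = None) -> AuditRecord:
        host = check_endpoint(endpoint_url)   # fail closed before logging anything
        ts = (now or datetime.now(timezone.utc)).isoformat()
        digest = hashlib.sha256(output_text.encode("utf-8")).hexdigest()
        rec = AuditRecord(matter_number, user, ts, model_version, host, digest)
        self._lines.append(json.dumps(asdict(rec), sort_keys=True))
        return rec

    def records_for_matter(self, matter_number: str) -> List[dict]:
        """What the firm hands over when a client asks how their data was processed."""
        rows = (json.loads(line) for line in self._lines)
        return [r for r in rows if r["matter_number"] == matter_number]


if __name__ == "__main__":
    log = AuditLog()
    log.record(matter_number="M-2026-0001", user="partner@firm.example",
               model_version="model-v-placeholder",
               endpoint_url="https://firm-llm-southindia.example.net/v1/chat",
               output_text="Draft notice (constructed sample)")
    print(json.dumps(log.records_for_matter("M-2026-0001"), indent=2))
    try:
        check_endpoint("https://general-llm-api.example.com/v1/chat")
    except EndpointNotApproved as exc:
        print("blocked:", exc)
```

The point of putting the endpoint check inside the logging path is that the two controls cannot drift apart: a call that cannot be attributed to a contracted endpoint is never made, and every call that is made leaves a record the firm can produce per matter.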
These four choices do not make a firm DPDP-compliant in the legal sense (only a properly signed-off privacy programme does that) but they remove 80% of the risk surface for AI use specifically.
What is still unclear
Some parts of the Act are not yet fully operationalised. The cross-border transfer rules. The exact criteria for designating a "Significant Data Fiduciary" (most law firms will not be one, but big ones might). The detailed procedural framework for the Data Protection Board's enforcement.
This is a moving target. Our installs include a quarterly review where we flag changes in the regulatory landscape that affect the firm's setup. The first such review for most of our clients is in October 2026, by which point most of the subordinate legislation should have settled.
What to do this week
If you are a partner reading this and your firm has not done a DPDP audit of its AI use yet, here is the minimum.
- Pick a partner as grievance officer. Publish the email on the website.
- Walk through every place where AI touches client data. Write down what model is used, where it is hosted, and what the contract terms say about retention and training.
- Update the engagement letter to mention AI use. A two-line clause is enough.
- Decide whether your AI vendor is contracted under terms that satisfy section 8 obligations. If not, fix it.
That is the partner-level checklist. Anything more detailed than this is below the partner's pay grade. If you want a sample DPDP-aware AI-use policy and the engagement letter clauses we ship with every install, book a teardown and we will share them on the call.
Frequently asked
When a law firm processes the personal data of clients or third parties for purposes of providing legal services, the firm is the data fiduciary. The client is the data principal for their own data. For data of third parties (witnesses, opposing parties, etc.), the firm is processing under a 'legitimate use' exception, but consent and notice obligations still attach in many cases. Read sections 4 to 8 of the Act for the specific framework.