India DPDP, Australia Privacy Act, and UAE PDPL: AI Governance in Three Growing Markets

· 5 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

The global privacy regulation landscape has expanded well beyond GDPR and CCPA. India, Australia, and the UAE have all enacted or significantly amended data protection laws in the past three years — each with distinct approaches, enforcement mechanisms, and AI-specific provisions.

For AI agents operating in these markets, understanding the differences matters: a manifest configured for GDPR compliance is not automatically compliant with India's DPDP Act.

India: DPDP Act 2023

The Digital Personal Data Protection Act was passed in August 2023. Enforcement is expected from mid-2026 as implementing rules are finalized.

Key characteristics:

Consent-first framework: Processing personal data requires consent (or one of several limited legitimate uses). Consent must be free, specific, informed, and unambiguous. For AI agents: if the agent processes personal data of Indian residents, the consent collection and management process must be documented.

Data Fiduciary and Data Processor model: Similar to GDPR controller/processor. Data Fiduciaries (controllers) bear primary responsibility; Data Processors (including AI infrastructure providers) process only as directed.

Significant Data Fiduciaries (SDFs): MEITY (Ministry of Electronics and IT) can designate certain entities as SDFs based on data volume, sensitivity, and risk to national security. SDFs face additional obligations: data audits, Data Protection Impact Assessments, and appointment of an independent Data Auditor.

Cross-border transfer: Data can flow to countries approved by the Central Government (whitelist approach). The whitelist is still being finalized. For AI agents: until the approved country list is published, cross-border transfers to servers outside India carry regulatory uncertainty.

Penalties: Up to ₹250 crore (~$30 million) per instance of non-compliance.

Manifest implications:

{
  "policy": {
    "jurisdiction_allowlist": ["IN"],
    "require_capability_token": true
  },
  "constraints": {
    "require_human_approval": ["data:write", "data:read"],
    "audit_retention_days": 1095
  }
}

Setting jurisdiction_allowlist to ["IN"] enforces data residency until the approved transfer country list is finalized. Like PIPL, India's approach makes localization the default safe choice.

Australia: Privacy Act 1988 (as amended 2024)

Australia's Privacy Act has been amended through the Privacy and Other Legislation Amendment Act 2024. Key changes relevant to AI agents:

Automated decision-making transparency: New provisions require entities to notify individuals when automated decision-making is used and to explain the logic involved. For AI agents making decisions about Australians: the audit log must capture enough to provide that explanation.

Serious privacy breach reporting: The definition of "serious interference with privacy" has been clarified and the mandatory data breach notification scheme strengthened.

APP 1 enhancement: Privacy policies must now address automated decision-making. If your AI agent makes decisions, your privacy policy must explain that.

Penalty increases: Serious or repeated interference with privacy now carries penalties up to A$50 million (up from A$2.22 million) or 30% of adjusted turnover, whichever is greater.

The Australian Privacy Act's 13 Australian Privacy Principles (APPs) have always covered automated systems — the 2024 amendments make the AI application explicit. APP 3 (collection limitation), APP 6 (use limitation), and APP 11 (security) are the most directly relevant to AI agents.

Key difference from GDPR: Australia's Privacy Act has a "small business exemption" for businesses with turnover under A$3 million. AI startups may be exempt — but this exemption is under review and may be removed in the next legislative cycle.

UAE: Federal Personal Data Protection Law (PDPL)

The UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL) came into force in January 2022, with implementing regulations following. The UAE Data Office is the supervisory authority.

Key characteristics:

GDPR-aligned structure: The UAE PDPL follows GDPR's structure closely — lawful basis for processing, data subject rights, controller/processor obligations. The familiarity makes GDPR-experienced teams productive quickly.

Cross-border transfer restrictions: Transfers outside the UAE require one of the following: an adequacy finding for the recipient country, standard contractual clauses, binding corporate rules, or TDRA approval. The approved countries list includes EU member states, the UK, and others.

Special categories: Health data, financial data, biometric data, and data concerning minors are treated as sensitive. Higher protection standards apply.

Fines: Up to AED 20 million (~$5.4 million) for serious violations.

Dubai DIFC and Abu Dhabi ADGM: These financial free zones have their own data protection frameworks (DIFC DP Law, ADGM Data Protection Regulations) that differ from the federal PDPL. AI agents operating specifically within these zones face the zone-specific frameworks.

Manifest implications:

{
  "policy": {
    "jurisdiction_allowlist": ["AE"],
    "tool_allowlist": [
      "uae_approved_datastore",
      "uae_kyc_provider"
    ]
  },
  "constraints": {
    "audit_retention_days": 730,
    "require_human_approval": ["data:write"]
  }
}

UAE's retention requirements are 2 years minimum; 5 years is best practice for financial data.

The Common Thread

Across India, Australia, and the UAE, three requirements are consistent:

  1. Automated decision transparency — if the AI makes a decision, it must be explainable
  2. Cross-border transfer controls — data residency restrictions require jurisdiction scoping
  3. Breach notification — all three have notification requirements triggered by security incidents

These three requirements map to: require_human_approval (oversight + explainability), jurisdiction_allowlist (transfer controls), and the audit log (breach notification support).
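To make that mapping concrete, here is an added example (not UAPK's own validator or schema) that checks a manifest for the three controls against a per-jurisdiction baseline. The baselines are constructed from the two example manifests above and the UAE two-year retention note, not from the statutes themselves; check_manifest and BASELINES are names chosen for this example.

```python
import json

# Per-jurisdiction baselines, constructed from this page's two example
# manifests (IN, AE). Illustrative values, not statutory minima.
BASELINES = {
    "IN": {"min_retention_days": 1095,
           "human_approval": {"data:write", "data:read"},
           "require_capability_token": True},
    "AE": {"min_retention_days": 730,  # page: 2 years minimum
           "human_approval": {"data:write"},
           "require_tool_allowlist": True},
}

def check_manifest(manifest, jurisdiction):
    """Return a list of findings (empty list means the manifest passes)."""
    base = BASELINES[jurisdiction]
    policy = manifest.get("policy", {})
    cons = manifest.get("constraints", {})
    findings = []
    # 1. Transfer controls: allowlist must exist and be scoped to this jurisdiction.
    allow = policy.get("jurisdiction_allowlist")
    if not allow:
        findings.append("jurisdiction_allowlist missing or empty")
    elif set(allow) != {jurisdiction}:
        findings.append(f"jurisdiction_allowlist {allow} is not scoped to {jurisdiction}")
    # 2. Oversight and explainability: human approval on the required actions.
    missing = base["human_approval"] - set(cons.get("require_human_approval", []))
    if missing:
        findings.append(f"require_human_approval lacks {sorted(missing)}")
    # 3. Breach-notification support: audit retention at least the baseline.
    days = cons.get("audit_retention_days", 0)
    if days < base["min_retention_days"]:
        findings.append(f"audit_retention_days {days} < {base['min_retention_days']}")
    # Jurisdiction-specific extras taken from the page's manifests.
    if base.get("require_capability_token") and not policy.get("require_capability_token"):
        findings.append("require_capability_token must be true")
    if base.get("require_tool_allowlist") and not policy.get("tool_allowlist"):
        findings.append("tool_allowlist missing or empty")
    return findings

# Constructed sample: a manifest written for the EU, re-checked for India.
GDPR_MANIFEST = json.loads("""{
  "policy": {"jurisdiction_allowlist": ["EU"], "require_capability_token": false},
  "constraints": {"require_human_approval": ["data:write"], "audit_retention_days": 365}
}""")

if __name__ == "__main__":
    for finding in check_manifest(GDPR_MANIFEST, "IN"):
        print("IN:", finding)
```

Running it against the EU-scoped manifest reports four findings for India, which is the point made at the top of the post: a GDPR-configured manifest is not automatically DPDP-ready.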

A manifest that addresses these three areas in GDPR context will be close to compliant in all three jurisdictions — the differences are in the specific timelines, thresholds, and regulatory contacts, not in the underlying control architecture.