How AI Is Reshaping DPDPA and Data Privacy Compliance


    The Government of India wants to turn law into code. This is bigger than automation!!

    MeitY is reportedly exploring “law-to-code”: translating DPDPA provisions into machine-executable rules so that systems enforce compliance by design.


    The logic is sound. When AI moves at machine speed, governance cannot run at the speed of a legal opinion. A system trying to access personal data without a valid basis should be blocked at the moment of the act, not flagged in a quarterly audit.

    But code is precise. The DPDPA is deliberately not.

    The statute relies on terms like “reasonable safeguards,” “necessary,” and “fair.” These are not gaps. They are features that let a single rule survive a thousand situations no drafter could foresee.

    I always say that it will be “reasonableness” which will be a guiding factor, and unless it is fixed to check software, you can’t enforce the law effectively. You’ve just shipped one engineer’s interpretation of it.

    For AI: MeitY is thinking this way because AI broke the old model. Human-speed audits cannot keep up with a system making thousands of decisions a second. To govern something that acts in milliseconds, you need a rule that acts in milliseconds. That case is strong.

    But a human officer can see a borderline case and pause. Code does not pause. It executes. So we gain speed and lose the judgment that made enforcement bearable.

    For law: Law runs on deliberate ambiguity. “Reasonable,” “fair,” and “proportionate” are not drafting failures. They let one statute survive decades of cases nobody foresaw, with a judge filling the gap from the facts in front of them.

    Encode the rule and you settle the ambiguity before any facts exist. Power moves from the future judge who will see the case to the present engineer who cannot.

    For the common man: The upside is real. Today an ordinary person has almost no way to enforce their data rights; the breach happens silently and they learn of it months later. In code, protection becomes automatic, and does not depend on the citizen being vigilant. But when the rule is automated, so is the mistake.

    A system can block a legitimate person, wholly within the code and wholly wrong on the facts, with no one who chose it and no one to argue with. The same automation that protects the unaware traps the exception, and the common man is the exception far more often than the corporation is.

    As live enforcement of DPDPA approaches on 13 May 2027 with a ₹250 crore penalty ceiling, three critical shifts follow:

    1. Compliance moves into the architecture: The DPDPA question leaves the policy file and enters the system design review.
    2. The burden of proof inverts: Your logs become your defense. The organization that cannot prove what its systems decided in real-time is exposed the moment the Board asks.
    3. A new fault line opens: Soon, a system will block a citizen lawfully, automatically, and wrongly. The rule will have worked. The justice will have failed.

    Translating a statute is an engineering problem. Deciding what should never be translated is a legal one.

    My final take is that “law-to-code” shifts power away from having to fight for your rights, which is good, and away from being able to explain yourself, which is dangerous. Which one wins turns on the single thing the technology cannot supply: a fast, human, reachable way to override the machine when it gets a real person wrong.
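
    A minimal sketch of the second shift (logs as defense) and of the human override described above, added here as an illustration and not taken from MeitY or any DPDPA tooling. The consent table, field names and function names are assumptions; the consent lookup stands in for whatever "valid basis" check a real system would apply.

```python
import hashlib
import json

# Constructed sample data: (principal, purpose) pairs with recorded consent.
CONSENTS = {("user-17", "billing"), ("user-42", "marketing")}
GENESIS = "0" * 64

class DecisionLog:
    """Append-only log in which every entry commits to the previous entry's hash."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, record):
        body = json.dumps(record, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"prev": prev, "record": record, "hash": self._digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def request_access(log, principal, purpose, ts):
    """Decide at the moment of access and record the decision, allow or block."""
    allowed = (principal, purpose) in CONSENTS
    log.append({"ts": ts, "principal": principal, "purpose": purpose,
                "decision": "allow" if allowed else "block",
                "basis": "consent" if allowed else None,
                "actor": "policy-engine"})
    return allowed

def human_override(log, index, reviewer, reason, ts):
    """A named reviewer reverses a block; the original entry is never edited."""
    original = log.entries[index]
    if original["record"]["decision"] != "block":
        raise ValueError("only blocked decisions can be overridden")
    log.append({"ts": ts, "principal": original["record"]["principal"],
                "purpose": original["record"]["purpose"], "decision": "allow",
                "actor": reviewer, "reason": reason,
                "overrides": original["hash"]})
    return True
```

    A hash chain only shows that entries were not altered in place; whoever holds the whole log can still rebuild it, so the latest hash has to be anchored somewhere the operator cannot rewrite.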

    Maybe we will see these things become reality, i.e., Privacy by Code, Compliance by Code and Privacy by Design, in future frameworks and architecture.


