Data Is the New Emission: How India’s Privacy Law Is Redesigning Connected Cars

Every second, a modern connected vehicle generates thousands of data signals—GPS coordinates tracking precise movements, cabin microphones capturing voice commands, telematics systems logging driving behaviour, sensors monitoring battery performance, and cameras recording surroundings. For years, automakers treated this torrent of information as a valuable asset to be collected broadly and analysed freely. That era has abruptly ended. India’s Digital Personal Data Protection Act (DPDPA) has fundamentally altered the equation, transforming data from an unregulated resource into something that must be justified, minimised, secured, and collected only with explicit, revocable consent. “Just as emission norms once forced automakers to redesign engines, the DPDPA is now forcing them to rethink their digital architectures from the ground up,” observes Jeffry Jacob, Partner and National Sector Leader – Automotive at KPMG India. This isn’t merely regulatory compliance—it’s a wholesale reimagining of how vehicles interact with personal information.

From Data Exhaust to Regulated Liability

The DPDPA’s impact on automotive data practices cannot be overstated. Everything from precise location trails and driver behaviour patterns to cabin voice commands, telematics logs, battery usage analytics, and even biometric cues now qualifies as protected personal information under the law. Modern vehicles emit hundreds or thousands of signals per second, covering ECU diagnostics, telematics data, and infotainment logs. Until recently, this information was collected broadly, often with minimal granularity in consent mechanisms or purpose tagging.

“The DPDPA transforms this data exhaust into a tightly regulated liability, something that must be minimised, justified, secured, and collected only with clear, revocable consent,” explains Ankita Sabharwal, Head of Data Privacy at Chadha and Chadha. The paradigm shift is fundamental: every byte of personal data emitted by a vehicle must now be justified, consented to, protected, and minimised. Automakers can no longer operate on the assumption that collecting everything and determining uses later is acceptable practice.

The complexity lies in the sheer scale and diversity of automotive data flows. A single connected vehicle involves multiple systems—from advanced driver assistance sensors to infotainment platforms to cloud-based analytics—each potentially processing personal data differently. Mapping this entire lineage and attaching correct purpose tags and consent markers at each stage represents an enormous operational and engineering undertaking. As Biswajeet Mahapatra, Principal Analyst at Forrester, notes, “The hardest part is identifying personal versus non-personal data across heterogeneous systems and maintaining dynamic classification as software updates change data flows.”

Engineering Privacy by Design

The DPDPA mandates that automakers embed privacy controls at the architectural level, ensuring lawful purpose and user control from the first line of code. This represents a fundamental departure from treating privacy as a compliance afterthought. “Engineering needs to embed privacy gates in every feature, to ensure lawful purpose and user control,” Jacob emphasises. Consent layers must be built into the human-machine interface (HMI) so customers can easily understand and control what they share, with systems designed to accommodate consent changes at any time.

Original equipment manufacturers and component suppliers must now embrace “data minimalism” as the default setting. This involves redesigning sensors and modules to collect only functionally necessary data rather than broad datasets that might prove useful later. Cloud architectures must similarly shift, with defaults configured to reduce the need to transmit personal information to remote servers. The goal is to capture sufficient data to enable vehicle features whilst avoiding excessive collection that creates privacy risks and compliance burdens.

Jacob identifies several critical gaps in current industry readiness: “The largest gaps are inaccurate or incomplete data inventories, insufficient purpose-mapping, and outdated consent flows that do not meet DPDPA’s explicit requirements. Data retention and deletion policies are often inconsistent across systems.” Incident response readiness remains weak, with many companies lacking compliant breach notification frameworks that fully meet DPDPA and CERT-In timelines.

On the security front, automakers are implementing end-to-end encryption, tokenisation for sensitive identifiers, and multi-factor authentication for over-the-air updates. “DPDP rules explicitly require ‘reasonable security safeguards’ including encryption and access logging,” Mahapatra observes. Whilst large OEMs have begun mapping data flows and redesigning consent mechanisms with robust compliance programmes underway, significant challenges remain. “The long tail of dealer networks, service centres, connected apps, and supplier systems remains fragmented, and there is still quite some way to go for them to reach the required maturity level,” Jacob notes.

The Cross-Border Compliance Minefield

Perhaps the most operationally disruptive aspect of the DPDPA is its approach to cross-border data transfers. The upcoming blacklist of prohibited countries for data transfers creates direct operational risks for automakers. Connected vehicles constantly transmit data to global servers, foreign telematics partners, and parent-company systems. If any destination falls on the prohibited list, OEMs must immediately cease all transfers, regardless of consent.

“This forces rapid localisation of cloud storage, re-evaluation of foreign vendors, and redesign of data flows across telematics, infotainment, diagnostics, and analytics,” Sabharwal explains. The blacklist mechanism effectively makes cross-border data handling one of the sector’s biggest compliance checkpoints, pushing manufacturers towards building India-specific, jurisdiction-aware, privacy-first mobility systems.

India currently follows a negative list model, allowing cross-border transfers until a country is specifically blacklisted. However, as Jacob points out, “A sudden inclusion into the restricted-countries list could require OEMs to re-architect global data routes at short notice. They will need to negotiate contracts with global partners to ensure that data does not transit through prohibited geographies.” Mahapatra adds that the Centre’s power to restrict transfers creates uncertainty for automakers using global cloud or telematics vendors, potentially forcing contract renegotiations and rapid migration to India-compliant infrastructure.
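The gating logic this section and the "Engineering Privacy by Design" section describe, as an added example that is not from the article or from any automaker's code: an outbound-telemetry check that requires a purpose tag, blocks restricted destinations regardless of consent, honours revoked consent, and strips fields the purpose does not need. The country code `XX`, the purpose names, the field lists and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy data for illustration; not taken from the DPDPA or any notified list.
RESTRICTED_COUNTRIES = {"XX"}   # placeholder code standing in for a blacklisted destination
ALLOWED_FIELDS = {              # data minimisation: the fields each purpose actually needs
    "navigation": {"lat", "lon"},
    "battery_analytics": {"soc", "cell_temp"},
}

@dataclass
class ConsentLedger:
    """Per-user, per-purpose consent that can be withdrawn at any time."""
    granted: set = field(default_factory=set)

    def grant(self, user, purpose):
        self.granted.add((user, purpose))

    def revoke(self, user, purpose):
        self.granted.discard((user, purpose))

    def has(self, user, purpose):
        return (user, purpose) in self.granted

def egress_decision(signal, dest_country, ledger, restricted=RESTRICTED_COUNTRIES):
    """Return (allowed, reason, payload) for one outbound telemetry signal."""
    purpose = signal.get("purpose")
    # Untagged data cannot be tied to a declared purpose, so it is not transmitted.
    if purpose not in ALLOWED_FIELDS:
        return False, "no_purpose_tag", None
    # The negative-list check runs before the consent check: a restricted
    # destination blocks the transfer even when consent exists.
    if dest_country in restricted:
        return False, "restricted_destination", None
    # Consent is looked up at send time, so a revocation takes effect immediately.
    if not ledger.has(signal["user"], purpose):
        return False, "no_consent", None
    # Strip every field the declared purpose does not need.
    payload = {k: v for k, v in signal["data"].items() if k in ALLOWED_FIELDS[purpose]}
    return True, "ok", payload

if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("driver-1", "navigation")
    sample = {"user": "driver-1", "purpose": "navigation",
              "data": {"lat": 12.97, "lon": 77.59, "cabin_audio": "<bytes>"}}  # constructed
    print(egress_decision(sample, "IN", ledger))
    print(egress_decision(sample, "XX", ledger))
```

Because the restricted set is a parameter rather than a constant baked into each feature, adding a country to it changes the decision for every data flow that passes through the gate without touching feature code.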

The DPDPA represents more than regulatory obligation—it’s fundamentally reshaping how connected vehicles are conceived, engineered, and operated. Just as emission standards once drove innovation in engine design and fuel efficiency, privacy regulations are now driving innovation in data architecture and user control mechanisms. Automakers who view this purely as a compliance burden risk missing the deeper opportunity: building trust through transparency and control, differentiating on privacy protection, and pioneering approaches that may well become global standards. The transition is challenging, requiring significant investment in systems redesign, process transformation, and organisational capability building. Yet for an industry that has successfully navigated numerous technological disruptions—from fuel injection to electrification to autonomous systems—integrating privacy by design represents the next essential evolution in automotive engineering.