AI Regulation in India: Current Legal Landscape and Emerging Framework

Executive Summary

Artificial Intelligence regulation in India is evolving through sector-specific guidelines and existing legal frameworks, with no comprehensive AI-specific legislation yet enacted:

Current approach: Principle-based, sectoral regulation
DPDP Act: Automated decision-making provisions (Section 10)
IT Act: Liability for automated systems
MeitY initiatives: Advisory on unreliable AI, deepfakes, accountability
NITI Aayog: National AI Strategy, responsible AI principles
RBI: Guidelines for AI/ML in financial services
Proposed frameworks: Digital India Act may include AI provisions
Key concerns: Algorithmic accountability, bias, transparency, liability

This guide examines India's current AI regulatory landscape and emerging legal framework.

1. Current Regulatory Landscape

Absence of Dedicated AI Legislation

Aspect	Status
Comprehensive AI law	Not enacted
Regulatory approach	Sectoral, principle-based
Draft laws	Digital India Act (under consideration)
Global comparison	EU AI Act enacted, India still developing

Applicable Legal Frameworks

Framework	Application to AI
DPDP Act 2023	Automated decision-making, profiling
IT Act 2000	Liability for automated systems, data protection
Consumer Protection Act 2019	Unfair trade, misleading AI outputs
Copyright Act 1957	AI-generated content ownership
Patent Act 1970	AI inventorship debates
Tort law	Negligence for AI-caused harm

2. DPDP Act and Automated Decision-Making

Section 10 - Automated Processing

Requirement	Specification
Applicability	Decisions with legal/significant effect
Right to explanation	Data Principal can request basis of decision
Human intervention	Right to contest automated decision
Scope	Credit scoring, hiring, insurance, profiling

Covered Automated Decisions

Domain	Examples
Financial services	Loan approvals, credit scoring
Employment	Resume screening, performance evaluation
Insurance	Premium calculation, claim assessment
Healthcare	Diagnosis support, treatment recommendations
Education	Admission algorithms, grading
E-commerce	Pricing algorithms, recommendation engines

Data Principal Rights

Right	Description
Explanation	Understand basis of automated decision
Human review	Request human intervention
Contest	Challenge decision
Correction	Rectify inaccurate data underlying decision

3. MeitY Advisories and Guidelines

March 2024 Advisory on Unreliable AI

Requirement	Specification
Consent for unreliable AI	Explicit user consent before deployment
Labeling	Mark AI-generated content
Fallback mechanisms	Human intervention option
Liability	Platforms responsible for AI outputs

Deepfake and Misinformation (March 2024)

Obligation	Description
Detection tools	Deploy deepfake detection mechanisms
Labeling	Mark synthetic media
Takedown	Remove misleading deepfakes within 24 hours
Liability	Platforms liable if failure to act

IT Rules 2021 Implications

Provision	AI Application
Due diligence	Automated content moderation
Proactive monitoring	AI-powered content filtering (SSMI)
Prohibited content	AI must detect and remove
User complaints	AI can assist but human review required

4. NITI Aayog's National AI Strategy

Responsible AI Principles (2021)

Principle	Description
Safety and reliability	AI systems should be safe and robust
Equality	Non-discriminatory, inclusive
Inclusivity and non-discrimination	Address bias, ensure fairness
Privacy and security	Protect personal data
Transparency	Explainable AI
Accountability	Clear responsibility for AI decisions
Protection and reinforcement of positive human values	Align with societal values

National AI Mission

Focus Area	Objective
Healthcare	AI for diagnostics, drug discovery
Agriculture	Precision farming, crop monitoring
Education	Personalized learning
Smart cities	Urban planning, traffic management
Infrastructure	Smart infrastructure monitoring

5. Sector-Specific AI Regulations

RBI Guidelines for AI/ML in Financial Services

Requirement	Specification
Board approval	AI strategy requires board oversight
Risk management	Identify and mitigate AI risks
Data governance	High-quality, unbiased training data
Model validation	Independent validation of AI models
Explainability	Understand model decisions
Human oversight	Critical decisions require human review
Audit trail	Document AI decision-making process

SEBI and Algorithmic Trading

Regulation	Application
Algo trading norms	Risk controls, audit trails
Pre-deployment testing	Algorithm validation
Monitoring	Real-time surveillance
Kill switch	Emergency halt mechanism

Healthcare AI

Guideline	Source
AI diagnostics	No specific regulation yet
Clinical trials	If AI is medical device, CDSCO approval required
Telemedicine	AI support permitted with human oversight

6. Algorithmic Accountability

Transparency Requirements

Aspect	Requirement
Disclosure	Inform users when AI is used
Model cards	Document AI capabilities, limitations
Explainability	Provide reasons for decisions
Appeals	Mechanism to contest AI decisions

Bias and Fairness

Issue	Regulatory Approach
Training data bias	Data quality standards (RBI)
Algorithmic bias	Fairness audits (emerging)
Discriminatory outcomes	Consumer Protection Act violations
Protected attributes	Cannot discriminate based on gender, caste, religion

Auditing and Testing

Practice	Application
Pre-deployment testing	Financial services (mandatory)
Ongoing monitoring	Detect drift, bias
Third-party audits	Independent validation
Red-teaming	Adversarial testing for safety

7. Liability for AI Harms

Product Liability

Scenario	Legal Framework
Defective AI product	Consumer Protection Act - product liability
Harm from AI	Tort law - negligence
Autonomous systems	Liability unclear - developer, user, or both?

Intermediary Liability and AI

Issue	Analysis
AI-generated content	Section 79 safe harbor may not apply
Automated moderation	Platform responsible for errors?
Recommendation algorithms	Liability for harmful recommendations debated

Manufacturer vs. User Liability

Party	Liability Basis
AI developer	Negligent design, failure to warn
AI deployer	Negligent use, lack of oversight
User	Misuse, reliance without verification

8. Intellectual Property and AI

AI-Generated Content

Issue	Current Status
Copyright ownership	Unclear - human authorship required?
AI as creator	Not recognized under Copyright Act
Training data copyright	Fair use debate ongoing

AI Inventorship

Aspect	Status
Patents	Inventor must be human (per Indian Patent Office)
AI-assisted inventions	Human inventor with AI tool - patentable
AI as sole inventor	Not recognized

9. Emerging Issues

Generative AI (ChatGPT, Gemini, etc.)

Concern	Regulatory Response
Misinformation	MeitY advisory on labeling
Hallucinations	Liability for inaccurate outputs
Plagiarism	Copyright infringement risks
Data privacy	Training on personal data - consent issues

Deepfakes

Regulation	Requirement
IT Rules 2021	Prohibited content if harmful
MeitY advisory 2024	Detection and labeling mandatory
Election deepfakes	Election Commission guidelines

Facial Recognition

Application	Regulation
Law enforcement	No specific framework (widespread use)
Private entities	DPDP Act consent requirements
Public surveillance	Privacy concerns, no comprehensive law

Autonomous Vehicles

Aspect	Status
Liability	No specific law - tort law applies
Testing	MoRTH permits testing with conditions
Insurance	Standard motor insurance may not cover autonomous systems

10. Comparison with Global AI Regulations

India vs. EU AI Act

Aspect	India	EU AI Act
Comprehensive law	No	Yes (enacted 2024)
Risk-based approach	Emerging	Explicit (prohibited, high-risk, limited-risk)
Prohibited AI	No explicit list	Manipulative AI, social scoring, real-time biometric (limited)
High-risk AI	Sectoral approach	Financial, healthcare, law enforcement, etc.
Conformity assessment	Not formalized	Mandatory for high-risk
Penalties	Sectoral penalties	Up to €35M or 7% global turnover

India vs. US

Aspect	India	US
Federal AI law	No	No (Executive Order, sectoral)
State laws	N/A	California AI regulation emerging
Enforcement	Sectoral regulators	FTC, SEC, sectoral agencies
Approach	Principle-based	Risk management frameworks

11. Proposed Digital India Act

Expected AI Provisions

Provision	Description
Algorithmic accountability	Transparency, explainability requirements
Automated decision-making	Enhanced rights beyond DPDP
Liability framework	Clarify developer vs. deployer liability
Risk-based regulation	High-risk AI subject to stricter norms
Sandbox	Testing environment for AI innovation

Timeline

Stage	Status
Consultation	2023
Draft bill	Expected 2024-2025
Enactment	TBD

12. Compliance Best Practices

For AI Developers

Practice	Purpose
Data governance	Ensure high-quality, unbiased training data
Model documentation	Model cards, limitations disclosure
Bias testing	Regular fairness audits
Explainability	Build interpretable models where possible
Security	Adversarial robustness, input validation
Human oversight	Hybrid human-AI systems for critical decisions

For AI Deployers

Practice	Purpose
Risk assessment	Identify potential harms
User disclosure	Inform users when AI is used
Human-in-the-loop	Critical decisions require human review
Monitoring	Detect model drift, bias
Incident response	Handle AI failures/harms
Compliance	Sectoral regulations (RBI, SEBI, etc.)

13. Compliance Checklist

For Automated Decision-Making (DPDP Compliance)

Identify all automated decisions with legal/significant effect
Implement right to explanation mechanism
Provide option for human review
Allow Data Principals to contest decisions
Document decision-making logic
Maintain audit trails

For AI Systems Generally

Conduct AI risk assessment
Ensure training data quality and representativeness
Test for bias and fairness
Document AI capabilities and limitations
Disclose AI use to users
Implement human oversight for high-risk applications
Establish incident response for AI failures
Comply with sector-specific regulations (RBI, SEBI, etc.)
Label AI-generated content
Deploy deepfake detection (if applicable)

For Generative AI

Implement consent for unreliable AI (MeitY advisory)
Label AI-generated outputs
Provide disclaimers on limitations (hallucinations)
Monitor for misinformation generation
Respect copyright in training data and outputs
Implement content moderation for harmful outputs

14. Key Takeaways for Practitioners

No Dedicated AI Law: India relies on existing frameworks (DPDP, IT Act, Consumer Protection) and sectoral regulations.
DPDP Section 10: Right to explanation and human review for automated decisions with legal/significant effect.
MeitY Advisories: Unreliable AI requires consent; deepfakes must be detected and labeled.
Sectoral Approach: RBI (financial services), SEBI (securities), sector-specific AI guidelines.
Algorithmic Accountability: Transparency, explainability, and bias mitigation emerging as key requirements.
Liability Unclear: No specific framework for AI harms - tort law and Consumer Protection Act apply.
Digital India Act: Expected to include comprehensive AI provisions (risk-based framework).
Generative AI Scrutiny: Heightened focus on ChatGPT-like systems - labeling, consent, misinformation concerns.

Conclusion

India's AI regulatory landscape is evolving through a combination of existing data protection laws, sectoral guidelines, and government advisories rather than comprehensive AI-specific legislation. The DPDP Act's provisions on automated decision-making, MeitY's advisories on unreliable AI and deepfakes, and RBI's financial sector guidelines form the current framework. As AI adoption accelerates, India is expected to move toward a more structured, risk-based regulatory approach, likely through the proposed Digital India Act. Organizations deploying AI must navigate this fragmented landscape by ensuring transparency, accountability, human oversight, and sector-specific compliance while monitoring emerging regulations.