Regulating Artificial Intelligence in India: Legal Challenges, Developments, And the Way Forward

Introduction:  

Artificial Intelligence (AI) is revolutionizing numerous domains: health, education,  administration, policing, business, entertainment. Its potential is huge — enhanced  efficiency, predictive power, enhanced decision-making, innovation. But with promise  comes risk: algorithmic bias, opacity, privacy breaches, misuse, discrimination,  intellectual property concerns, liability, ethical issues. In India, phenomenal AI  adoption is now highlighting shortcomings in legal and regulatory systems. As of 2023– 2025, India has made significant legislative (such as the Digital Personal Data  Protection Act, 2023) and judicial/administrative directives, but challenges abound. 

This article discusses the present legal situation in India regarding AI regulation, locates  gaps and issues, considers recent trends, and puts forward recommendations for a  strong legal framework that is balanced with innovation and protection of rights and  harm minimization. 

 I   The Legal & Regulatory Landscape in India: 

1. Right to Privacy as the Point of Departure : 

The historic Supreme Court ruling in Justice K.S. Puttaswamy (Retd.) & Ors. v. Union of  India (2017) declared right to privacy to be a basic right under Article 21 and Part III of  the Constitution. This provides constitutional basis for restraining the use of data by  the state or private actors, including AI systems, wherever privacy is involved. 

2. Digital Personal Data Protection Act, 2023 : 

The DPDP Act (2023) is India’s existing legislative digital personal data protection  statute. It provides for regulating processing of digital personal data in a way that  balances the requirement of protection of individual rights and the legal need to  process such data for permissible purposes. It is, however, not yet operational and  there are questions regarding its sufficiency for AI-related issues.  

3. Information Technology Act, Rules, and Policies:  

 Current legislation like the Information Technology Act, 2000 (IT Act) and regulations  thereunder addresses cybersecurity, intermediary liability, data breach disclosure, etc.  However, they were not enacted with AI in their sight. A lot of governmental  administrative guidelines and policies by think-tanks are surfacing to tackle AI but often  without enforceability or precision.

4. Judicial / Court Guidelines : 

Courts have begun to address AI in certain contexts. For example, the Kerala High  Court recently issued guidelines prohibiting use of AI tools for decision-making or  legal reasoning in the district judiciary, pointing to risks in transparency, accountability,  data security. This shows judicial sensitivity to AI’s potential misuse and the need for  safeguards when AI enters the legal and decision-making domain. 

5. Sectoral & Emerging Technologies Regulation : 

Aside from pure regulation of AI, there are secondary and allied areas: online gaming  regulation (e.g., Promotion and Regulation of Online Gaming Act, 2025) broadcasting  regulation (Broadcasting Services Regulation Bill) . Not being AI-related, these are still  part of the larger digital regulation ecosystem. 

1. Key Legal Challenges in AI Regulation: 

While the law is changing, there are still a number of issues. These are both legal  (statutory, jurisprudential) and practical (enforcement, technical, ethical) issues. 

1. Absence of AI-Specific Legislation:  

Existing laws cover general data protection, cybersecurity, intermediary liability, etc.,  but none are tailored specifically for AI’s unique issues: algorithmic decision-making,  opaque models (“black box” problems), autonomous systems, self-learning systems,  deepfakes. India currently lacks a unified, dedicated statute or clear legal standards  specifically addressing AI liability, transparency obligations, fairness norms. 

2. Transparency, Explainability, and Algorithmic Bias : 

AI systems can reinforce or enhance biases in training data (gender, caste, race, socio economic). When algorithms are opaque, it is hard for the affected individuals to  contest decisions. Questions of importance: who needs to reveal what goes on inside?  How much is needed? Is there a legal recourse if bias is proved? No existing laws  explicitly mandate explainability or fairness audits.  

3. Privacy & Data Protection:  

AI tends to work based on big data sets, which may also contain sensitive personal  information, biometric data, etc. Despite the DPDP Act, 2023, there are issues  remaining like data minimization, purpose limitation, anonymization v/s  pseudonymization, cross-border data transfers, exceptions in case of the state or law  enforcement authority, and the mass surveillance/misuse possibility. Moreover,  occasions like biometric leaks point towards risks in collecting, storing, and governing  data. 

4. Liability & Accountability :  

 When AI systems cause harm (e.g., wrongful decision, discrimination, physical harm  in autonomous systems), who is responsible? The manufacturer, the deployer, the  algorithm designer, or the user? Currently, tort, contract, consumer protection laws  may apply, but these were not designed with AI’s complexity. The absence of clarity  can deter accountability or lead to relabeling the problem.  

5. Intellectual Property Issues:  

AI-created content (art, literature, music, code) poses questions: to whom does  copyright belong, if created by AI? The training data used for training copyrighted  content infringing? Derivative works? Current IP laws in India don’t satisfactorily  answer these.  

6. Ethical, Social & Socioeconomic Implications:  

AI has wider implications: labour displacement, inequality, attacks on democratic  debate (through deepfakes, disinformation), surveillance, discrimination. There is also  potential for chilling effects if users are ever afraid of being constantly monitored. Laws  need to address not only legal liability but also ethical standards.  

7. Enforcement, Technical Capacity, Fragmentation:  

Regulations are only as good as they can be enforced. Indian regulators might not have  technical savvy to audit AI systems, to test for bias, to validate algorithms. Further,  patchwork regulation — various sectors subject to disparate rules (health, finance,  telecom) — can cause inconsistent standards.  

8. Cross-Border and International Law Issues : 

AI systems & data frequently transcross jurisdictions. Data stored overseas, training on  international datasets, output shared worldwide. Which norms hold? How to resolve  clashes between legislation? India’s legislation needs to fit in with world norms (e.g.,  GDPR, OECD guidelines) for consistency, trade, data flows.  

 III. Recent Developments & Emerging Trends : 

India is dynamic; there are a number of recent legal/regulatory & policy-trends which  indicate progress or reveal tensions. 

1. DPDP Act Rules & Enforcement : 

The government has issued (up to September 2025) that the administrative rules of  the Digital Personal Data Protection Act will be out (28 September 2025). ([The  Economic Times][3]) These rules are likely to help explain key implementation issues. 

How consent requirements in AI‑contexts would function, data fiduciary obligations,  grievance redressal, retention, erasure, cross‑border transfer, etc. 

2. Content Deletion / Intermediary Liability Regimes : 

Social media companies are being made to meet higher accountability in terms of  content takedown. For instance, recently, the Karnataka High Court rejected X’s appeal  against the content takedown mechanism launched by the Indian government, holding  that social media companies need to be answerable to Indian law. ([Reuters][12]) The  balance between free speech and regulation of content (hate speech, fake news etc.)  is being dramatized here. 

3. Judicial Directives on AI Application:  

 Kerala High Court guidelines that district judiciary should not employ AI tools in  decision-making or legal reasoning reflect a precautionary approach. The judiciary is  acknowledging its dual roles of user and regulator of AI tools, especially in rights influencing decisions. 

4. Leakage of Biometric Data & Privacy Incidents : 

The release of huge amounts of police and biometric information of applicants in India  (fingerprints, facial scanning etc.) highlights systemic threats. Such events draw public  notice and legal call for tighter data protection, safe storage, accountability.  

5. AI Misuse & Fraud : 

Concern is rising regarding abuse of AI by scammers and its dual‑edged character:  boosting services, but also facilitating scams. Experts have called for greater clarity in  liability, capacity‑building, and regulation.  

1. Analysis: Gaps and Tensions: 

Having witnessed these developments, what are the gaps or tensions that remain?  Understanding these is essential to be able to suggest rational reforms. 

1. Ambiguities in Definitions and Scope:  

• What is considered “high‑risk AI”? Are all AI applications subject to equal treatment by law, or do some face more rigorous obligations? 
• Definition of “automated decision‑making,” “algorithmic bias,” “explainability,”  “interpretability” etc., are not standardized yet in Indian law. 

2. Balancing Innovation with Regulation: 

Too much rigid or slow regulation can smother innovation, most notably for startup  firms. Under-regulation, by contrast, causes harm. Finding an optimal level of  regulatory balance is challenging. 

3. Enforcement Mechanisms & Regulatory Capacity:  

• ∙ Who will audit AI systems? What technical standards will they utilize? How often  will audits occur? 
• ∙ Institutions need data science expertise, algorithmic fairness expertise, AI safety  expertise, etc. 
• ∙ Sanctions and redress need to be strong enough to deter non‑compliance.

4. Accountability & Attribution of Liability:  

•  When a harmful AI‑driven decision is made, whose error is it? Developers  responsible, operators, users, data providers? 
•  How will courts determine causation when decisions are unclear or emergent  characteristics of algorithms? 

5. Privacy vs Public Interest / State Surveillance : 

• ∙ Legislation should restrict abuse of AI by government agencies in the name of  the security. State exemptions or blanket permissions could subvert the Right  to Privacy. 
• ∙ Furthermore, mass surveillance (e.g., facial recognition, predictive policing)  needs to be properly regulated. 

6. IP Rights & AI‑Generated Works: 

Vesting of copyright in a human creator, even if AI created significant material? ∙ Are training sets copyrighted materials? Used without a valid license, this can  be infringing. Existing jurisprudence and legislation are presently inadequate. 

7. Data Quality, Bias, and Fairness : 

Algorithmic decisions based on biased data sets produce discriminatory results.  Potential to perpetuate entrenched inequalities. 

8. Transparency and Explainability : 

 The “black box” of much AI may deprive individuals of the means to contest  detrimental decisions. Require legal requirement for explanation, audit trails, rights  to know.

1. What a Robust Regulatory Framework Should Include : 

Based on the above, below are recommendations and best practices for legal  reform/regulation, policy, and practice in India. 

1. Specific AI Legislation or Amendments : 

• Pass a standalone AI law (or amendment) that is consistent with DPDP but  specifically focuses on AI systems. Major points: 
• Clarify “AI”, “automated decision-making”, “high‑risk AI”, “algorithmic bias”,  etc. 
• Requirements for AI design, deployment, regular monitoring.  Mandatory risk assessments for high‑risk applications (health, policing, social  benefits etc.). Requirements for explainability, transparency, documentation. 

2. Risk‑Based Regulation : 

 Not all AI is equally risky. Some uses (e.g. benign recommendation systems) require  less oversight; others (judicial, policing, health) need much more careful regulation.  The law should adopt a tiered risk‑based approach. 

3. Accountability & Liability Mechanisms: 

• Define clear principles on who bears responsibility for harm inflicted by AI: designer, deployer, data provider, user. May involve joint liability in some  instances. 
• Provide remedies for persons: right to claim redress, compensation. ∙ Supervision or oversight authorities with powers to impose. 

4. Transparency / Explainability : 

• Mandate that automated decision-making involves the provision of explanation  accessible to the affected persons. 
• Preservation of audit trails, decision-logs, and independent audits. ∙ Disclosure requirements on training data sources (as commercially viable). 

5. Data Protection Enhancement : 

• Facilitate minimization of data, limiting its purpose,  anonymization/pseudonymization where feasible. 
• Tight effective provisions for sensitive and biometric data. 
• Safeguards against mass surveillance, abuse by state or private entities. ∙ Secure framework for cross-border data flows.

6. Ethical Norms & Standards:  

• Promote adoption of ethical guidelines: e.g., fairness, non-discrimination,  inclusivity. These can be codified or made statutory. 
• Mandate impact assessments (both privacy and fairness) prior to deployment  of high-risk AI. 

7. Capacity Building & Technical Expertise : 

• Government agencies, regulatory bodies, courts must develop experience and  technical capacity. 
• AI, algorithm, data science training of regulators, judges, law enforcers. ∙ Perhaps setting up a specialized agency or bureau to oversee AI regulation. 

8. Public Participation, Transparency, and Oversight : 

Engage civil society, academia, experts in privacy in rulemaking, oversight. ∙ Transparency in regulation: public disclosure of government or private sector  deployed high-risk AI systems;  reporting requirements for serious adverse incidents. 

9. External Collaboration & Alignment: 

• Align with worldwide standards (EU AI Act, OECD AI principles, UNESCO  guidelines etc.) to be interoperable, enable trade, data exchange 
• Join standards-setting, collaboration, sharing best practices. 

10. Enforcement & Remedies: 

• Severe penalties for non‑adherence: financial penalties; banning use in certain  situations; withdrawal of permits. 
• Prompt and easy grievance redressal mechanisms for parties adversely affected. ∙
•  Judicial review: courts must be given the authority to review AI decisions, even  to direct disclosure of pertinent algorithmic information in suitable instances. 

1. Case Studies / Illustrations : 

To demonstrate the problems and the ways in which regulation may or has occurred  (or should), these are some examples: 

1. Kerala High Court Guidelines  

The latest Kerala High Court guidelines prohibiting the use of AI tools for legal  reasoning in the district judiciary underscore courts’ apprehension regarding due  process, natural justice, transparency. It is a cautious interim measure where AI is  applied to situations with high stakes.

2. Biometric Data Leak  

The case in which police recruits’ biometric information (fingerprints, facial scans etc.)  were leaked highlights the risk in gathering, storing, data safety. This one reveals what  occurs when there are no vigorous safeguards, and compels the necessity for legal  requirements for security measures, breach disclosure, responsibility.  

3. AI as Tool for Fraud & Misuse  

Reports of AI being used by fraudsters to deceive systems or carry out identity  theft/complex scams illuminate technical abuse and loopholes in the law. This indicates  that legislation has to include abuse, cybercrime, and ensure remedies are in place. 

4. Content Removal & Free Speech vs Censorship  

The instance in which X (ex-Twitter) attempted to defy India’s upgraded content  removal process, but there was compliance enforced by courts, in balancing freedom  of speech and responsibility. This indicates that online speech, platforms, content  moderation are also components of the AI/digital regulation environment.  

VII. Policy & Lawmaker Recommendations : 

Based on analysis, here are practical recommendations: 

1. Accelerate Rule‑Making under DPDP Act , with considerations specifically for AI. 

The new rules should clearly deal with automated decision‑making, fairness in  algorithms, sensitive personal data, anonymization, liability, cross‑border transfers.  The consultations for stakeholders should involve tech specialists, civil society,  representatives of data subjects. 

2. Develop an “AI Regulatory Framework / Act” which exists in tandem with DPDP Act  

 The Act may identify high‑risk types, prescribe responsibilities of transparency and  risk analysis, establish oversight bodies, determine penalties, provide redressal. 

3. Require Impact Assessments, Audits, Certification for High‑Risk AI  

 Just as environmental laws tend to mandate environmental impact assessment, AI  must have algorithmic / ethical / human rights impact assessments. 

4. Create an AI Oversight Authority  

 Standalone agency (national or semi‑independent) with technical personnel,  regulatory authority, investigative authority, that can impose regulations, certify  high‑risk systems, audit compliance, and investigate occurrences.

5. Judicial & Procedural Safeguards  

Courts must implement rights to explanation; evidence law might need to adjust to  accommodate AI‑created evidence; assure due process in use of AI by government. 

6. Public Transparency & Disclosure  

 Mandatory public disclosure of certain data: which government‑used AI systems,  dataset origin, high‑risk systems deployed, incidents, etc. 

7. Encourage Research & Standards  

Facilitate creation of open datasets, bias detection techniques, fairness &  interpretability tools; establish technical standards (in coordination with the world) for  AI safety, privacy, security. 

8. Capacity Building  

 Legal education incorporating AI law; training regulators; law enforcement; judiciary;  also tech developers to know legal responsibilities. 

VIII. Conclusion : 

AI is both a challenge and an opportunity. For India, the stakes are too high: inclusive  growth, digital economy development, safeguarding constitutional rights (privacy,  equality, freedom of speech) all hang in balance with how well regulation catches up.  We already possess robust constitutional foundations, some new legislations (DPDP  Act), judicial interventions. Yet much remains to be filled: liability, explainability,  enforcement, capacity. 

A balanced regulatory framework that is risk‑based, transparent, enforceable, ethically  conscious and technologically informed is indispensable. With the right legal  architecture, India can harness AI’s benefits while minimizing its harms — ensuring  justice, fairness, privacy, and innovation go hand in hand.