India AI Note
Legal Characterisation of AI
In India, there is no dedicated statute governing the development or use of AI. Instead, AI systems are regulated through the application of existing legal frameworks, with the legal assessment focused on the effects and outcomes of uses of AI rather than the technology itself. This approach is reinforced by India's AI Governance Guidelines (which provide a non-binding framework and recommendations for responsible AI development and deployment) that predominantly recommend applying existing legal frameworks to AI systems, with appropriate amendments to address gaps. Accordingly, existing legal frameworks on data protection, copyright, information technology and consumer protection will apply to the use of AI. Existing laws, including sectoral laws in areas such as banking and securities, have begun incorporating AI-specific provisions, primarily regulating harms arising from use of AI within those domains, and sometimes incorporating sector-specific risk considerations. The law does not establish a formal, cross-sectoral risk-based categorisation framework (e.g., prohibited, high-risk).
For instance, recent amendments to the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules (IT Rules), which govern intermediaries and online content, introduced a specific category of content, "Synthetically Generated Information" (SGI) (defined as information that appears to be real, authentic or true), prescribing specific labelling and takedown requirements for platforms that enable the generation, transmission and publication of SGI.
Relationship to Higher-Level Law (Where Applicable)
India is a sovereign state and there is no federal or supranational AI regulatory regime above it.
Legal Bases Relied on in Practice
As noted above, there is no AI-specific legislation. Claims and litigation stemming from AI use are currently evolving, but they are primarily being pursued under existing legal frameworks. Existing criminal statutes, such as the Bharatiya Nyaya Sanhita, 2023, as well as the Information Technology Act, 2000 (IT Act) and IT Rules, are relied upon for addressing content-related harms arising from AI, such as the generation of obscene content, child sexual abuse material (CSAM), impersonation, and deepfakes. The Copyright Act, 1957 (Copyright Act), is the foundation for claims against AI developers for the unauthorised use of copyrighted works as training data. Ongoing litigation, such as ANI v. OpenAI (CS(COMM) 1028/2024, Delhi High Court), is looking into whether training constitutes infringement, especially as Indian law lacks a specific exception for text and data mining (TDM).
Further, private litigation concerning AI-generated deepfakes and voice cloning has relied on the judicially recognised right to privacy and personality/publicity rights. Cases like Anil Kapoor v. Simply Life India (CS (COMM) 652/2023, Delhi High Court) have led courts to grant injunctions to protect celebrity personas from unauthorised AI manipulation.
While the substantial provisions of the Digital Personal Data Protection Act, 2023 (DPDPA) are not in force, it provides the legal basis for claims regarding the unauthorised processing of personal data for training AI models.
Data, Inference, and Automated Decision-Making
Training AI models on copyrighted data without a license may constitute infringement under the Copyright Act. India does not have a specific TDM exception, and its 'fair dealing' exceptions are narrow and unlikely to cover commercial AI training. Further, accessing a computer resource/extracting or copying data from a computer resource without the owner's permission is punishable under the IT Act. Since "permission" is not defined, contractual restrictions and/or technological restrictions (such as CAPTCHA) could be considered in determining the absence of such permission. Therefore, if any AI tool scrapes data from websites with such restrictions, such activities may amount to unauthorised access.
Data used to train or operate AI systems is covered by the DPDPA. Processing such data requires a valid legal basis, typically consent, unless the data is made public by the data principal or is required by law. While there are no specific standalone rules for ADM, if personal data is processed to make decisions that affect data principals, the DPDPA requires the data fiduciary to ensure the completeness, accuracy, and consistency of that data. Sectoral frameworks, particularly in the securities sector, require regulated entities to take responsibility for the outputs of AI/ML tools used in decision-making.
Points of Legal Friction
The use of AI, specifically generative AI, exposes friction with India's existing intellectual property and data protection laws. Frameworks like the Copyright Act and the DPDPA are not designed for the large-scale data ingestion required to train AI models. The act of copying vast quantities of copyrighted material for training datasets creates legal uncertainty, as the Copyright Act lacks a clear exception for TDM. Similarly, the DPDPA’s narrow exemption for "publicly available" personal data creates tension with the common practice of web scraping, placing developers at risk of non-compliance for processing data without explicit consent.
Further, consumer protection law in India imposes product liability on manufacturers, sellers and service providers for causing ‘harm’ arising from specific scenarios. For instance, product manufacturers are liable for product defects causing harm. Product sellers are liable for causing harm if they have exercised substantial control over the design, testing, or manufacturing of a product. This allocation of liability is strained when applied to AI products. For example, where an entity fine-tunes a third-party AI model which provides output causing harm, it may not be possible to determine whether that output arose from a defect in the original model (resulting in manufacturer liability) or from the entity’s customisation (resulting in seller liability through substantial control). Accordingly, unlike with static products, liability attribution blurs across developers, deployers, and data providers in the AI ecosystem.
Legislative Developments (If Relevant)
Recently Enacted Legislation:
IT Rules (as amended in February 2026) (SGI Amendment): Under the SGI Amendment, SGI is defined as audio, visual, or audio-visual content that is artificially created/modified to appear real, authentic, or indistinguishable from a real person or event. Explicit carve-outs exist for: (i) routine editing (e.g., colour correction, transcription) that doesn't alter substance; (ii) good-faith creation of documents, presentations, or educational materials using templates; and (iii) accessibility improvements like translation, without material manipulation.
Key obligations introduced include:
- Intermediaries whose platforms enable SGI creation/sharing must (i) deploy reasonable technical measures to proactively prevent harmful SGI (CSAM, non-consensual intimate imagery, false identity depictions, fake documents), and (ii) ensure all other SGI is prominently and easily noticeably labelled, with permanent embedded metadata (including a unique identifier) traceable to the originating platform, which cannot be removed.
- Significant Social Media Intermediaries (SSMI) (i.e., social media intermediaries with 5 million users) must also require user declarations when uploading SGI, verify those declarations proportionately, and ensure confirmed SGI is clearly labelled. Liability for non-compliance arises only where the SSMI knowingly fails to act.
Proposals, Drafts, and Consultations:
- In November 2025, the Ministry of Electronics and Information Technology (MeitY) (Central Government authority responsible for IT and digital regulation in India) released the India AI Governance Guidelines (Guidelines), which set out the foundation for India's policy framework for AI governance. While the Guidelines are advisory and non-binding, they strongly indicate the direction of future AI regulation. The framework is structured into four parts: foundational principles; issue-specific recommendations across six pillars (infrastructure, capacity building, policy, risk, accountability, institutions); a phased action plan; and techno-legal compliance measures. Crucially, India's approach governs AI applications rather than the underlying technology, empowering sector-specific regulators while stopping short of recommending a standalone AI law at this stage.
Key policy priorities include: (i) amending the IT Act to clarify liability and classification of AI actors (developers, deployers, users) within existing categories like intermediaries; (ii) addressing gaps in the DPDPA around AI training on personal data; (iii) expanding compute access via subsidised GPUs under the IndiaAI Mission; (iv) integrating AI with Digital Public Infrastructure (such as Aadhaar, UPI) to embed governance principles by design; (v) adopting a graded liability framework proportional to risk and due diligence; and (vi) tackling deepfakes through multi-stakeholder standards and techno-legal oversight.
- On 8 December 2025, the Department for Promotion of Industry and Internal Trade (DPIIT) (Central Government authority responsible for industrial policy and promotion of internal trade in India) released the Working Paper on Generative AI and Copyright (Part I) (Working Paper). Though non-binding, it provides an indication of the government's perspective on AI training and copyright regulation. The Working Paper, which assesses copyright issues on the input side, outlines the shortcomings of existing frameworks and sets out a new centralised approach. The Working Paper is structured around (i) an assessment of global regulatory models, and (ii) a detailed proposal for a mandatory blanket licensing regime for India.
Under the proposed mandatory blanket licensing regime, AI developers get an automatic right to use lawfully accessed copyrighted works for training, without individual permissions. Key features include: (i) royalties calculated as a flat percentage of an AI system's gross global revenue, collected and distributed by a new centralised non-profit body — the Copyright Royalties Collective for AI Training (CRCAT); (ii) retroactive application, meaning already-commercialised AI systems trained on copyrighted content may owe past royalties; (iii) royalty obligations transferring to any acquirer if an AI system or its training data is sold; (iv) a mandatory AI Training Data Disclosure Form filed with CRCAT detailing dataset sources and content categories; and (v) a Works Database with authenticity verification tools (watermarking, blockchain, fingerprinting). The burden of proving lawful access rests on the AI developer.
- Sector-Specific Developments: Key sectors are also proposing specific regulatory measures to govern AI use within their respective domains. The SEBI issued a consultation paper outlining guiding principles for responsible AI usage, focusing on investor protection, fairness, and model governance. The Reserve Bank of India, India’s banking regulator, issued the ‘Free-AI Report’, which recommends a comprehensive framework featuring a graded liability system, mandatory board-approved AI policies, and a dedicated AI incident reporting mechanism for regulated entities such as banks.