India shelves separate AI law, leans on existing rules as Digital India Act stalls

India is not planning a standalone AI law. The Digital India Act is still on ice

India's IT ministry has signaled a clear preference: no new AI law for now. Instead, expect governance to come from the Digital Personal Data Protection (DPDP) Act, intellectual property statutes, and targeted tweaks to existing IT rules.

At an industry meet, MeitY Secretary S Krishnan said fresh legislation will be avoided unless unavoidable. The emphasis is on enabling innovation, with intervention only when AI systems cause harm.

What the government is signaling

• Use existing statutes to manage AI risks: the DPDP Act, copyright and patent law, and the IT Rules.
• Avoid blanket tech regulation; step in only where concrete harm is evident (deepfakes, fraud, safety incidents).
• Prioritise applied AI in agriculture, manufacturing, healthcare, and finance to lift productivity rather than chase model dominance.

Where the law stands today

Today's AI governance rests on a patchwork. The DPDP Act, 2023 and IP laws cover much of the ground: data processing, ownership, and certain rights. IT Rules add levers like content labelling and takedown duties.

There's a catch: publicly available personal data is exempt from several DPDP consent requirements. That creates room to train models on scraped data with limited user protections. Liability is also thin-principles exist, but the enforcement pathway is still forming.

Digital India Act: promised guardrails, no statute

In 2023, the government said the Digital India Act would include "guardrails" for AI focused on user harm, not prescriptive controls. Two years later, there's no draft, no bill in Parliament, and little official mention of the DIA in AI updates. Policy has drifted back to existing laws, advisories, and soft guidance.

From law to advisories and self-regulation

Officials have consistently framed the goal as regulating risky applications, not the technology itself. Deepfakes, misinformation, and CSAM are the headline concerns.

In 2024, MeitY issued-and then partially rolled back-an advisory requiring approval for under-tested models after pushback from startups. By year-end, the government acknowledged a voluntary approach, tasking industry (NASSCOM) with non-binding guidelines. MeitY also told Parliament it had no consolidated data on AI-linked privacy breaches or fraud, highlighting enforcement gaps.

India AI Governance Guidelines (Nov 2025): principles without penalties

MeitY's India AI Governance Guidelines set expectations-accountability, transparency, risk mitigation-without legal teeth. Officials were explicit: this is not regulation. It's a signal to build responsibly while the state holds off on statutory obligations and penalties.

Practical implications for legal teams

• Regulatory certainty: Expect case-by-case interventions and evolving advisories. No horizontal AI law means more reliance on internal controls and contracts.
• Data use for training: The DPDP carve-out for publicly available data reduces consent friction but increases reputational and litigation risk (privacy, misrepresentation, scraping disputes).
• IP exposure: Training and outputs can trigger copyright and moral rights claims. Indian law lacks a clean text-and-data-mining exception; fair dealing defenses are narrow and fact-specific.
• Sector overlays: RBI, SEBI, IRDAI, and health authorities may issue focused obligations (model risk, disclosure, suitability, clinical safety). Track sector circulars closely.
• Enforcement gap: With limited government data on harms, regulators may default to headline incidents. Be prepared to evidence safety-by-design and timely remediation.

Action checklist for GCs and compliance leads

• Data governance: Map data sources used for training/inference; document lawful bases; add filters for children's data and sensitive attributes; maintain a "publicly available" provenance log.
• DPIAs and model risk: Run risk assessments for high-impact use cases (credit, hiring, health, safety). Record testing, bias checks, and red-teaming outcomes.
• Contracts: Add AI clauses to MSAs/DPAs-training-data rights, scraping warranties, IP indemnities, output ownership, audit rights, security and deletion, incident reporting SLAs.
• Content labelling: Implement synthetic content disclosures and watermarking where feasible; align with IT Rules takedown timelines.
• Human-in-the-loop: Require human review for consequential decisions and keep decision logs for audit and litigation defense.
• Vendor due diligence: Demand model cards, evaluation summaries, safety policies, and data lineage statements from providers; tier vendors by risk.
• Incident playbooks: Define triggers for rollback, user notification, regulator engagement, and corrective releases; rehearse with cross-functional teams.
• Cross-border flows: Track locations of training and inference; prep for sectoral data localization or transfer restrictions if introduced.
• Employee use policy: Set rules for prompts, confidential data, export controls, and acceptable tools; log usage for compliance.

What to watch next

• DPDP rulemaking and the operational tempo of the Data Protection Board (consent exemptions, breach actions, systemic orders).
• IT Rules amendments on deepfakes, provenance signals, and expedited takedowns.
• Sectoral guidance from RBI/SEBI/IRDAI/NHA on model risk, disclosure, and customer harm.
• Any revival of the Digital India Act, especially changes to intermediary safe harbour or AI liability.
• Litigation on training data, scraping, and derivative works under the Copyright Act.

Bottom line

India has moved away from a single AI statute. For now, compliance lives in the gaps between the DPDP Act, IP law, IT Rules, shifting advisories, and voluntary codes. Legal teams should build auditable controls, contract for risk transfer, and prepare for targeted, harm-based enforcement.

Resources: Read the Digital Personal Data Protection Act, 2023. For role-specific AI upskilling, see curated AI courses by job.

Update: 17/12/2025, 6:25 pm - a clarifying paragraph was added on the DPDP treatment of publicly available personal data.