ARTICLE
3 July 2026

Do We Need An AI Law? What The AI Bill Reveals About India's Existing Digital Framework

LO
Legacy Law Offices

Contributor

Legacy Law Offices LLP is a multi-disciplinary law firm with a diversified portfolio of professional legal services. The firm has offices in New Delhi, Chandigarh, Solan and Kurukshetra with an associate office in Mumbai as well as a representative office in the Kingdom of Saudi Arabia. Lawyers of the firm provide legal services across India and have worked on various developmental projects across countries in SAR, CAREC, MENA, and Africa. Legacy Law Offices LLP is also empanelled with the PPP authority of Bangladesh. The law firm is acknowledged as a "Leading Law Firm" by various leading global legal directories, including Legal500 and IFLR1000
Artificial Intelligence (AI) is no longer a futuristic concept. It is already shaping how businesses operate, how consumers interact online, and even how important decisions are made. As AI becomes more deeply embedded in everyday life, concerns around accountability, transparency, fairness and bias have become harder to ignore.
India Technology
Legacy Law Offices are most popular:
  • within Media, Telecoms, IT, Entertainment, Litigation, Mediation & Arbitration and Environment topic(s)
  • in India

Introduction

Artificial Intelligence (AI) is no longer a futuristic concept. It is already shaping how businesses operate, how consumers interact online, and even how important decisions are made. As AI becomes more deeply embedded in everyday life, concerns around accountability, transparency, fairness and bias have become harder to ignore.

It is against this backdrop that the Artificial Intelligence (Ethics and Accountability) Bill, 2025 (AI Bill) was introduced. While the AI Bill remains a Private Member’s Bill and has not yet become law, it offers an interesting glimpse into how India may seek to regulate AI in the future.

But does India really need a dedicated AI law? After all, many AI-related activities are already governed by existing legislation, including the Information Technology Act, 2000 (IT Act) and the Digital Personal Data Protection Act, 2023 (DPDP Act). Using the Bill as a reference point, this article examines whether India’s current legal framework already addresses key AI-related concerns, or whether the proposed Bill highlights gaps that existing laws are not equipped to fill.

AI Accountability and Transparency: Does the IT Act Already Address These Concerns?

One of the central themes of the AI Bill is accountability. Simply put, if an AI system causes harm, who should be responsible? The answer may seem straightforward, but in practice it is anything but simple. Is liability to be borne by the developer who created the model, the company that deployed it, or the user who relied on its output?

These questions are exactly what the AI Bill is trying to answer. The Bill proposes a framework built around transparency, explainability and responsible AI deployment. It also contemplates the establishment of an Ethics Committee for Artificial Intelligence and places emphasis on identifying and addressing risks such as bias, discrimination and misuse of AI systems.

Before considering whether such a framework is necessary, it is worth asking a more fundamental question: does India’s existing technology law framework already address these concerns? To some extent, it does.

The Information Technology Act, 2000 ("IT Act") and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("Intermediary Rules") already regulate many of the risks that have become associated with AI. Section 79 of the IT Act provides intermediaries with safe harbour protection from liability for third-part content, provided they comply with prescribed due diligence requirements. The Rules supplement this framework by requiring platforms to take action against unlawful content and maintain compliance mechanisms aimed at reducing online harms. Although these provisions were enacted long before the rise of generative AI, they have increasingly been relied upon to address AI-related disputes. Courts, too, have shown a willingness to adapt existing legal principles to emerging technologies.

One of the examples can be of Anil Kapoor v. Simply Life India & Ors.1, where the Delhi High Court restrained the unauthorised use of the actor’s personality attributes through AI and other technological tools. Similarly, in Arijit Singh v. Codible Ventures LLP & Ors.2, the Bombay High Court recognised and protected the singer’s personality rights against unauthorised exploitation, including through AI-generated content. These decisions demonstrate that Indian courts are not waiting for a dedicated AI law before addressing harms arising from AI technologies.

However, these cases also reveal the limits of the existing framework. The disputes before the courts largely concerned the misuse of AI-generated content and the harm that followed. The focus remained on protecting personality rights, preventing unauthorised use and determining liability after the fact. The courts were not required to examine how the underlying AI systems were trained, whether adequate safeguards have been built into them, or whether they had been tested for bias and discriminatory outcomes.

This is where the Bill starts to do something different. It does not merely call for greater accountability in general terms. It proposes a dedicated governance framework for AI systems and places specific obligations on developers and deployers. For instance, it requires measures to prevent algorithmic bias, including conducting regular audits to identify and mitigate bias in AI systems, ensuring diversity and inclusivity in training datasets, and withdrawing AI systems that exhibit significant bias until corrective measures are implemented. The Bill also requires compliance records to be maintained and contemplates the establishment of an Ethics Committee for AI to oversee adherence to the proposed framework. These requirements move beyond the traditional intermediary model under the IT Act, placing the spotlight directly on the entities developing and deploying AI systems, and shifting the focus from responding to harm after it occurs to preventing it before it does.

This does not mean AI operates in a legal vacuum, but the gaps the Bill targets, transparency, bias testing, system-level accountability, sit outside what intermediary liability was ever built to reach.

Fairness, Bias and Data Governance: What Does the DPDP Framework Cover?

If the IT Act raises questions about accountability, the Digital Personal Data Protection Act, 2023 framework raises a different set of questions. What data can be used to train AI systems? Can personal data collected for one purpose be repurposed for AI training? What happens if an individual later withdraws consent? And how should organisations manage AI systems that rely on data processed across multiple jurisdictions?

These questions are no longer theoretical. AI models are trained on vast quantities of information, much of which includes personal data. The DPDP Act and the DPDP Rules govern how that data may be collected, processed and retained. The Bill does not replace this framework, it sits alongside it, addressing what happens to data once it is inside a model rather than how it was collected.

AI systems often rely on large datasets collected over time and for different purposes. Under the DPDP Act, personal data must generally be processed for a lawful purpose and in a manner consistent with the consent provided by the individual.3 AI training does not automatically fall within that original purpose. This is the principle of purpose limitation at work: broad language in a privacy notice does not resolve the issue, particularly where AI training is a materially different use of personal data from the purpose initially communicated to the individual. The Bill approaches this from the other direction. Rather than asking whether consent covers training, it asks whether the training data itself is diverse and representative enough to avoid biased outcomes. The two frameworks are answering different questions about the same dataset.4

Consent is not the only problem. If a data principal withdraws consent or seeks erasure5, compliance is straightforward in a traditional database environment. The position becomes more complex once personal data has been incorporated into a trained AI model. The DPDP Act establishes the legal obligation, but it does not address the technical difficulty of removing data from a model that has already been trained. The Bill does not solve this either, but its proposed power to require withdrawal of an AI system that shows significant bias offers a blunter, system-level remedy where individual-level erasure is not technically feasible.

Cross-broader processing presents a third complication. Many AI systems rely on cloud infrastructure, foundation models and processing arrangements that operate across multiple jurisdictions. The DPDP Act permits cross-border transfers, subject to restrictions the Central Government may prescribe, but this is a transfer-of-data question, not a question about how the system using that data behaves once deployed. That second question is the AI Bill’s territory.

This is where the limits of the DPDP framework start to show. Much like the IT Act, the DPDP framework already addresses several concerns associated with AI such as consent, purpose, erasure, cross-border transfer. But it has nothing to say about algorithmic fairness once the data has already become a model. That is precisely the gap the Bill’s audit and bias-mitigation obligations are designed to fill.

Conclusion

The AI Bill may still be a proposal, but it highlights an important regulatory question: are India's existing laws equipped to govern AI systems, or merely the content and data they generate and process? While the IT Act and DPDP framework already address many AI-related risks, issues such as explainability, algorithmic bias and system-level accountability remain only partially addressed, making the debate around AI-specific regulation increasingly difficult to ignore.

Footnotes

1 Anil Kapoor v. Simply Life India & Ors., Manu/Deor/248558/2023

2 Arijit Singh v. Codible Ventures LLP, 2024 SCC OnLine Bom 2445

3 Section 4 of Digital Personal Data Protection Act (DPDPA) 2023

4 Section 6 of Digital Personal Data Protection Act (DPDPA) 2023

5 Section 12 of Digital Personal Data Protection Act (DPDPA) 2023

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More