Introduction
Artificial intelligence has moved from research laboratories into everyday life with remarkable speed. It now assists doctors in diagnosing disease, helps banks detect fraud, powers recommendation engines on e-commerce platforms, and is increasingly used by government departments to deliver public services. As this technology becomes woven into decisions that affect people's rights and livelihoods, a pressing legal question has emerged: should India enact a dedicated statute to govern artificial intelligence, or is it sufficient to regulate AI through existing laws applied flexibly to new technology? This blog examines that question by tracing the current legal landscape, weighing the arguments on both sides, and considering the direction India appears to be taking.
Background
India's engagement with AI policy began in earnest when the government positioned the country as a hub for AI-led growth. NITI Aayog's national strategy paper set out a vision for using AI in healthcare, agriculture, education, and mobility, describing the technology as a lever for inclusive development rather than a threat to be contained. [1]
At the same time, global regulators began moving in the opposite direction, treating AI less as an opportunity to be encouraged and more as a risk to be controlled. The European Union's decision to adopt a comprehensive, risk-tiered statute dedicated entirely to artificial intelligence marked a turning point, and it placed pressure on other jurisdictions, including India, to clarify their own regulatory stance.
The Ministry of Electronics and Information Technology has, in the meantime, examined related questions such as the governance of non-personal data generated by AI systems, signalling that Indian policymakers are alive to the issue even without a single overarching AI code. [2]
Legal Framework
India does not currently have a law that refers to artificial intelligence by name. Instead, AI-related conduct is governed indirectly through a patchwork of statutes. The Information Technology Act, 2000, remains the primary umbrella legislation for digital activity, covering matters such as electronic records, intermediary liability, and cybercrime, but it was drafted long before machine-learning systems existed and does not address issues unique to AI, such as algorithmic bias or automated decision-making. [3]
The Digital Personal Data Protection Act, 2023, is the closest India has come to regulating a core input of AI systems, since it governs how personal data may be collected, processed, and used, including by automated systems, though it does not deal with the outputs or decisions that AI systems generate. [4]
Beyond these statutes, sector-specific regulators have begun issuing their own guidance. The Reserve Bank of India has examined algorithmic lending and fraud-detection tools used by banks, and the Securities and Exchange Board of India has looked at algorithmic trading, but these remain fragmented, sector-by-sector responses rather than a unified legal framework.
This fragmented approach was preferred internationally too, at least at first: the European Union's shift to a single, dedicated AI statute, which sorts AI systems by risk level and imposes obligations accordingly, is often cited as the clearest example of what a standalone law could look like. [5]
Analysis and Discussion
The case for a dedicated AI law rests on several arguments. First, existing statutes were not designed with autonomous or self-learning systems in mind, and courts may struggle to apply concepts such as negligence, liability, or intermediary status to decisions made by an algorithm rather than a person. Second, a standalone law could introduce AI-specific safeguards, such as mandatory disclosure when a person interacts with an AI system, a right to a human review of automated decisions, and risk-based obligations that scale with the potential for harm, similar to the tiered approach used in the European Union.
Proponents also point to NITI Aayog's own recognition that trustworthy AI requires attention to fairness, accountability, and transparency, principles that are difficult to enforce through data protection or consumer law alone. [6]
On the other side, several commentators and government officials have cautioned against rushing into a rigid, standalone statute. India's AI sector is still young, and a premature law risks freezing rules around a technology that is evolving quickly, potentially discouraging the very innovation the government has sought to promote. There is also a practical concern about enforcement capacity: a new regulator or specialised bench would need technical expertise that most existing institutions do not yet have. A related worry is that a single, horizontal AI law may sit awkwardly alongside sector regulators who already have domain knowledge, for instance in banking, healthcare, or securities, creating overlapping jurisdiction rather than legal clarity.
Indian courts have, in other technology contexts, shown a willingness to step in decisively when regulators act without clear statutory backing, which suggests that leaving AI governance entirely to informal guidelines carries its own legal risk of judicial intervention or reversal. [7]
A middle path, and one that appears closest to India's current trajectory, is to develop AI-specific principles through soft law and policy documents in the short term, while amending existing statutes, such as the Information Technology Act and sectoral regulations, to close the most urgent gaps. A standalone AI code could follow once regulators have gathered enough practical experience to know which harms genuinely require new legal categories, as opposed to firmer enforcement of principles that already exist.
Conclusion
Artificial intelligence poses genuinely new legal questions, but that alone does not settle whether India needs a wholly separate statute to answer them. There are strong reasons to move carefully: adapting current laws preserves flexibility and lets regulators learn before rules harden into legislation. At the same time, gaps around AI-specific harms, such as opaque automated decisions and algorithmic discrimination, are unlikely to close on their own. The most workable path for India may not be an immediate, standalone AI Act on the European model, but a phased approach that strengthens the Information Technology Act and the Digital Personal Data Protection Act in the near term, while keeping the door open to a dedicated law once the shape of AI-related harm in the Indian context becomes clearer.
Reference
[1] NITI Aayog, National Strategy for Artificial Intelligence, June 2018.
[2] Ministry of Electronics and Information Technology, Report of the Committee on Non-Personal Data Governance Framework, 2020.
[3] Information Technology Act, No. 21 of 2000, India Code (2000).
[4] Digital Personal Data Protection Act, No. 22 of 2023, India Code (2023).
[5] European Parliament and Council of the European Union, Regulation (EU) 2024/1689 (Artificial Intelligence Act), 2024.
[6] NITI Aayog, Responsible AI for All: Approach Document, Part 1, 2021.
[7] Internet and Mobile Association of India v. Reserve Bank of India, (2020) 10 SCC 274 (illustrating judicial scrutiny of technology-driven regulatory action).