India is in the process of formulating and implementing policy frameworks to govern various aspects of AI regulation. While comprehensive AI-specific regulations are still evolving, several initiatives and guidelines are in place to guide the responsible development and deployment of AI technologies in India.
This primer provides an overview of the key policy strategies and frameworks governing AI regulation in India.
National Artificial Intelligence Strategy
In 2018, India introduced its inclusive approach to artificial intelligence (AI), known as #AIFORALL, in its first national strategy for AI.[1] The strategy emphasised essential areas for national focus in AI innovation and application, encompassing healthcare, education, agriculture, smart cities, and transportation.[2] Since then, several recommendations outlined in the strategy have been successfully implemented, including the development of high-quality datasets to support research and innovation, as well as the establishment of regulatory frameworks for data protection and cybersecurity.
Principles for Responsible AI
Drafted in February 2021, the Principles for Responsible AI is the first part of an approach paper drafted by NITI Aayog as a follow-up to the national strategy. It serves as India’s roadmap for the creation of an ethical, responsible AI ecosystem across sectors. The ethical considerations discussed in the paper are divided into two categories: system considerations and societal considerations.[3] System considerations deal with principles behind decision-making, ensuring rightful inclusion of beneficiaries and accountability of AI decisions. Societal considerations focus on the impact of automation on job creation and employment. The paper outlines seven broad principles for responsible management of AI systems: 1) safety and reliability; 2) inclusivity and non-discrimination; 3) equality; 4) privacy and security; 5) transparency; 6) accountability; and 7) protection and reinforcement of positive human values
Operationalising Principles for Responsible AI
In August 2021, NITI Aayog released the second part of its approach paper, which concentrates on operationalising the principles derived from the ethical considerations surrounding AI governance that were studied in the first part.[4] The document highlights the importance of government intervention to drive responsible AI adoption in social sectors, in partnership with the private sector and research institutes. It emphasises the need for regulatory and policy interventions, capacity building, and incentivising ethics by design by inculcating a responsible attitude among private sectors toward AI.
Draft Digital India Act
The draft Digital India Act 2023 is a proposed legislation in India aimed at replacing the existing Information Technology Act of 2000. First announced in June 2022, the bill is expected to undergo public consultation soon. The Digital India Act aims to establish a comprehensive legal framework for the digital economy in India, addressing a wide array of issues such as cybercrime, data protection, online safety, and intermediary regulation.[5] It also envisages the creation of a new government agency responsible for overseeing the digital domain.
We observe that in relation to AI, the legislation may delineate specific “no-go areas” for companies and internet intermediaries employing AI and machine learning in consumer-facing applications.[6] The primary objective of this provision is to safeguard users from potential harm, and it proposes stringent penalties for any violations.
Draft National Data Governance Framework Policy
On 26 May 2022, the Ministry of Electronics and Information Technology (MeitY) released the draft National Data Governance Framework Policy (NDGFP).[7] The primary objective of this policy is to modernise and revamp government data collection and management procedures. The NDGFP’s core aim, as stated in the draft, is to foster an ecosystem for AI and data-driven research and start-ups in India, achieved by establishing an extensive repository of datasets.[8]
India is taking measures to ensure best practices of transparency and inclusion, as the key elements of the Framework include establishing the India Data Management Office under MeitY and the Digital India Corporation, developing the India datasets platform, setting up request-based access to datasets, and promoting private sector’s participation through contribution of non-personal and anonymised data to the datasets platform.
Draft Indian Standard: Information Technology – AI – Guidance on Risk Management
The Bureau of Indian Standards (BIS) has a committee on AI that is proposing draft Indian Standards equivalent to ISO Standards.[9] We note that there are currently three draft Indian standards related to AI that correspond to International Standards, which are ISO/IEC 24668, ISO/IEC TR 24372, and ISO/IEC 38507, with the latest one focusing on Guidance on Risk Management – identical to ISO/IEC TR 24368 – and having recently been open for public consultation.[10] Following ISO standards will accelerate the deployment and use of AI tools as implementing an interoperable framework that works alongside the legal and regulatory framework will allow policy to be built based on the technology architecture for AI.
Recommendations on Leveraging Artificial Intelligence and Big Data in Telecommunication Sector
After a consultation in the latter half of 2022, the Telecom Regulatory Authority of India (TRAI) released its recommendations on “Leveraging Artificial Intelligence and Big Data in the Telecommunication Sector” on 20 July 2023.[11] The recommendation paper calls for the immediate establishment of a common regulatory framework covering AI across all sectors. This framework will include an independent statutory body and a multistakeholder advisory body to support the proposed statutory authority. Additionally, AI use cases will be categorised based on risk, with high-risk applications subject to regulation through legally binding obligations. The statutory authority will be responsible for developing AI governance guidelines and ethical codes for lower-risk usages in both the public and private sectors. It is noteworthy that TRAI’s approach – categorising AI by application types – somewhat diverges from that of the Ministry of Electronics and information Technology’s, which is slated to be centered on user harm.[12]
The Head of Digital India Corporation claimed that they were “looking at this paper for finalising our framework for responsible and ethical AI”.[13]
Roadmap for AI Ecosystem (Tentative)
In March 2023, MeitY introduced IndiaAI, the national program on AI, aimed at serving as a comprehensive initiative to cover all AI-related research and innovations.[14] Utilising a multistakeholder approach that includes the government, academia, corporates, and start-ups, MeitY established a taskforce responsible for creating a roadmap for the development, structure, and functioning of IndiaAI.[15] Although the original deadline for the roadmap’s completion was April, there have been no updates on its progress so far. Nonetheless, the IndiaAI framework is anticipated to play a pioneering force in shaping the AI ecosystem in India.
Data Embassy Policy (Tentative)
During her budget speech in Feb 2023, Finance Minister Nirmala Sitharaman announced that “for countries looking for digital continuity solutions, (India) will facilitate setting up of their Data Embassies in GIFT IFSC (Gujarat International Finance Tec-City International Financial Services Center)”.[16] The Minister of State for IT followed up and shared that the policy will permit countries and corporations to set up “data embassies” within India that will offer “diplomatic immunity” from local regulations for national as well as commercial digital data.[17] He further shared that India’s vision was to build “corridors of trust” so that Indian users’ data can be stored in foreign cloud as long as they are subject to Indian laws and “foreign entities can also create pockets of data where their own laws apply”. Since then, local industry associations have come out to support the move but called for the concept to be extended beyond GIFT IFSC.[18] Worryingly, unnamed officials also told the press that the data embassy policy may only cover non-personal data.[19] This decision has not yet been verified and can be expected to be met with industry backlash.
Although the Minister of State had previously said that the data embassy policy will form a part of the Digital Personal Data Protection Bill which is scheduled to be introduced in parliament in July 2023, the policy has not been included in the draft bill and will likely be developed as a standalone policy.
National Cybersecurity Reference Framework
The Government of India has taken significant steps to provide structured cyber security guidance to critical sectors like telecom, power and energy, transportation, finance, strategic entities, government entities, and health sectors. This initiative is being led by the National Critical Information Infrastructure Protection Centre under the National Security Council Secretariat. On 12 June 2023, Lt General Rajesh Pant, the National Cyber Security Coordinator, announced the finalisation of the first version of the NCRF document.[20] This framework will serve as a guiding document for critical sector entities to develop their governance and management systems, as well as their architecture framework for both Information Technology and Operational technology systems. The NCRF will be continuously updated to address new threats and technologies, enabling organisations to improve their cybersecurity posture, reduce the risk of data breaches, comply with regulations, instill customer confidence, and enhance operational efficiency.
Global Partnership on Artificial Intelligence (GPAI)
India has become a member of the Global Partnership on Artificial Intelligence (GPAI), joining other prominent economies like the United States, the United Kingdom, the European Union, Australia, Canada, France, Germany, Italy, Japan, Mexico, New Zealand, South Korea, and Singapore.[21] The GPAI is an international initiative that involves multiple stakeholders and aims to steer the responsible development and utilisation of AI, emphasising principles such as human rights, inclusion, diversity, innovation, and economic growth. The GPAI Summit 2023 is scheduled to take place in New Delhi, India, from 12-14 December 2023.
AI experts from various sectors can participate in GPAI working groups as individuals, either through GPAI member’s nomination or self-nomination. During their three-year term, they do not represent their organisation or country. Currently, GPAI is inviting partners to engage in discussions regarding the challenges related to the trust of generative AI.[22]
If you would like to keep updated with AI developments and AI thought leadership, please subscribe to our channels and our AI Policy Lab Newsletter.
[1] https://niti.gov.in/sites/default/files/2019-01/NationalStrategy-for-AI-Discussion-Paper.pdf
[2] https://www.psa.gov.in/mission/artificial-intelligence/34
[3] https://indiaai.gov.in/research-reports/responsible-ai-part-1-principles-for-responsible-ai
[4] https://indiaai.gov.in/research-reports/responsible-ai-part-2-operationalizing-principles-for-responsible-ai
[5] https://economictimes.indiatimes.com/tech/newsletters/morning-dispatch/draft-digital-india-act-to-open-for-public-consultation-soon-concerns-raised-over-impact-of-the-digital-competition-bill/articleshow/101291929.cms?from=mdr
[6] https://government.economictimes.indiatimes.com/news/digital-india/digital-india-act-to-make-ai-platforms-liable-in-cases-of-harm-to-users-in-healthcare/101305644
[7] https://www.meity.gov.in/content/draft-national-data-governance-framework-policy
[8] https://www.techcircle.in/2023/02/01/budget-2023-fm-announces-data-governance-policy-to-enable-access-to-anonymised-data
[9] https://www.services.bis.gov.in/php/BIS_2.0/dgdashboard/Published_Standards_new/standards?commttid=Mzg2&commttname=TElURCAzMA%3D%3D&aspect=&doe=&from=2022-07-21&to=2023-07-21
[10] https://www.services.bis.gov.in/php/BIS_2.0/dgdashboard/Published_Standards_new/standards?commttid=Mzg2&commttname=TElURCAzMA%3D%3D&aspect=&doe=&from=2022-07-21&to=2023-07-21
[11] https://trai.gov.in/notifications/press-release/trai-releases-recommendations-leveraging-artificial-intelligence-and-big
[12] https://inc42.com/buzz/india-to-regulate-ai-to-keep-digital-citizens-safe-rajeev-chandrasekhar/
[13] https://government.economictimes.indiatimes.com/news/technology/india-must-create-laws-to-make-ai-unbiased-inclusive-md-ceo-digital-india-corp/100263514
[14] https://indiaai.gov.in/news/india-ai-will-become-a-global-innovation-and-research-brand-mos-rajeev-chandrasekhar
[15] https://www.business-standard.com/article/economy-policy/meity-forms-task-force-to-draft-roadmap-for-indiaai-ecosystem-by-april-end-123031301290_1.html
[16] https://www.indiabudget.gov.in/doc/budget_speech.pdf
[17] https://economictimes.indiatimes.com/tech/technology/govt-may-notify-data-embassy-policy-as-part-of-new-data-bill/articleshow/97560396.cms
[18] https://economictimes.indiatimes.com/tech/technology/let-data-embassies-come-up-across-the-country-not-at-gift-ifsc-alone-industry/articleshow/97741774.cms
[19] https://www.business-standard.com/article/technology/data-embassies-may-only-be-allowed-to-store-non-personal-information-123021200403_1.html
[20] https://www.nationalheraldindia.com/national/ncsc-launches-national-cybersecurity-reference-framework-in-pune
[21] https://gpai.ai/
[22] https://oecd.ai/en/wonk/global-challenge-partners
