
Artificial Intelligence and the Law in India: A Guide for Global Counsel

  • Aman Shankar, Biyanka Bhatia, Sneha Sagar & Abir Roy
  • Mar 15

India does not intend to observe the AI revolution from the margins. That much is now clear. The India AI Impact Summit 2026 in New Delhi marked a turning point — for the first time, a global AI summit shifted decisively to the Global South. For international stakeholders, the implication is equally clear: engagement with India's evolving AI legal framework can no longer be passive or peripheral.


Yet beneath this momentum lies a more complex reality — and for global counsel, a more demanding one. We have annexed a detailed presentation to this post — readers are encouraged to view it alongside this analysis for a fuller picture of the landscape we discuss here.


India has made a deliberate policy choice. There will be no omnibus AI statute. No single, horizontal law of the kind the European Union has pursued through its risk-tiered AI Act. Instead, India has embedded AI governance within its existing legal architecture — the Information Technology Act, the Digital Personal Data Protection Act, the Copyright Act, the Competition Act, and a web of sectoral regulations issued by RBI, SEBI, and CCI. This is not regulatory inertia. It is a conscious design decision, grounded in the view that AI is a general-purpose technology — probabilistic, adaptive, and embedded across sectors — and that premature hard-law regulation risks locking in assumptions that may rapidly become obsolete.


For global counsel advising multinationals, this is not an abstract observation. It is the starting point for every AI-related mandate in India. AI legal risk here is not concentrated in a single statute. It is distributed — across multiple regulatory touchpoints, each with its own enforcement logic, institutional culture, and compliance timeline.


India's AI Governance Guidelines crystallise this approach. They articulate seven core principles — trust, human centricity, innovation, fairness, accountability, explainability, and safety — not as a compliance checklist, but as a policy compass. The Guidelines do not regulate AI as a technology. They regulate AI use-cases, placing primary responsibility on sectoral regulators to address risks contextually and within their existing statutory mandates. Where the EU AI Act seeks legal certainty through predefined risk tiers, India seeks institutional flexibility. For global clients, that distinction carries a real advisory cost: regulatory outcomes are context-sensitive but far less predictable ex ante. Compliance cannot be templated. It must be constructed sector by sector.


The central question this analysis pursues, therefore, is not whether AI should be regulated. That debate is settled. The question is how India's existing legal frameworks must be interpreted, adapted, and supplemented to govern AI responsibly — without undermining the innovation that makes governance worth having in the first place.


Understanding AI Beyond the Hype


The discussion begins by grounding the analysis in a technical and conceptual understanding of AI. It explains how modern AI systems—particularly machine learning, deep learning, and large language models—function through data‑driven training rather than explicit programming. The distinction between upstream activities (data collection, model training, infrastructure and foundation models) and downstream activities (fine‑tuning, deployment, user interaction and outputs) is central to the legal analysis that follows.


This lifecycle‑based approach is crucial. Many legal issues—whether in copyright, data protection, or competition—arise not from AI outputs alone, but from the processes through which models are trained, refined, and commercialised. Treating AI as a black box obscures accountability; unpacking its architecture enables targeted regulation.


Data Protection: The Legitimate Interests Gap


The Digital Personal Data Protection Act creates a further structural divergence. Indian law omits a "legitimate interests" basis for processing — the flexibility that AI developers in GDPR-compliant jurisdictions routinely rely upon for training, inference, and continuous learning. The Indian framework places greater weight on consent, purpose limitation, and publicly available data exemptions — concepts that sit uneasily with modern AI development pipelines. We have written about this in greater detail in one of our earlier blogposts, https://www.sarvadavartalap.com/post/one-critical-gap-what-global-ai-developers-must-know-about-india-s-data-privacy-law-introduction


For multinationals operating unified global AI systems, this is not a minor compliance footnote. It requires India-specific data strategies: separate consideration of training datasets sourced from or referencing Indian users, revisiting anonymisation standards given AI's capacity to re-identify individuals through inference, and careful mapping of data flows against purpose limitations that Indian law treats as near-absolute. Global AI workflows that assume GDPR's balancing flexibility will need structural adaptation for India.


Copyright and Training Data: India as a Test Jurisdiction


Perhaps the most consequential divergence for global AI developers concerns training data. India's copyright framework — narrow, purpose-specific, built for human authorship — offers no reliable safe harbour for large-scale AI training. In view of this, India is exploring a hybrid licensing model: mandatory blanket licensing, centralised royalty collection, and revenue-linked compensation for rights holders.


This is a fundamental policy departure. The EU permits text and data mining with opt-out rights for rights holders. The US resolves disputes through fair use litigation, case by case. India is moving toward compulsory but compensated access — socialising data availability while preserving economic participation for creators.


For global firms, the cross-border implications are immediate. Dataset composition, model training infrastructure, and deployment structuring will increasingly need to account for jurisdiction-specific copyright treatment. India may become the first major jurisdiction to operationalise a statutory licensing regime for AI training — making it a critical test case for whether compensated non-consensual access can function as a scalable global model.


Liability and Contract Design as First-Line Risk Management


Indian law is converging on role-based, risk-proportionate liability — distributing responsibility across developers, deployers, and intermediaries. In the absence of settled jurisprudence, contract design becomes the primary risk management instrument: indemnity structures, disclosure obligations, and internal governance protocols must carry the weight that statutory clarity does not yet provide.


Way forward


India is not a jurisdiction that global technology companies can afford to engage with retrospectively — after products are built, datasets are assembled, and systems are deployed. For global counsel, India demands a systems-level advisory approach — understanding how policy, regulators, courts, and markets interact across sectors. The companies and counsel that engage seriously with Indian law now, while frameworks are still being formed and regulatory interpretation is still in its early stages, will be far better positioned than those who arrive later with products built for other legal environments. India is not converging toward a familiar model. It is building its own. Global counsel must build their understanding of it accordingly — not as an afterthought, but as a first principle.


Please feel free to reach out to our Team to discuss any of the Technology Law, Competition Law, International Trade and Policy Issues.


