INDIA Law and Practice Contributed by: Shivalik Chandan, Hardik Choudhary, Dhruv Singh and Arjun Khurana, G&W Legal
Information Technology Act, 2000 (IT Act) The IT Act, being the primary legislation for regu - lating all things online/digital in India, will apply along with the Information Technology (Reason - able Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the “SPDI Rules”) and IT Rules 2021 in regulating AI. They impact issues such as right to privacy, web scrapping, etc. IT Rules 2021 It is possible, depending on the use made of AI in each instance, that a platform may be con - sidered as an intermediary. In order to qualify as such, it would need to meet the test laid down in Section 79 of the IT Act – namely, that it does not initiate a transmission, select a receiver or exercise any editorial control. In the instance of AI-generated content, it is unlikely that the third part of this test would be met. Additionally, even if all three parts of this test are met, the inter - mediary claiming safe harbour will be required to comply with the obligations placed upon it by way of the law, including specifically under these rules. The DPDPA and the draft DPDP Rules 2025 The soon-to-be-implemented law along with its rules (once finalised) will have implications for the deployment and use of AI where these concern digital personal data. This is likely to have implications for generative AI and regulate the right to privacy against private entities. How - ever, it is to be noted that the DPDPA specifically excludes publicly available personal data from its purview, and this exclusion would mean that training AI models on publicly available datasets (including personal data) may not fall foul of the DPDPA specifically.
report with additional information to the DPB within 72 hours of becoming aware of a breach. Jurisdiction The question of jurisdiction also poses a chal - lenge in contravention by cloud and edge com - puting services. Even though the IT Act and DPDPA have been granted extraterritorial juris - diction, actual enforcement against foreign enti - ties without a tangible presence in India is chal - lenging. Such entities might claim that Indian The draft DPDP Rules 2025 bring some clar - ity on the issue of cross-border data transfers. While the DPDPA only allows for the government to blacklist certain countries to which the per - sonal data of Indian data principals may not be transferred, the draft DPDP Rules 2025 place an additional data localisation requirement on significant data fiduciaries. As per the draft DPDP Rules 2025, the government may, at the recommendation of a committee constituted by it, notify categories of personal data which are restricted from being transferred outside India. laws do not apply to them. Cross-border data transfers 3. Artificial Intelligence 3.1 Liability, Data Protection, IP and There is no sui generis law governing AI in India. Different existing laws/guidelines/policies regu - late AI, including issues on protection of a per - son’s likeness, deepfakes, AI in self-driving cars, drones, etc. Some of the primary ones are listed below. Fundamental Rights Laws and Regulations
129 CHAMBERS.COM
Powered by FlippingBook