Tag: digital personal data protection act

  • India AI Governance Guidelines: What They Mean for International Research Collaborations

    India’s AI Governance Guidelines, issued by the Ministry of Electronics and Information Technology (MeitY) on 5 November 2025, set a “innovation over restraint” policy for AI in India while adding two practical checkpoints for foreign partners: prior approval for cross-border collaboration under the IndiaAI Mission, and compliance with the Digital Personal Data Protection Act, 2023 (DPDPA) for any personal data that crosses India’s borders. For institutions with Indian co-investigators, data, or infrastructure, these guidelines are now a distinct compliance track, separate from the EU AI Act, China’s algorithm rules, or the patchwork of US state AI laws.

    The India AI Governance Guidelines are a non-binding national policy framework — not a statute — that sets seven principles and a four-part action plan for how AI should be developed, deployed, and regulated across Indian government, industry, and research institutions.

    What are India’s AI Governance Guidelines?

    The guidelines are structured into four parts: a statement of principles, a set of recommendations, a phased action plan, and practical guidance for industry and regulators. They rest on seven principles — trust, a people-first approach, innovation over restraint, fairness and equity, accountability, “understandable by design” (transparency), and safety, resilience and sustainability.

    Unlike the EU’s AI Act, the guidelines create no new licensing regime or penalty structure. They instead lean on existing law: AI systems are not treated as intermediaries under India’s IT Act, and human operators retain legal responsibility, since “humans should, as far as possible, have final control over AI systems.” The guidelines also flag that copyright law “may need to be amended to enable large-scale training of AI models, while ensuring adequate protections for copyright holders” — a live issue for any joint project using Indian text or image corpora.

    Does India require approval for international AI research collaborations?

    Yes, for projects funded or hosted under the IndiaAI Mission. Submission guidelines for the mission — the government’s central AI programme, approved by the Union Cabinet on 7 March 2024 with an outlay of INR 10,371.92 crore — state that grantee investigators “should not enter into collaboration with a foreign party (individual/academic institution/industry) in execution of this project without prior approval of IndiaAI.”

    This means a joint grant, dataset-sharing agreement, or model-training partnership involving an IndiaAI-funded Indian institution needs sign-off before the foreign partner is formally engaged, not after. For collaborations outside IndiaAI funding, this specific clearance does not apply, but institutions should still expect any AI-related MoU with an Indian university or research council to reference the November 2025 guidelines as the applicable national policy baseline.

    • Confirm whether the Indian partner’s project is IndiaAI-funded before drafting a collaboration agreement.
    • Build IndiaAI approval into the project timeline, not as an afterthought.
    • Clarify intellectual property ownership and indemnification terms in writing, since the guidelines leave IP allocation to bilateral agreement rather than statute.

    How does the DPDPA affect cross-border research data sharing?

    The Digital Personal Data Protection Act, 2023 governs any processing of personal data linked to Indian data subjects, including in AI research. It requires verifiable consent, data minimisation, and purpose limitation, and it permits cross-border transfer of personal data except to countries the government specifically restricts by notification.

    For an international consortium, this means anonymised or non-personal research datasets face fewer constraints, but any dataset containing identifiable participant, patient, or survey data collected in India must have a documented DPDPA-compliant consent and transfer basis before it leaves the country. This sits alongside, not instead of, ordinary research-ethics review.

    How does India’s approach compare with the EU, China and US state laws?

    India’s framework is deliberately lighter-touch than its major counterparts. The table below sets out the structural difference for administrators weighing multi-jurisdiction AI research.

    Jurisdiction Instrument Legal status Core mechanism
    India AI Governance Guidelines (MeitY, Nov 2025) Non-binding policy Voluntary principles; IndiaAI approval for mission-funded foreign collaboration; existing law for liability
    European Union AI Act (Regulation (EU) 2024/1689) Binding regulation Risk-tiered obligations, mandatory conformity assessment for high-risk systems
    China Interim Measures for Generative AI Services (effective 15 August 2023) Binding administrative measure Security assessment and algorithm filing with the Cyberspace Administration of China
    United States State AI laws (e.g. Colorado AI Act) Binding at state level only No federal AI statute; a growing, uneven patchwork of state ai laws on high-risk automated decisions

    Read together, this is the core distinction for any comparison of ai regulations around the world: China’s regime is the strictest and most centralised, the EU’s AI Act is the most codified and risk-based, US state ai laws remain fragmented in the absence of a federal ai act regulation, and India’s guidelines sit closest to a self-regulatory model — light on penalties, but not without a formal approval checkpoint for internationally funded AI research.

    Frequently asked questions

    Are India’s AI Governance Guidelines legally binding?

    No. The guidelines are advisory, not a statute. They rely on voluntary codes of conduct and existing law — including the IT Act and the DPDPA — rather than creating new offences or licensing requirements for AI developers or researchers.

    Which government body issued India’s AI governance guidelines?

    The Ministry of Electronics and Information Technology (MeitY) released the guidelines on 5 November 2025, developed through an expert subcommittee under the IndiaAI Mission framework, according to the Press Information Bureau.

    How does India’s AI policy differ from the EU AI Act?

    The EU AI Act is a binding regulation with tiered risk categories and enforceable penalties. India’s guidelines are non-binding policy, favouring sandboxes and self-regulation, with obligations arising indirectly through the DPDPA and IndiaAI Mission approval rules rather than a dedicated AI statute.

    Yes. Under the DPDPA, 2023, any processing of personal data tied to an identifiable person in India requires verifiable, purpose-limited consent, regardless of whether the AI system involved is domestic or part of an international research project.

    What should research administrators do now?

    Institutions with active or prospective Indian AI research partnerships should treat the November 2025 guidelines as the current baseline, not a final rulebook — MeitY has signalled further sector-specific guidance and possible copyright-law amendments will follow. In practice, that means research offices should map which Indian collaborations touch IndiaAI funding, audit any personal data flows against DPDPA consent requirements, and put IP and liability terms in writing rather than relying on the guidelines to allocate them.

    Because the framework is principles-based rather than statutory, its practical effect will be shaped by how IndiaAI applies its approval process and how Indian courts interpret existing law against AI-related disputes — a trajectory research administrators should monitor alongside the EU AI Act’s phased enforcement and China’s algorithm-filing regime when assessing multi-jurisdiction AI research risk.