Professional Documents
Culture Documents
Intersection of AI and
Cybersecurity in India
Introduction
1. The Indian government aims to fuel economic growth in the upcoming decade, termed as India's "techade,"
with a focus on technology-driven development. Efforts include revising legal frameworks to address privacy
and cybersecurity concerns, although explicit definitions for "GenAI" or "AI" are currently lacking in Indian
statutes.
2. The Information Technology Act, 2000, supplemented by various rules and regulations, serves as the primary
legal framework for cybersecurity in India. Sector-specific regulations and initiatives like the CERT-In Rules and
Directions mandate reporting of cybersecurity incidents, but there is a gap in addressing emerging
technologies like AI/ML and GenAI within the current legislative framework.
3. Sectoral regulators, such as SEBI, RBI, and IRDAI, have released frameworks for cybersecurity, emphasizing
reporting requirements and compliance obligations for regulated entities. However, these frameworks do not
specifically address risks related to AI/ML or GenAI, leaving a gap in addressing emerging technological threats
within sectoral regulations.
Approach of Indian Court
1. Indian courts have addressed emerging technological challenges, such as deepfakes and AI, within existing legal frameworks,
recognizing the limitations and risks associated with relying solely on AI-generated data for legal adjudication.
2. The proposed Digital India Act (DIA) aims to address regulatory gaps by introducing a legislative framework to regulate high-risk AI
systems and emerging technologies, potentially replacing the outdated Information Technology Act (IT Act) as the primary
legislation for cybersecurity threats.
3. The Digital Personal Data Protection Act (DPDPA) focuses on governing personal data (PD) protection, including stringent
requirements for data fiduciaries and penalties for non-compliance, although it does not specifically address risks related to AI or
GenAI.
4. While the DPDPA covers incidents involving PD breaches, such as those involving GenAI, it does not address broader cybersecurity
issues related to anonymized or aggregated data, which may require consideration under other laws.
5. The DIA is expected to regulate AI and emerging technologies through the lens of "user harm," potentially aligning with
international efforts such as the EU's Artificial Intelligence Act (EU AI Act) while filling regulatory gaps in India's legal framework.
Recommendations for Policy Makers and
Stakeholders
Urgent need for AI-specific legislation to address the growing use of AI and associated harms, with
principles outlined by NITI Aayog emphasizing reliability, equality, privacy-by-design, transparency,
and positive human values.
Importance of enhancing AI literacy among judiciary and law enforcement agencies to effectively
balance innovation with individual rights, ensuring considerations of data privacy, transparency, and
fundamental rights in legal rulings.
Promotion of incentives for AI research through industry standards and self-regulation, guided by
clear, comprehensive principles aligned with national AI strategy, encompassing ethical
considerations, safety standards, and accountability measures, with oversight by an independent
governing body to ensure adherence and accountability.
Conclusion
1.AI's unique ability to autonomously produce data sets distinguishes it from other
forms of AI, presenting both opportunities and risks in cyber-attacks and defensive
cybersecurity capabilities.
2.Technological innovations like GenAI are neutral and can be used for both beneficial
and harmful purposes, emphasizing the importance of a principles-based approach
to law-making to address present and future scenarios.
3.The legislative vacuum around AI and cybersecurity in India hampers proactive
measures to curb harm and protect user rights, highlighting the need for a
farsighted law to balance risks and innovation.
THANK YOU