AI Governance in India: DPDP Act, SEBI, RBI, and the Emerging Regulatory Landscape

The DPDP Act and AI governance

The Digital Personal Data Protection Act 2023, India's first comprehensive data protection legislation, fundamentally changes the legal framework for processing personal data in India — including personal data processed by AI systems. The Act establishes rights for data principals (individuals whose data is processed) including the right to access information about their data, the right to correction and erasure, and the right to nominate a representative. For AI systems processing personal data of Indian residents, these rights create specific obligations around transparency, consent management, and individual access.

The DPDP Act's consent framework is particularly significant for AI. Processing of personal data requires either consent of the data principal or a "legitimate use" specified in the Act. The legitimate use categories are narrower than the equivalent provisions in GDPR, and the consent requirements are specific — consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative act. AI systems that process personal data as part of automated decision-making will need to assess their consent and legitimate use basis carefully when the rules are published.

RBI guidance on AI in financial services

The Reserve Bank of India has been progressively developing its approach to AI in banking and financial services. Key RBI guidance includes: the Master Direction on IT Governance, Risk, Controls and Assurance Practices (2023), which applies to banks and creates specific requirements for AI/ML model risk management; the guidelines on digital lending, which include specific provisions on algorithmic credit assessment; and various circulars on cybersecurity that address AI system security. The RBI's model risk management expectations for AI-driven credit models include requirements for model documentation, validation, and performance monitoring that parallel the US Federal Reserve's SR 11-7 framework.

SEBI and AI in capital markets

The Securities and Exchange Board of India has issued guidance on AI use by market intermediaries — brokers, investment advisers, portfolio managers, and other SEBI-registered entities. The key SEBI AI governance requirements: disclosure of AI use in investment research and advice, requirements for AI systems used in algorithmic trading, and expectations for explainability of AI-generated investment recommendations. SEBI's approach reflects a concern about AI creating systemic risk in capital markets through correlated AI trading strategies and about the integrity of AI-generated investment advice provided to retail investors.