AI Governance in India: DPDP Act, SEBI, RBI, and the Emerging Regulatory Landscape
India's Digital Personal Data Protection Act (DPDP) 2023 is now being implemented, with rules expected in 2026. India's financial regulators — RBI and SEBI — have issued AI guidance. This is the complete guide for organisations operating in India.
Key Takeaways
The Digital Personal Data Protection Act 2023 creates India's first comprehensive data protection framework — its implementation rules (expected 2026) will significantly affect how AI systems processing personal data of Indian residents must be governed.
The DPDP Act's concept of 'consent managers' and the rights of 'data principals' (individuals) create specific obligations for AI systems that use personal data — including rights to withdraw consent and obligations around automated processing.
The Reserve Bank of India has issued guidance on the use of AI and ML in financial services — including expectations for model risk management, explainability, and fairness testing that apply to banks, NBFCs, and fintech companies.
SEBI has published circulars on AI use by market intermediaries, requiring specific disclosures and risk management frameworks for AI used in trading, investment advice, and compliance functions.
India's AI governance landscape is developing rapidly — the Ministry of Electronics and Information Technology (MeitY) published the India AI Mission in March 2024, and sector-specific AI guidance from IRDAI, TRAI, and other regulators is expected through 2026.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific guidance."
The DPDP Act and AI governance
The Digital Personal Data Protection Act 2023, India's first comprehensive data protection legislation, fundamentally changes the legal framework for processing personal data in India — including personal data processed by AI systems. The Act establishes rights for data principals (individuals whose data is processed) including the right to access information about their data, the right to correction and erasure, and the right to nominate a representative. For AI systems processing personal data of Indian residents, these rights create specific obligations around transparency, consent management, and individual access.
The DPDP Act's consent framework is particularly significant for AI. Processing of personal data requires either consent of the data principal or a "legitimate use" specified in the Act. The legitimate use categories are narrower than the equivalent provisions in GDPR, and the consent requirements are specific — consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative act. AI systems that process personal data as part of automated decision-making will need to assess their consent and legitimate use basis carefully when the rules are published.
RBI guidance on AI in financial services
The Reserve Bank of India has been progressively developing its approach to AI in banking and financial services. Key RBI guidance includes: the Master Direction on IT Governance, Risk, Controls and Assurance Practices (2023), which applies to banks and creates specific requirements for AI/ML model risk management; the guidelines on digital lending, which include specific provisions on algorithmic credit assessment; and various circulars on cybersecurity that address AI system security. The RBI's model risk management expectations for AI-driven credit models include requirements for model documentation, validation, and performance monitoring that parallel the US Federal Reserve's SR 11-7 framework.
SEBI and AI in capital markets
The Securities and Exchange Board of India has issued guidance on AI use by market intermediaries — brokers, investment advisers, portfolio managers, and other SEBI-registered entities. The key SEBI AI governance requirements are disclosure of AI use in investment research and advice, requirements for AI systems used in algorithmic trading, and expectations for explainability of AI-generated investment recommendations. SEBI's approach reflects two concerns: that correlated AI trading strategies could create systemic risk in capital markets, and that AI-generated investment advice provided to retail investors may lack integrity.