Skip to Content
OPINION

Notes from the Asia-Pacific region: India signals shift on AI regulation

India's digital trust landscape is evolving as government officials signal a possible shift toward AI-specific legislation while courts and regulators confront emerging risks.

Published
Subscribe to IAPP Newsletters

Contributors:

Shivangi Nadkarni

Senior Vice President and General Manager, Digital Governance

Persistent Systems

Editor's note

The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

The monsoon season has finally set in across most of India, bringing much needed relief from the brutal summer. The greenery all around helps add that extra spring in the step — much welcomed for those of us who track digital trust and governance in the country, given how the action never seems to slow down.

In an interesting development, 11 June 2026, the Union Minister for Electronics and Information Technology Ashwini Vaishnaw indicated the government may look to govern artificial intelligence differently from its earlier stated stance. In an interview with the Press Trust of India, he said the country needs a fresh AI-specific law because "the world of AI is very different from the world when the (Information Technology) Act was enacted in 2000." 

This seems to contradict the government's earlier stated stance that it was not considering a separate law regulating AI. It may well be that the government may make this a part of the IT Act revamp that has been in the works for a while. We need to wait to find out.

A week later, 18 June 2026, Prime Minister Narendra Modi, while addressing the VivaTech Summit in Paris, added another layer to India's global AI positioning. Repeating the M.A.N.A.V. framing he used at the India AI Impact Summit in February, Modi told a European audience that "for India, AI means all inclusive," reiterating the importance of democratizing technology. In light of recent geopolitical developments around access to AI models, this message carries significance.

While the government figures out how to legislate and govern, courts are marching ahead. On 2 July 2026, in Pooja Ramesh Singh v. Jammu and Kashmir Bank Ltd., the Supreme Court of India set aside orders passed earlier by the National Company Law Tribunal and the National Company Law Appellate Tribunal as they were based on AI-generated fake precedents attributed to the Supreme Court. Further, the judicial bench directed the Bar Council of India to constitute a committee to prescribe disciplinary norms for advocates who file AI-generated fake citations.

For those of us watching responsible AI in high-stakes public sector deployments, this is the clearest domestic articulation yet of the "human-in-the-loop" principle — and importantly, it is being enforced at the top of the judicial pyramid.

One day earlier, 1 July 2026, saw another instance of the Delhi High Court taking action in favor of a deepfake victim. In a ruling on a plea against a raft of AI-generated deepfakes and morphed images by Rajya Sabha Member of Parliament Raghav Chadha, the court ordered the removal of five specific posts.

The Madurai Bench of the Madras High Court, meanwhile, 2 July 2026, directed the Tamil Nadu Police to promptly investigate the morphing and nonconsensual circulation of images of a Singapore-based Indian woman. The judgment placed such conduct squarely within the protection of bodily privacy and decisional dignity under Article 21 of the Constitution of India.

Key sectoral regulators continued to march ahead, too.

The Reserve Bank of India issued a directive in early June giving banks and other regulated entities until 30 June 2026 to submit board-approved gap assessments on frontier-AI cyber risks. In the 5 June post-monetary-policy briefing, RBI Deputy Governor Swaminathan Janakiraman publicly confirmed advisories had been issued and Mythos-class models were engaging the government at both the RBI and inter-regulatory forum levels. 

On 24 June 2026, the RBI released for public comment the draft "Guidance on Regulatory Principles for Model Risk Management," expressly extending the framework to third-party models and AI/machine learning systems used by commercial banks, small finance banks, payments banks, nonfinancial banking companies, asset reconstruction company's and credit information companies. This is a decisive step toward institutionalizing an AI-model-lifecycle view of risk in India's financial sector.

The Insurance Regulatory and Development Authority of India has also been active. It added dark patterns to its agenda and commissioned a study by the Institute of Public Auditors of India to observe dark patterns over a nine-month period. IRDAI Chairman Ajay Seth also explicitly called out insurers who force customers to hand over personal data before showing a quote. 

Talking of dark patterns, the Central Consumer Protection Authority initiated fresh enforcement action 3 June 2026 against PhysicsWallah Limited and McAfee Software India Private Limited with fines — albeit very nominal — for basket sneaking, confirm shaming and forced action. 

Another recent interesting development was the Ministry of Electronics and Information Technology's notice to Meta's WhatsApp — and shortly thereafter to Telegram and Signal — over their optional usernames feature. The notice gave WhatsApp three days to explain why the feature — announced globally 29 June 2026 — should not attract regulatory action under Section 79 of the IT Act and the 2021 Intermediary Rules, and asked the company to hold the India roll-out until MeitY concluded its consultation. The concern is that cybercriminals would misuse this feature.

Since I like to close with a set of numbers that puts the month in perspective, here are some from the Nasscom-Zinnov "GCC Value Orbit report" released 3 July 2026. As of FY26, India hosts 2,117 Global Capability Centres operating across 3,728 units and employing about 2.36 million professionals, with the ecosystem clocking USD98.4 billion in revenues. Around 506 of the Forbes Global 2000 companies now run operations from India. Nearly 64% of GCC site leaders now hold dual mandates that include cybersecurity and AI governance as mission-critical responsibilities.

What this data tells me — from a digital trust standpoint — is that the demand for privacy, AI governance and cybersecurity skills will only intensify in India over the next 12 to 18 months, precisely as the Digital Personal Data Protection Act takes full effect 13 May 2027, the Data Protection Board starts functioning and the sectoral regulators sharpen their enforcement teeth.

The monsoon season may drench Pune and much of the country for the next two months, but there is nothing wet or weary about India's digital trust momentum right now.

This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.

CPE credit badge

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.

Submit for CPEs

Contributors:

Shivangi Nadkarni

Senior Vice President and General Manager, Digital Governance

Persistent Systems

Tags:

AI and machine learningAI governance

Related Stories