1. Introduction

Artificial Intelligence (AI) is one of the most transformative technologies of the modern era, reshaping sectors such as healthcare, finance, governance, education, and national defence. In India, AI adoption is accelerating at a remarkable pace, with both the government and private enterprises integrating AI-driven systems into their core operations. However, this rapid integration also brings with it a host of legal and ethical challenges, particularly concerning liability and accountability when AI systems cause harm or make decisions that adversely affect individuals.

Unlike the European Union, which has introduced the landmark EU AI Act, or the United States, which has issued executive orders and sector-specific guidance, India currently lacks a dedicated and comprehensive AI regulatory framework. Instead, AI-related legal issues are addressed through a combination of existing statutes, including the  Consumer Protection Act , the  Information Technology Act , personal data protection legislation, and traditional tort and criminal law principles. This reliance on older legal frameworks creates significant gaps when confronting the novel challenges posed by autonomous and intelligent systems.

Key Exam Point India has no dedicated AI law as of now. All AI-related liability is handled through existing laws such as the Consumer Protection Act 2019, IT Act 2000, DPDPA 2023, IPC 1860, and Constitutional provisions.

This note provides a structured analysis of how Indian law currently addresses AI liability under civil and criminal frameworks, examines the emerging governance mechanisms that India is developing, and identifies the key gaps and challenges that remain unresolved in the present legal system.

2. Civil Liability for AI Actions in India

Civil liability refers to the legal obligation of a person or organisation to compensate another for harm, loss, or injury caused by their actions or omissions. When an AI system causes harm — whether through a malfunctioning product, a negligent decision, or an unauthorised use of personal data — civil liability may arise under contract law, the law of torts, or specific statutory provisions. In India, civil liability for AI can broadly be understood through three overlapping heads: product liability, negligence, and data protection violations.

A. Product Liability and Consumer Protection

The most direct form of civil liability for AI-related harm arises under product liability law. When an AI-powered product is defective or fails to perform as promised, causing damage to a consumer or third party, the manufacturer, distributor, or service provider can be held accountable. In India, the primary statute governing this area is the  Consumer Protection Act, 2019 , which provides consumers with the right to seek compensation for defective goods and deficient services. AI products such as diagnostic medical tools, smart appliances, autonomous vehicles, and financial advisory software all fall within the ambit of this Act if they are used for personal, household, or business purposes.

Additionally, the  Sale of Goods Act, 1930  provides a contractual remedy where an AI product does not meet the implied or expressed warranties of quality and fitness. If an AI system is sold with the promise of performing certain functions and fails to do so, the seller can be held liable for breach of warranty and the buyer may claim damages or a refund.

Illustrative Example Suppose an AI-powered medical diagnostic tool used in a hospital incorrectly identifies a patient as having cancer, leading to unnecessary and painful treatment. In such a case, the hospital or the AI software provider may be sued under the Consumer Protection Act, 2019 for supplying a defective product or deficient service that caused physical and mental harm to the patient.

B. Negligence and Duty of Care

The law of negligence is one of the foundational principles of tort law and is highly relevant in AI liability cases. Negligence occurs when a person or organisation that owes a duty of care to another fails to exercise reasonable caution, and that failure causes harm. In the context of AI, the critical question is whether the operator, developer, or deployer of an AI system exercised adequate diligence in ensuring its safe functioning.

In the field of healthcare, hospitals and medical professionals that deploy AI-assisted diagnostic or surgical systems are expected to maintain those systems to the highest professional standard. If a robotic surgery AI malfunctions due to poor maintenance, incorrect programming, or failure to update the system, and a patient suffers harm as a result, the hospital could be held liable under principles of medical negligence. Indian courts have consistently held medical professionals to a high standard of care, and AI deployment does not diminish that responsibility.

In the domain of finance, AI-driven trading algorithms and financial advisory tools that execute flawed decisions resulting in significant investor losses may expose companies to contractual and tortious claims. Investors who rely on AI-generated financial advice have a legitimate expectation of accuracy and prudence, and a failure to meet that expectation — especially where the AI was poorly tested or inadequately supervised — can give rise to legal action.

In the area of autonomous vehicles, the stakes of AI negligence are perhaps the highest, as malfunctions can lead directly to loss of life. If a self-driving car causes an accident due to defective software or inadequate safety testing, both the vehicle manufacturer and the software developer may face claims under tort law and motor vehicle regulations.

International Reference (Applicable by Analogy in India) In March 2018, an Uber self-driving car struck and killed a pedestrian in the United States. This case brought global attention to the question of how liability should be allocated between the technology developer, the operator, and the regulatory authority. In India, a similar case could be adjudicated under the Motor Vehicles Act, 1988, and the law of tort, requiring courts to determine whether the harm resulted from defective design, inadequate testing, or operator negligence.

C. Data Protection and Privacy Violations

Modern AI systems are fundamentally data-driven. They collect, process, analyse, and make decisions based on vast quantities of personal data. This creates significant exposure to liability under data protection and privacy law. The primary statutory framework in this regard is the  DPDPA, 2023 , which imposes obligations on ‘data fiduciaries’ to collect data only with valid consent, to use it only for specified purposes, and to protect it from unauthorised access or breach. Violations of the DPDPA can attract substantial financial penalties.

The  Information Technology Act, 2000  and its associated rules also govern the handling of sensitive personal data and provide remedies for unauthorised interception, hacking, and data misuse. Where AI systems process biometric data, financial data, or health records without proper authorisation, they risk civil and regulatory liability under these provisions.

Illustrative Example Consider an AI-powered facial recognition system deployed in public spaces by a private company for the purpose of targeted advertising. If this system collects and stores individuals’ biometric data without their knowledge or consent, it would constitute a clear violation of the DPDPA, 2023, and potentially also infringe on the fundamental right to privacy recognised by the Supreme Court in Justice K.S. Puttaswamy v. Union of India (2017).

3. Criminal Liability for AI Actions in India

Criminal liability is fundamentally different from civil liability in both its nature and its purpose. While civil law seeks to compensate the victim, criminal law seeks to punish the wrongdoer and deter future offences. Under Indian criminal law, liability typically requires the presence of two elements: the actus reus (the wrongful act) and the mens rea (the guilty mind or criminal intent). This dual requirement creates a deep structural problem when applied to AI systems, which can act autonomously but entirely lack the capacity for intent, consciousness, or moral reasoning.

The settled position under Indian law is that AI cannot itself be held criminally liable. The law attributes criminal responsibility to human beings — the developers, operators, deployers, or other principals who direct or benefit from the AI system’s actions. This approach, while pragmatically sensible, leaves open difficult questions about how responsibility should be allocated among multiple human actors in complex AI deployment chains.

A. AI and Cybercrime

Artificial Intelligence has become a powerful tool for cybercriminals. AI systems can be used to launch large-scale phishing attacks, generate convincing deepfake audio or video content for fraud, conduct automated identity theft, and break through digital security systems with unprecedented speed and precision. The  IT Act, 2000  is the primary statute governing cybercrimes in India. Under the IT Act, hacking, unauthorised access to computer systems, identity theft, and phishing are all punishable offences. Those who deploy AI tools to commit such offences can be prosecuted under the relevant provisions, alongside the general fraud and cheating provisions of the  IPC, 1860 , particularly Section 420 (cheating) and Section 468 (forgery for the purpose of cheating).

Real-World Case (2019) In 2019, AI-generated voice cloning technology was used by cybercriminals to impersonate the CEO of a UK-based energy company, convincing a subordinate to transfer approximately $243,000 to a fraudulent account. Under Indian law, a similar offence could be prosecuted under Section 420 IPC for cheating, Section 66D of the IT Act for impersonation using a computer resource, and related provisions targeting electronic fraud.

B. Autonomous AI and Criminal Acts

Perhaps the most philosophically and legally challenging issue in AI criminal law is the question of autonomous harm — situations where an AI system causes injury, death, or loss through decisions it makes independently, without direct human instruction at the moment of the harmful act. The challenge arises because traditional criminal law is constructed around the concept of human agency. The requirement of mens rea assumes a mind capable of forming intent, and AI systems simply do not have minds in the legal or philosophical sense.

The concept of vicarious liability offers one avenue for resolving this problem. Under vicarious liability, a principal may be held liable for the wrongful acts of their agent or employee. If an AI system is treated as an ‘agent’ of its operator, the operator could bear criminal or civil responsibility for the AI’s actions, even where no specific direction was given at the moment of the harm. However, Indian law does not yet formally recognise AI systems as agents capable of attracting vicarious liability, and the courts have not authoritatively resolved this question.

Another approach is strict liability, which dispenses with the requirement of proving negligence or intent. Under strict liability, those who deploy inherently dangerous technologies — and advanced autonomous AI may qualify as such — can be held responsible for harm caused by those technologies regardless of fault. This principle, derived from the English case of Rylands v. Fletcher and adapted in Indian jurisprudence in M.C. Mehta v. Union of India (1987), may become increasingly relevant as AI systems are deployed in high-risk environments.

Illustrative Example If an AI-controlled military drone, operating autonomously, were to accidentally kill civilians, Indian courts would face an extremely complex question: is the developer of the AI system responsible, or the defence organisation that deployed it, or the individual military commanders who authorised its use? Under Section 304A IPC, causing death by negligence is a criminal offence, and the prosecution would need to establish which human actor’s negligence was the proximate cause of the tragedy.

C. AI Bias and Discrimination

A subtle but increasingly significant form of AI-related harm is algorithmic discrimination — the tendency of AI systems trained on biased historical data to reproduce and amplify patterns of discrimination in their outputs. AI systems used in recruitment, credit scoring, criminal sentencing recommendations, and law enforcement predictive tools have all been shown in various jurisdictions to produce outcomes that systematically disadvantage women, minorities, and economically weaker sections of society.

In India, the right to equality and non-discrimination is a fundamental right guaranteed by  Article 14  of the Constitution of India. Any AI system deployed by a state actor — or arguably even a private entity performing a public function — that produces discriminatory outcomes may be challenged as a violation of this constitutional guarantee. Furthermore, the  Equal Remuneration Act, 1976  prohibits discrimination in remuneration on the ground of sex and would apply directly to AI-driven payroll or promotion systems that produce gendered pay disparities.

Illustrative Example If a large employer uses an AI-based recruitment tool trained on historical hiring data reflecting past gender biases — and the tool consequently rejects a disproportionate number of qualified female applicants — the employer could be challenged under Article 14 of the Constitution and the Equal Remuneration Act. The company would struggle to justify the differential treatment, as the opacity of AI decision-making makes it extremely difficult to demonstrate that the outcomes were based on legitimate, non-discriminatory criteria.