Module 1: AI & Machine Learning Law

The OECD developed the widely adopted AI definition in 2019, which has been incorporated into various regulatory frameworks including the EU AI Act.

The EU AI Act adopts a risk-based approach, classifying AI systems as unacceptable risk, high risk, limited risk, or minimal risk, with requirements proportionate to risk level.

NITI Aayog's Responsible AI framework includes 7 principles: Safety & Reliability, Equality, Inclusivity, Privacy & Security, Transparency, Accountability, and Positive Human Values.

India currently lacks a statutory definition of AI across all its major legislation including IT Act, DPDPA, Consumer Protection Act, and Copyright Act. This creates regulatory ambiguity.

The IT Rules 2025 definition of deepfake uses the "ordinary person" standard - media that could reasonably deceive an ordinary person into believing the depicted content is real.

IT Rules 2025 require AI content to be labeled using metadata, watermarks, and/or visible disclosures. Multiple methods may be required depending on content type.

IT Rules 2025 require deepfake content removal within 24 hours of receiving a complaint. This is stricter than the general 36-hour timeline for other AI content.

Shreya Singhal clarified that "actual knowledge" under Section 79(3)(b) requires court order or government notification - not mere user complaints or media reports.

The AI liability gap arises because AI's autonomy, opacity, and adaptability challenge traditional tort frameworks that assume human decision-making and predictable behavior.

AI classification as "product" depends on its form: embedded AI in hardware is clearly a product; SaaS AI is traditionally a service; the line is evolving in jurisprudence.

Vicarious liability analysis for AI focuses on whether the deployer (analogous to employer) controls AI operations and benefits from them, similar to employer-employee relationships.

CDSCO (Central Drugs Standard Control Organisation) regulates AI-powered medical devices under the Medical Devices Rules, 2017.

Class D (high-risk) AI medical devices require full clinical evaluation before market approval, demonstrating safety and efficacy for Indian patients.

RBI Digital Lending Guidelines require disclosure of key factors in AI credit decisions and a human intervention option for rejected applications.

SEBI's algorithmic trading framework mandates a kill switch - the ability to halt algorithm operations instantly in case of malfunction or adverse market conditions.

The UK Supreme Court in Thaler held that AI cannot be named as inventor - the Patents Act requires inventors to be natural persons who can hold and transfer rights.

Section 2(d)(vi) of the Copyright Act defines authorship of computer-generated works as belonging to "the person who causes the work to be created" - a unique provision in Indian law.

India's fair dealing provisions are narrower than US fair use and lack a "transformative use" doctrine. AI training on copyrighted works without license is legally risky.

Section 3(k) excludes "computer programme per se" from patentability. However, software with technical effect may be patentable - the "per se" limitation is key.

Historical bias occurs when training data reflects past discrimination - for example, hiring AI trained on historical data where women were underrepresented in certain roles.

Article 14 directly binds government AI. For private AI, constitutional principles may apply through statutes like DPDPA, consumer protection laws, and anti-discrimination provisions.

Proxy discrimination occurs when facially neutral variables (like pin code) correlate with protected characteristics (like caste/religion), causing indirect discrimination.

Under DPDPA Section 11, data principals have the right to access and correct personal data being processed, including by AI systems.

Demographic parity requires equal positive outcome rates across demographic groups - for example, equal approval rates for different communities in lending.

Pre-existing IP refers to each party's background technology, tools, and IP that existed before entering the contract - this typically remains with the original owner.

Best practice is to specify measurable performance metrics (like accuracy percentage on test data) with clear testing methodology, not absolute guarantees given AI's probabilistic nature.

Training rights clauses allowing vendors to use customer data to improve their general AI model are frequently contested. Customers may demand opt-out, anonymization, or exclusion.

Liability caps typically exclude IP infringement, gross negligence, willful misconduct, and data protection violations as these represent serious risks requiring uncapped exposure.

Effective AI governance includes multiple levels: Board (strategy), AI Steering Committee (policy), Ethics Committee (ethical review), and Legal/Compliance (regulatory compliance).

AI risk classification should primarily consider potential impact on individuals and fundamental rights - life/safety, financial harm, discrimination, privacy intrusion.

CERT-In directions require system logs to be maintained for a minimum of 180 days, which applies to AI systems processing user data.

The IndiaAI Mission approved in March 2024 has an allocation of approximately Rs. 10,372 crore covering compute capacity, innovation centers, datasets, and skills development.

Synthetic Media under IT Rules 2025 broadly covers any image, audio, video, or text content created, modified, or manipulated using AI/ML technologies.

Legal explainability requires AI decisions to provide reasons sufficient for judicial review - meeting natural justice requirements, not just technical documentation.

IRDAI is concerned about AI using proxy variables that correlate with prohibited factors (like genetic data, HIV status), leading to indirect discrimination in underwriting.

To overcome Section 3(k), AI patent claims should emphasize technical effect achieved by the AI and include hardware integration where possible, not just the algorithm.

The impossibility theorem shows that different fairness metrics are often mutually incompatible - achieving demographic parity may sacrifice calibration, and vice versa. Organizations must choose.

Model isolation means each customer's AI instance is logically separated from other customers, ensuring data is not commingled and outputs are not influenced by other customers' data.

Documentation serves dual purposes: operational effectiveness and legal defence. In litigation, documented processes, testing, and oversight demonstrate reasonable care and good faith compliance.

SSMIs must publish algorithm transparency reports annually, describing primary parameters, user control options, and measures against harmful content amplification.

Human-in-the-loop means a human approves every AI decision before it takes effect. This is the highest level of human oversight, distinct from "on-the-loop" (monitoring with intervention capability).

Critical infrastructure AI faces stringent requirements: security clearance for vendors, data localization in India, and mandatory manual override capability.

Trade secret protection avoids patent disclosure requirements (which reveal the innovation) and Section 3(k) challenges that computer programs "per se" face in patentability.

Pre-processing approaches address bias before training by resampling training data, removing biased features, or generating synthetic data for underrepresented groups.

DPDPA requires Data Processing Agreements with processing instructions, security measures, sub-processor restrictions, breach notification, audit rights, and data return/deletion provisions.

Effective AI advisory begins with understanding the AI: what type, what data it uses, which sectors apply, risk level, and geographic scope. This informs all subsequent advice.

The EU AI Act has extraterritorial application similar to GDPR. Indian companies serving EU customers must comply with its requirements for generative AI systems.

The radiologist's best defence is demonstrating they followed the standard of care for AI-assisted diagnosis - which includes appropriate human oversight, not blind reliance on AI.

Using copyrighted works for AI training involves reproduction - a right held by copyright owners. Without license or valid fair dealing defence, this may constitute copyright infringement.

AI governance should be proportionate to risk. Low-risk AI needs minimal oversight; high-risk AI (affecting life, rights, finances) requires comprehensive governance including ethics review and human oversight.