Notes from the Asia-Pacific region: India's AI ecosystem, digital competition and more

August and September mark the beginning of India's "festival season," bringing good cheer all around. Among the bigger festivals celebrated in the western part of India — where I reside — is the 11-day Ganpati festival. It celebrates the birth of Lord Ganesha, or Ganpati, the Hindu god known as the remover of obstacles and the giver of wisdom.

It is a community festival — celebrated both publicly via large public installations by local communities and in homes, bringing families, like mine, together. My family has been celebrating this festival through generations for well over 250 years. It brings the whole clan together from across the world.

Good cheer always makes me look at the world around me positively. So while India's Digital Personal Data Protection Act rules did not pass — as widely anticipated — in Parliament's Monsoon session, lots of action has been taking place in the digital arena and, consequently, in governing it.

India's AI ecosystem

Fostering of the artificial intelligence ecosystem by the government continues with gusto. At a recent event, Additional Secretary and CEO, IndiaAI Mission, Ministry of Electronics and Information Technology Abhishek Singh said, "India is committed to building a robust and inclusive AI ecosystem through the deployment of 38,000 GPUs at affordable rates and the establishment of 600 data labs to accelerate AI research and innovation. Embedding responsible and ethical AI frameworks while combating misinformation will be critical as we move forward."

One of the actions signaling the intent for responsible AI is reflected in the release of the Reserve Bank of India's Framework for Responsible and Ethical Enablement of AI. This framework is the output of the FREE-AI Committee, established by the RBI 26 Dec. 2024, and tasked with creating guidelines for AI adoption by sectors under the RBI's purview — which includes banks, nonbanking financial companies and financial technology firms. 

Known for its proactive approach, the RBI's work has often set the tone other regulators in India tend to converge around. Hence this framework is a significant one for India.

The framework establishes seven "sutras" or foundational principles for AI deployment: trust is the foundation; people first; innovation over restraint; fairness and equity; accountability; understandable by design; and safety, resilience and sustainability.

To operationalize these, the framework outlines six strategic pillars that cover the twin objectives of enabling innovation while mitigating risk. For innovation enablement, the pillars focus on infrastructure, policy and capacity, and for risk mitigation, the focus is on governance, protection and assurance.

To mitigate AI risks, it recommends: forming a board-approved AI policy; expanding product approval processes, consumer protection frameworks and audits to include AI-related aspects; augmenting cybersecurity practices and incident reporting frameworks; establishing robust governance frameworks across the AI lifecycle; and making consumers aware they are dealing with AI.

Progress is being made not just on guardrails around AI but also in other arenas that impact the digital economy.

Gig workers

The government of Karnataka, a state in the south of India, the capital of which is Bengaluru, passed a landmark law to protect the rights of gig workers.

For some context, there were an estimated 12 million gig workers in India in FY 2024-25, projected to increase to 23.5 million by 2029-30, per a report from NITI Aayog. Most of these workers are associated with app-driven platform services like rideshare, food delivery and other hyper local e-commerce services. The social welfare and protection of these gig workers has been a topic of debate in recent years.

While looking at all facets of welfare for gig workers, an aspect that may be of interest to privacy professionals is a section around algorithmic transparency. The law states platforms are required to explain "automated monitoring and decision making parameters … including but not limited to fares, earnings, customer feedback and allied information."

Further, this explanation needs to be in simple language — the local state language Kannada, English, or any other language from the Eighth Schedule of the Indian constitution.

Another section of the law talks of non-discrimination, stating, "The aggregator or platform shall take measures to prevent discrimination on the basis of religion, race, caste, gender, or place of birth or on the grounds of disability by the automated monitoring and decision making systems deployed."

This law is expected to set a potential model for other states to follow.

Legislative updates

Meanwhile, even on the DPDPA front, it is not complete silence. The overlap of digital competition and privacy is one aspect being discussed and debated, the main thought being that in digital markets, data — especially personal data — tends to be at the center, giving near-monopolistic advantages to bigger players while, simultaneously, creating privacy-related issues. Consequently, the governance of competition and data protection cannot be done in silos.

In this regard, Chairperson of the Competition Commission of India Ravneet Kaur recently held a meeting with Ministry of Electronics and Information Technology Secretary S. Krishnan to deliberate on issues relating to the DPDPA and other matters, such as interface with competition law and the CCI's work in digital markets.

The judiciary is also not far behind in articulating caution while adopting technology. At a seminar organized by the Supreme Court Bar Association, Supreme Court of India Judge Vikram Nath warned that AI is an aid, not an arbiter.

While it can — and is — being used as a tool to reduce delays and assist in research, Nath said, "the ultimate act of adjudication must remain a human function." In highlighting the issues of algorithmic bias, lack of transparency and accountability, his resounding statement was, "A judge is not an algorithm."

Steps forward, steps backward

While all the above may instill a sense of things moving ahead on the governance front, instituting guardrails in a rapidly escalating digital world is messy. For every step forward, there is a step backward. So, we also saw measures that would likely set us back.

For example, Parliament passed the amended Income Tax Act 12 Aug., overhauling the 60-year-old law to make it relevant in the digital age. The Income-Tax (No.2) Bill gives significantly expanded search and seizure powers to tax authorities over "virtual digital spaces." The reasoning stated is to enable authorities to unearth data tucked away in emails, cloud and encrypted services. Experts are concerned minimal thresholds are provided for this and that abuses can result in compromising privacy.

In another example, the Ministry of Road Transport and Highways released a data sharing policy 18 Aug. that provides procedures for sharing data it collects via various channels in the transport ecosystem, like vehicle registration data. The policy acknowledges the ministry controls personal and sensitive data and its procedures on data sharing should ensure compliance with the DPDPA.

Measures stated include sharing only "bulk data" under "exceptional" circumstances and masking personally identifiable information before sharing, except when sharing with police, law enforcement or national security.

Apprehensions have been voiced about the efficacy of the measures and its potential for misuse downstream.

And as data proliferates, can cybercrime be far behind?

The Indian Parliamentary Standing Committee on Home Affairs presented its 254th report 20 Aug. on cybercrime. Key recommendations center around changes required on the legislative, investigative and enforcement fronts, the impact of AI, and financial frauds.

The report notes current laws pertaining to cybercrime are spread across multiple statutes, creating both enforcement and judicial challenges. It recommends establishing an integrated cybercrime task force and significantly increasing penalties. It also calls for "increased coordination between government agencies, regulators, technology platforms, and civil society for knowledge sharing and capacity building in the cyber space."

Some statistics published in conjunction with the report are hardly encouraging. The National Cybercrime Reporting Portal received an aggregate of over 5.4 million complaints from its August 2019 inception to November 2024. At 85%, financial cybercrimes form the largest component of the cases reported, collectively accounting for a total amount of 31,594 crore.

Shivangi Nadkarni is senior vice president and general manager, digital trust at Persistent Systems.