Who is liable if AI makes a wrong decision?
Updated · 6 July 2026
How is AI liability handled when there's no specific AI law?
India has no bespoke AI statute, so liability is stitched together from existing frameworks that courts and regulators adapt through interpretation.
Product liability under Sections 82-87 of the Consumer Protection Act, 2019 treats AI as a 'product' or part of a 'service' and holds manufacturer, seller and service provider jointly liable. Defects can be in manufacturing (flawed training data), design (biased algorithm) or marketing (oversold capabilities), with strict liability attaching to the harm caused. This framework has been applied to AI-driven medical diagnosis errors, autonomous vehicle accidents and harm from recommendation systems. Alongside it, ordinary negligence in tort — duty of care, breach, causation, damages — applies to any deployer that pushes AI live without adequate testing, accuracy validation, bias audits or human oversight where required. Causation is the hard link because algorithmic decisions are difficult to trace, but damages are usually quantifiable.
Contract law is the primary lever between businesses: AI service providers contractually warrant performance and SLAs specify accuracy, uptime and error rates; breach gives rise to damages, though B2B contracts often cap liability. Constitutional law catches AI decisions by state authorities — they are subject to Article 14 non-arbitrariness, algorithmic discrimination violates Article 15, and lack of explainability may cross into Article 21 due-process territory. Writ remedies are available.
Sector-specific rules add another layer: RBI's Digital Lending Guidelines require algorithmic credit decisions to be explainable and non-discriminatory, SEBI's algo trading framework mandates back-testing and kill switches, and IRDAI has issued principles for AI underwriting. The persistent challenge is causation and apportionment — when AI fails, was it the algorithm, the training data, the deployment context or the human oversight? Courts increasingly reach for res ipsa loquitur when AI harm is obvious.
What do MeitY's AI advisories require?
The Ministry of Electronics and IT has been issuing advisories that signal regulatory intent even ahead of formal legislation.
The March 2024 Advisory on AI / LLM platforms initially required MeitY permission before deploying 'unreliable' AI tools to Indian users, mandated labelling of synthetically generated content, called for originator information for AI-generated misinformation and bias-prevention measures. Significant clarifications and partial walkbacks followed. The November 2023 Deepfake Advisory confirmed that Section 66D IT Act applies to deepfake impersonation and Section 67 to obscene content, and that IT Rules 2021 takedown timelines (24 or 36 hours) apply. Platforms must label synthetic media and remove identifying captions to protect victims — see our deepfake guide.
The IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 mandate auto-moderation tools for unlawful content, grievance redressal with 24-hour acknowledgement and 15-day resolution, extra obligations for Significant Social Media Intermediaries (Chief Compliance Officer, Resident Grievance Officer) and content traceability for messaging platforms (under legal challenge). NITI Aayog's National Strategy for AI — the '#AIforALL' principles focused on healthcare, agriculture and education, and an ethics framework built on fairness, transparency, accountability and privacy — is not legally binding but is broadly influential.
The proposed Digital India Act, set to replace the IT Act 2000, is expected to bring dedicated AI provisions with tiered liability for low-risk vs high-risk AI and possibly a new 'Indian AI Authority'; the draft was awaited as of early 2026. Sectoral rules include the RBI Working Group on Digital Lending (2021) — explainable algorithmic credit decisions, no unauthorised personal data, no harassment AI in recovery — and the SEBI algo trading framework requiring approval, strict testing and kill switches for retail algo trading. Compliance is fragmented and moving fast; engage a reputable, specialised tech / data privacy lawyer for sector-specific advice.
Who is liable in specific AI scenarios?
Liability in AI harm typically distributes across several parties — case studies show how.
AI-driven medical misdiagnosis: the hospital and treating doctor carry primary liability under Consumer Forum jurisprudence and medical negligence per Jacob Mathew, the AI vendor is jointly liable under product liability if the tool was defective, and the data provider is on the hook if training data was misleading — see our medical negligence guide. Algorithmic credit denial: the bank or NBFC bears primary liability under RBI Fair Practices Code and DPDPA, must explain reasons because algorithmic decisions need explainability, and the algorithm vendor is exposed if discrimination is baked into the model — see our home loan rejection guide.
Deepfake harm: the creator is primarily liable under Section 66D IT Act and BNS provisions, the platform is liable if it fails to remove within IT Rules timelines, and the AI tool maker faces growing exposure under MeitY advisories — see our deepfake guide. Autonomous vehicle accident: the driver / operator remains liable under the MV Act even in autonomous mode, and manufacturer, software vendor and mapping-data provider face product liability for AI failure, alongside insurance complications — our car accident guide covers the mechanics. Algorithmic hiring bias: the employer faces anti-discrimination liability, the HR tech vendor is exposed if the algorithm is biased, and constitutional protections apply to public-sector hiring.
Where social media auto-moderation takes down legitimate content, the platform is primarily responsible, with the Grievance Appellate Committee (GAC) available for resolution — the IT Act safe harbour requires due diligence. Generative AI producing defamatory content: the user or publisher carries primary defamation liability under Section 356 BNS, the AI tool provider is under increasing scrutiny depending on its disclaimers and controls, and any aggregator or republisher is secondarily liable. AI-generated CSAM is treated most severely — Section 67B IT Act plus POCSO for creators, distributor liability, and strict platform liability under POCSO if not promptly removed. Complaints can typically be filed in parallel across the Consumer Forum, cyber cell, sectoral regulator and courts.
What rights do I have as an individual affected by AI decisions?
Individuals affected by AI decisions can draw on a bundle of rights across statutes, sectoral rules and constitutional protections.
The right to know AI is being used comes from DPDPA Section 5 (notice of processing), the MeitY advisory on AI-generated content labelling, and implicit consumer protection principles. The right to explanation is strongest in banking — RBI guidelines require written reasons for credit decisions — and follows from Article 14 non-arbitrariness for state action; DPDPA Section 11 (right to information) helps, and a fuller right is expected under the proposed Digital India Act. The right to human review is embedded in sectoral rules like RBI Digital Lending (important credit decisions need human review), in administrative law principles for state action, and is coming under the Digital India Act.
Non-discrimination: Articles 14 and 15 protect against discriminatory AI by the state, and statutory protections for women, SC/ST, disabled and transgender persons extend to AI-driven discrimination — see our discrimination guide. Opt-out is anchored in DPDPA — Section 6(4) allows withdrawal of consent and Section 12 gives a right to delete data — though options are limited for state-deployed AI. Correction under DPDPA Section 12 lets you fix wrong data underlying an AI decision and demand fresh assessment.
Compensation for AI harm is available through Consumer Forum, Civil Court or the sectoral grievance authority for financial loss, medical harm or reputational damage. Court challenges: writ petitions for state AI decisions, Consumer Commission for AI-driven services, and specific tribunals like TRAI or SAT for sector-specific AI. Practical steps when you are affected by an AI decision: demand a written explanation immediately, identify both the deployer and the algorithm vendor, look for a sector-specific complaint mechanism, document everything (outputs, communications, harm), and for substantial harm engage a reputable, specialised tech / civil lawyer.
What practical steps should AI deployers take to limit liability?
AI deployers reduce liability by putting a risk management framework in place before deployment and maintaining it afterwards.
Risk assessment starts with mapping potential harms to individuals, groups and society, running severity and probability analysis, and documenting mitigation strategies in an 'Algorithmic Impact Assessment'. Training data quality — audit for bias including demographic representation and edge cases, document provenance, confirm consent and legality of acquisition (avoid unlawfully scraped data), and retrain regularly with updated data. Model testing and validation should cover pre-deployment accuracy, bias across demographics, edge and adversarial cases, and continuous monitoring after launch.
Human oversight — human-in-the-loop for high-stakes decisions, override mechanisms, kill switches for runaway algorithms, and senior review for material decisions. Transparency and explainability — disclose AI usage, deploy explainable-AI techniques, provide plain-language reasons for decisions, and document model logic and parameters. DPDPA compliance requires informing users when AI processes their data, taking specific consent for sensitive processing, providing an easy withdrawal mechanism, and writing privacy notices in plain language.
Vendor management: due diligence on AI vendors, contractual warranties covering accuracy, bias and security, indemnification, and audit rights. Grievance redressal needs a named officer with India presence, time-bound resolution, an appeal mechanism and full documentation. Insurance — cyber liability, professional indemnity and specific AI / ML riders where available. Keep documentation of all design choices, validation, oversight, decision logs, customer complaints and their resolution — this evidence is decisive in liability disputes. Review periodically against the evolving regulatory landscape (MeitY advisories, sectoral guidelines), fresh court precedents, international standards (ISO, NIST AI Framework) and internal incident learnings. Engage a reputable, specialised tech / data privacy lawyer for compliance design; ongoing legal advice remains essential as the law evolves.
Disclaimer: Content provided here is for general legal knowledge only and does not constitute formal legal advice. If you have an urgent or specific matter, please consult a registered advocate.