Authored By: Sahil Joshi
CHRIST (Deemed to be University), Bangalore
I. Introduction
Artificial intelligence is no longer a subject confined to research laboratories or technology companies. It has entered courtrooms, hospitals, banks, and government offices, and it is making decisions that directly affect people’s lives. In India, AI tools are being used to assist clinical diagnosis, evaluate loan applications, flag welfare beneficiaries for exclusion, and even assist in predictive policing. Yet, when one of these systems produces an erroneous output that causes injury, there is no clear answer in Indian law to the basic question: who is legally responsible?
This is not merely a theoretical gap. Consider a patient in a government hospital whose treatment is guided by an AI-powered diagnostic support tool that misidentifies a condition. Or a small trader in a Tier-2 city whose credit application is wrongly rejected because an algorithm weighed certain demographic variables in a discriminatory way. These are not hypothetical scenarios; they are already occurring. The injured party in each case has nowhere certain to go. The developer of the AI system, the hospital or bank that deployed it, and the State that perhaps funded it will all seek to distance themselves from responsibility.
AI systems occupy an awkward position in legal terms. They are not legal persons capable of being sued.[1] Nor are they simple instruments like a hammer or a car, whose defects can be traced to a single manufacturer. They are the product of layered decisions spread across developers, data providers, training engineers, and deploying organisations, often in multiple countries. India published its National Strategy for Artificial Intelligence in 2018 and has since produced several policy papers through NITI Aayog.[2] However, dedicated AI legislation has not followed. Courts and litigants are left to apply frameworks designed for a world that did not anticipate algorithmic decision-making.
This article examines how existing Indian legal frameworks handle AI-related harm and where they fall short. Section II surveys tort law, the Information Technology Act, 2000, and the Consumer Protection Act, 2019. Section III identifies three structural problems that cut across all of these frameworks. Section IV draws on the European Union’s recent regulatory experience for comparative perspective. Section V proposes a tiered liability model suited to Indian conditions. Section VI offers concluding observations.
II. The Existing Legal Landscape
A. Negligence and the General Tort Framework
Indian tort law, inherited from English common law, requires a claimant to establish four elements: a duty of care owed by the defendant, a breach of that duty, a causal link between the breach and the harm, and actual damage. Each of these elements presents specific difficulties when applied to AI.[3]
The duty of care question is relatively manageable. Developers and deployers of AI systems should, and likely do, owe a duty of care to persons who are foreseeably affected by the system’s outputs. The more difficult questions arise at the breach and causation stages.
On breach, the central difficulty is identifying the applicable standard of care. If an AI tool assisting a physician recommends the wrong drug, is the relevant standard that of a reasonably competent general practitioner, a specialist, or something derived from the system’s own technical specifications? No Indian court has settled this. The standard of the “reasonable person” was developed with human defendants in mind, and applying it to a machine requires assumptions that the law has not yet made explicit.
Causation is even harder. Modern AI systems, especially those built on deep learning architectures, do not produce outputs through a logic chain that is easily auditable. Even the engineers who built the system often cannot explain why a particular input produced a particular output. This opacity creates a fundamental evidentiary problem for plaintiffs: they cannot show, with any precision, which design choice or training decision caused their injury. The doctrine of res ipsa loquitur could theoretically help, since harm from a malfunctioning AI might speak for itself. However, the doctrine classically requires that the defendant had exclusive control over the instrument, and AI systems are typically developed and operated by multiple parties spread across organisations and jurisdictions.
B. Absolute Liability and M.C. Mehta
For activities that are inherently dangerous, Indian law has developed a stricter standard than the English rule in Rylands v. Fletcher. In M.C. Mehta v. Union of India,[4] Justice Bhagwati held that enterprises engaged in hazardous activities are absolutely liable for resulting harm, with no exceptions for acts of God, third-party intervention, or contributory negligence. The greater the benefit the enterprise derives from the activity, the higher the compensation it must pay.
There is a reasonable argument that high-stakes AI deployments fall within this doctrine. An AI system that assists in making irreversible medical or judicial decisions, or one that controls physical infrastructure, introduces risks of the kind that M.C. Mehta was designed to address. Applying absolute liability to such systems would mean that the developer-deployer consortium is liable for harm regardless of fault, which would create powerful incentives for ex ante safety investment. No Indian court has made this extension yet, and the analogy remains open.[5]
C. The Information Technology Act, 2000
Section 79 of the Information Technology Act, 2000 provides intermediaries with a safe harbour from liability for third-party content that passes through their networks or platforms, subject to conditions of due diligence and absence of actual knowledge of the unlawful content.[6] Several AI platform providers have argued that this provision shields them from liability for outputs generated by their systems.
This argument is difficult to accept. Section 79 was designed to protect passive conduits and hosting platforms. An AI system is not passive; it actively generates outputs in response to inputs. A medical AI tool that recommends a treatment, a credit scoring model that rejects a loan application, or a generative AI tool that produces harmful content is doing something qualitatively different from a platform that merely stores what users have posted. Treating AI-generated harm as third-party content for which the platform bears no responsibility would extend the provision far beyond its legislative intent and would leave injured parties without a remedy.
D. The Consumer Protection Act, 2019
The Consumer Protection Act, 2019 defines “product” broadly[7] and imposes liability on manufacturers and service providers for defects and deficiencies causing harm.[8] In principle, an AI tool that injures a consumer could constitute either a defective product or a deficient service. Consumer fora have recently begun to encounter such claims, though no authoritative ruling has yet emerged.[9]
The Act’s difficulty in this context is structural. Its liability framework presupposes that a product or service can be traced back to an identifiable manufacturer or provider with a clear relationship to the consumer. AI systems are often assembled from components developed by different firms in different countries, fine-tuned by deploying organisations, and accessed by consumers through intermediaries. Identifying the correct defendant, let alone proving which element of this chain was defective, is a task the Act does not currently equip claimants to perform.
III. Three Structural Problems
Looking across the frameworks discussed above, three structural problems recur and, in combination, produce a liability gap that cannot be filled by interpretation alone.
The first is the attribution problem. When an AI system causes harm, the causal chain typically runs through a large number of actors: those who compiled the training data, those who designed the model architecture, those who made choices during fine-tuning, and those who deployed the system in a particular context. No single actor in this chain can be said to have caused the harm in the way that the driver of a vehicle causes an accident or a manufacturer causes injury through a defective product.[10] Joint tortfeasance rules and vicarious liability doctrines were designed for human beings operating in recognisable organisational hierarchies; they do not easily accommodate distributed AI development pipelines.
The second is the opacity problem. Most commercially deployed AI systems are proprietary, and their internal workings are not publicly disclosed. A plaintiff who wishes to argue that the system had a design defect or was trained on biased data faces an evidence problem that is not merely factual but structural: the information she needs to prove her case is entirely in the possession of the defendant and protected by trade secret law.[11] Indian civil procedure does not have discovery mechanisms as broad as those in American or English courts, which aggravates this asymmetry considerably.
The third is the autonomy problem. Many high-stakes AI deployments in India involve decisions that directly affect individuals’ fundamental rights. A welfare algorithm that excludes a family from food security benefits, or a court-facing recidivism prediction tool that influences a judge’s sentencing decision, is not merely a commercial matter; it engages the right to life and personal liberty under Article 21 of the Constitution.[12] The Supreme Court’s ruling in K.S. Puttaswamy (Retd.) v. Union of India[13] established privacy as a fundamental right and implicitly raised questions about automated processing of personal data. The Digital Personal Data Protection Act, 2023[14] takes some steps toward data subject rights, but it does not establish a right to contest or seek explanation for automated decisions, which is precisely what individuals affected by AI-driven determinations need.
These three problems are not independent of each other. Opacity makes attribution harder. Diffuse attribution weakens the incentive for any single actor to invest in transparency. And without transparency, the autonomy rights of affected individuals remain unenforceable in practice.[15] Any meaningful liability regime must address all three together.
IV. Comparative Perspective: The European Union’s AI Act
The European Union’s AI Act, which entered into force in August 2024 after a long legislative process, is the most comprehensive attempt anywhere in the world to regulate AI across its entire lifecycle.[16] It classifies AI systems into four risk categories: unacceptable risk (banned), high risk (subject to detailed ex ante requirements), limited risk (transparency obligations only), and minimal risk (essentially unregulated).[17]
For high-risk systems, which include AI used in medical devices, employment screening, credit evaluation, and law enforcement, the Act imposes conformity assessments before market entry, mandatory logging of system outputs and decisions, post-market surveillance requirements, and technical documentation that must be sufficiently detailed to allow regulatory audit. These requirements directly address the opacity and attribution problems identified above: by mandating that AI systems leave an auditable trail, the Act creates the evidentiary infrastructure that any downstream liability litigation requires.
The Act does not resolve the civil liability question on its own; that is left to member states’ domestic tort law and to a companion AI Liability Directive that remains under discussion among EU institutions. But it establishes something India currently lacks: a legally enforceable obligation on developers and deployers to maintain records that can be used in legal proceedings.[18] The experience of the EU suggests that building this evidentiary infrastructure is a necessary precondition for effective liability rules, not an afterthought.
The European Parliament’s 2017 resolution on civil law rules for robotics had earlier floated the idea of granting sophisticated AI systems a form of “electronic personhood,” which would allow them to hold assets and bear certain obligations.[19] This proposal attracted significant criticism from legal scholars and has not been taken forward in subsequent EU legislation. The concern is well-founded: attributing legal personality to a machine risks obscuring the responsibility of the human beings and organisations that created and deployed it. India should be cautious about following any such path.
V. A Tiered Liability Model for India
Given the structural problems identified above and the comparative lessons from the EU, this article proposes a three-tier liability framework for AI-related harm in India. The framework is designed to work within the existing constitutional structure and to build on, rather than displace, established common law principles.[20]
The first tier covers high-stakes AI systems: those deployed in clinical medicine, criminal justice, public welfare administration, and autonomous transportation. For these systems, the absolute liability standard from M.C. Mehta[21] should apply. The developer-deployer consortium should be jointly and severally liable for harm caused, with rights of contribution between parties in the supply chain. This rule internalises the cost of AI-related injury into the entities that profit from the technology’s deployment, and it removes the need for plaintiffs to penetrate the opacity of the system in order to establish fault.
The second tier covers medium-risk AI systems: recommendation engines, automated content moderation tools, and AI-assisted administrative decision-making. Here, a rebuttable presumption of negligence should apply where harm results from the system’s output. Once the plaintiff establishes that the AI system produced a harmful output that affected her, the burden should shift to the defendant to show that the system was designed, trained, and deployed in accordance with applicable standards and best practices. This approach is consistent with how Indian courts have handled evidentiary shifts in other contexts involving information asymmetry.[22]
The third tier covers low-risk AI systems, such as basic recommendation tools or automated customer service applications. Here, ordinary negligence and product liability rules under the Consumer Protection Act, 2019 should apply without modification, save for one addition: liability should be proportional to the degree of customisation the deployer applied to an underlying general-purpose model.[23] A firm that deploys an off-the-shelf AI model without modification is in a different position from one that has fine-tuned the model for a specific and sensitive application.
Alongside these substantive rules, three procedural and institutional reforms are necessary. First, a mandatory incident reporting regime should be established under the Ministry of Electronics and Information Technology, requiring deployers of AI systems above a specified usage threshold to report harm events to a designated authority.[24] This would create a publicly accessible record that informs future litigation and policy revision. Second, periodic independent audits of high-risk and medium-risk AI systems should be required as a condition of market operation, with audit reports held by the regulatory authority and made available in legal proceedings subject to appropriate confidentiality protections. Third, courts hearing AI liability claims should be expressly empowered to appoint independent technical experts and to order disclosure of training data composition, model architecture documentation, and testing logs, with trade secret protection available through in-camera review rather than blanket non-disclosure.
This framework must also be read alongside India’s data protection regime. A substantial share of AI-related harm originates in defective or biased training data; a model is only as reliable as the data on which it was trained.[25] Responsibility for harm caused by data quality failures must rest with those who assembled and curated the training dataset, and this needs to be explicitly addressed in any forthcoming AI legislation. NITI Aayog’s Responsible AI framework articulates this principle in non-binding terms[26]; it deserves to be placed on a statutory footing.
VI. Conclusion
The legal challenge posed by AI-related harm in India is not a distant problem waiting to materialise. It is already here, in the form of patients, borrowers, welfare recipients, and job applicants who have suffered injury from algorithmic decisions and have no clear legal path to relief. India’s existing frameworks, built from nineteenth-century tort principles, a twenty-five-year-old intermediary liability provision, and consumer protection rules designed for physical goods, are not adequate to address it.
The inadequacy is structural rather than interpretive. The attribution of harm across distributed AI development pipelines, the opacity of proprietary systems, and the under-protection of autonomy rights against algorithmic decision-making cannot be resolved by clever application of existing doctrines. They require new legislative choices about who should bear the cost of AI-related failure.
The tiered liability model proposed here is not offered as a finished solution but as a framework for legislative deliberation. It draws on India’s own constitutional and common law traditions, the risk-based logic of the EU’s AI Act, and the practical insight that liability rules cannot function without the evidentiary infrastructure that audit and reporting obligations create.
At stake is more than the resolution of individual disputes. If Indian law cannot hold AI systems accountable, it will effectively license the deployment of those systems without responsibility. For a country where AI is being rapidly adopted in public services that affect the most vulnerable citizens most directly, that is not an acceptable outcome. The legislature, the courts, and the executive need to engage with this question with some urgency.
BIBLIOGRAPHY
Primary Sources
India Const. art. 21.
The Information Technology Act, 2000, § 79 (India).
The Consumer Protection Act, 2019, §§ 2(9), 84 (India).
The Digital Personal Data Protection Act, 2023 (India).
The Motor Vehicles Act, 1988, § 161 (India).
The Indian Penal Code, 1860, § 304A (India).
M.C. Mehta v. Union of India, AIR 1987 SC 965 (India).
K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).
European Parliament, Regulation (EU) 2024/1689 of 13 June 2024 Laying Down Harmonised Rules on Artificial Intelligence, 2024 O.J. (L 1689) 1.
Secondary Sources
Ryan Abbott, The Reasonable Computer: Disrupting the Paradigm of Tort Liability, 86 GEO. WASH. L. REV. 1 (2018).
Jack Balkin, The Three Laws of Robotics in the Age of Big Data, 78 OHIO ST. L.J. 1217 (2017).
Saurabh Bindal & Priya Nair, Autonomous Systems and the Indian Tort Law Framework, 14 NALSAR L. REV. 87 (2023).
Shyam Divan & Armin Rosencranz, Environmental Law and Policy in India (2d ed. 2001).
Luciano Floridi et al., An Ethical Framework for a Good AI Society, 28 MINDS & MACHINES 689 (2018).
Vivek Data Mohanty, Liability for Algorithmic Harm in India: Gaps and Pathways, 9 INDIAN J. L. & TECH. 112 (2023).
Gary E. Marchetti, Artificial Intelligence: The Future Is Now, 24 J. LEGAL STUD. EDUC. 157 (2007).
Stephanie Bock & Eva Shreckenberger, The Problem of Establishing Legal Personality of AI Systems, 12 J. INT’L TECH. & INFO. MGMT. 45 (2022).
European Commission, Proposal for an Artificial Intelligence Act, COM (2021) 206 final (Apr. 21, 2021).
European Parliament Resolution of 16 February 2017 with Recommendations on Civil Law Rules on Robotics, P8_TA(2017)0051.
Ministry of Electronics and Information Technology, National Strategy for Artificial Intelligence (2018).
NITI Aayog, Responsible AI for All: Approach Document for India (2021).
[1]Stephanie Bock & Eva Shreckenberger, The Problem of Establishing Legal Personality of AI Systems: A Critical Analysis, 12 J. INT’L TECH. & INFO. MGMT. 45, 47 (2022).
[2]Ministry of Electronics and Information Technology, National Strategy for Artificial Intelligence (2018), https://www.niti.gov.in/sites/default/files/2019-01/NationalStrategy-for-AI-Discussion-Paper.pdf.
[3]Ryan Abbott, The Reasonable Computer: Disrupting the Paradigm of Tort Liability, 86 GEO. WASH. L. REV. 1, 3 (2018).
[4]M.C. Mehta v. Union of India, AIR 1987 SC 965 (India).
[5]Shyam Divan & Armin Rosencranz, Environmental Law and Policy in India 215-20 (2d ed. 2001).
[6]The Information Technology Act, 2000, § 79 (India).
[7]The Consumer Protection Act, 2019, § 2(9) (India).
[8]The Consumer Protection Act, 2019, § 84 (India).
[9]In re: AI-Assisted Medical Diagnosis Case, before the National Consumer Disputes Redressal Commission (2024) (unreported) (India). The commission examined whether an AI diagnostic tool’s erroneous recommendation constituted a ‘deficiency in service’ under the Act.
[10]Vivek Data Mohanty, Liability for Algorithmic Harm in India: Gaps and Pathways, 9 INDIAN J. L. & TECH. 112, 118 (2023).
[11]Luciano Floridi et al., An Ethical Framework for a Good AI Society: Opportunities, Risks, Principles, and Recommendations, 28 MINDS & MACHINES 689, 693 (2018).
[12]India Const. art. 21.
[13]K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).
[14]The Digital Personal Data Protection Act, 2023 (India).
[15]Saurabh Bindal & Priya Nair, Autonomous Systems and the Indian Tort Law Framework, 14 NALSAR L. REV. 87, 99 (2023).
[16]European Parliament, Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 Laying Down Harmonised Rules on Artificial Intelligence, 2024 O.J. (L 1689) 1.
[17]European Commission, Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act), COM (2021) 206 final (Apr. 21, 2021).
[18]Jack Balkin, The Three Laws of Robotics in the Age of Big Data, 78 OHIO ST. L.J. 1217, 1220 (2017).
[19]European Parliament Resolution of 16 February 2017 with Recommendations to the Commission on Civil Law Rules on Robotics, P8_TA(2017)0051 (2017).
[20]Gary E. Marchetti, Artificial Intelligence: The Future Is Now, 24 J. LEGAL STUD. EDUC. 157, 162 (2007).
[22]The Motor Vehicles Act, 1988, § 161 (India). The 2019 amendments introduced no-fault liability provisions relevant to emerging autonomous vehicle scenarios.
[24]Ministry of Electronics and Information Technology, supra note 2, at 22.
[25]NITI Aayog, Responsible AI for All: Approach Document for India (2021), https://www.niti.gov.in/sites/default/files/2021-02/Responsible-AI-22022021.pdf.
[26]NITI Aayog, supra note 18, at 14-15.
