The Ministry of Electronic & Information Technology (MeitY) has recently issued an advisory which has the potential to regulate businesses that are using Artificial Intelligence (“AI”) models developed by them or third parties. In this article, we have analysed the scope of advisory, specifically to evaluate what compliance burden does it cast on businesses, and more importantly – which businesses are impacted, and which aren’t.
Brief background
All intermediaries in India must remain compliant with Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules) if they don’t want to risk the loss of statutory immunity (read safe harbour protection) granted to them. If an intermediary loses safe harbour, it may be made responsible for any and all illegal activities that takes place on its platform. MeitY has the powers to make and amend the IT Rules, and it is in relation to exercise of such powers, that it has issued the current advisory.
An intermediary, for the purposes of IT Rules, is essentially any person or entity that receives, stores, or transmits particular electronic records on behalf of another, or provides any services in relation to the particular electronic record.
Due to the wide nature of the above definition, all internet service providers, telecommunication service providers, web hosting service providers, data centres, search engines, online marketplaces etc. are regulated as intermediaries in India.
Scope of the advisory – What compliances does it prescribe?
The advisory essentially introduces three new compliances in relation to AI models, Large Language Models(“LLMs”), generative AI, software(s) and algorithm(s) (together “AI”): (a) AI should not exhibit any inherent bias or discrimination; (b) if the AI is under-tested or unreliable, then its availability to Indian users can take place only with an explicit permission of the Government of India, along with a declaration which indicates that the output may be unreliable; and (c) if the AI is capable of generating information, audio and/or video, which may be potentially used as misinformation or deepfakes, then a permanent label, metadata or identifier should be embedded in the output which identifies the computer resource from which such misinformation or deepfake was created or originated, as well as any other computer resource that modified or played a part in the misinformation or deepfake.
Scope of the advisory – Who does the advisory apply to?
Since the advisory has been issued in relation to IT Rules which apply to intermediaries, there is no doubt that the advisory is binding on the intermediaries.
Interestingly, the IT Rules do not regulate businesses who are using or leveraging AI in order to provide goods and services to end consumers. So, the real question is, does the advisory apply to any and all business that are developing or using AI capabilities?
From a plain reading of the advisory, it appears that the advisory does not directly apply to any and all businesses, if the businesses do not qualify as an intermediary. Most businesses developing or leveraging AI would not fall under the definition of an intermediary.
Unfortunately, the language of the advisory leaves room for other interpretations as well. One interpretation is that the advisory directs intermediaries, in their capacity as gatekeepers of information that is exchanged between businesses and consumers, to ensure that AI developed or leveraged by businesses is of a ‘standard’ quality (as defined in the advisory). Since internet service providers, search engines and web hosting service providers are all intermediaries under Indian law, the advisory may be viewed as an attempt by Government of India to indirectly control businesses that are developing or leveraging AI.
The Minister of IT, however, has clarified that the advisory is applicable to significant platforms only and not to start-ups. Unfortunately, there is no definition of significant platforms. Until further clarification is received, it may be safely assumed that only large platforms will be required to take explicit permission for using under-tested and unreliable AI whereas startups will not.
What changes now for businesses?
All intermediaries operating in India have to submit Action Taken-cum-Status Report (“ATS Report”) to the Ministry. It appears that all intermediaries have taken a conservative view of the advisory and are interpreting the advisory such that it applies only to intermediaries such as platforms (e.g. social media platforms). There is no clarity on the permission process from Government of India as of now.
We expect further clarity to be received in the coming days, once MeitY has reviewed the ATS Reports. Until then, it should be business as usual for most businesses other than those who qualify as intermediary under the IT Rules.
The most important thing for businesses to do as of now, is to evaluate whether the business qualifies as intermediary under IT Rules or not. If it qualifies as an intermediary, all the compliance burden associated with the advisory (described above) will immediately shift on the business.
All pragmatic businesses may consider starting preparations to introduce a permanent label, metadata or identifier in the output, as described above.
From a policy perspective, the advisory appears to be a clear declaration of intent by the Indian Government, that it is looking to regulate AI given its disruptive powers.