Accountability Principle in DGPSI AI

Posted on August 2, 2025 by Vijayashankar Na

Amongst all AI Governance systems, one principle which stands out is the principle of “Accountability”.

In the context of “Data Fiduciaries” under DPDPA being responsible under law for compliance, “Accountability” under DPDPA mandates that the autonomous AI systems are “Accountable” to the Data Fiduciary.

Hence every AI algorithm by itself is a “Joint Data Fiduciary”. However since law recognizes the legal obligations only on a Juridical entity with a human who can be put behind bars if required, it is not possible to recognize the “AI Algorithm” by itself as a “Joint Data Fiduciary” in its full sense. It is the human who is responsible for the AI functioning who will be the “Joint Data Fiduciary” who could be liable under DPDPA. That human may be an individual behind a corporate entity such as the person identified under Section 85 of ITA 2000. The legal logic for such responsibility is Section 11 of ITA 2000.

Hence the current law as it exists in India makes the person who causes an automated system to behave in a particular manner responsible for its actions and when such responsible person is a corporate entity, the person responsible for the busienss or the CEO including the Directors etc who are not exercising “Due Diligence” shall be responsible.

No new law such as the Digital India Act is required to apply this principle.

Hence DGPSI AI considers that “Accountability” is an inherent legal requirement and has to be accommodated in the DGPSI AI.

Such accountability is implemented first by a mandated signature in the software and secondly by a disclosure of a “Handler” or “AI Owner” for every AI system.

The first accountability implementation starts from the deployer who has to embed the “Signature of the Developer” into the code. Subsequently, every owner of license should embed their signature so that a “Chain of AI ownership” is built into the software code. .

The “Disclosure” requirement may operate at the contract level so that whenever the license to use an AI is transferred,, the contract should declare who is responsible at the supplier’s end for the contractual terms. He becomes the “Handler” as disclosed.  The Data Fiduciary need not necessarily have access to the embedded ownership trail to go ahead.

Once a Data Fiduciary adopts an AI algorithm into his system it is his responsibility to designate a owner which should be disclosed to the Data Principals . For outsiders, the DPO himself is the responsible person and since all AI users could be considered as “Significant Data Fiduciaries”, DPO s shall be present in all cases. Internally it is open for the organization to  designate a process owner as the person accountable for the AI.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.