Here is a view from Mr. M. G. Kodandaram, IRS., Assistant Director (Retd), ADVOCATE and CONSULTANT
Abstract
The rapid emergence of Artificial Intelligence (AI) has transformed public administration, governance, commerce, and legal systems worldwide. Recognising both the opportunities and risks associated with AI, the Supreme Court of India, through its AI Committee, issued the Draft “Regulations for Use of Artificial Intelligence (AI) in Courts, 2026” (herein after ‘draft AI regulations’ for brevity) on 3 June 2026 for public consultation. The draft regulations seek to establish a comprehensive governance framework for the deployment of AI within the Indian judicial ecosystem.
Simultaneously, India has entered a new era of data governance through the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Digital Personal Data Protection Rules, 2025(DPDP rules). Since AI systems fundamentally depend upon data for training, testing, validation, and deployment, the proposed judicial AI framework cannot operate independently of data protection laws.
This article examines the interaction between the Draft AI Regulations and the DPDP Act, together with the DPDP Rules. It analyses how principles such as purpose limitation, data minimisation, privacy by design, consent management, security safeguards, anonymisation, accountability, transparency, and data fiduciary obligations influence the design and implementation of AI systems in courts. The article also evaluates potential legal challenges and suggests a pathway toward responsible judicial AI governance in India.
—————————————————————————————————-
- Introduction
Artificial Intelligence (AI) has emerged as one of the most transformative technologies of the twenty-first century, prompting judicial institutions worldwide to adopt AI-enabled tools for legal research, document management, translation, transcription, case scheduling, intelligent search, record summarisation, and other administrative functions. In India, initiatives such as SUPACE, SUVAS, AI-based translation systems, intelligent legal databases, and the digital infrastructure developed under the e-Courts Mission Mode Project reflect the judiciary’s growing engagement with AI. While these technologies offer significant opportunities to enhance efficiency and access to justice, they also raise important concerns relating to privacy, fairness, transparency, algorithmic bias, explainability, accountability, judicial independence, and the protection of sensitive judicial data.
Recognising both the potential and risks of AI, the Supreme Court’s AI Committee has proposed the Draft Regulations for Use of AI in Courts. The significance of this initiative is heightened by the existence of India’s dedicated data protection framework under the DPDP Act, 2023 and the DPDP Rules, 2025, which are expressly integrated into the draft regulations. Together, these developments represent India’s first comprehensive attempt to harmonise judicial governance, AI regulation, and personal data protection within a unified regulatory framework.
- Brief Overview the DPDP Act, 2023
The DPDP Act, 2023 establishes a comprehensive legal framework for the processing of digital personal data in India. The Act applies to personal data collected in digital form, digitised personal data, processing activities carried out within India, and certain processing activities outside India where goods or services are offered to individuals in India. It identifies key stakeholders in the data ecosystem, namely the Data Principal, whose personal data is being processed; the Data Fiduciary, which determines the purpose and means of such processing; the Data Processor, which processes data on behalf of the Data Fiduciary; and the Significant Data Fiduciary, a category of entities notified by the Central Government based on the volume and sensitivity of data handled.
The Act is founded on internationally recognised principles such as lawful processing, purpose limitation, data minimisation, storage limitation, accuracy, accountability, security safeguards, and grievance redressal. These principles provide the essential framework for ensuring responsible and trustworthy deployment of AI systems within judicial institutions.
III. Incorporation of DPDP provisions into the Draft AI Regulations
The importance of data protection becomes particularly pronounced in the context of judicial use of AI because courts routinely process and store enormous volumes of highly sensitive personal information. Judicial records frequently contain names and address of litigants, Aadhaar numbers, financial and banking information, medical records, criminal histories, details of family and matrimonial disputes, evidence relating to sexual offences, identities of witnesses, juvenile records, biometric data, and commercially confidential information.
A notable feature of the Draft Regulations for Use of AI in Courts, is the conscious and systematic incorporation of concepts and terminology drawn from the DPDP provisions. The Regulations expressly adopt several key data protection concepts that are essential for the responsible use of AI in judicial environments. For instance, Regulation 3(1)(k) defines “Anonymisation” in a manner that closely aligns with contemporary privacy standards by requiring the irreversible removal or transformation of identifiers so that an individual cannot be identified either directly or indirectly. This concept assumes particular importance in the context of AI training datasets, where large volumes of judicial information may be used for machine learning and analytical purposes.
Similarly, Regulation 3(1)(s) expressly adopts the meaning of “Data” as assigned under Section 2(h) of the DPDP Act, thereby ensuring statutory consistency and avoiding interpretational conflicts between the two regulatory frameworks. Such harmonisation promotes legal certainty and facilitates uniform compliance standards across judicial institutions that process personal information through AI systems. Another significant incorporation is found in Regulation 3(1)(t), which introduces a detailed formulation of the principle of “Data Minimisation.” Under this provision, AI systems are required to collect, retain, and process only such data as is strictly necessary for achieving the specified and legitimate purpose for which the system is deployed.
The Regulations further recognise the unique sensitivity of information handled by courts through the introduction of the category of “Sensitive Judicial Data” under Regulation 3(1) (zh). This specialised classification acknowledges that judicial records often contain highly confidential information relating to litigants, witnesses, victims, juveniles, medical conditions, financial affairs, criminal proceedings, and other matters affecting personal dignity and legal rights. By creating a distinct category deserving heightened protection, the Regulations adopt an approach comparable to sensitive data classifications recognised in international privacy frameworks. Collectively, these provisions demonstrate that the Draft Regulations do not treat AI merely as a technological tool but seek to embed privacy, accountability, and data governance safeguards at the core of judicial AI deployment.
Consequently, the DPDP Act serves as the foundational pillar of judicial AI governance and provides the legal architecture necessary to ensure that technological innovation within the justice system remains consistent with privacy, fairness, and constitutional values.
- Data Protection and Privacy as Foundational Principles
Regulation 10 of the Draft AI Regulations represents the clearest integration of the DPDP Act into the governance framework for judicial AI. It mandates that the processing of personal data through AI systems be governed by the principles of purpose limitation, data minimisation, and privacy by design, thereby incorporating core data protection obligations directly into judicial AI regulation. The provision recognises that the adoption of AI in courts cannot be divorced from the protection of personal data and individual privacy.
A central feature of Regulation 10 is its emphasis on purpose limitation. Under the DPDP framework, personal data may be processed only for a specified and lawful purpose. Applied to judicial AI, this means that information collected for adjudication, case management, or judicial administration cannot automatically be repurposed for AI training, algorithm development, or other secondary uses. Judicial records, therefore, cannot be treated as unrestricted datasets for technological experimentation. Any secondary use must be supported by a lawful basis, appropriate authorisation, and compliance with applicable privacy safeguards.
The regulation also incorporates the principle of privacy by design, requiring privacy protections to be embedded into AI systems from the outset rather than added later as compliance measures. This necessitates safeguards such as access controls, encryption, role-based permissions, audit logs, retention limits, and regular security assessments, particularly given the sensitive nature of judicial data.
Through the integration of these principles, Regulation 10 brings judicial AI governance in line with global best practices and firmly anchors it within India’s data protection regime under the DPDP Act.
- Human Rights, Privacy and the Puttaswamy Doctrine
The constitutional basis of privacy protection within the Draft Regulations is rooted in the landmark judgment of the Supreme Court in Justice K.S. Puttaswamy v. Union of India, which recognised privacy as a fundamental right under Article 21 of the Constitution. The nine-judge Bench held that privacy is inseparable from individual dignity, autonomy, and personal liberty, and that the collection, storage, and use of personal information must be subject to constitutional safeguards. This decision laid the foundation for India’s contemporary data protection framework, including the DPDP Act, 2023.
The Draft AI Regulations seek to operationalise these constitutional principles in the context of judicial AI. Reflecting the spirit of Puttaswamy, Regulation 10(2) expressly provides that “the right to privacy shall be ensured in all AI-related operations of Courts.” This provision elevates privacy from a procedural compliance requirement to a governing constitutional principle for the deployment of AI within the justice system.
The regulation further reinforces the principle that technological innovation in courts must remain subject to judicial oversight and constitutional limitations. AI systems that result in excessive data collection, unauthorised profiling, intrusive surveillance, or disproportionate interference with personal information may therefore be vulnerable to constitutional challenge and judicial review. In this sense, the Puttaswamy doctrine serves as the normative foundation of the emerging judicial AI governance framework, ensuring that the adoption of AI in courts remains aligned with the constitutional commitment to privacy, dignity, liberty, and human rights.
- Transparency and Explainability under Regulation 7
Regulation 7 addresses one of the most significant challenges associated with the use of AI in the judiciary — the opacity of AI systems. Many AI models operate as “black boxes,” generating outputs without clearly revealing the reasoning behind them. Such opacity is inconsistent with the judicial principles of transparency, accountability, and reasoned decision-making. To address this concern, Regulation 7 requires AI systems used in courts to adhere to the principles of transparency, explainability, intelligibility, and disclosure of decision logic, while subjecting opaque systems to heightened scrutiny.
These requirements complement the DPDP Act, 2023, by extending the concept of accountability beyond data processing to algorithmic decision-making. The regulation recognises that AI systems influencing legal rights or judicial processes must be capable of explanation and review.
The need for explainability is particularly important where AI tools assist in functions such as bail prioritisation, case listing, sentencing analysis, risk assessment, or document relevance ranking. In such situations, affected parties may legitimately seek to know what data was used, why a recommendation was generated, whether bias influenced the outcome, and whether the recommendation can be challenged or corrected. These questions are central to procedural fairness and due process.
By requiring AI-generated outputs to be understandable and open to scrutiny, Regulation 7 helps ensure that AI-assisted judicial administration remains consistent with constitutional values, principles of natural justice, and public confidence in the justice system.
VII. Regulation 12 and the Principle of Proportionality
Regulation 12 adopts a risk-based approach to judicial AI governance, recognising that different AI applications pose varying levels of risk to personal liberty, legal rights, and judicial outcomes. The regulation requires safeguards to be proportionate to the level of risk involved, reflecting a widely accepted approach in contemporary AI governance. Under this framework, AI systems used for administrative functions such as scheduling and case management are treated as low-risk, while research and analytical tools may fall within the medium-risk category. Applications that influence bail decisions, sentencing, detention, or adjudicatory processes are regarded as high-risk because of their potential impact on fundamental rights and individual liberty.
For such high-risk uses, Regulation 12 mandates enhanced safeguards, including meaningful Human-in-the-Loop oversight. This ensures that critical judicial decisions remain subject to human review and final determination, preventing any form of autonomous judicial decision-making. The regulation reflects the constitutional doctrine of proportionality, under which greater restrictions on rights require stronger justifications and safeguards.
VIII. AI Training and DPDP Compliance: Regulation 20
Regulation 20 is one of the strongest data protection safeguards in the Draft AI Regulations and creates a direct link between judicial AI governance and the DPDP Act. It prohibits the use of personal data for training, testing, or refining AI systems unless prior approval has been obtained and all applicable data protection requirements are satisfied.
This provision addresses a critical concern in modern AI development, where machine-learning systems are typically trained on large datasets. Unlike publicly available internet content, judicial records contain highly sensitive information relating to litigants, accused persons, witnesses, victims, minors, and other participants in the justice system. Such records may include personal identifiers, financial details, medical information, family disputes, and criminal allegations, making their use for AI development particularly sensitive.
To address these concerns, Regulation 20 requires judicial approval before court records can be used for AI training or testing. This ensures that courts retain control over judicial data and prevents indiscriminate sharing with technology developers or third parties. The regulation also mandates compliance with applicable data protection laws, effectively extending DPDP principles such as lawful processing, purpose limitation, data minimisation, and accountability to AI training activities.
By placing oversight responsibilities on judicial authorities, Regulation 20 reinforces the role of courts as custodians of sensitive personal data.
- Consent and Legitimate Processing Challenges
One of the most challenging issues at the intersection of AI and data protection concerns the use of judicial data for AI development and training. Under the DPDP Act, personal data processing generally requires either the consent of the individual concerned or a recognised ground of legitimate use. Applying these principles to judicial records raises complex legal questions.
Information disclosed during court proceedings differs from data voluntarily provided in commercial or digital contexts. Litigants, witnesses, victims, and other participants often disclose personal information because it is required for the adjudication of disputes and the administration of justice. Such information is furnished with the expectation that it will be used for judicial purposes, not for training or refining AI systems. Consequently, the secondary use of court records for AI development raises concerns relating to purpose limitation, informed consent, and the reasonable expectations of data principals.
A critical question is whether the original consent associated with judicial proceedings can extend to AI training activities. Since the data is collected primarily for adjudicatory purposes, extending its use to AI development may exceed the original purpose of collection. Similarly, while courts may rely on their statutory functions to adopt technological tools, any such use of personal data must still satisfy the requirements of necessity, proportionality, and lawful processing.
These challenges highlight the importance of anonymisation and de-identification as safeguards for balancing innovation with privacy protection. Although the Draft Regulations recognise these concerns, they do not fully resolve them, indicating a need for clearer rules governing consent, secondary use of judicial data, anonymisation standards, and institutional accountability.
- Regulation 48 and Sensitive Judicial Data
Regulation 48, of the Draft Regulations, provides the most comprehensive privacy protection framework for judicial AI systems. It establishes safeguards for the protection, management, and lawful use of sensitive judicial data, reflecting the objectives of the DPDP Act.
One of the salient features of the regulation is its restriction on the transfer of sensitive judicial data. Such data cannot be shared with external systems or third parties without express written authorisation. This safeguard is particularly important where cloud service providers, AI vendors, consultants, or analytics firms are involved in judicial technology projects, ensuring that confidential court information is not disclosed without proper oversight.
The regulation also mandates technical and organisational safeguards, including encryption, contractual controls, access restrictions, and cybersecurity measures. These requirements help protect judicial data from unauthorised access, misuse, and security breaches while ensuring accountability among entities handling such information.
In addition, Regulation 48 incorporates the principle of data minimisation by encouraging the adoption of AI systems that require the least amount of personal data necessary to achieve their objectives. It further promotes anonymisation wherever technically feasible before data is used for AI training, testing, or refinement, thereby reducing risks of re-identification and privacy violations.
- Cybersecurity Obligations and the DPDP Framework
Effective protection of personal data in judicial AI systems depends not only on privacy safeguards but also on robust cybersecurity measures. Recognising this, the Draft Regulations treat cybersecurity as an essential component of AI governance, consistent with the DPDP Act, which requires reasonable security safeguards to protect personal data from breaches and unauthorised access.
Regulation 48(5) operationalises these obligations by mandating annual cybersecurity audits, reporting of audit outcomes, and maintenance of audit records. These requirements ensure that cybersecurity remains an ongoing process of monitoring, assessment, and improvement rather than a one-time compliance exercise. Regular audits help identify vulnerabilities, evaluate existing controls, and strengthen institutional accountability. By requiring periodic audits and continuous oversight, this strengthens the security of judicial AI systems and complements the privacy protections contained elsewhere in the Draft Regulations.
XII. AI Secretariat and Governance Architecture
The Draft Regulations establish an AI Secretariat as the primary institutional authority responsible for overseeing the use of AI within the judicial system. The Secretariat is entrusted with functions relating to approvals, audits, incident monitoring, record maintenance, and overall regulatory oversight. From the perspective of data protection governance, it resembles a sector-specific compliance body tasked with ensuring that AI deployment remains consistent with legal and ethical standards. Over time, the Secretariat may play a broader role in developing privacy impact assessment templates, AI risk assessment frameworks, anonymisation standards, and vendor compliance protocols. The creation of such a dedicated institutional mechanism significantly strengthens accountability and governance within the judicial AI ecosystem.
XIII. Private Sector Participation and Data Fiduciary Obligations
The development and deployment of judicial AI systems will inevitably involve collaboration with private technology providers. While Chapter VI permits engagement with private entities, such participation raises important implications under the DPDP framework. Depending on the nature of their role, private vendors may function either as Data Processors when acting solely on court instructions or as Data Fiduciaries where they independently determine the purposes and mean of processing. This distinction has significant legal consequences and underscores the need for carefully structured contractual arrangements. Agreements with vendors should clearly address issues relating to data ownership, confidentiality, retention periods, deletion obligations, breach reporting, and audit rights. In the absence of such safeguards, sensitive judicial data may become vulnerable to misuse or commercial exploitation.
XIV. Cross-Border Data Transfers and Judicial Sovereignty
As many AI systems rely on cloud-based infrastructure that may be located outside India, questions relating to cross-border data processing are likely to assume increasing importance. Although the Draft Regulations do not extensively address this issue, the requirements of the DPDP framework concerning international data transfers will remain relevant. Judicial data is uniquely sensitive, involving concerns relating to sovereignty, national security, and confidentiality. Consequently, future iterations of the regulatory framework may consider measures such as localisation of judicial AI infrastructure, adoption of sovereign cloud arrangements, greater reliance on domestic data centres, and restrictions on foreign access to sensitive judicial information.
- Areas Requiring Further Clarification
While the Draft Regulations represent a significant step towards responsible AI governance in the judiciary, certain areas would benefit from further clarification. The framework could be strengthened by requiring AI-specific Privacy Impact Assessments before the deployment of high-risk systems. Similarly, independent algorithmic audits could be mandated to evaluate issues such as bias, fairness, explainability, and accuracy. Greater clarity is also needed regarding data retention requirements, including prescribed timelines for storage and deletion of information used by AI systems. In addition, litigants may require stronger procedural protections, including the right to know when AI tools are used, to challenge AI-generated recommendations, and to seek correction of inaccuracies. The allocation of liability between courts and private vendors in cases of error, misuse, or data breaches also remains an area requiring further regulatory guidance.
XVI. Conclusion
The Draft AI Regulations represent a significant step in integrating AI into India’s judicial system while preserving judicial independence, transparency, accountability, and constitutional rights. Anchored in the DPDP Act, 2023 Rules, 2025, the framework recognises that courts are custodians of highly sensitive personal information and therefore require stronger safeguards than those applicable in ordinary commercial settings.
The Regulations establish important protections by restricting unauthorised use of personal data for AI training, mandating transparency and explainability in AI-assisted processes, requiring meaningful human oversight in high-risk applications, and safeguarding sensitive judicial data through security and privacy measures. These provisions seek to ensure that AI remains a tool to assist, rather than replace, human decision-making in the administration of justice.
Ultimately, the challenge for India is not merely to digitise court processes but to ensure that technological innovation strengthens the constitutional values of fairness, privacy, dignity, transparency, and the rule of law. Read together with the DPDP framework, the Draft AI Regulations provide a strong foundation for responsible judicial AI governance and position India among the leading jurisdictions seeking to balance technological advancement with the protection of fundamental rights.
Mr. M. G. Kodandaram, IRS.
