Artificial Intelligence and the Regulatory Frontier: A Comparative Analysis of Privacy, Surveillance, and Automated Decision-Making under Indian and European Law
- DOI
- 10.2991/978-2-38476-547-8_11
- Keywords
- AI Governance; DPDP Act; EU AI Act
- Abstract
This report presents a stringent comparative evaluation of the new regulatory environment around Artificial Intelligence (AI), with reference to the deep divergence between India's Digital Personal Data Protection (DPDP) Act, 2023, and the European Union's two-tier regulatory framework of the GDPR and the AI Act. The rapid rise of data-intensive AI systems is bound to collide with established privacy concepts such as data minimization and consent.
This research analyses that collision using a comparative legal doctrinal approach. It applies a doctrinal method to critically examine the primary legal documents, such as India's DPDP Act 2023 and the EU's GDPR and AI Act, in order to generalize on the current legal principles. This is coupled with a point-of-comparison framework that examines in practical terms how these two different mechanisms deal with the overall technological dangers, and where they agree or differ.
The EU has a minimal rights framework, which uses the risk-based and technology-focused EU AI Act to supplement the GDPR, thereby enforcing integrated compliance, transparency, and auditability of potentially high-risk AI systems. The DPDP Act of India, on the other hand, is designed around a high-consent standard and an original Consent Manager system. Most importantly, the Act itself grants extensive exemptions for national security and law enforcement, under which the government retains the authority to require any data fiduciary to hand over data and to instruct it not to disclose that it has done so. This privatizes an apparatus of state surveillance and pushes much of the risk of sovereign access onto the private sector.
The desire to have an explicit right against the use of automated decision-making alone (Article 22 of the GDPR) is also a major distinction between the EU and the DPDP Act. For multinational enterprises (MNEs), strategic compliance entails adopting a globally integrated governance model founded on risk classification, and using highly secure, protected infrastructure to help mitigate India-specific mandatory data retention and sovereign access risks.
- Copyright
- © 2026 The Author(s)
- Open Access
- Open Access This chapter is licensed under the terms of the Creative Commons Attribution-NonCommercial 4.0 International License (http://creativecommons.org/licenses/by-nc/4.0/), which permits any noncommercial use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
Cite this article
TY - CONF
AU - Joseph Thomas
PY - 2026
DA - 2026/03/05
TI - Artificial Intelligence and the Regulatory Frontier: A Comparative Analysis of Privacy, Surveillance, and Automated Decision-Making under Indian and European Law
BT - Proceedings of the International Conference on Socio Legal Intricacies of Artificial Intelligence (ICSLIAI 2026)
PB - Atlantis Press
SP - 84
EP - 95
SN - 2352-5398
UR - https://doi.org/10.2991/978-2-38476-547-8_11
DO - 10.2991/978-2-38476-547-8_11
ID - Thomas2026
ER -