Navigating Algorithmic Decisions: A Comparative Lens for Indian Businesses

The rapid proliferation of artificial intelligence (AI) and machine learning (ML) systems has brought algorithmic decision-making (ADM) to the forefront of privacy discussions. From credit scoring to hiring, and even content moderation, algorithms increasingly make or significantly influence decisions impacting individuals. For Indian businesses operating in this evolving landscape, understanding the domestic regulatory position alongside international developments is critical. This analysis anchors on India’s Digital Personal Data Protection Act (DPDPA) 2023 and compares it with key global frameworks concerning ADM.

DPDPA’s Approach: Principles Over Prescriptions

India’s DPDPA 2023, while a landmark privacy law, notably maintains a degree of silence on explicit rights related to automated individual decision-making (AIDM). Unlike its global counterparts, the DPDPA does not contain a specific provision granting data principals the right not to be subject to a decision based solely on automated processing. The Act’s framework relies on broader principles that indirectly apply to ADM. Data fiduciaries deploying algorithms must still adhere to principles of lawful processing (Section 4), purpose limitation (Section 5), and data minimisation (Section 6). The requirement for clear and informed consent (Section 7) for processing personal data, including for profiling, remains paramount. Furthermore, the duties of data fiduciaries under Section 8, such as implementing reasonable security safeguards, implicitly extend to the design and deployment of algorithmic systems. While the DPDPA mandates a grievance redressal mechanism (Section 13) and the Data Protection Board of India has powers to investigate (Section 27), these are general enforcement tools rather than specific rights against algorithmic decisions.

Beyond the DPDPA, existing sectoral regulations offer some, albeit limited, guidance. The Reserve Bank of India (RBI) has issued guidelines on IT governance and outsourcing for regulated entities, which indirectly touch upon the responsible use of technology, including algorithms, by financial institutions. These often focus on risk management, data security, and fair practices. Similarly, the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, mandate due diligence for intermediaries, which could imply some responsibility for algorithmic content moderation, but again, these are not directly about data subject rights concerning ADM.

GDPR Article 22: The Right Against Automated Decisions

The European Union’s General Data Protection Regulation (GDPR) sets a global benchmark with its explicit provisions on AIDM. Article 22 of the GDPR grants data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This right is not absolute, with exceptions for decisions necessary for entering into or performing a contract, authorised by Union or Member State law, or based on the data subject’s explicit consent. Crucially, even when exceptions apply, data controllers must implement suitable safeguards, including the right to obtain human intervention, to express one’s point of view, and to contest the decision. This provides a clear, actionable right for individuals to challenge algorithmic outcomes.

EU AI Act: A Risk-Based Ecosystem

Complementing the GDPR, the EU AI Act, which is expected to be fully implemented by May 2026, introduces a comprehensive, risk-based regulatory framework for AI systems. It categorises AI systems based on their potential to cause harm, with “high-risk” AI systems facing the strictest requirements. Many ADM systems, particularly those used in critical sectors like employment, credit assessment, and law enforcement, fall under the high-risk category. For these systems, the EU AI Act mandates rigorous obligations on both providers and deployers, including requirements for risk management systems, data governance and quality, technical documentation, record-keeping, transparency, human oversight, accuracy, and cybersecurity. While the EU AI Act focuses on the safety and fundamental rights implications of AI systems rather than individual data processing rights, it significantly bolsters the protections against harmful ADM by ensuring responsible development and deployment.

Colorado AI Act: Focus on Algorithmic Discrimination

Across the Atlantic, the Colorado AI Act (SB24-205), effective January 1, 2026, represents a significant state-level initiative. This Act focuses specifically on preventing algorithmic discrimination, defining it as any condition that results in an unlawful differential treatment or impact based on protected characteristics. It imposes duties on both developers and deployers of “high-risk artificial intelligence systems” that make, or are a substantial factor in making, consequential decisions. Developers must exercise reasonable care to avoid algorithmic discrimination and provide specific disclosures to deployers. Deployers are required to implement risk management programs, conduct impact assessments, and provide transparency notices to consumers when a high-risk AI system is used to make a consequential decision. Crucially, the Act also grants consumers a right to appeal an adverse consequential decision made by a high-risk AI system, echoing the human intervention safeguard seen in GDPR.

Comparative Trade-offs

When comparing these frameworks, the DPDPA 2023 stands out for its silence on specific ADM rights. While its general principles of consent, fairness, and accountability apply, it lacks both the direct “right not to be subject to” automated decisions found in GDPR Article 22 and explicit human intervention and appeal mechanisms. This makes the Indian regime looser in this specific aspect compared to the GDPR.

Against the EU AI Act and the Colorado AI Act, the DPDPA’s framework is also looser as it lacks a dedicated, risk-based regulatory structure for AI systems themselves, including mandates for risk assessments, human oversight, or specific measures to prevent algorithmic discrimination. While India’s sectoral regulators like the RBI address some aspects of technology governance, they do not offer the comprehensive, system-level oversight that these AI Acts provide.

GDPR Article 22 primarily focuses on data subject rights concerning automated decisions, whereas the EU AI Act and Colorado AI Act take a broader approach, regulating the systems that produce these decisions. The EU AI Act is comprehensive in its scope of fundamental rights and safety, while the Colorado AI Act is more narrowly tailored to address algorithmic discrimination. Both AI Acts, however, represent a move towards proactive governance of AI, a domain where India’s legislation is yet to develop a specific framework.

Practical Takeaway

For Indian businesses, particularly those leveraging AI/ML for customer interactions, HR, or financial services, the current regulatory landscape presents a dual challenge. While the DPDPA 2023 does not explicitly mandate specific ADM rights, its underlying principles of fair and transparent processing, accountability, and consent mean that businesses cannot ignore the ethical and privacy implications of their algorithms. Furthermore, for companies with global operations, compliance with stricter regimes like the GDPR, EU AI Act, or Colorado AI Act is non-negotiable. Proactively implementing robust AI governance frameworks, conducting algorithmic impact assessments, ensuring human oversight in critical decisions, and building transparent communication channels for individuals to understand and contest algorithmic outcomes are not just best practices but increasingly a global compliance imperative. Indian businesses should anticipate that future rules under the DPDPA or new sectoral guidelines might bridge the current legislative gap, making proactive measures a strategic advantage.

This post is licensed under CC BY 4.0 by the author.