Does India Need a Separate AI Law? Justice N.S. Sanjay Gowda on What the DPDP Act Cannot Do, explained at Parul University!

India's data protection law rests on consent. But modern AI can identify a person from data that contains no personal information at all. At Parul University's Law Conclave 2026, Justice…

AI Demands a New Legal Framework - Justice N.S. Sanjay Gowda at PU Law Conclave 2026!

July 14, 2026 | Rohit Singh |

PU Conclave 2026 – Kashika Varma’s experience on LinkedIn!

The most technically demanding session at Parul Institute of Law‘s Law Conclave 2026 belonged to Justice N.S. Sanjay Gowda of the Gujarat High Court, and it began with an attack rather than an abstraction. When Cambridge Analytica harvested the data of Facebook users, he argued, the data ceased to be merely valuable. It became a weapon capable of shaping democratic systems and public opinion.

“Data is not only the most valuable asset but also the most powerful weapon in the digital world.” – Hon’ble Mr. Justice N.S. Sanjay Gowda, High Court of Gujarat

The unauthorised use of personal data, in his framing, was an attack on democracy itself, and a demonstration that technological innovation can erode democratic principles rather than strengthen them. From that premise, he built the conclave’s most consequential legal argument: that India’s existing data protection law, however sound, was designed for a world that no longer exists.

The rise of artificial intelligence, and of agentic AI in particular, adds a layer of difficulty that the drafters of that law could not have anticipated. What follows is the clearest available account of why.

India’s Arrival at the DPDP Act!

Justice Sanjay Gowda traced the lineage carefully. Judicial recognition of privacy as a fundamental right in the Puttaswamy case created the constitutional foundation for protecting personal data in India. That intervention made legislation necessary, and legislation eventually followed: a Personal Data Protection Bill introduced in 2019, scrutiny by a Joint Parliamentary Committee, recommendations, the withdrawal of the earlier Bill, and finally the passage of the Digital Personal Data Protection Act in 2023, now administered within the framework of the Ministry of Electronics and Information Technology.

He drew a lesson from the length of that process. Technology moves faster than legislatures. By the time a statute is enacted, the conditions that prompted it have changed, which is a structural problem rather than a failure of any particular Parliament. Four years elapsed between the first Bill and the final Act, and the field it sought to regulate was transformed within them.

The Act itself, he explained, balances the protection of individual privacy against the legitimate processing of personal data. Processing requires informed, unambiguous, and clear consent. Individuals gain a set of rights: to know how their personal data is processed, to correct inaccurate information, to withdraw consent, to have data erased, and to bring grievances before the Data Protection Board.

The Gap: Why Consent Fails Against AI

Then Justice Sanjay Gowda explained why that architecture is insufficient, and the explanation is the reason this session matters beyond the room.

Sophisticated AI tools can derive sensitive information about individuals from datasets that are anonymised, publicly available, or entirely innocuous. Unlike traditional data processing, modern AI can correlate several independent datasets to identify a person using data that is not, in itself, personal data at all.

Consider what that does to a consent-based statute. Consent is given over identifiable personal information. If a person can be reconstructed from information they never consented to share, because none of it was personal when they shared it, then the consent framework governs the wrong object entirely. Legislation written for traditional processing cannot regulate the autonomous decision-making, algorithmic bias, profiling capacity, and inferential power of contemporary AI systems.

He quoted, “Modern AI can identify a person from data that was never personal. Consent then governs the wrong thing.”

Why Legislatures Always Arrive Late!

The re-identification problem exposes something structural rather than accidental. A statute must describe the thing it governs. Data protection law describes personal data, defines who processes it, and attaches consent to that processing. But an inferential system does not process personal data in the way the statute imagines. It processes ordinary information and produces personal knowledge as an output.

A law aimed at the input cannot reach a harm that appears only at the output. This is why Justice Sanjay Gowda’s argument is not a complaint that the DPDP Act is badly drafted. It is a demonstration that the Act, drafted well for its purpose, was written against a model of data processing that AI has quietly replaced. Amending it would not close the gap; the gap sits beneath the statute rather than inside it.

What India Is Doing, and What Others Have Done

Justice Sanjay Gowda was fair to the efforts underway. He noted India’s AI Governance Group, a Technology and Policy Expert Committee, and sector-specific regulators established to monitor emerging technological risks and develop governance strategies.

He set these beside international practice. The European Union’s AI Act and Singapore’s agile regulatory regime were cited as examples of proactive AI governance, characterised by continuous monitoring of developing technologies through regulatory testing rather than fixed rules written once and left to age.

His concern about the consequences of leaving AI ungoverned was specific rather than atmospheric. He identified AI’s potential influence on elections, the profiling of dissenters, and state overreach as problems requiring urgent legal response.

Notice that all three are political rather than commercial harms. A data breach costs money and can be compensated. A system that profiles those who disagree with the state, or that shapes what voters believe before they vote, damages something no compensation reaches. That is why Justice Sanjay Gowda treated AI governance as constitutional business rather than consumer protection, and why he began with Cambridge Analytica rather than with an ordinary leak.

PU Law Conclave 2026 – Dr. Devanshu Patel, the President of Parul University’s message for Legal Professionals!

The Proposal: Beyond Consent!

Justice Sanjay Gowda’s conclusion was a call to move away from a consent-oriented legal approach and toward a legally mandated AI governance structure. Such a framework, he argued, must impose positive obligations on those who build AI systems, requiring them to ensure that personal information cannot be reassembled from the data their systems process.

He set out the tools available for that task.

  • Restricting AI scraping of data: limiting the indiscriminate harvesting that makes re-identification possible.
  • Privacy-preserving machine learning: training techniques designed to prevent models from retaining identifiable information.
  • Homomorphic encryption: allowing computation on encrypted data without decrypting it.
  • An expanded right to erasure: strengthening an individual’s ability to have data deleted.
  • Accountability for AI creators: placing legal responsibility on those who build the systems rather than only on those who deploy them.

The last of these carries the most weight and is the least comfortable for the technology industry. Consent-based law places the burden on the individual, who must read, understand, and agree. An obligations-based regime moves that burden onto the party who actually understands the system, which is the only party capable of preventing the harm. A student in a data protection classroom should notice how large that shift is: it changes the question from what the user permitted to what the builder ought to have prevented. Besides this, he even suggested that students who are passionate about making an impact at the intersection of AI & Law must enrol on BA LLB, BBA LLB, and LLM programmes at Parul Institute of Law.

The problems of data protection, AI regulation, democracy, and the rule of law cannot be addressed in isolation, he argued, and future-proof frameworks will require legal scholars, policymakers, scientists, and technologists to work together. Humans must remain the controllers of artificial intelligence rather than its victims, a conclusion shared by every justice at the conclave, including Justice D.N. Ray’s insistence that AI remain a servant

PU Law Conclave 2026 – Bhumika Induliya’s experience on LinkedIn!

FAQs

+ Does India need a separate AI law?

Justice N.S. Sanjay Gowda argued at Parul University's Law Conclave 2026 that it does. The Digital Personal Data Protection Act 2023 regulates traditional data processing through consent, but cannot govern the autonomous decision-making, algorithmic bias, profiling, and inferential power of modern AI systems, which he said requires a legally backed AI governance framework.

+ Why is consent insufficient to protect privacy from AI?

Because sophisticated AI can derive sensitive information about individuals from anonymised, public, or apparently harmless datasets, correlating independent datasets to identify a person using non-personal data. Consent given over identifiable personal information therefore, fails to cover the data from which a person can actually be reconstructed.

+ What is the DPDP Act 2023?

The Digital Personal Data Protection Act 2023 is India's data protection statute, requiring that personal data be processed only with informed, unambiguous consent for lawful purposes. It grants individuals rights to know how their data is processed, to correct it, to withdraw consent, to seek erasure, and to raise grievances with the Data Protection Board.

+ How do other countries regulate AI?

Justice Sanjay Gowda cited the European Union's AI Act and Singapore's agile regulatory regime as examples of proactive AI governance, which rely on continuous monitoring of developing technologies through regulatory testing rather than static rules, and contrasted these with consent-based data protection alone.

Shape your legal career with future-ready law programmes at Parul Institute of Law!

Apply Now

Open for admission year 2026-27

Apply now apply
Need guidance? Your PU coach is here! ⚡