(P.S: This is in continuation of our discussion on the suggested AI regulations for Judiciary by the supreme Court)

In September 2025 when FDPPI published the DGPSI-AI framework, it was presented as an extension of DGPSI for Data Fiduciary environment. This was the first AI regulatory guideline presented in India as a compliance framework for the industry.  As against this “Self Regulatory” suggestion, MeitY released the  Balaraman Committee report   as its version of suggested AI regulation in November 2025.

In the recent days the  industry has been trying to exert its influence through NASSCOM to persuade MeitY to introduce industry favouring regulation such as the infamous Economic times Report on “Law to Code” as a solution for DPDPA Compliance.

However the release of the Draft regulation on AI usage in Judiciary by Supreme Court has now put a huge speed breaker on the industry lobbying. By making this internal guideline as a comprehensive regulatory framework, Supreme Court has now presented a “Due Diligence framework” for industries to follow. It also indicates that any other framework or AI regulation to be introduced by MeitY has to be in compliance with this Judiciary Framework since eventually the Supreme Court will determine if the law is acceptable.

Naavi.org is happy to note that many of the suggestions made under this SC-Framework on AI is supplementing DGPSI-AI framework. We shall try to point out this comparison in this article.

Essence of DGPSI-AI 

The DGPSI AI consists of

a) Six Principles of Governance

b)Nine implementation specifications  for AI deployers (Restricted to DPDPA Compliance in a Data Fiduciary)

c) Thirteen specifications for AI developers  (Restricted to supply of AI software to Data Fiduciaries)

For immediate reference, we are reproducing these three parts of DGPSI-AI here.

Th foundation of this framework is the following six principles.

1 Unknown Risk is a Significant Risk

2 Behind every AI algorithm there shall be one human for accountability

3 Every Privacy Notice covering an AI Process involved in processing of personal data shall be accompanied by an Explainability disclosure.

4 Use of every AI Process shall be validated by a document justifying the technical, operational and economical need both at the level of the Data
Fiduciary and the Data Processor with unconditional indemnity to the data principal.

5 Every AI process shall document the specific guardrails to secure the processing against Dark Patterns, Neurological manipulation and
physical harm to any data principal.

6 The responsibility of the AI deployer as a “Fiduciary” shall ensure all measures to safeguard the society from any adverse effect arising out of
the use of the AI.

The DGPSI-AI works within the framework of DPDPA Compliance and therefore has defined AI as an “Unknown Risk”. The logic for  additional framework of compliance for AI is built because “Unknown Risk is Significant Risk” and bearer of significant risk should be considered as a Significant Data Fiduciary with the additional obligations under DPDPA.

The SC-AI framework (SCAIF) did not need  support of such a logic and is being implemented within the administrative powers available to the Supreme Court to regulate the judiciary in India.

The “Human Accountability” is the second principle of DGPSI-AI and is the distinguishing feature of the SCAIF.

DGPSI-AI expects that a proper document explains the “Requirement of use of AI” where the concepts of “need”, “Proportionality” etc are covered.

DGPSI-AI recognizes that being a “Fiduciary”, a Data Fiduciary is obliged to get the best practices into place. Now the learnings from the SCAIF becomes the reference  document that DGPSI-AI auditor has to take note of.

Here is a comparison of the two frameworks for further discussion

A closer examination, however, indicates that the two frameworks are similar and  complementary instruments operating at different layers of the AI ecosystem.

The Supreme Court Regulations focus primarily on the governance of AI within judicial institutions. They prescribe the conditions under which Courts may procure, deploy, supervise, audit, and use AI systems while preserving judicial independence, human oversight, accountability, privacy, and constitutional values.

DGPSI-AI, on the other hand, focuses on the obligations of AI developers, deployers, service providers, and organisational users. It establishes a structured compliance framework for AI governance, risk management, transparency, accountability, privacy protection, and ethical deployment.

Viewed in this context, DGPSI-AI effectively governs the vendor and deployer side of the same AI ecosystem that the Courts seek to regulate through Chapter VI of the draft Regulations. The AI Service Providers engaged by Courts under Regulation 46 would, if compliant with DGPSI-AI specifications, already satisfy a substantial portion of the contractual and governance requirements contemplated under Regulation 46(4), including requirements relating to data protection, explainability, accountability, auditability, incident reporting, cybersecurity, and lifecycle governance.

The two frameworks therefore reinforce each other. The Court Regulations establish the expectations of the judicial customer, while DGPSI-AI establishes the operational responsibilities of the AI supplier and service provider.

There are, however, certain areas that may require further harmonization.

The first relates to audit philosophy. The draft Regulations prefer an “in-house audit” model and restrict disclosure of source code, algorithms, and datasets to external parties. DGPSI-AI, consistent with broader governance and assurance practices, recognizes the value of independent third-party audits as a mechanism for enhancing trust and accountability. A balanced approach may eventually emerge in which internal judicial audits are supplemented by accredited external assurance under controlled conditions.

The second relates to regulatory posture. The Court Regulations explicitly adopt a presumption in favour of responsible AI adoption and encourage innovation unless specific risks are demonstrated. DGPSI-AI, while equally supportive of innovation, follows a structured risk-management approach that places greater emphasis on demonstrating compliance before deployment. The difference is  not one of objective but of emphasis.

These differences  reflect the different institutional perspectives of a judicial regulator and a governance framework for AI providers.

Consequently, we look at the proposed Supreme Court framework as a validation of DGPSI-AI. However some tweaking of the DGPSI-AI framework if required would be thought of.

Naavi

Here are the preliminary views of Naavi on the draft AI Regulations proposed for Judiciary by the Supreme Court and released for public comments.

Copy of the “Regulations for use of Artificial Intelligence (AI) in Courts 2026” for public comments

The guideline is a comprehensive document with 57 clauses spread over 10 chapters ready to be converted into a formal law on AI usage.

The chapters are divided into the following:

Chapter I: Preliminary

Chapter II:  General Principles to Govern adoption, deployment and use of AI systems in Courts.

Chapter III: Permissible and Prohibited uses

Chapter IV: Policy Making and Institutional Mechanism

Chapter V: Oversight, Audits and Incident Management

Chapter VI: Procurement and Private Sector Engagement

Chapter VII: Data Protection and Cyber Security

Chapter VIII: Capacity Building, Training and Best Practices

Chapter IX: Grievance redressal and Remedies

Chapter X: Miscellaneous

It is clear from the above that the guidelines are very comprehensive and can be considered as a law by itself. The draft is one of the most comprehensive judicial AI governance frameworks proposed anywhere in the world. It adopts a distinctly Indian approach: AI is welcomed as an assistant to justice, but never as a substitute for judicial reasoning. The framework balances innovation with constitutional safeguards and places human accountability at the centre of all AI-assisted judicial processes.

This will now set the platform for the AI regulations in the country. Whatever regulation which the Government was planning now will have to be re-looked in the eyes of this guideline. Though this guideline at present is restricted to Judiciary it is likely to be considered as an indicative “Due Diligence”. To further formalize this due diligence, Naavi/FDPPI will work on the DGPSI-AI framework and upgrade it to create a version for the non judicial sector compatible to the principles reflected here.

..The debate continues. Watch out for further discussion here.

Naavi

Also Refer: SCO Observer

Copy of the “Regulations for use of Artificial Intelligence (AI) in Courts 2026” for public comments

The Supreme Court of India has released a notice dated 3rd June 2026 with a copy of the proposed regulations for Use of Artificial Intelligence (AI) in Courts, 2026 for public comments.

This has been prepared under the aegis of the Artificial Intelligence Committee, Supreme Court of India. These regulations aim to govern the use of Artificial Intelligence in Courts, grounded in the principles of human primacy, transparency, accountability, data protection, and judicial independence, while establishing an institutional framework for responsible AI adoption across India’s judicial system.

All stakeholders and the general public are invited to share their comments and suggestions on the said draft regulations through email addressed to Member Secretary, AI Committee, Supreme Court of India at email ID office.regcc@sci.nic.in by 20/06/2026.

Naavi would be consolidating the views of the members of FDPPI and if required submitting the comments.  Please forward your views to naavi.

Current views of naavi would be published here in subsequent articles.

Naavi

(This is a continuation of the series of articles on Independent Data Auditors which emanated from the Event on June 6)

Financial audit professionals have long relied on a system of Peer Review Audits to preserve the integrity, credibility, and quality of the audit profession.

A Peer Review is an independent evaluation of an auditor’s work conducted by qualified professionals who were not involved in the original audit engagement. The objective is not to substitute the judgment of the original auditor, but to assess whether the audit was performed in accordance with accepted standards, regulatory requirements, and established professional practices.

During a peer review, experienced auditors examine the audit methodology, working papers, evidence collection procedures, documentation practices, and reporting conclusions. Such reviews help determine whether the audit process met the expected standards of professional diligence and competence. The process enhances confidence in audit outcomes and promotes continuous improvement within the profession.

In many professions, peer review forms part of a broader quality assurance framework and serves as an important mechanism for maintaining public trust in the audit process.

Peer Review in the FDPPI Framework

As FDPPI develops its framework for DPDPA compliance audits, elements of the peer review concept are being incorporated as a recommended best practice.

Under the FDPPI framework, audit firms may be recognized as Certified Audit Firms for conducting DPDPA audits. Upon completion of an audit, the auditor is expected to submit a Data Trust Score (DTS) report and related audit records. These records may be retained by FDPPI for quality assurance purposes and may be referred for a peer review when circumstances warrant.

Simultaneously, the auditee is encouraged to provide feedback regarding the audit engagement. The availability of inputs from both the auditor and the auditee may occasionally reveal inconsistencies, misunderstandings, or concerns that merit an independent examination. In such situations, FDPPI may recommend a peer review process.

It is important to emphasize that FDPPI does not seek to substitute its judgment for that of the auditor or interfere with the auditor’s professional independence. The purpose of peer review is solely to strengthen the credibility and reliability of the audit ecosystem through constructive quality assurance.

Ethical Foundation

The peer review concept is being proposed as part of the evolving Code of Ethics for Independent Data Auditors under the framework of the Association of Independent Data Auditors of India (AIDAI). These principles may be incorporated into the ethical commitments undertaken by auditors as well as into engagement agreements between auditors and their clients.

At present, these remain voluntary professional standards. Neither FDPPI nor AIDAI possesses statutory authority to enforce such ethical obligations. Their effectiveness therefore depends largely on the willingness of auditors to embrace them as part of their professional responsibility.

Beyond Regulation: The Need for Self-Governance

The long-term strength of any profession depends not merely on external regulation but on the internal values of its practitioners. Ethical conduct becomes meaningful only when it is voluntarily adopted and consistently practiced.

FDPPI therefore urges all empanelled auditors to embrace peer review and similar quality assurance measures as part of a commitment to professional excellence. The objective is not compliance with an external mandate, but the cultivation of a culture of integrity, transparency, accountability, and continuous improvement.

Ultimately, the effectiveness of an Independent Data Auditor is determined not only by technical competence but also by the auditor’s commitment to ethical self-governance. In that sense, the profession requires not merely training and certification, but an “inner engineering” that aligns professional conduct with the larger objective of building trust in the digital ecosystem.

A profession earns public trust not through regulation alone, but through the willingness of its members to hold themselves accountable to standards that are often higher than those imposed by law.

Naavi

(This is in continuation of the previous article)

In the previous article, we discussed the distinction between the objectives of the CISO and the DPO.

The same distinction raises a broader question regarding the independence of DPDPA audits.

If a DPDPA audit is intended not only to assess organizational controls but also to evaluate whether the interests of Data Principals are adequately protected, can management alone determine the scope of the audit?

The Traditional Audit Model

Most governance frameworks recognize the right of management to define the scope of compliance activities.

ISO 27001 follows this approach through the Statement of Applicability.

DGPSI similarly permits management to define implementation boundaries through the Deviation Justification Document.

The rationale is straightforward.

Management bears the business risk and therefore has the right to determine its risk appetite. Risks that are consciously accepted may be mitigated through operational controls, contingency planning, insurance, or other risk-treatment mechanisms.

The Challenge

The problem arises when a management decision affects not only organizational risk but also the rights of Data Principals.

A DPDPA audit is different from a conventional information security audit.

The question is not merely:

“Has the organization managed its risk?”

The question is also:

“Have the interests of Data Principals been reasonably protected?”

An excessively narrow audit scope may therefore conceal significant privacy risks while still appearing acceptable from a management perspective.

The DGPSI Approach

DGPSI addresses this challenge through a structured risk-assessment process.

The auditor is expected to identify risks based on applicable implementation specifications and present these findings to management.

Management may then choose to mitigate, transfer, absorb, or otherwise manage those risks.

Any exclusions or deviations are expected to be documented and justified.

The resulting Data Trust Score (DTS) reflects not only implemented controls but also the residual risks accepted by management.

This approach is comparable to an individual managing health risks through a combination of medication, lifestyle adjustments, emergency medical facilities, and insurance coverage. The risk is not eliminated but consciously managed.

Is Additional Oversight Necessary?

During the discussions, a concern was raised regarding situations in which management may seek to aggressively reduce audit scope by asserting:

“We will deal with the risk if and when it materializes.”

If such decisions significantly affect the interests of Data Principals, should there be an independent validation mechanism?

One suggestion was that the audit scope should be supported by a formal risk assessment and be reviewed by an independent body before the audit proceeds.

The objective would not be to overrule management.

Nor would it be to dictate implementation choices.

The objective would simply be to determine whether the scoping assumptions appear professionally reasonable.

A Possible Role for Audit Quality Control

DGPSI currently contemplates a quality-control mechanism under which completed audits may be reviewed by an FDPPI quality committee if significant concerns arise.

A similar concept could potentially be applied at the scoping stage.

Under such an approach, an auditor may voluntarily submit the risk assessment and proposed scoping document to an Audit Quality Control Committee for validation of the underlying assumptions.

The committee would not certify compliance, approve the audit, or interfere with auditor independence.

Its role would be limited to examining whether significant exclusions have been adequately justified.

Conclusion

As India develops professional standards for Independent Data Auditors under DPDPA, the industry must address an important question:

Can an audit remain truly independent if its scope is entirely determined by management?

The answer is unlikely to be straightforward.

Management must retain the right to determine business priorities and risk appetite. At the same time, DPDPA compliance requires recognition of interests that extend beyond the organization itself.

The suggestions discussed here are exploratory and intended to stimulate professional debate. FDPPI and AIDAI are in the process of developing ethical and professional standards for DPDPA audits, and practitioner feedback will play an important role in shaping these standards.

The objective is not to prescribe answers but to encourage the development of a robust and credible audit ecosystem for India’s emerging data protection framework.

Naavi