As India confronts an unprecedented escalation in AI-driven cyber threats, invasive digital surveillance, and complex cross-border data governance disputes, urgent questions emerge about the preparedness and resilience of its existing cyber law framework. The challenge is no longer merely technological; it is fundamentally legal, strategic, and civilizational. Consequently, the demand for AI-specific legislation, stronger enforcement architecture, deeper international cyber cooperation, and robust data localization policies has become both immediate and unavoidable. At the same time, intensifying cyber warfare risks, mounting digital sovereignty concerns, and persistent regulatory fragmentation continue to expose systemic vulnerabilities. Equally important, the democratization of cyber law, cybersecurity, and AI education will play a decisive role in equipping India’s next generation to navigate an increasingly complex and volatile digital ecosystem.
In an exclusive conversation with The Interview World at CyberComm 2026, organized by Federation of Indian Chambers of Commerce & Industry, Dr. Pavan Duggal, Advocate, Supreme Court of India, and CEO of Artificial Intelligence Law Hub, argues that India’s cyber law regime remains fundamentally inadequate to deliver effective remedies to citizens facing the rapidly expanding harms of artificial intelligence. He further emphasizes the urgent need for international treaties to address rising cross-border cyber tensions, highlights data localization as a critical pillar of India’s broader digital governance strategy, and advocates the introduction of cyber law, cybersecurity, and AI education at an early stage of learning. According to him, such measures are essential for cultivating stronger digital life skills, healthier online behaviour, and more responsible technological mindsets among citizens. Presented below are the key insights from this incisive and thought-provoking conversation.
Q: Are India’s current cyber laws and regulatory frameworks adequately prepared to combat the growing sophistication of AI-driven cyber threats while safeguarding citizens’ rights and access to justice?
A: Indian cyber law remains fundamentally inadequate to provide effective remedies to citizens confronting the escalating harms posed by artificial intelligence. The core problem is structural: India’s existing cyber law framework is not an AI law. It neither expressly addresses artificial intelligence nor meaningfully regulates the complex legal, ethical, and technological issues arising from AI systems.
Consequently, the path forward requires the development of entirely new legal frameworks and dedicated AI legislation capable of addressing the evolving risks and liabilities associated with artificial intelligence. Such frameworks must provide clear, enforceable remedies for individuals harmed by AI-driven systems and decisions.
In this context, the launch of the Global AI Harms Registry marks an important and timely initiative. The registry seeks to systematically document and consolidate emerging instances of AI-related harm affecting individuals worldwide, thereby creating a critical evidentiary foundation for future policy and regulatory intervention.
At the same time, the government has taken a constructive step by introducing the Information Technology Rules, 2026, which mandate the labelling of AI-generated content. However, the effectiveness of these rules remains severely undermined by weak enforcement mechanisms. In the absence of meaningful legal consequences for non-compliance, stakeholders have little incentive to adhere to the regulatory requirements.
Most importantly, users currently lack effective statutory remedies. Neither the Information Technology Act nor the Digital Personal Data Protection Act provides a comprehensive legal mechanism to address harms caused by artificial intelligence. Therefore, India urgently requires robust, enforceable, and future-ready AI-specific legal frameworks to safeguard citizens and ensure accountability in the age of artificial intelligence.
Q: Amid rising cross-border cyber tensions, does India need new cyber laws or targeted amendments to effectively address international cyber threats, jurisdiction, accountability, and digital sovereignty?
A: The Internet and artificial intelligence have effectively rendered geography irrelevant. In doing so, both technologies have demonstrated a fundamental reality: national laws cannot operate effectively beyond territorial boundaries. Consequently, attempts to extend the extraterritorial reach of domestic legislation may not constitute the most viable or sustainable legal solution.
Instead, the international community must work toward establishing common minimum legal standards and universally accepted normative principles capable of securing broad consensus among global stakeholders. Only such harmonized frameworks can meaningfully address the transnational nature of cyberspace and artificial intelligence.
Recognizing this necessity early, I proposed before the United Nations in 2015 the creation of an international convention on cyber law and cybersecurity. Today, that proposal has acquired far greater urgency and relevance. In this regard, the opening of the UN ICT Convention for signatures represents an important beginning. However, significant structural challenges persist.
Most notably, nations remain deeply polarized and increasingly reluctant to engage in constructive cooperation. As a result, existing mechanisms for international collaboration have proven ineffective. The Mutual Legal Assistance Treaty (MLAT) framework, in particular, has largely failed to deliver timely and meaningful cross-border cooperation in cyber investigations and enforcement.
Simultaneously, many countries have come to recognize that access to critical cyber-related information often depends on membership in what may be described as the “big boys’ club” — namely, the Convention on Cybercrime of the Council of Europe. India, however, has refrained from joining the convention because several of its provisions raise legitimate concerns regarding national sovereignty and strategic autonomy.
Nevertheless, the broader reality remains unavoidable. The international community will ultimately have to formulate common legal norms that nation-states can collectively accept and effectively enforce at the global level. Without such coordinated legal architecture, escalating cyber tensions between nations will continue to intensify.
More importantly, the world now confronts emerging forms of cyber warfare and cyber terrorism that transcend traditional geopolitical boundaries. If the international community fails to address these threats through coherent and enforceable global legal mechanisms, they will inevitably generate far more complex security, governance, and geopolitical challenges in the years ahead.
Q: As India advances data sovereignty and internet data localization initiatives, are existing legal frameworks adequate to address the associated regulatory, security, privacy, and cross-border compliance challenges?
A: There can be little dispute that India must seriously pursue a robust data localization framework. The rationale is straightforward and compelling. At present, vast volumes of Indians’ data are routinely transferred beyond India’s territorial boundaries and stored on servers located in foreign jurisdictions. Consequently, such data becomes subject to the jurisdiction of foreign governments, regulatory authorities, and intelligence agencies.
This development raises profound concerns for national sovereignty, security, and strategic autonomy. Increasingly, data originating from Indian users possesses the potential to be exploited in ways that may prejudice India’s national interests and adversely affect Indian citizens. In that context, the adoption of strong data localization principles would constitute a significant and necessary policy intervention.
In particular, the Reserve Bank of India deserves recognition for its decisive approach toward financial data localization. Owing to the RBI’s insistence that the financial data of Indian citizens remain stored within India, the country has succeeded in establishing a far stronger layer of protection over sensitive financial information. As a result, financial data security within the Indian ecosystem has substantially improved.
However, the same level of protection does not currently extend to most other categories of personal and sensitive data. Instead, such data continues to flow freely outside India. Even under the Digital Personal Data Protection Act, the prevailing framework permits the transfer of Indians’ personal data to foreign jurisdictions, except those specifically prohibited by the government. This approach, while operationally flexible, leaves critical concerns relating to jurisdiction, enforcement, accountability, and sovereign control insufficiently addressed.
Therefore, data localization should serve as an important starting point in India’s broader digital governance strategy. Given that India is both the world’s largest democracy and its most populous nation, the country possesses substantial geopolitical and regulatory leverage in shaping global digital norms.
If India can ensure that Indian data remains subject to Indian jurisdiction and that foreign technology platforms, digital intermediaries, and AI service providers become fully amenable to Indian law, the country will significantly strengthen its ability to secure accountability and provide effective legal remedies to Indian citizens. Ultimately, data localization is not merely a technological or regulatory issue; it is a question of digital sovereignty, national security, and the protection of citizens’ rights in the emerging data-driven world order.
Q: As a cyber law expert associated with the Supreme Court of India, what measures would you recommend to democratize and strengthen cyber law education across law colleges and universities in India?
A: I have consistently advocated the democratization of cyber law education as an essential pillar of digital empowerment. Guided by that conviction, I initiated an experimental platform nearly a decade ago through Cyber Law University, where I currently offer 37 online courses dedicated to cyber law, cybersecurity, and emerging technology governance. Over the past ten years, more than 33,000 professionals from 174 countries have completed these programs, reflecting the growing global demand for structured digital legal education.
In the Indian context, the need for such education has now become both urgent and unavoidable. Cyber law education, cybersecurity awareness, and artificial intelligence literacy must become integral components of the school curriculum from the very first standard onward. This is no longer merely an academic recommendation; it is a societal necessity.
The reason is evident. Across India, children now gain access to smartphones, tablets, connected devices, and digital platforms at increasingly younger ages. However, access to technology without corresponding awareness of digital rights, cyber risks, online responsibilities, and AI-driven harms creates long-term vulnerabilities for individuals and society alike.
Therefore, India must move decisively toward democratizing digital legal literacy at scale. Introducing cyber law, cybersecurity, and AI education at an early stage will help cultivate stronger digital life skills, healthier online habits, and more responsible technological mindsets among users as they mature. More importantly, it will empower future generations to navigate the digital ecosystem with greater awareness, resilience, and accountability.
