Section 32 – Offenses and Penalties

(1) Any person who contravenes or fails to comply with any provision of this Act, or the rules or regulations made thereunder, shall be liable to penalties as specified in this Section.

(2) Systemically Significant Digital Enterprises (SSDEs) under the Digital Competition Act, 2024, that employ high-risk AI systems and fail to comply with the provisions of this Act shall be liable to the following penalties:

(a) For the first offense, a fine of up to 5% of the SSDE’s total worldwide turnover in the preceding financial year or INR 50 crores, whichever is higher;

(b) For subsequent offenses, a fine of up to 10% of the SSDE’s total worldwide turnover in the preceding financial year or INR 100 crores, whichever is higher.

(3) Significant Data Fiduciaries (SDFs) under the Digital Personal Data Protection Act, 2023, that employ high-risk AI systems and fail to comply with the provisions of this Act shall be liable to the following penalties:

(a) For the first offense, a fine of up to 4% of the SDF’s total worldwide turnover in the preceding financial year or INR 25 crores, whichever is higher;

(b) For subsequent offenses, a fine of up to 8% of the SDF’s total worldwide turnover in the preceding financial year or INR 50 crores, whichever is higher.

(4) Entities developing, deploying, or operating high-risk AI systems, other than those covered under sub-sections (2) and (3), that fail to comply with the provisions of this Act shall be liable to the following penalties:

(a) For the first offense, a fine of up to INR 10 crores;

(b) For subsequent offenses, a fine of up to INR 25 crores.

(5) In addition to the financial penalties specified in sub-sections (2), (3), and (4), the IAIC may take the following actions against non-compliant entities:

(a) Issuing warnings and directions for remedial measures;

(b) Suspending or revoking the certification of the AI system;

(c) Prohibiting the deployment or operation of the AI system until compliance is achieved;

(d) Mandating independent audits of the entity’s processes at their own cost;

(e) Recommending the temporary or permanent suspension of the entity’s AI-related operations in cases of persistent or egregious non-compliance.

(6) Entities developing, deploying, or operating AI systems exempted from certification under Section 11(3) shall be encouraged to voluntarily comply with the provisions of this Act. Non-compliance by such entities shall not attract any penalties, provided that:

(a) The AI system remains within the scope of the exemption criteria specified in Section 11(3);

(b) The entity maintains the incident reporting and response protocols as required under Section 11(4);

(c) The entity cooperates with the IAIC in the event of any investigation or inquiry related to the AI system.

(7) The IAIC shall establish clear guidelines for the determination and imposition of penalties, ensuring transparency, proportionality, and due process. Factors such as the nature, severity, and duration of the non-compliance, the entity’s willingness to cooperate and take remedial measures, and the potential harm caused by the non-compliance shall be considered while deciding the quantum of penalties.

(8) Any penalty imposed under this Section shall not prevent the initiation of criminal proceedings against the offender if the same act or omission constitutes an offense under any other law for the time being in force.

(9) All sums realized by way of penalties under this Act shall be credited to the Consolidated Fund of India.