Using AI in hiring lawfully in India
Reviewed by Mellow Editorial Team, HR & payroll content team
Employers can use AI tools to screen CVs, schedule interviews and assess candidates — but doing so without a clear framework creates legal and reputational risk. India does not yet have AI-specific hiring legislation, yet several existing laws already constrain how you collect, process and act on candidate data.
What Indian law already covers
The Digital Personal Data Protection Act, 2023 (DPDPA) is the primary framework to understand. It governs how personal data of Indian residents is collected and processed, including by employers during recruitment. Key obligations include:
- Consent before collection. You must tell candidates what data you are collecting, why, and for how long you will keep it. Consent must be free, specific and informed — a buried clause in a job application form is unlikely to satisfy this standard.
- Purpose limitation. Data collected to assess a candidate for one role should not be fed into an unrelated AI model or used for a different purpose without fresh consent.
- Data minimisation. Collect what you actually need. If an AI screening tool requests access to a candidate's social media profiles or location history, ask whether that data is genuinely necessary for the decision at hand.
- Grievance and correction rights. Candidates have the right to correct inaccurate data and to raise grievances. Your hiring process should have a named point of contact for such requests.
India's four consolidated Labour Codes, which came into force in 2025, do not specifically address AI in hiring, but the Industrial Relations Code and the Code on Social Security contain anti-discrimination principles that courts and tribunals may interpret in this context.
Where AI tools create the most risk
Algorithmic bias. An AI tool trained on historical hiring data can encode and amplify existing biases — against women returning to work, candidates from certain regions, or those with non-linear career histories. If a shortlisting tool systematically disadvantages a protected group, you are exposed to discrimination complaints even if no human made a deliberate decision.
Automated rejection without human review. Rejecting a candidate based solely on an AI score — with no human review of the output — is the scenario most likely to attract regulatory scrutiny as data protection frameworks mature. The DPDPA framework, and broader global trends, are moving toward requiring meaningful human involvement in significant decisions about individuals.
Opaque scoring. If you cannot explain to a candidate why they were rejected, you cannot respond to a grievance in good faith. If your vendor cannot explain how its model works, that is a due-diligence gap you carry.
Third-party vendor risk. Many AI hiring tools are built and hosted abroad. Before signing a contract, check where candidate data is stored, whether the vendor complies with DPDPA requirements, and what happens to the data after the contract ends.
Building a lawful AI hiring process
A few practical steps reduce exposure considerably.
Map the decision points. Write down exactly where AI is involved in your process — CV parsing, psychometric scoring, video interview analysis, background verification — and identify who reviews the AI output before a decision is made.
Keep a human in the loop for consequential decisions. Final shortlisting and rejection decisions should involve a human reviewer who can exercise independent judgement, not simply ratify a score. Document that review.
Update your privacy notice. Your candidate-facing privacy notice should explicitly state that AI tools are used in hiring, what categories of data they process, and how candidates can seek review of an AI-assisted decision. Vague notices invite complaints.
Audit your tools periodically. Ask your vendor for bias-testing reports. If they do not produce them, commission your own review or switch to a vendor that does. Bias audits are not a one-time exercise — model behaviour can drift as training data changes.
Set retention limits. Decide how long you will retain CV data and assessment scores for unsuccessful candidates, and enforce those limits. Indefinite storage of rejected candidate data is inconsistent with the DPDPA's storage limitation principles.
Train your hiring managers. The people using AI outputs need to understand what the tool does and does not measure. A high-scoring candidate on a culture-fit algorithm is not the same as a high-performing candidate. Human managers should interrogate, not defer to, the tool.
What to watch as regulation evolves
India's data protection regulator, the Data Protection Board, was still being constituted as of mid-2026. Sector-specific guidance on automated decision-making may follow. The Bureau of Indian Standards has also been developing an AI assurance framework. Neither is binding at the time of writing, but both signal the direction of travel: transparency, accountability and human oversight will be the regulatory expectations.
Employers who build those principles into their AI hiring process now will be in a stronger position when more prescriptive rules arrive — and will run fairer, more defensible recruitment regardless.
---
Run HR and payroll in India with Mellow
Mellow brings HR, payroll and 12 AI agents into one platform — built to handle India properly, with payroll included, from £4 per employee per month. The AI agents don't just answer questions; they generate contracts, run cost estimates and draft letters for you.
[Start a free trial →](/register)