Strengthening India’s Digital Impact Assessment Regime: Towards a Precautionary Strict Due Diligence Standard
- Centre for Advanced Studies in Cyber Law and AI CASCA
- Oct 22
Updated: Oct 23
This guest post is authored by Mr. Rudraksh Lakra, Research Fellow (Law and Technology) at the Vidhi Centre for Legal Policy
Introduction
The requirement for impact assessment as part of due diligence obligations has emerged as a key norm in India’s technology law and policy landscape. It is already embedded in data protection legislation, is gaining increasing relevance in the context of AI, and has become essential for the regulation of algorithmic management. In the first subsection, I analyse these impact assessment requirements, highlighting how they currently reflect ‘weak’ due diligence obligations, functioning primarily as a duty of conduct. I then contend for a recalibration toward a ‘strict’ due diligence standard, which would elevate impact assessments into a duty of result and a substantive obligation. In the second subsection, I explore how this strict due diligence standard can be strengthened by drawing insights from the precautionary approach under international environmental law.
Case for Transitioning from a Weak to a Strict Due Diligence Standard
The Digital Personal Data Protection Act, 2023, mandates significant data fiduciaries to periodically submit data protection impact assessments [Section 10(2)(c)(i)]. Similar obligations were proposed in the data protection bills of 2018, 2019, 2021, and 2022. Impact assessments are also referenced in AI-related policy documents issued by NITI Aayog, the Reserve Bank of India, and the Securities and Exchange Board of India. While the Karnataka Platform-Based Gig Workers (Social Security and Welfare) Act, 2025, does not explicitly require impact assessments, provisions such as preventing discrimination on protected grounds through automated monitoring may incentivise entities to conduct such assessments to ensure compliance [Section 13(2)].
In the examples above, and in the way that impact assessment mandates are generally conceptualised, we see what I call ‘weak’ due diligence. It obliges the relevant entities to consider the risks associated with proposed measures and may even require them to implement mitigation strategies, but it does not go beyond that. In contrast, a strict due diligence standard would require that if the assessed risks outweigh the potential benefits, even after considering proposed mitigation measures and safeguards, the initiative should not proceed.
The strict version of due diligence was formulated in the context of environmental law. The Wingspread Statement on the precautionary approach (1998), signed by scientists, lawyers, policymakers, and environmentalists, observed that:
“The process of applying the precautionary approach must be open, informed and democratic and must include potentially affected parties. It must also involve an examination of the full range of alternatives, including no action.”
Weak due diligence functions as a duty of conduct: it requires an entity to take reasonable steps to prevent harm, but does not categorically prohibit proceeding with the action. In contrast, strict due diligence embodies a substantive standard, prioritising the principle of “no action” when potential risks are deemed unacceptable.
Strict due diligence restricts such discretion by requiring a proportionate evaluation of risks and rewards, whereas weak due diligence gives the state or entity greater latitude in deciding on the proper degree of intervention. The weak standard sustains regulatory minimalism, functioning as a procedural alibi rather than a substantive constraint: a safety net riddled with institutional holes through which harm predictably slips. For example, the Supreme Court’s upholding of the environmental clearances for the Sardar Sarovar Dam and the Manohar International Airport (see here and here), despite flawed impact assessments, illustrates how proceduralism legitimises projects and shields them from genuine scrutiny. In these cases, under strict due diligence, the Court would have faced much greater difficulty in approving the projects and would at least have had to engage more meaningfully with the evidence of discrepancies in the impact assessments. At its core, weak due diligence sanctifies bureaucratic ritual and the theatre of compliance, while strict due diligence reclaims accountability by insisting that legality must not merely record precaution but materially instantiate it.
In India, a limited form of strict due diligence exists under the EIA Notification, 2006, which mandates ex-ante environmental clearance for projects. While it requires a comprehensive impact assessment, it does not clearly indicate whether a project should be halted if it poses disproportionate harm. The effectiveness of this regime has been further weakened by poor implementation and subsequent amendments (see here, here, here, and here). Notifications in 2017 and 2021 further undermined it by allowing ex-post facto approvals. The Supreme Court declared this practice unconstitutional in Vanashakti v. Union of India in June 2025. Globally, in fields such as AI regulation, data protection, and algorithmic management, the weak form of due diligence remains far more common. An exception is the California Privacy Protection Agency’s Automated Decision-Making Technology Regulation (2026). It requires an impact assessment in high-risk cases and prohibits the activity when potential harms outweigh benefits, even after considering safeguards.
The impact assessment under strict due diligence already codifies the balancing requirement, a core element of the principle of proportionality that plays a central role in human rights adjudication. Necessity, another key aspect of proportionality, should be applied in a more limited form during impact assessments. Specifically, while an entity is not obligated in every instance to implement the least restrictive measure capable of achieving its objective, a measure that is disproportionate or excessive should trigger a duty to explore and adopt a less restrictive alternative. Naturally, if no effective alternative exists, the measure must not proceed. This interpretive approach extends the logic of the Wingspread Statement, repositioning strict due diligence as a substantive standard of restraint rather than a procedural formality. It challenges the bureaucratic reduction of precaution to paperwork, reaffirming impact assessment as a norm that confronts the tendency of power to normalise harm under the guise of risk management.
Precautionary Approach as an Illuminating Guide
In the previous section, I examined the contours of strict due diligence, which suggest that if an impact assessment indicates that a proposed measure would cause disproportionate adverse impacts, then it should not proceed. This approach draws on the principle of proportionality, incorporating both balancing and a more limited form of necessity. While more substantive than weak due diligence, strict due diligence can still be undermined in practice. This makes it essential to consider how its application can be strengthened.
At this juncture, two fundamental questions come to the fore: who bears the burden of proof, and what evidentiary standard should govern the evaluation of scientific and technical evidence? One interpretation asserts that the burden of proof should rest entirely on the proponent of an activity, with any scientific uncertainty tipping the scales against the proposed measure. Another interpretation, by contrast, assigns the burden of proof to affected parties or those challenging the activity, resolving uncertainties in favour of the proponent. The latter position tends to entrench existing power structures, typically advantaging states and corporate actors, while affording limited protection to vulnerable domains such as the environment, public health, and human rights. The former, by contrast, subverts this asymmetry, demanding that those who seek to act under conditions of uncertainty must also bear the evidentiary weight of potential harm. In doing so, it aligns closely with the precautionary principle as established under international environmental law.
The precautionary approach is not an independent principle under international law, but it has crystallised as a normative anchor within environmental governance, enshrined in multiple framework treaties and instruments (see here, here, here, and here). It incorporates two key safeguards: the burden of proof rests on the proponent of the measure, and scientific uncertainty is not a barrier to taking precautionary action. Together, these safeguards reconfigure the epistemic and ethical terrain of decision-making, preventing evidentiary gaps from justifying inaction and steering governance toward a proactive logic that prioritises harm prevention over assumptions of permissibility. Crucially, the logic underpinning the precautionary approach is equally relevant to the field of technology. Like environmental interventions, emerging technologies create risks that are uncertain, complex, and potentially irreversible. In both contexts, decision-making occurs under conditions of incomplete knowledge and rapidly evolving consequences. For example, requiring technology developers and deployers to bear the burden of proof ensures that those best placed to assess and mitigate risks remain accountable. Likewise, acknowledging that uncertainty is not a reason for inaction prevents regulators and policymakers from postponing protective measures until harms have already manifested. Moreover, akin to environmental harms, technological risks are frequently diffuse and asymmetrical: the benefits tend to accrue to powerful entities, while the costs, such as privacy violations, bias, or service disruptions, fall disproportionately on vulnerable groups.
By requiring assessment and proactive mitigation even under conditions of uncertainty, the precautionary approach injects a risk-averse, public-interest orientation directly into the architecture of due diligence. This orientation aligns closely with the logic of strict due diligence, which compels entities not merely to identify and mitigate risks, but to suspend or halt initiatives where residual risks remain excessive despite safeguards. In this way, the precautionary approach strengthens strict due diligence by ensuring that regulatory practice privileges long-term societal well-being over the ephemeral gains of unbridled technological innovation.
Conclusion
In summary, the strict due diligence model reconceptualises impact assessments from a procedural duty of conduct into a substantive duty of result. It demands not only the identification and mitigation of risks but also the suspension or cessation of initiatives when residual risks outweigh anticipated benefits, even after proposed safeguards are accounted for. The effectiveness of this standard, however, depends on how questions of burden of proof and scientific uncertainty are addressed.
The precautionary approach strengthens strict due diligence by placing the burden of proof on the proponent of a measure and by rejecting uncertainty as a justification for inaction. Applied to the technology sector, this principle ensures that risks are proactively addressed, even in the absence of complete evidence. In doing so, it reinforces strict due diligence as a forward-looking, protective framework that prioritises long-term societal interests and prevents innovation from proceeding at the expense of disproportionate harm. As India’s regulatory regimes governing data protection, AI, and algorithmic management continue to evolve, embedding these principles at the core of both policy and technical design is indispensable to preventing disproportionate harms under the guise of ‘progress.’
