The ever-growing presence of artificial intelligence (AI) in enhancing, personalising, and enabling user-experiences across ‘daily-use’ digital fronts such as smart devices, streaming services, e-commerce, digital advertising, and virtual or augmented reality, has been reshaping global consumption avenues. Within AI’s pervasive forms, the functioning of AI-based personalised services rely heavily on the usage of digital personal data. Consequently, the volume, method and even types of personal data now collected, processed, and shared worldwide, have transformed rapidly, heightening concerns about data protection.
The Digital Personal Data Protection Act 2023 (Act) has been touted as a more comprehensive data protection framework, in this piece, we touch upon some of the key highlights of the dynamic interplay between personal data and the growing influence of AI, in context of the Act.
Applicability: The Act applies to fully or partly automated processing of personal data, covering AI-based personal data collection, disclosure, and other forms of processing. A more nuanced understanding on this is expected once the pending Rules under the Act are notified. Assuming it’s applicability, data fiduciaries (entities controlling the AI’s usage) will have to ensure compliance with data fiduciary obligations. For example, implementing reasonable security practices, and technological measures and safeguards against data breaches, using personal data only for specified purposes and notifying instances of data breaches, etc. Additionally, data fiduciaries must enable the rights of data principals (individuals) such as obtaining granular and free prior consent, specifying the purpose and use of data collection under a privacy notice, enabling grievance redressal, and facilitating right to erasure, etc.
Public personal data and deepfakes: The Act excludes publicly available personal data from its ambit. This would mean that AI-entities scraping publicly available personal data for self-training may not be required to comply with the data fiduciary obligations (e.g., obtaining prior consent). Similarly, the reach of the Act (if not other laws) on ‘deepfake’ creators using publicly available personal images or videos becomes debatable. While more concrete jurisprudence is awaited on this lacuna, generating public awareness regarding the potential use of public personal data for AI-modelling and training, deepfake creation, and perhaps commercialisation without the users’ knowledge becomes critical.
Profiling: Although not specifically mentioned in the Act, the wide definition of ‘personal data’ may be said to cover profiling or user behavioural pattern data to the extent identifying an individual (together with other information available with the data fiduciary). This would trigger the applicability of data fiduciary obligations and data principal rights relating to such data, which will be a crucial lookout area especially for entities providing personalised digital services through AI-based profiling.
Consent Managers: The Act envisages the novel concept of consent managers (to be appointed for data principals) as a single-point-of-contact for managing user consent across platforms. Though a globally untested concept, this new business segment of consent managers as a service will likely be powered by AI. Thus, consent managers may themselves become large-scale (and highly valuable) repositories of user-specific consent preferences across platforms. While the Act requires consent managers to ensure data principals’ rights, including grievance redressal, data breaches and misuse will remain a concern.
Significant data fiduciaries (SDFs): The central government may notify any data fiduciary or a class of data fiduciaries as SDFs, depending on the volume and sensitivity of personal data, potential risks to data principals, and other parameters. The Act imposes additional obligations on SDFs such as appointing data protection officers and independent data auditors, undertaking periodic audits and data protection impact assessments, and any other prescribed measures. This may require prominent AI-based digital businesses to undertake additional organisational measures towards such higher compliance standards.
Conclusion
Despite AI’s exponential proliferation worldwide, legislative action specifically addressing general AI usage or AI-related data protection concerns remains relatively nascent. The new Act represents a significant step towards comprehensive data protection in India, potentially covering AI ecosystems. It could serve as a stepping stone for more targeted regulations that directly address AI-related data protection concerns. However, these regulations must strike a balance between addressing data protection concerns and recognising the transformative power of AI for businesses.