AI-driven tools and machine learning algorithms have revolutionized how we interact with technology, offering automation of tasks and promising transformational outcomes. Nevertheless, it’s essential to recognize the potential drawbacks, such as lack of transparency and ethical implications

Data privacy is a critical aspect seen with Large Language Models (LLM) such as OpenAI’s GPT 3, which is trained on vast amounts of internet data, including personal websites and social media content. This has sparked concerns about data usage without proper consent, leading to challenges in data ownership and control after it’s used to train the model.

The “right to be forgotten” is another pressing issue. As AI adoption increases, individuals may seek the option to delete their data from model databases. However, currently, there is no standardized process for individuals to request such data deletion from machine learning models.

Is This Legal?

The legality of using personal data to train machine learning models such as GPT-3 varies depending on the applicable laws and regulations in a given country or region. For instance, in the European Union, the General Data Protection Regulation (GDPR) mandates that data be collected and utilized exclusively for specific, lawful purposes. GDPR requires organizations to obtain explicit consent from individuals before collecting and using their data. While there are legal grounds for processing personal data for scientific and historical research purposes, the controller must adhere to GDPR’s fundamental principles and respect individuals’ rights

In contrast, the United States lacks a federal law exclusively governing the use of personal data for training machine learning models. Nevertheless, organizations typically need to comply with existing laws like the Health Insurance Portability and Accountability Act (HIPAA), Children’s Online Privacy Protection Act (COPPA), and the California Consumer Privacy Act (CCPA) when handling personal data, especially for sensitive categories.

How are things in India? 

India’s proposed Digital Personal Data Protection Bill (DPDP Bill) demonstrates the most recent conflict between AI and privacy. Interestingly, here the friction is not just limited to AI but extends to search engines and online directories with the proposed change, thereby encompassing a wide array of businesses.

Previously, the DPDP Bill incorporated the notion of “deemed consent” under Section 8(8). This encompassed situations where the individual was reasonably expected to provide their personal data voluntarily to the business for purposes like compliance with judicial orders, employment, public interest, or other “fair and reasonable” objectives.

Under “public interest,” the Bill mentioned the following:

1. Fraud prevention and detection.
2. Mergers and acquisitions.
3. Network and information security.
4. Credit scoring.
5. Search engines processing publicly available personal data.
6. Publicly available personal data.
7. Recovery of debt.

legitimate purposes

The Way Forward

As privacy regulations continue to advance, there is a noticeable emphasis on safeguarding consumers’ rights. The DPDP Bill, if enacted, aims to provide users with increased options and safeguards regarding their data usage. It will grant consumers convenient access to their data held by companies and streamline the process of requesting data deletion. Non-compliance with these regulations could lead to substantial fines, with potential penalties reaching up to INR 250 Cr, highlighting the significance of data protection and adherence to the evolving privacy landscape. As a way forward, companies must begin planning toward compliance with the new regulations, to hit the ground running when the Bill comes into effect.

DISCLAIMER – No information contained in this website may be reproduced, transmitted, or copied (other than for the purposes of fair dealing, as defined in the Copyright Act, 1957) without the express written permission of Rainmaker Online Training Solutions Pvt. Ltd.