AI, Data Privacy, and India’s Digital Personal Data Protection Bill: What is at Stake?

AI-driven tools and machine learning algorithms have revolutionized how we interact with technology, offering automation of tasks and promising transformational outcomes. Nevertheless, it’s essential to recognize the potential drawbacks, such as lack of transparency and ethical implications.

Data privacy is a critical concern with Large Language Models (LLMs) such as OpenAI’s GPT-3, which is trained on vast amounts of internet data, including personal websites and social media content. This has sparked concerns about data usage without proper consent, leading to challenges in data ownership and control after the data is used to train the model.

The “right to be forgotten” is another pressing issue. As AI adoption increases, individuals may seek the option to delete their data from model databases. However, currently, there is no standardized process for individuals to request such data deletion from machine learning models.

Is This Legal?

The legality of using personal data to train machine learning models such as GPT-3 varies depending on the applicable laws and regulations in a given country or region. For instance, in the European Union, the General Data Protection Regulation (GDPR) mandates that data be collected and utilized exclusively for specific, lawful purposes. GDPR requires organizations to obtain explicit consent from individuals before collecting and using their data. While there are legal grounds for processing personal data for scientific and historical research purposes, the controller must adhere to GDPR’s fundamental principles and respect individuals’ rights.

In contrast, the United States lacks a federal law exclusively governing the use of personal data for training machine learning models. Nevertheless, organizations typically need to comply with existing laws like the Health Insurance Portability and Accountability Act (HIPAA), Children’s Online Privacy Protection Act (COPPA), and the California Consumer Privacy Act (CCPA) when handling personal data, especially for sensitive categories.

How are things in India? 

India’s proposed Digital Personal Data Protection Bill (DPDP Bill) demonstrates the most recent conflict between AI and privacy. Interestingly, here the friction is not just limited to AI but extends to search engines and online directories with the proposed change, thereby encompassing a wide array of businesses.

Previously, the DPDP Bill incorporated the notion of “deemed consent” under Section 8(8). This encompassed situations where the individual was reasonably expected to provide their personal data voluntarily to the business for purposes like compliance with judicial orders, employment, public interest, or other “fair and reasonable” objectives.

Under “public interest,” the Bill mentioned the following:

  1. Fraud prevention and detection.
  2. Mergers and acquisitions.
  3. Network and information security.
  4. Credit scoring.
  5. Search engines processing publicly available personal data.
  6. Publicly available personal data.
  7. Recovery of debt.

Experts say processing of “Publicly available personal data” has been removed in the latest draft. Instead, a new Section (Section 18) titled “legitimate purposes” has been introduced, which is more restrictive and requires AI, search engines, and online directories to collect and process publicly available personal information only with the prior consent of the individual(s). Failure to follow these probable guidelines could leave such businesses exposed to several prolonged litigations.

The Federal Trade Commission recently opened an investigation into OpenAI for potential consumer protection law violations by making false, misleading, disparaging, or harmful comments through its AI software ChatGPT. OpenAI also faces another class action lawsuit for scraping vast amounts of personal data to train the LLM.

The Way Forward

As privacy regulations continue to advance, there is a noticeable emphasis on safeguarding consumers’ rights. The DPDP Bill, if enacted, aims to provide users with increased options and safeguards regarding their data usage. It will grant consumers convenient access to their data held by companies and streamline the process of requesting data deletion. Non-compliance with these regulations could lead to substantial fines, with potential penalties reaching up to INR 250 Cr, highlighting the significance of data protection and adherence to the evolving privacy landscape. As a way forward, companies must begin planning toward compliance with the new regulations, to hit the ground running when the Bill comes into effect.

DISCLAIMER – No information contained in this website may be reproduced, transmitted, or copied (other than for the purposes of fair dealing, as defined in the Copyright Act, 1957) without the express written permission of Rainmaker Online Training Solutions Pvt. Ltd.