Digital personal data protection: Update this law to the age of AI

While it’s essential to prioritize the safety and data privacy of children in the digital age, an age threshold set at 18 years might not be practical or in line with the evolving landscape of technology and children’s maturity levels.
While it’s essential to prioritize the safety and data privacy of children in the digital age, an age threshold set at 18 years might not be practical or in line with the evolving landscape of technology and children’s maturity levels.


India should consider revisiting some of its provisions to enable more effective AI operations without compromising privacy

The Digital Personal Data Protection (DPDP) Act of 2023 marks a pivotal moment in India’s data governance, one that will significantly influence the trajectory of artificial intelligence (AI). With its focus on personal data processing, this law will have AI systems deployed to obtain explicit user consent, deliver comprehensive multilingual notices and adhere to predefined data usage objectives, thereby curtailing indiscriminate data scraping practices. This transformation carries profound implications for the AI ecosystem, given its fundamental reliance on data for training and progression.

It is important to understand the intricate mechanisms by which AI systems operate, particularly in the context of data acquisition to train their models. Contemporary AI-using enterprises engage in a multifaceted process of data gathering that spans a spectrum of sources, with a significant focus on personal data. This repository encompasses data not only from users who interact with these systems, responding to prompts and giving inputs, but also from developers who refine AI models with extensive open-source data-sets. Let’s understand this better with the help of an example. Take the use of AI for healthcare diagnostics. Before the DPDP Act, AI-driven healthcare systems could access extensive patient data for diagnostics, often without stringent consent requirements, leading to effective medical outcomes. Now with the law coming into force, strict consent and data handling norms will be enforced, impacting AI’s access to patient records and thereby also impacting the effective training of its models.

This brings us to how the DPDP Act redefines the rules of the game for data management in India, compelling AI systems to undergo a transformative shift in their operational mechanisms. First, the Act mandates a re-evaluation of the procedures for training algorithms on personal data and processing it. This necessitates a stringent adherence to the specified purposes of data usage, rendering indiscriminate data mining untenable. Further, AI systems must provide comprehensive notices in both English and all official Indian languages, elucidating the precise intentions of data processing. Consent, a cornerstone of data protection under the new law, must be enabled through unequivocal affirmative actions and applied strictly in accordance with the stated purposes, curtailing any unauthorized diversions of data. Crucially, for individuals below the age of 18 or those with guardians, AI systems are obliged to secure verbal consent from parents or guardians, thereby impeding AI’s ability to train on children’s data without explicit consent. While it’s essential to prioritize the safety and data privacy of children in the digital age, an age threshold set at 18 years might not be practical or in line with the evolving landscape of technology and children’s maturity levels. It’s crucial to strike a balance between protecting children and allowing them to responsibly engage with digital platforms. Adjusting the age threshold and implementing robust educational initiatives aimed at digital literacy and responsible online behaviour might be more effective.

Further, the Act replaces “deemed consent" with “legitimate uses," but narrows the definition of legitimate uses by eliminating “fair and reasonable purposes" and “public interest" grounds. Data can be processed without explicit consent when voluntarily provided and not refused per se by the data principal. This allows the use of data in scenarios like exchanging it for services. The Act specifies legitimate uses that include state functions, safeguarding the state, providing benefits, legal obligations, health emergencies, disasters and employer requirements of employee data. Unlike foreign data protection laws like the EU’s General Data Protection Regulation (GDPR), India’s DPDP Act lacks provisions for “performance of a contract" or “legitimate interests." These changes may impact how AI systems handle data in India. In the GDPR, “performance of a contract" lets organizations process personal data when it’s necessary to fulfil a contractual obligation, while the “legitimate interests" part offers a legal basis for data processing when it serves a legitimate purpose and the interests of the data subject do not override those of the organization. These omissions in the Indian law could have implications for AI systems operating in India.

AI systems that rely on data for contract-related activities may face challenges in compliance. The absence of performance-of-contract as a legal basis for data processing may require these systems to seek explicit consent for every bit of data usage, potentially causing operational friction that affects the user experience. Second, AI applications that leverage data for purposes deemed to be legitimate may need to reevaluate their data processing practices. Without a specific legal basis for “legitimate interests," organizations may need to rely on other lawful grounds or obtain explicit consent, potentially impeding their ability to swiftly respond to emerging needs or business requirements. The DPDP Act’s deviation from global data protection norms in terms of those two provisions could necessitate adjustments in how AI systems operate in India and may impede the growth of such emerging technologies in the country. Also, while the Act makes substantial strides in data privacy and consent, it fails to provide a comprehensive framework for addressing cybersecurity concerns and safeguarding data from breaches. The law focuses predominantly on data handling, user consent and legitimate uses of personal data. It may be beneficial to incorporate more explicit provisions or guidelines related to data encryption and measures to prevent unauthorized data scraping activities. This is especially important given the increasing prevalence of data breaches and cyber threats in the digital age.

While India navigates stricter data processing requirements as per its new law, it’s also crucial to strike a balance between robust data protection and fostering innovation. While innovation propels AI’s potential, it also necessitates safeguards to protect individual privacy and data integrity. The unchecked pursuit of innovation could lead to unintended privacy breaches and data mismanagement. Hence, exploring the adoption of risk-based AI frameworks could emerge as a pivotal strategy in this balancing act. These frameworks should hold the potential to identify and mitigate potential risks associated with AI applications, ensuring that innovation proceeds responsibly and ethically.

AI represents the next frontier in technology. Its adoption can potentially revolutionize industries, enhance efficiency and improve lives. To harness its transformative power, India should consider revisiting certain provisions in the DPDP Act to provide clearer pathways for AI systems to operate effectively while maintaining safeguards for data privacy. India should not inadvertently obstruct the growth of emerging technologies like AI. While data protection is paramount, it’s also essential to create an enabling environment for AI to flourish, ensuring that India remains at the forefront of global technological advancements. This can be achieved by striking a balance between data privacy and innovation, helping us realize the full potential of AI in the country.

Catch all the Elections News, Business News, Market News, Breaking News Events and Latest News Updates on Live Mint. Download The Mint News App to get Daily Market Updates.


Switch to the Mint app for fast and personalized news - Get App