The Best Time to Enact Data Protection Laws was 20 Years Ago; The Next Best Time is Now!

The road to personal data protection in India has been rocky. In 2017, India’s Supreme Court upheld the right to privacy as a part of our fundamental right to life and liberty. A panel chaired by retired Justice B N Srikrishna was given the task of drafting a Bill. In 2018, this panel submitted its draft to the Ministry of Electronics & Information Technology. The Personal Data Protection Bill that was eventually tabled in parliament in December 2019 proposed restrictions on the use of personal data without the explicit consent of citizens and introduced data localization requirements. It also proposed establishing a Data Protection Authority.

However, the bill was widely seen as a diluted version of what was originally envisioned by the Srikrishna panel in terms of its ability to truly protect the data/privacy of individuals. The bill was seen to place a significant regulatory burden on businesses and thus viewed as an impediment to the “ease of doing business” in India. A major bone of contention was the bill granting the government a blanket right to exempt investigative agencies from complying with privacy and data protection requirements. Understandably, there was pushback from BigTech, global financial services players as well as activists; even startups were unhappy with the proposed regulatory burdens.

In December 2021, after a number of extensions spanning over two years, the Joint Parliamentary Committee (JPC) that was set up to examine the draft bill submitted its report to the Lok Sabha. The JPC report has reportedly highlighted areas of concern and proposes a number of amendments/recommendations such as:

  • a single law to cover both personal and non-personal datasets;
  • using only “trusted hardware” in smartphones and other devices;
  • treating social media companies as content publishers, thus making them liable for the content they host.

In early August 2022, the government withdrew the Personal Data Protection Bill, 2019, with the promise to introduce a new one with a “comprehensive framework” and “contemporary digital privacy laws”.

 

India needs New Regulations to Plug the Data Protection Gap

That India needs robust data protection and privacy regulations which should be enacted soon is beyond debate. With digitalization becoming ever more pervasive by the day, the longer we are without clear regulations, the greater the risk is to our citizens. Each of the major trends below has the potential to infringe on individual privacy and can give rise to large-scale risks of user data (including personally identifiable information) being leaked/breached and misused:

  • The growth in digital banking, payment apps and other digital platforms.
  • The potential for Blockchain-based apps (in education- e.g., degree certificates, mark sheets; in health care – medical records; in unemployment benefits; KYC, passports etc.).
  • The growing popularity of crypto assets (and the attendant risk of them being used for money laundering, funding terror/anti-national activities etc.).
  • The rise of Web 3.0.
  • The increase in the use of drones for civilian purposes (e.g., delivery of vaccines, food to disaster-hit areas etc).
  • The emergence of the Metaverse as a theatre of personal/commercial interactions.

According to a news report, IRCTC had sought the services of consultants to help them analyze the huge amount of customer data they have and explore avenues to monetize the information. Given that the existing bill has been withdrawn, they have deferred this plan till new legislation is in place. Delays in enacting new data protection legislation thus also can impact revenue growth and profitability of various businesses- which is another reason for quickly coming up with new legislation.

 

The New Data Protection Law should be Well-defined and Unambiguous

While “consent” must be a cornerstone of any such legislation, the government must also ensure that users whose data need to be protected, fully understand the implications of what they are consenting to. For example, each time an individual downloads an app on his/her smartphone, the app seeks a number of permissions (e.g., to mic, contacts, camera etc.). As smartphones become repositories of larger slices of personally identifiable information as well as financial data (such as bank/investment details), and authentication details such as OTPs, emails etc., the risks of data breaches and misuse that cause serious harm increase. There are a number of frauds and digital scams to which citizens are falling prey. Commercial and other organizations that build and manage various digital platforms must be held accountable for what data they capture, how they do so, why they need the data, how/where they will store such data, who will have access to them etc.

Just as important is for the new law to define unambiguously terms like “critical data”, “localization”, “consent”, “users”, “intermediaries” etc. Many companies are establishing their Global Captive Centres (GCCs) in India, to take advantage of the large talent pool and process maturity. Strong laws will encourage more layers to consider this route seriously, thereby adding to jobs and GDP growth. Such investments also make it easier for India to be a part of emerging global supply chains for services (including high-value ones such as R&D and innovation).

It must address the risks of deliberate breaches as well. For instance, if hybrid working models are indeed going to remain in place, who should be held responsible for deliberate data leaks by employees working remotely? Or by their friends/relatives/others who take screenshots (or otherwise hack into systems) and share data with fraudsters?

While fears of an Orwellian world cannot be overstated, India’s new data privacy/protection legislation must be sufficiently forward-looking and flexible to give our citizens adequate safeguards. If the government fails to do so, our aspirations to become one of the top three nations on earth will take much longer – worse, they main only remain on paper as grandiose but unfulfilled visions.

Picture Credits: Photo By Fernando Arcos: https://www.pexels.com/photo/white-caution-cone-on-keyboard-211151/ 

While fears of an Orwellian world cannot be overstated, India’s new data privacy/protection legislation must be sufficiently forward-looking and flexible to give our citizens adequate safeguards. 

POST A COMMENT

IS17428 -A New Privacy Assurance Standard in India

Recently, Aditya Birla Fashion and Retail Ltd (ABFR) faced a major data breach on its e-commerce portal. As per the reports, personal information of over 5.4 million users of the platform was made public. The 700 GB data leak included personal customer details like order histories, names, dates of birth, credit card information, addresses and contact numbers. Additionally, details like salaries, religion, marital status of employees were also leaked.  Forensic and data security experts were pro-actively engaged to implement the requisite damage-control measures and launch a detailed investigation into the matter.[1] This demonstrates the need to have wider awareness and establish standardized protocols for personal data management. 

The battle of data protection and privacy currently stands at a juxtaposition with a flourishing data economy. 2021 was a watershed moment in the privacy & data protection dialogue in the country. The need for comprehensive data protection law was louder than ever and there were major initiatives on the legislative and executive front.

In June of 2021, the Bureau of India Standards (BIS) introduced IS 17428 for data privacy assurance. It is a privacy framework designed for organisations to handle the personal data of individuals that they collect or process. The certification provided by BIS for IS 17428 can be deemed as an assurance extended to the customers/users by the organizations of well-implemented privacy practice. The BIS being a statutorily created standard-setting body of our country will bring some welcome change in our data management.  

IS 17428 is divided into 2 parts[2]:

  • Part 1 deals with the Management and Engineering parameters that are mandatory for an organization to comply with. This part provides for establishing and cultivating a competent Data Privacy Management System.
  • Part 2 deals with the Engineering and Management guidelines which enable the implementation of Part 1. These guidelines are not mandatory in nature but a reference framework for an organization to implement good practices internally.

 

The Context – Privacy & Data Protection laws in India

 

The Data protection bill was expected to be tabled in parliament back in 2019 but was postponed due to the ongoing pandemic. The country was hoping to pass the bill last year, however, it was sent to the Joint Parliament Committee (JPC) for perusal. The JPC made its report on the bill public in the month of December 2021.

Also, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 had been implemented back in 2011, primarily to safeguard the sensitive personal data of individuals that are collected, processed, transferred, or stored by any organisation and enumerate security practices. The rule lays down certain practices and procedures to be followed by a stakeholder while dealing with sensitive personal data. International Standard IS/ISO/IEC 27001 is one such acceptable standard.

Later ISO27701 was specifically introduced that focused on Privacy Information Management.  However, our Indian enactment has not specifically endorsed any such standards though Standards formulated by the industry association that is approved and notified by the Central Government are also deemed appropriate.  In this background, BIS introducing a standard is a welcome initiative as it will help in bringing uniformity in terms of the implementation of privacy practices across Indian industries.

Components of Part 1 of IS 17428[3]

 
Development of Privacy Requirements:

While developing the privacy requirements of the organisation in relation to the data collected or processed, the organisation has to take into consideration various factors such as jurisdiction, statutory requirements and business needs.

Personal Data Collection and Limitation:

The organisation is permitted to collect the personal information of the individuals, provided the same has been consented to by such individuals.

Privacy notice: 

The organisation is bound to provide a notice to individuals while collecting information from them and when such collection is through an indirect method employed by the organisation, then it is the duty of the former to convey by the same in an unambiguous and legitimate means.

The contents of a privacy notice at the minimum should include the following[4]:

  • Name and Address of the entity collecting the personal data
  • Name and Address of the entity retaining the personal data, if different from above
  • Types and categories of personal data collected
  • Purpose of collection and processing
  • Recipients of personal data, including any transfers
Choice and Consent:

As mentioned earlier, while collecting information, the organisation should get the consent of the individual at the initiation of the process while offering such individuals the choice of the information that they consent to disclose. This entire process should be done in a lawful manner and according to the privacy policies implemented by the organisation.

Data Accuracy: 

The data collected by the organisation should be accurate, and in case it is inaccurate, it should be corrected promptly.

Use Limitation: 

The data collected by the organisation should be used for the legitimate purpose for which it was agreed upon and it shall not be used for any other purposes.

Security: 

The organisation should implement a strict security program to ensure that the information collected is not breached or compromised in any manner.

Data Privacy Management System: 

The organisation is required to establish a Data Privacy Management System (DPMS). The DPMS shall act as a point of reference and baseline for the organisation’s privacy requirements/objectives.

Privacy Objectives: 

The privacy objective of the organisation shall be fixed and set out by the organisation itself. While determining the objectives the organisation shall also look into various factors such as the nature of business operations involving the GDPR processing of personal information, the industry domain, type of individuals, the extent to which the processed information is outsourced and the personal information collected. Moreover, the organisation shall also ensure that the objectives are in alignment with its privacy policy, business objectives and the geographical distribution of its operations.

Personal Data Storage Limitation: 

The organisation shall be allowed to retain the information collected from the individual only for a specific time period as required by the law or the completion of the purpose for which it was collected in the first place. The individual shall have the right to delete their personal information from the organisation database upon request.

Privacy Policy: 

The organisation shall create and implement a privacy policy that shall determine the scope and be applicable to all its business affiliates. The senior management of the organisation shall be in charge of the data privacy function. Moreover, the privacy policy should be in consonance with the privacy objectives of the organisation.

Records and Document Management

The organisation shall keep a record of its processing activities which shall, in turn, ensure responsibility towards the compliance of data privacy. The possible way to achieve such a standard is to lay out procedures that help to identify various records. While laying out procedures, the organisation shall take into consideration certain factors such as a record of logs that demonstrate affirmative action and options chosen by individuals on privacy consent and notice, evidence of capture events related to access or use of personal information, and retention period of obsolete documents.

Privacy Impact Assessment: 

A privacy impact assessment shall be carried out by the organisation from time to time. Such an assessment shall help in estimating the changes and the impact that they can possibly have on the data privacy of the individuals.

Privacy Risk Management

The organisation shall put in place and document a privacy risk management methodology. The methodology shall determine how the risks are managed and how the risks are kept at an acceptable level.

Grievance Redress:  

A grievance redressal mechanism shall be established by the organisation to handle the grievances of the individuals promptly. The organisation shall ensure that the contact information of the grievance officer shall be displayed or published and that they have the channel of receiving complaints from the individuals. Moreover, the organisation shall also make it clear as to the provision for escalation and appeal and the timelines for resolution of the grievance.

Periodic Audits: 

The organisation shall conduct periodic audits for the data privacy management system. The audit shall be conducted by an independent authority competent in data privacy, internal or external to the organization, at a periodicity appropriate for the organization, at least once a year.

Privacy Incident Management: 

Privacy breaches and data privacy incidents shall be reported regularly and the organisation shall come up with a mechanism to manage such incidents. The process shall involve identifying the incident at the first stage and investigating the root cause, preparing analysis and correcting the incidents in the second stage. The last stage is basically informing the key stakeholders including Data Privacy Authority about the breach or incident.

Data Subject’s Request Management: 

The organisation shall develop a mechanism to respond to requests from individuals concerning their personal data. This process shall include the means to verify the identity of the individual, provision access to the information and the means to update the information.

 

How IS 17428 would help in Privacy and Data Protection? 

 

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (RSPP and SPDI rules) had been the only law for organisations to follow. The rules did not prescribe or detail any specific requirements or standards in relation to personal data management and in the absence of formulated standards for the protection of the sensitive personal data of individuals, industry bodies were struggling to have uniform procedures. 

This being the case, introducing specific standards for personal data management will bring more clarity and will help companies to adhere to an approved standard prescribed by a government agency. Moreover, principles narrated in this standard are in accordance with the Internationally recognised privacy principles and will help Indian companies to proffer confidence when dealing with their commercial counterparts.

Introduction of record and document management, risk assessment and data subject request management are a few of the aspects that bring onerous responsibilities on companies making them more accountable and transparent.  These aspects have laid down procedures and mechanisms for an organisation to improve their privacy management, for example, introducing processes such as verification of identity, access to information, evidence of capture events of consent and retention period of obsolete documents.

 

The proposed data protection legislation and the IS 17428

 

The IS 17428 standard has been inspired primarily from the principles dictated from OECD privacy principles, GDPR and ISO27701. The proposed data protection legislation on the other hand has many divergences from the above instruments in many respects. For Instance, the IS standard has an elaborate description provided for the privacy objective of the organisation and the factors that need to be taken into account. Most of these objectives are covered under Sections 22 and 23 of the draft Bill but nevertheless, the standard has recommended a few other factors such as geographical operation, industrial domain and type of individuals as specific factors to be taken into consideration while drafting the privacy objectives. How much discretionary privacy standards can be created, what is allowed freedom for industries in this regard is unclear.

Section 28 of the draft bill talks about the records and document management of the data collected or processed and the standard covers almost every bit of the section. In addition to the consideration mentioned under the bill, the standard goes forward and echoes the need to establish a policy on the preservation of obsolete policies and process documents. Data and record-keeping should be for a defined period. The majority of other legislation prescribes an average of 7 years of data-keeping. Keeping any data beyond such a reasonable period may not serve many purposes. Why this standard has prescribed such obsolete data retention is again unclear.

The standard could be made effective by only having an enactment for data protection legislation in place. For instance, the grievance redressal mechanism, though the standards do envisage an appeal mechanism, they do not establish appeal machinery. This part of the standard can be put to use only after the Data Protection Authority as per section 32 is constituted. The standard also calls for an investigative process in the event of any breach or compromise of data. The organisation is welcome to conduct an onsite or internal investigation into the breach or incidents, but once again an independent authority to investigate in a legitimate and fair manner is required.

In short, I am afraid, has it failed to take into account the special requirements contemplated under the PDPB, 2019 which may eventually become the law of the country thereby, once this law is enacted, this standard will also be required to be modified. The government has not made any announcement as per the RSPP and SPDI rules, that IS 17428 is an appropriate standard certifying the compliance of personal data management. In the absence of such explicit endorsement, the ambiguity continues as to whether the adoption of this standard is sufficient compliance under the said rules.

Finally, with the Data protection bill around the corner, the Data Protection Authority envisaged being constituted under the legislation which shall have the power to issue code, guidelines, and best practices for protecting the privacy of data subjects. How IS 17428 standards framed by the BIS will be looked at by the DPA or the proposed rule will offer a different set of practices shall be an interesting development to observe.

References:

[1] https://economictimes.indiatimes.com/industry/cons-products/fashion-/-cosmetics-/-jewellery/abfrl-faces-data-breach-on-its-portal/articleshow/88930807.cms

[2] The IS 17438 was established on November 20, 2020 and notified in the official gazette on December 4, 2020. Please see the notification available at: https://egazette.nic.in/WriteReadData/2020/223869.pdf (last visited Jan 18, 2022).

[3] Supra note 2.

[4] Sub-clause 4.2.2 of the IS Requirements: “Privacy Notice”.

 

 

Photo Credits:

Image by Darwin Laganzon from Pixabay 

Introduction of record and document management, risk assessment and data subject request management are a few of the aspects that bring onerous responsibilities on companies making them more accountable and transparent.  These aspects have laid down procedures and mechanisms for an organisation to improve their privacy management, for example, introducing processes such as verification of identity, access to information, evidence of capture events of consent and retention period of obsolete documents.

POST A COMMENT

Non-Personal Data Governance Framework, 2020

The realm of the internet has become an information powerhouse and data has become the new endowment of resources that governments and corporate entities are eager to tap into. The transformation in the digital environment and the emergence of information-intensive services has made data a necessary raw material for most undertakings.

Reports suggest that every minute Instagram is flooded with 277,000 stories, Google has 4.4 million searches and Uber has over 9700 rides in 2019. Today, data is an asset to various businesses and holds importance while making investments, mergers, and acquisitions, and/ or direct monetization.

 

While the discussion on ‘personal data’ has been revolving around privacy and security concerns, non-personal data is being eyed as an economic opportunity to augment public or private interest which must not be squandered. Considering the value proposition attributed to non-personal data, the legal aspect was sought to be dealt separately from ‘personal data’ which would be governed by the Personal Data Protection Bill, 2019 that is in the brink of finalization.

 

Consequently, an Expert Committee (“Committee“) was constituted by the Ministry of Electronics and Information Technology (“MeitY“) to study various issues relating to non-personal data. The Committee submitted its Report on Non-personal Data Governance Framework for comments from stakeholders in July 2020.

 

The report highlighted that data regulation is essential to utilize the maximum potential in data by realizing its economic, social, and public value. The need to regulate data stems from the imbalances in bargaining power between the companies that lead to the creation of data monopolies. Moreover, the privacy concerns revolving around the dilution of shared data must be tackled.

 

Non-Personal Data (“NPD“) is the data that cannot be identified with a particular individual, for example, weather forecast, traffic details, geospatial information, production processes, anonymized personal data, etc.

 

  1. Committee’s Proposal to Non-Personal Data Regulation

 

The NPD Governance Framework outlines norms for collection of data and data sharing by entities. The salient features of the proposed framework are:

 

  • The NPD framework provides key roles for all the participants such as Data Principal, Data Custodian, Data Trustees and Data Trusts.
  • Classification of NPD: Non-personal Data is further classified into Public NPD, Community NPD and Private NPD. Public NPD is NPD that is collected or generated by the government or by the agency of the government and includes data collected or generated in the course of execution of all publicly funded works (e.g. public health information, vehicle registration, etc.) excluding the one that is explicitly declared as confidential under the law. Community NPD is data about inanimate or animate phenomenon about a particular community of natural persons (e.g. data collected by e-commerce platforms or by telecom). Private NPD is NPD collected or produced by non-governmental entities or persons.
    • Ownership of non-personal data: In cases wherein, non-personal data is derived from personal data of an individual, the data principal for personal data will be the data principal for the NPD too. Further, the rights over the community NPD collected in India will vest in the trustee of such a community.
    • Sensitivity of NPD: The Committee has also defined a new concept of ‘sensitivity of NPD’, as NPD can also be sensitive from the perspective of: a) national security or strategic interests; b) sensitive or confidential information relating to businesses; and c) anonymized data, that bears a risk of re-identification.
    • Data Businesses and data disclosures: There is also the creation of a new horizontal classification called ‘Data Business’ which is when any existing business collects data beyond a threshold level. Such Data Businesses have to get themselves registered and furnish information on what they do/ collect, their purpose, and the nature of data stored. However, registration of Data Businesses collecting data below the threshold is not mandatory.
    • Non-Personal Data Regulatory Authority: NPD Regulatory Authority shall ensure that data is shared for sovereign, social and economic welfare, for regulatory and competition purposes, and also that all stakeholders adhere to the rules and data sharing requirements.
  1. Unanswered Questions: Shortcomings of the proposed Framework:

 

Attempting to govern the NPD is a commendable effort, however, it seems that there is a slew of questions that are left unanswered. The following are the issues relating to the proposed framework:

 

  • The foremost need to govern NPD as highlighted by the Committee is the imbalance in the digital ecosystem. However, neither the sources of these imbalances have been identified or analysed nor has it been clarified how the proposed regulations resolve these inequities.
  • Ambiguous classification of NPD: The various types of NPD have a potential overlap, but then again, clearly demarcating a line between the three types would be a difficult task. Also, one of the three types of NPD is Community NPD, however, there is no clarification as to how the ‘community’ would be determined. The definition of ‘community’ is wide, under the same even religious groups, residents of the same locality or same educational background would be a valid community, which may have conflicting interests over data shared with the government. Further, without any guiding principles, companies will be forced to make legally binding decisions on what they deem to be a valid community, the scope of data to be shared and for the resolution of competing claims, which is problematic at various levels. Moreover, on a particular dataset, there could be various interests, and in such cases, who would be entrusted with the data remains ambiguous.
  • Anonymization of Personal Data to Non-Personal Data: The process of converting personal data into Non-Personal Data by removing certain identifiers or credentials is termed as ‘anonymization’. Anonymization would undoubtedly convert a set of personal data into non-personal data but, such data runs the risks of re-identification. Further, although anonymization is essential, high anonymization could render the data over-generalized and futile.
  • Reactions of Stakeholders to the sharing of data: Mandatory data sharing is highly criticized by stakeholders, as it undermines the investments put in business and the value of intellectual property information the competitors would suffer. This ‘forced data sharing’ is counterproductive and would have a rather negative effect on foreign trade and investments. NPD can constitute trade secrets, that may be protected by IP laws, sharing this data raises concerns around the right to carry business and India’s obligation under international trade law. The purposes for data sharing under the framework are ‘sovereign’, ‘core public interest’, and ‘economic’ purposes which essentially covers all the data held by companies, and must be narrowed down.
  • Lack of Clarity on who really are trustees of Data: There is ambiguity regarding who will be a data trustee. Whether private, for-profit organizations or private entities within the government could be data trustees is not apparent. Also, the position regarding a data trustee’s independence and conflict of interest remains murky. It is essential that the roles and functions of these bodies are comprehensively defined.
  • User-Consent: NPD Framework also proposes that before the anonymization of data the consent of the user must be taken. It remains particularly unclear as to how would the consent be taken from them. Further, a company needs to invest in resources and obtain user consent, and sharing data may provide no incentive to such companies and would drown them into losses.
  • Over-Regulation by Non-Personal Data Authority: Creating altogether a new authority for NPD would lead to potential regulatory overlap given Data Protection Authority addresses and enforces privacy concerns and the Competition Commission of India looks over consumer welfare.
  1. Conclusion

This effort of the Ministry to set up a Committee to study the NPD which may subsequently lead to a legislation governing the NPD in India is praiseworthy, however, a lot of issues need reconsideration. Stakeholders have expressed anguish over the mandatory sharing of data and data disclosures as it conveniently overlooks the humungous investments put in by the companies. Further, the roles and functions of various entities under the framework are not clearly defined. The NPDA established under the framework may have functional overlaps with the CCI and the Data Protection Authority.

 

Moreover, there is ambiguity regarding Community NPD and user consent. There is no doubt that the ever-evolving nature of information technology is demanding as far as regulatory mechanism is concerned therefore the road ahead is arduous. Hopefully, the concerns raised are adequately addressed by the Committee and constructively resolved in favour of all the stakeholders.

Photo by Franki Chamaki on Unsplash

This effort of the Ministry to set up a Committee to study the NPD which may subsequently lead to legislation governing the NPD in India is praiseworthy, however, a lot of issues need reconsideration. Stakeholders have expressed anguish over the mandatory sharing of data and data disclosures as it outrightly overlooks the humungous investments put in by the companies.

POST A COMMENT

Core Legal Issues with Artificial Intelligence in India

The adoption and penetration of Artificial Intelligence in our lives today does not necessitate any more enunciation or illustration. While the technology is still considered to be in its infancy by many, so profound has been its presence that we do not comprehend our reliance on it unless it is specifically pointed out. From Siri, Alexa to Amazon and Netflix, there is hardly any sector that has remained untouched by Artificial Intelligence.

Thus, the adoption of artificial intelligence is not the challenge but its ‘regulation’ is a slippery slope. Which leads us to questions such as whether we need to regulate artificial intelligence at all? If yes, do we need a separate regulatory framework or are the existing laws enough to regulate artificial intelligence technology?

Artificial intelligence goes beyond normal computer programs and technological functions by incorporating the intrinsic human ability to apply knowledge and skills and learning as well as improving with time. This makes them human-like. Since humans have rights and obligations, shouldn’t human-likes have them too?

But at this point in time, there have been no regulations or adjudications by the Courts acknowledging the legal status of artificial intelligence. Defining the legal status of AI machines would be the first cogent step in the framing of laws governing artificial intelligence and might even help with the application of existing laws.

A pertinent step in the direction of having a structured framework was taken by the Ministry of Industry and commerce when they set up an 18 member task force in 2017 to highlight and address the concerns and challenges in the adoption of artificial intelligence and facilitate the growth of such technology in India. The Task Force came up with a report in March 2018[1] in which they provided recommendations for the steps to be taken in the formulation of a policy.

The Report identified ten sectors which have the greatest potential to benefit from the adoption of artificial intelligence and also cater to the development of artificial intelligence-based technologies. The report also highlighted the major challenges which the implementation of artificial intelligence might face when done on large scale, namely (i) Encouraging data collection, archiving and availability with adequate safeguards, possibly via data marketplaces/exchanges; (ii) Ensuring data security, protection, privacy and ethical via regulatory and technological frameworks; (iii) Digitization of systems and processes with IoT systems whilst providing adequate protection from cyber-attacks; and (iv) Deployment of autonomous products and mitigation of impact on employment and safety.[2]

The Task Force also suggested setting up of an “Inter–Ministerial National Artificial Intelligence Mission”, for a period of 5 years, with funding of around INR 1200 Crores, to act as a nodal agency to coordinate all AI-related activities in India.

 

Core Legal Issues

When we look at the adoption of artificial intelligence from a legal and regulatory point of view, the main issue we need to consider is, are the existing laws sufficient to address the legal issues which might arise or do we need a new set of laws to regulate the artificial intelligence technologies. Whilst certain aspects like intellectual property rights and use of data to develop artificial intelligence might be covered under the existing laws, there are some legal issues which might need a new set of regulation to overlook the artificial intelligence technology.

 

  • Liability of Artificial Intelligence

 

The current legal regime does not have a framework where a robot or an artificial intelligence program might be held liable or accountable in case a third party suffers any damage due to any act or omission by the program. For instance, let us consider a situation where a self-driven car controlled via an artificial intelligence program gets into an accident. How will the liability be apportioned in such a scenario?

The more complex the artificial intelligence program, the harder it will be to apply simple rules of liability on them. The issue of apportionment of liability will also arise when the cause of harm cannot be traced back to any human element, or where any act or omission by the artificial intelligence technology which has caused damage could have been avoided by human intervention.

One more instance where the current legal regime may not be able to help is where the artificial intelligence enters into a contractual obligation after negotiating the terms and conditions of the contract and subsequently there is a breach of contract.

In the judicial pronouncement of United States v Athlone Indus Inc[3] it was held by the court that since robots and artificial intelligence programs are not natural or legal persons, they cannot be held liable even if any devastating damage may be caused. This traditional rule may need reconsideration with the adoption of highly intelligent technology.

The pertinent legal question here is what kind of rules, regulations and laws will govern these situations and who is to decide it, where the fact is that artificial intelligence entities are not considered to be subject of law.[4]

 

  • Personhood of Artificial Intelligence Entities

 

From a legal point of view, personhood of an entity is an extremely important factor to assign rights and obligations. Personhood can either be natural or legal. Attribution of personhood is important from the point of view that it would help identify as to who would ultimately be bearing the consequences of an act or omission.

Artificial intelligence entities, to have any rights or obligations should be assigned personhood to avoid any legal loopholes. “Electronic personhood”[5] could be attributed to such entities in situations where they interact independently with third parties and take autonomous decisions.

 

  • Protection of Privacy and Data

For the development of better artificial intelligence technologies, the free flow of data is crucial as it is the main fuel on which these technologies run. Thus, artificial intelligence technologies must be developed in such a way that they comply with the existing laws of privacy, confidentiality, anonymity and other data protection framework in place. There must be regulations which ensure that there is no misuse of personal data or security breach. There should be mechanisms that enable users to stop processing their personal data and to invoke the right to be forgotten. It further remains to be seen whether the current data protection/security obligations should be imposed on AI and other similar automated decision-making entities to preserve individual’s right to privacy which was declared as a fundamental right by the Hon’ble Supreme Court in KS Puttaswamy & Anr. v Union of India and Ors[6]. This also calls for an all-inclusive data privacy regime which would apply to both private and public sector and would govern the protection of data, including data used in developing artificial intelligence. Similarly, surveillance laws also would need a revisiting for circumstances which include the use of fingerprints or facial recognition through artificial intelligence and machine learning technologies.

At this point in time there are a lot of loose ends to be tied up like the rights and responsibilities of the person who controls the data for developing artificial intelligence or the rights of the data subjects whose data is being used to develop such technologies. The double-edged sword situation between development of artificial intelligence and the access of data for further additional purposes also needs to be deliberated upon.

Concluding Remarks

In this evolving world of technology with the capabilities of autonomous decision making, it is inevitable that the implementation of such technology will have legal implications. There is a need for a legal definition of artificial intelligence entities in judicial terms to ensure regulatory transparency. While addressing the legal issues, it is important that there is a balance between the protection of rights of individuals and the need to ensure consistent technological growth. Proper regulations would also ensure that broad ethical standards are adhered to. The established legal principles would not only help in the development of the sector but will also ensure that there are proper safeguards in place.

In this evolving world of technology with the capabilities of autonomous decision making, it is inevitable that the implementation of such technology will have legal implications. There is a need for a legal definition of artificial intelligence entities in judicial terms to ensure regulatory transparency. While addressing the legal issues, it is important that there is a balance between the protection of rights of individuals and the need to ensure consistent technological growth.

POST A COMMENT