The 2019 Personal Data Privacy Bill incorporates essential enforcement standards, dilutes data ownership protections, and enhances state jurisdiction. A preventive mechanism for the collection and use of personal data is provided in the bill. No entity can collect data from an individual without their permission, and the processing of “sensitive personal data” is subject to higher requirements. Personal data should not be stored or processed except for the reason it has been obtained, unless the individual consents.
The position of the sectoral regulator has been enhanced by requiring the regulator's feedback on codes of practice and by requiring consultation prior to the notification of sensitive personal data categories. To promote the advancement of emerging technologies like artificial intelligence and machine learning, the bill includes a regulatory sandbox provision of 12 to 36 months, exempting organizations from requirements like intent, storage, and consent.
Key concerns revolve around relying on customer approval and transparency in data processes. Enterprises collecting data must comply with standards that have faced criticism since the 1990s. Users often grant permission through contracts they do not read, leading to issues like consent fatigue and desensitization.
The bill relies heavily on the principle of “harm,” recommending legal standards to address disruptions caused by the misuse of personal data. Penalties are levied based on incurred damage, a concept that is controversial and demands multi-pronged legal practices across organizations.
"Any discrimination" caused by the use of data is considered harmful. However, businesses must inevitably discriminate in operational contexts. The Indian Constitution prohibits discrimination in employment and access to public spaces based on specific grounds but does not align with the broader interpretations in the bill.
The bill also grants the government authority to compel corporations to share anonymized non-personal data. While intended for purposes like service quality enhancement, concerns remain about open circulation or compensation for such data, potentially discouraging innovation.
The Personal Data Protection Bill (PDP Bill) significantly impacts the development and deployment of AI technologies in India. Key points include:
Data Processing Regulations
AI systems must adhere to lawful, fair, and transparent data processing practices.
Consent Requirement
Explicit user consent is mandatory for data processing, requiring AI applications to integrate consent mechanisms.
Data Minimization
AI systems should collect only essential data, adhering to the principle of data minimization.
Accountability and Compliance
Organizations must appoint a Data Protection Officer (DPO) and conduct Data Protection Impact Assessments (DPIAs) for high-risk AI systems.
Rights of Individuals
AI systems must enable users to access, correct, or delete personal data in compliance with user rights.
Cross-Border Data Transfers
AI solutions relying on global data processing must comply with the bill’s transfer regulations.
Penalties for Non-Compliance
Violations can result in significant penalties, affecting AI projects financially.
The Personal Data Protection Bill demands AI developers prioritize privacy, implement robust consent mechanisms, and comply with regulatory standards. It underscores the need for:
The absence of comprehensive protections for secondary data use could impact foreign regulators' adequacy conclusions about India's data security framework, restricting cross-border data transfers. A balanced approach to fostering innovation while safeguarding privacy and ethical considerations is critical for the future of AI in India.