ARTIFICIAL INTELLIGENCE AND DATA PROTECTION

The year 2023 was defined by the introduction and growth of generative AI products, such as Google Bard and ChatGPT. These products run on large language models (LLMs) and depend on the processing of substantial amounts of data. Accordingly, though data was already important to various technologies under development, LLMs made data the central theme for innovating the next generation of products. In this section, we highlight the key issues that emerged in the data and AI space in India in 2023, viewed in the global context. We touch upon India's stand on developing an AI-specific regulation, the emerging issues of deepfakes and the misuse of personality rights through AI and technology, India's new data protection law, and its position on cross-border movement of data.

India's view on AI specific regulatory regime

AI systems using LLMs rely heavily on vast datasets to train and improve their performance.1 With the rise of such systems, there is an increased risk of privacy violations, data breaches and unauthorized use of sensitive information.2 To address such concerns, the European Union (EU) became the first jurisdiction to regulate AI with the enactment of the Artificial Intelligence Act.3 On 09 December 2023, the EU entered into a provisional agreement to prohibit the application of AI in instances which may have a potential adverse impact on the rights of its citizens. For instance, AI systems that can manipulate human behaviour to circumvent free will, or that can assign social scores to individuals based on social behaviour, come under its purview.4

Currently, there is no specific regulatory regime on AI in India, and the Indian government has clarified that it will not be considering enacting one.5 However, the NITI Aayog, the Indian Government's top strategy and policy think tank, published an approach document on the responsible use of AI, which outlines various systemic considerations including privacy and security concerns, and accountability for the decisions taken by such AI systems.6

Deception by deepfakes

In 2023, Indian policymakers faced multiple issues concerning the use of AI leading to privacy infringements and unlawful use of personal data, particularly in the form of a series of incidents involving deepfakes.7 Deepfakes are commonly understood to mean any video recording, motion-picture film, sound recording, electronic image, or photograph, or any technological representation of speech which is deceptive in nature but appears to be authentic.8 In India, while activities such as identity theft and cheating are generally governed under the Information Technology Act, 2000 (IT Act) and the Indian Penal Code, 1860, there is no specific law addressing deepfakes. The increased concern over deepfakes prompted the Ministry of Information and Technology in India to issue an advisory to social media intermediaries to exercise necessary due diligence to identify misinformation and deepfakes.9 Such intermediaries have been obligated to remove objectionable content from their platforms; on failing to do so, they lose their protection under the safe harbour provision of the IT Act, which protects them from liability for any third-party information, data or communication that is either made available or hosted by them.

In other jurisdictions such as the United States of America (US),10 specific legislation with respect to deepfakes has been in place since 2019, which defines deepfakes expansively and delineates the penalties in the form of both criminal and civil liabilities and a private right to claim damages. Going ahead, India may also benefit from a directed legislative framework to protect against privacy and personal information infringements by deepfakes.

Reappearance of personality rights in context of AI

In 2022, the Delhi High Court recognized the personality right of a popular Indian actor and issued directions restraining the unauthorized use of his personality traits.11 In India, personality rights are not expressly recognized as a distinct category under intellectual property law. However, certain aspects of an individual's personality such as name, image and voice are protected through a combination of laws related to privacy, defamation, and the right to publicity.12 In 2023, the conversation regarding misuse of personality rights resurfaced, only this time with the use of AI. In a recent case before the Delhi High Court,13 the personality rights of another Indian actor were protected when the court restrained the use of any technological tools such as AI to create content using a person's image, voice and personality. Even in the absence of a particular law on personality rights, Indian courts have been positively inclined towards protecting the personal information and privacy rights of individuals.

Beginning of a new era of data protection laws in India

Speaking of privacy rights, individuals around the world have already started seeking legal measures against privacy breaches and improper use of personal data.14 Amid such concerns, in 2018, the EU General Data Protection Regulation (GDPR) became one of the first pieces of legislation to regulate the collection and movement of data. The GDPR requires all companies operating in the EU to maintain the same level of data protection irrespective of their place of incorporation.

In India, the collection and use of personal data is presently governed under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) notified under the IT Act. In previous years, discussion of various shortcomings in the SPDI Rules' ability to effectively regulate personal data gained considerable traction. Issues were identified such as the definition of 'sensitive personal data' being too narrow and excluding several vital categories of personal data.15 In 2023, to address such concerns, India enacted the Digital Personal Data Protection Act, 2023 (DPDA). The DPDA has not yet come into effect, but once in force, it will replace the SPDI Rules to regulate the processing, which includes collection, storage, transfer, sharing or use, of digital personal data of an individual.

With the DPDA, India joins the league of jurisdictions having a strict stance on protection of personal data. However, the DPDA is not without its challenges, one of the most important being the extent of powers given to government bodies for processing of personal information if it is necessary for the performance of their functions. In this respect, the DPDA stands in contrast with the GDPR, which specifically prohibits public authorities from using 'legitimate interest' as a ground to process personal data in the performance of their task as a public authority. While the DPDA fortifies consent requirements and privacy rights of individuals, it still needs to be more detailed for actual implementation. Going into 2024, it is expected that the Indian government will publish rules under the DPDA, which should provide a better understanding of how the new data protection law will work in India.

Data Localisation vs. Data Free Flow

Data localization and free flow of data are two contrasting approaches to the movement of data. Data localization refers to the practice of storing and processing data within the borders of a specific country, rather than allowing it to flow freely across international borders.16 This concept has gained prominence due to the increasing digitization of information and concerns about national security and sovereignty. On the other hand, some international organizations such as the World Economic Forum subscribe to the view that free flow of data across borders may be essential to enable innovation and establish global trade.17 Certain countries such as Japan have encouraged free flow of data under a global cooperative regime of 'Data Free Flow with Trust'.18 The EU also provides for an enabling provision allowing transfer of data to countries that ensure an adequate level of data protection.

India's approach under the DPDA is inclined towards free flow of data across jurisdictions which maintain a higher degree of protection than that imposed in India.19 The DPDA does not require companies operating in India to mandatorily store the relevant data within the country. In fact, the DPDA allows data to flow freely across jurisdictions unless prohibited by a statutory authority. For instance, the RBI prohibits payment system providers operating in India from transferring any data related to payment systems outside India.20 Additionally, the Indian government has been given the power to restrict the transfer of data to identified territories outside India.

Roadmap ahead

Globally, the EU is leading the way in regulating AI and data protection with comprehensive legislation on both subject matters. The US stands at the far end of the spectrum in terms of specifically regulating AI and data. India has taken a similar course of action to the EU in regulating data but does not intend to regulate AI as a whole. It is unlikely that dedicated legislation to regulate all applications of AI will be introduced in India. It appears that specific instances of AI application will be regulated by sector-specific laws. It is possible that the Digital India Act,21 the enactment of which is under consideration to govern new-age technologies, will lay out the general principles which can be considered by sectoral regulators before introducing relevant regulations.

Footnotes

1. MDPI, Re-Thinking Data Strategy and Integration for Artificial Intelligence: Concepts, Opportunities, and Challenges (30 May 2023)

2. MIT, Here's how to regulate artificial intelligence property (visited on 20 December 2023)

3. European Parliament, Headlines (19 December 2023)

4. European Parliament, Headlines (19 December 2023)

5. Business Today, No Regulations for Artificial Intelligence in India: IT Minister Ashwini Vaishnaw (06 April 2023)

6. Niti Aayog, Responsible AI (visited on 20 December 2023)

7. BBC, Why are there so many deepfakes of Bollywood actresses (22 December 2023)

8. US Congress, Deepfakes Accountability Act (visited on 20 December 2023)

9. Ministry of Electronics and Information Technology, Press Release (07 November 2023)

10. US Congress, Deepfakes Accountability Act (visited on 20 December 2023)

11. Amitabh Bachchan v. Rajat Nagi & Ors, CS (Comm.) No. 819 of 2022

12. Titan Industries Ltd. v. M/s. Ramkumar Jewellers, 2012 SCC OnLine Del 2382

13. Anil Kapoor v. Simply Life India and Ors. CS(COMM) 652/2023

14. Warren v. DSG Retail Ltd., [2021] EWHC 2168

15. A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, Committee of Experts under the Chairmanship of Justice B.N. Srikrishna (2018)

16. Carnegie India, How Would Data Localisation Benefit India? (14 April 2021)

17. World Economic Forum, Data Free Flow with Trust: Overcoming Barriers to Cross-Border Data Flows, White Paper (January 2023)

18. METI, Data Free Flow with Trust and Data Governance (September 2019)

19. Section 16 of Digital Personal Data Protection Act, 2023

20. RBI, Storage of Payment System Data (06 April 2018)

21. Ministry of Electronics and Information Technology, Proposed Digital India Act (19 March 2023)
