DPDP Consultants Privacyium Tech Pvt. Ltd. 4th floor, GM IT Park, Plot no 32-33, Sector 142, Noida, Uttar Pradesh 201305
Our Locations
Copyright 2024 © DPDP Consultants, A Privacyium Tech Pvt. Ltd. Company
DPDP Consultants, your trusted partner in ensuring Digital Personal Data Protection (DPDP Act 2023) compliance for businesses in India.
Is your AI business in compliance with India’s new DPDP Act? Let’s discuss the impact of the law on AI and the dos and don’ts for you to follow.
The use of artificial intelligence (AI) continues to surge across industries. A 2022 survey reveals that the AI adoption rate in businesses worldwide grew nearly 2.5 times in 2022 compared to its adoption rate in 2017.
Businesses leverage AI for enhanced efficiency, data analysis, and personalized user experiences. Advancements in machine learning and automation contribute to this growth.
In response to this rapid development, regulatory bodies have issued guidelines and rules to safeguard consumer privacy and maintain robust data protection. These documents outline compliance requirements for organizations seeking to use artificial intelligence and machine learning technologies while upholding fundamental data protection and privacy rights. While other countries have been engaged in discussions and crucial decision-making to safeguard information, India has only recently actively participated in this collective endeavour.
In August 2023, the Indian parliament enacted the Digital Personal Data Protection Act, aiming to protect the rights and responsibilities associated with the management of extensive digital personal data within the economy.
India is also experiencing significant growth in AI adoption rates. It was the sixth leading country in terms of AI investment in 2022.
AI and machine learning heavily rely on extensive data collection to mimic human behaviour. The success or failure of a machine learning algorithm is intricately tied to the availability of a vast amount of data.
Though the DPDPA does not specifically address Artificial Intelligence, its fundamental principle is to acknowledge individual rights and safeguard data. It mandates permitting the processing of personal data solely for lawful purposes.
If you handle personal data, be it collecting, storing, analyzing, or sharing, either within India or abroad in connection with activities related to offering goods or services to individuals in India, and you determine how and why this data is processed, you are subject to the DPDPA.
Your AI business might be gathering personal data through various means:
The DPDPA won’t apply to your AI data model if:
It solely uses publicly available data, freely accessible because the data principal or someone legally obligated has made it public.
It’s exclusively used for statistics, research, or archival purposes, adhering to prescribed standards and refraining from making specific decisions about a data principal.
Section 4 of the DPDP Act stipulates that processing personal data of a Data Principal is allowed only with valid consent or for legitimate uses, as detailed in Section 7 of the DPDP Act.
Source: Meity.gov
To train AI models, owners need either consent or justification within one of the legitimate uses.
When processing personal data for training algorithms, key obligations include:
The Act outlines requirements for processing user data:
Ensure completeness, accuracy, and consistency of personal data processed if your AI models influence decisions for data principals.
After meeting Notice requirements under Section 5 of the DPDP Act and assuming Data Principal consent, complying with certain obligations in Section 8 becomes impossible for Data Fiduciaries. Specifically, Section 8(3)(b) mandates completeness, accuracy, and consistency of data when influencing decisions.
Source: Meity.gov
These vague requirements pose difficulties in continuous monitoring. For instance, users can manipulate Large Language Module models to generate inaccurate data about a Data Principal, raising questions about rectifying non-compliance. Another challenge involves implementing a practical DSR framework with four rights outlined in Chapter III of the DPDP Act. The Right to Access and Correction/Erasure requires identifying the data set storing personal data, which poses technical challenges.
Developing features like Machine Unlearning via Neuro Masking, proposed by Columbia University researchers, is still in its early stages, making compliance with such mandatory Data Principal Requests daunting in the current landscape.
The DPDPA is set to introduce varied compliance demands for businesses. This includes formulating data protection policies, appointing a Data Protection Officer (DPO), performing data protection impact assessments, and adhering closely to defined data protection principles.
As this legislation takes effect, businesses, Data Fiduciaries, and Consent Managers should tread cautiously to prevent potential pitfalls that might result in substantial non-compliance fines. These penalties will contribute to the Consolidated Fund of India rather than benefiting Data Principals.
To tackle these challenges and adhere to the DPDPA framework, businesses can leverage the expertise of DPDP consultants in India, who offer valuable support in understanding and aligning with the complexities of this new regulatory landscape. DPDPA Consultants devise tailored solutions to meet your organization’s specific needs.
DPDP Consultants Privacyium Tech Pvt. Ltd. 4th floor, GM IT Park, Plot no 32-33, Sector 142, Noida, Uttar Pradesh 201305
Copyright 2024 © DPDP Consultants, A Privacyium Tech Pvt. Ltd. Company