From policymakers and citizens to businesses and privacy forums, everyone is talking about artificial intelligence these days. Though the term has long been in use, many confuse AI with automation, a process so old it was in use as early as 1500 B.C.E., when timekeeping was automated in Babylon and Egypt.
Although automation is the start of the roadmap to AI, what arguably differentiates AI from mere automation is data, as AI depends on the availability and quality of the data from which it learns. Though personal data is not used in all AI systems, when it is used, it can cause significant policy issues for governments and businesses and harm for citizens.
India's Digital Data Protection Bill and AI: An apparent conflict
In India, the development and promotion of AI has been high on the list of priorities of the government, which recognizes AI's potential to make lives easier. On one hand, the Indian government and industry are moving towards developing and deploying AI on a large scale. On the other hand, AI's societal and ethical implications have come into focus. For AI based on personal data, there is a clear tension between the constant desire of government and businesses to sell the idea of AI, and the need to develop laws and policies to address its societal and ethical implications.
The most recent conflict between AI and privacy is likely demonstrated by India's proposed Digital Personal Data Protection Bill. No part of the bill explicitly regulates the use of AI, but many of its provisions are relevant to AI and directly challenge the processing of personal data that AI enables. Looking at the bill through an AI lens reveals a clear rift between its data protection principles and the full deployment of the power of AI.
Struggle to find lawful basis
Any AI-enabled business will want to know if it needs people's permission to analyze their data with AI. Organizations will need a lawful basis to process personal data. These are essentially permissions — consent being one of several lawful bases prescribed under comprehensive data protection regimes around the world — and the most appropriate one will depend on the circumstances.
For example, if a business runs a food delivery app, user terms and conditions may be the most appropriate basis to process their address details to make the delivery, but if the same data is used by the business to send targeted ads to such customers, then legitimate interest of the business may be the more appropriate lawful basis.
Unlike developed data protection regimes in countries where consent is one of the several lawful bases prescribed for processing personal data, the bill, perhaps surprisingly, allows processing of personal data only with the consent of the individual.
However, the bill simultaneously provides for the concept of "deemed consent" in certain situations where consent of the individual is deemed "necessary." This includes where the individual is reasonably expected to provide his or her personal data voluntarily to the business when such data is necessary for compliance with judicial orders, for employment purposes, for public interest, or to provide for other "fair and reasonable" purposes. Except for public interest or fair and reasonable purposes, none of the other situations appears to allow processing for AI.
Regarding the former, the bill mentions the following can be included in the "public interest":
- Fraud prevention and detection.
- Mergers and acquisitions.
- Network and information security.
- Credit scoring.
- Search engines processing publicly available personal data.
- Publicly available personal data.
- Recovery of debt.
The government may arguably rely on "public interest" as a lawful basis to process personal data for AI while citing fraud prevention or detection. But, as far as processing by businesses directly for revenue-generating operations is concerned, none of the above exceptions hints at any basis on which they could use public interest as a lawful basis for processing data for AI. At most, all these could be applied to situation-based processing like mergers and acquisitions, or processing ancillary to business operations.
A reading of the other situation, "fair and reasonable" purposes, also results in a negative assessment, as you're left to consider:
- Whether your legitimate interests in processing for AI outweigh any adverse effect on the rights of the individual.
- Any public interest in processing for AI.
- And the reasonable expectations of the individual having regard to the context of the processing.
The use of the word "and" above suggests all three conditions must be satisfied. That makes it difficult to imagine a situation where a business may rely on fair and reasonable purposes as its lawful basis to process data for AI.
This is because public interest is an essential condition for businesses to satisfy, which appears to be an insurmountable struggle, regardless of any possibility for businesses to find an argument to meet the other two conditions.
Subsequently, there is another definition of public interest in the bill for fair and reasonable purpose, where public interest means in the interest of any of the following:
- Sovereignty/integrity of India.
- State security.
- Foreign relations.
- Public order.
- Preventing incitement to the commission of offenses relating to the above.
- And preventing dissemination of false statements of fact.
In addition to the lack of clarity created by two separate definitions of public interest, it will be extremely difficult for a business to justify its processing for AI based on public interest given the restrictive nature of the definitions. It's more likely the definition is used by the public authorities rather than private businesses. This leaves businesses to assess whether express consent could be used as a lawful basis for AI-based processing of personal data.
Consent: An impossible dream for AI?
The bill provides that consent is valid only if freely given, specific and informed. These requirements are difficult to realize in connection with AI applications, at least in cases where there is no direct relationship with the people whose data is processed.
For example, cloud, SaaS or outsourcing service providers hosting data or websites where people submit their personal information cannot practically obtain consent from such individuals. Even with a direct relationship, it may be extremely difficult to collect valid consent for more complicated operations, such as those involved in AI.
Also, with technology changing at an unprecedented pace, it's always a challenge to obtain and maintain consent with sufficient specificity. The bill also allows users to withdraw consent, which can be difficult to manage and means organizations need to identify a new lawful basis to continue processing. Under the bill, consent or deemed consent is the only option, so data processing activities must stop once this is withdrawn.
Consent will be insufficient to support an AI application unless there is another compelling reason to process the data — statutory derogations per European-style data protection laws — such as legitimate interest of the business. Although not strictly an exemption, the bill contains the novel concept of deemed consent, which is likely another lawful basis, but one softer than consent, intended for situation-based processing, and including fair and reasonable purpose as one of the situations.
Arguably, deemed consent for fair and reasonable purpose under the bill could be viewed as an equivalent to legitimate interest in certain other jurisdictions. However, a business most likely may not achieve the desired compliance with the bill if it relies on this as a lawful basis.
The challenge with statutory exemptions
Despite the impossibilities around consent discussed above, a business may assume its ability to obtain consent or satisfy deemed consent criteria for AI-based processing under the bill. However, AI-powered businesses may hit roadblocks, as most AI systems based on personal data either engage in statistical analysis of personal data, make inferences or profile users with such data, thereby resulting in the creation and processing of new personal data.
The bill does not appear to allow either of these for two reasons. First, Section 18(2)(b) of the bill leaves the government to decide whether to exempt processing necessary for research, archival or statistical purposes. Notably, this is a significant departure from comprehensive privacy laws in jurisdictions where processing for research or statistical purposes is not considered incompatible with the original purpose for which the data was collected if certain conditions prescribed under law are satisfied. When such conditions are met and the processing is considered compatible, no other legal basis separate from the one that allowed the original collection and use of the personal data is required. The natural consequence of the departure is that, unless the government permits it, businesses may not process personal data for AI research or statistical purposes under the bill.
Second, Section 18(2)(b) categorically states the government can make the exemption, on the condition that the personal data is not used to take any decision-specific user profiling. This may have massive and far-reaching consequences for AI-based industries, as several businesses in India operate using AI applications that engage in profiling, which is prohibited by the bill in principle, with no exceptions whatsoever.
The way forward
Unless the bill is amended and applied so that, without compromising its aim to protect personal data, it does not substantially hinder AI applications based on such data or place Indian companies at a disadvantage compared with their foreign competitors, companies in India with AI or similar technologies may face challenges in keeping business as usual.