
Last Updated: 2025-01-15 ~ Audrey Sarlin ~ DPDP Consultants

How will the DPDPA Impact Artificial Intelligence?

Impact of DPDP Act 2023 on AI, ensuring compliance with data processing and privacy regulations to safeguard personal data and mitigate potential fines.

Is your AI business in compliance with India’s new DPDP Act? Let’s discuss the impact of the law on AI and the dos and don’ts for you to follow.

The use of artificial intelligence (AI) continues to surge across industries. A 2022 survey reveals that the AI adoption rate in businesses worldwide grew nearly 2.5 times in 2022 compared to its adoption rate in 2017.

Businesses leverage AI for enhanced efficiency, data analysis, and personalized user experiences. Advancements in machine learning and automation contribute to this growth.

In response to this rapid development, regulatory bodies have issued guidelines and rules to safeguard consumer privacy and maintain robust data protection. These documents outline compliance requirements for organizations seeking to use artificial intelligence and machine learning technologies while upholding fundamental data protection and privacy rights. While other countries have been engaged in discussions and crucial decision-making to safeguard information, India has only recently actively participated in this collective endeavour.

In August 2023, the Indian parliament enacted the Digital Personal Data Protection Act, aiming to protect the rights and responsibilities associated with the management of extensive digital personal data within the economy.

How does the Digital Personal Data Protection Act (DPDPA) affect AI?

India is also experiencing significant growth in AI adoption rates. It was the sixth leading country in terms of AI investment in 2022.

AI and machine learning heavily rely on extensive data collection to mimic human behaviour. The success or failure of a machine learning algorithm is intricately tied to the availability of a vast amount of data.

Though the DPDPA does not specifically address Artificial Intelligence, its fundamental principle is to acknowledge individual rights and safeguard data. It permits the processing of personal data solely for lawful purposes.

When does this law impact you?

If you handle personal data, be it collecting, storing, analyzing, or sharing, either within India or abroad in connection with activities related to offering goods or services to individuals in India, and you determine how and why this data is processed, you are subject to the DPDPA.

Your AI business might be gathering personal data through various means:

  • Extracting from non-public datasets
  • Obtaining from users (prompts, inputs)
  • Acquiring from developers
  • Receiving from third parties (like data broker businesses)

The DPDPA won’t apply to your AI data model if:

  • It solely uses publicly available data, freely accessible because the data principal or someone legally obligated has made it public.
  • It's exclusively used for statistics, research, or archival purposes, adhering to prescribed standards and refraining from making specific decisions about a data principal.

Prerequisites for using Personal Data

Section 4 of the DPDP Act stipulates that processing personal data of a Data Principal is allowed only with valid consent or for legitimate uses, as detailed in Section 7 of the DPDP Act.

Source: Meity.gov

To train AI models, owners need either consent or justification within one of the legitimate uses.


When processing personal data for training algorithms, key obligations include:

  • Providing users notice in English and all official Indian languages, specifying the purpose of processing.
  • Obtaining clear affirmative consent for the specified purposes and ensuring processing aligns solely with these purposes.
  • Securing verifiable consent from a parent/guardian for individuals under 18 or differently-abled persons with guardians.

Processing User Data

The Act outlines requirements for processing user data:

Decision-making AI Models

Ensure completeness, accuracy, and consistency of personal data processed if your AI models influence decisions for data principals.

Prohibited AI Models

  • Avoid processing that could harm a child’s well-being.
  • Refrain from tracking or behaviorally monitoring children for targeted advertising, unless government-exempt.

Significant Data Fiduciary Obligations

  • You may be notified as a Significant Data Fiduciary based on data volume and sensitivity.
  • Appoint an India-based data protection officer and an independent auditor.
  • Conduct Data Protection Impact Assessments, periodic audits, and government-prescribed measures.

Integrating Third-party AI

  • If integrating third-party AI for personal data processing, ensure the third party complies with the Act.
  • Formulate a valid contract passing necessary obligations (security safeguards, data principal’s rights, etc.).
  • If the third-party AI developer determines processing purpose and means, they are data fiduciaries under the Act. Reflect this in your contract with relevant representations and covenants.

Challenges in Fulfilling Deletion and Other DSR Requests

After meeting Notice requirements under Section 5 of the DPDP Act and assuming Data Principal consent, complying with certain obligations in Section 8 becomes impossible for Data Fiduciaries. Specifically, Section 8(3)(b) mandates completeness, accuracy, and consistency of data when influencing decisions.

Source: Meity.gov

These vague requirements pose difficulties in continuous monitoring. For instance, users can manipulate Large Language Models to generate inaccurate data about a Data Principal, raising questions about rectifying non-compliance. Another challenge involves implementing a practical DSR framework with four rights outlined in Chapter III of the DPDP Act. The Right to Access and Correction/Erasure requires identifying the data set storing personal data, which poses technical challenges.

Developing features like Machine Unlearning via Neuro Masking, proposed by Columbia University researchers, is still in its early stages, making compliance with such mandatory Data Principal Requests daunting in the current landscape.


Is your AI Business Compliance-Ready?

The DPDPA is set to introduce varied compliance demands for businesses. This includes formulating data protection policies, appointing a Data Protection Officer (DPO), performing data protection impact assessments, and adhering closely to defined data protection principles.

As this legislation takes effect, businesses, Data Fiduciaries, and Consent Managers should tread cautiously to prevent potential pitfalls that might result in substantial non-compliance fines. These penalties will contribute to the Consolidated Fund of India rather than benefiting Data Principals.

To tackle these challenges and adhere to the DPDPA framework, businesses can leverage the expertise of DPDP consultants in India, who offer valuable support in understanding and aligning with the complexities of this new regulatory landscape. DPDPA Consultants devise tailored solutions to meet your organization’s specific needs.

  • Services like the DPDPA Readiness Review help organizations gauge the impact of DPDPA across their operations.
  • To ensure compliance, our Data Protection Officer (DPO) services let organizations appoint a third party to conduct process audits and oversee DPDP implementation.
  • For existing contracts, our Contract Review service ensures alignment with DPDP specifications, recommending revisions where necessary.
  • Our dedicated team provides comprehensive DPDPA Compliance Assistance, establishing internal audit frameworks for regulatory alignment.
  • Our DPDPA Training program focuses on the practical implications of policies and procedures, providing effective compliance education.
  • Our Data Protection Impact Assessment (DPIA) process aids organizations in identifying and mitigating privacy risks associated with projects and policies.
