EU’s New Law on Artificial Intelligence

The EU’s New Law on Artificial Intelligence: Global Implications

Pursuant to ‘trilogue’ negotiations among major institutions of the EU, an agreement on a proposed regulation with respect to artificial intelligence (“AI”) was arrived at in Brussels a few months ago, the text of which may be approved, published, and subsequently enter into force later this year. This is the world’s first comprehensive law on AI (the “AI Act”). According to the current draft, the AI Act should apply two years after its entry into force, likely from the second quarter of 2026.
The broad focus of this new law is a risk-based approach, based on an AI system’s capacity to cause harm. Compared to prior legislative proposals, additional elements of the current agreement include rules on high-impact general-purpose AI models that can cause systemic risk in the future, as well as on high-risk AI systems. The AI Act may set a global standard for AI regulation in other jurisdictions, just like the EU’s General Data Protection Regulation (“GDPR”) did with respect to personal information. Moreover, similar to the GDPR, one of the most important effects of the AI Act will be its extraterritorial scope, involving obligations for non-EU businesses as well.


Can Deepfakes be Leveraged Responsibly?


‘Deepfakes’, which involve the creation of highly realistic content (images, video, audio) by harnessing the power of artificial intelligence (“AI”), raise important concerns related to misinformation, identity theft, fraud, privacy infringement and electoral democracy – including as recently witnessed in India via incidents involving media personalities and politicians. However, deepfakes also promise exciting possibilities in various fields and business applications, including for personalized marketing, virtual training simulations and operational efficiency.
As of date, India does not have a specific law to regulate deepfakes or AI. However, certain provisions under the Information Technology Act, 2000 and its corresponding rules (together, the “IT Act”) may be invoked by appropriate authorities in this regard, including with respect to potential misuse and related penalties. In addition, new legislation, such as the proposed Digital India Act and the recently published Digital Personal Data Protection Act, 2023, which together remain poised to overhaul the IT Act in its entirety, may introduce bespoke rules on regulating AI and deepfakes in India.
As organizations navigate this transformative techno-legal landscape, the responsible use of deepfake technology – including through a combined adoption of ethical frameworks, transparent policies, security measures, technical collaborations and awareness campaigns – is necessary to ensure a positive impact on the business ecosystem.
 


India’s Digital Public Infrastructure DPDP Act

India’s Digital Public Infrastructure Could Have All the Answers to Questions Under the DPDP Act

Confusion abounds among key stakeholders of India Inc. with respect to consent management and allied concerns under India’s newly published Digital Personal Data Protection Act, 2023. This is especially true in the context of age verification requirements, along with the means of obtaining verifiable parental consent for children’s data. However, India’s digital public infrastructure could provide all the right answers – eventually. This note explores and examines how.


Contractual Arrangements Under India’s New Data Protection Law

Contractual Arrangements Under India’s New Data Protection Law: A Data Fiduciary’s Guide to the Data Processing Universe

In light of India’s new Digital Personal Data Protection Act, 2023 (the “DPDP Act”), organizations need to check whether and to what extent such new compliance regime applies to them and their operations. In this regard, they may need to improve their existing IT and cybersecurity systems. Relatedly, organizations should monitor entities in their supply chains with respect to data processing obligations. In particular, existing contractual arrangements may need to be reviewed, and future data processing agreements (“DPAs”) must be negotiated in light of the new law.

Unlike the GDPR, which places certain direct regulatory obligations on data processors, the DPDP Act appears to place sole responsibility on the main custodians of data even when the actual processing is undertaken by data processors pursuant to a contract or other arrangement. Therefore, organizations have to ensure that their own statutory obligations remain mirrored in their supply chain, as well as in delegated/outsourced data processing tasks.

Accordingly, this note discusses due diligence and risk assessment/mitigation strategies; key lessons from the GDPR; necessary clauses in a DPA; the possibility of transferring liability through, and the inclusion of appropriate indemnity provisions in, such DPAs; as well as ensuring confidentiality and security, along with business continuity and disaster recovery, in such contexts.


Managing Consent

Yes Means Yes: Managing Consent Under India’s New Data Protection Law

Unlike the EU’s GDPR (which allows non-consensual data processing under various circumstances), India’s new Digital Personal Data Protection Act, 2023 (the “DPDP Act”) relies heavily on consent as a ground for processing personal data. Other than a few ‘legitimate uses’ specified in the DPDP Act, consent will be the only legal basis for processing digital personal data in India once the law enters into force. This note discusses the role of consent managers and the potential of notice-and-consent management platforms (both in-house and outsourced) to help entities comply with their obligations under the DPDP Act.


Digital Personal Data Protection Act 2023

It’s Personal: A Roadmap for Data Mapping in Digital India

Although India’s newly published Digital Personal Data Protection Act, 2023 (the “DPDP Act”) is not yet in force, it is likely to take effect soon. Accordingly, while entities wait for the government to notify discrete provisions of the DPDP Act along with specific rules under it, they could use this transitional phase to align themselves to the requirements of the new regime and prepare for future obligations. Before anything else, organizations could draw up a compliance roadmap, the starting point of which should include a comprehensive data mapping exercise.
Organizational databases are likely to contain vast volumes of digitized information, not all of which may be considered ‘personal’ data. This note discusses the main features of the data mapping process, including the determination of, and the processual prerogatives with respect to, personal information contained in mixed datasets – where organizational data inventories are likely to comprise both personal and non-personal data.


Digital Personal Data Protection Act 2023

All Aboard: Getting Ready for India’s New Data Protection Journey

The Digital Personal Data Protection Act, 2023 (the “DPDP”) is poised to (re)define India’s legal framework with respect to the processing of digital personal data.
This new regime is designed to be an overarching one, irrespective of data category (in terms of sensitivity) or entity type. While provisions of the DPDP are likely to be notified soon, all organizations need to check whether and to what extent the DPDP applies to them and their operations.


Digital Personal Data Protection Act 2023

India’s New Law: The Digital Personal Data Protection Act, 2023

This note provides an overview of the Digital Personal Data Protection Act, 2023 that was published in the official gazette pursuant to a notification dated August 11, 2023. The Act will become effective from the date(s) notified by the Central Government, and different dates may be notified for different provisions. Also, rules may be notified in future, not inconsistent with the provisions of the Act, to carry out the purposes of the Act. The Act seeks to overhaul the current legal framework governing personal data in India. Accordingly, the Act establishes a legal framework to protect digital personal data, including by prohibiting the unauthorized use, alteration or sharing of information in a way that compromises the confidentiality, integrity and/or accuracy of such data. In this regard, the Act distinguishes among a data principal, data fiduciary and data processor, and provides rights for data principals and imposes obligations on data fiduciaries. The Act applies to consent managers as well.


’22/’23 Vision: Because India’s 2022 Draft Data Protection Law is so Last Year

A new version (the “23 Draft”) of India’s long-awaited Digital Personal Data Protection law (“DPDP”) is being moved for consideration and passing in the Lok Sabha today, i.e., Monday, August 7, 2023.
India has made several attempts over the last few years, including in terms of parliamentary tabling (and withdrawal), to introduce a comprehensive legal framework for data protection. However, the 23 Draft of DPDP was introduced in the Lok Sabha only late last week.
As such, it is a revised version of a previous DPDP draft that was released in November last year for public comments (the “22 Draft”). While the revised version contains several incremental changes compared to the 22 Draft, some such differences may prove significant in the long run.
A detailed analysis of the 23 Draft, along with an in-depth review relative to its prior iterations, will soon follow. Meanwhile, a few key takeaways from the current version in light of the changes made to the 22 Draft are highlighted here.
Accordingly, this note comprises two parts. Part I discusses the legislative status and possibilities with respect to DPDP’s 23 Draft. Part II provides a summary of key changes made to the 22 Draft, as currently reflected in the 23 Draft.