Prospective investors in Indian artificial intelligence (“AI”) companies should familiarize themselves with the Indian government’s initiatives in AI regulation and the direction of future regulation. This note, the second of a multi-part series on investing in the Indian AI sector, outlines some of the key developments in AI in the country. However, it is important to keep in mind that India’s approach to AI governance may change in the future, given the rapidly evolving nature of technology as well as the country’s dynamic regulatory trajectory, including with respect to data, intermediary liability, digital technologies, telecommunications and digital competition, as discussed in this note.
Tag: Data
The Implications of India’s New Data Protection Law on Internal Investigations
Internal investigations may need to be carried out in India by employers in relation to a wide range of issues and/or situations. In case of Indian subsidiaries of MNCs, investigations may be carried out for the purpose of satisfying compliance requirements under law(s) applicable to the parent entity, like the Foreign Corrupt Practices Act of 1977 of the US or the UK’s Bribery Act 2010.
In the course of such internal investigations, large amounts of personal data related to accused persons and other relevant individuals may need to be processed by the employer – either by itself or through its advisors and agents. Accordingly, an informed assessment of the rights of such individuals, as well as the obligations of the employer and its advisors/agents, becomes crucial from the perspective of applicable data protection law.
This note specifically discusses the processing of personal data in the context of internal investigations, including with respect to allegations or suspicions of economic and criminal offences. While necessary rules under the Digital Personal Data Protection Act, 2023 are yet to be notified, provisions of this new law, as published in August 2023, indicate key considerations for employers (each of which is likely to be treated as a “data fiduciary”), including with respect to consent, legitimate use and potential exemptions.
Investing in AI in India (Part 1): Key Considerations
While investments in the AI sector in India present significant opportunities, they also present a unique set of risks within an evolving legal and regulatory landscape.
Before making an investment decision, investors should consider IP issues, data-related rights and compliance, any industry-specific concerns, the then-applicable regulatory framework as well as potential developments in AI regulation. In addition, investors should evaluate operational and contractual arrangements, undertake technical due diligence, and assess potential liabilities and risks. Such risks include product and professional liability, algorithmic bias and discrimination, cybersecurity and data breaches, market and reputational risks, along with concerns related to transparency and explainability.
India’s New Data Protection Regime: Tracking Updates and Preparing for Compliance
The Digital Personal Data Protection Act, 2023 (the “DPDP Act”), published in India’s official gazette last year, is a new law regulating the collection, storage, use and processing of personal data. The DPDP Act will take effect from the date(s) notified by the Indian Government, and different dates may be notified for different provisions of the DPDP Act. Further, several provisions of the DPDP Act require specific rules which are yet to be notified.
According to a recent statement made by the new union minister of the Ministry of Electronics and Information Technology, the new rules are in advanced stages of drafting and are expected to be released for industry-wide consultation in the near future. Given that both rules and provisions of the DPDP Act are likely to be notified over the next few months, all entities need to check whether and to what extent the DPDP Act applies to them and their operations.
For the purpose of preparing for, and complying with, obligations under the DPDP Act, it would be advisable for all organizations to undertake data mapping exercises and data audits inter alia in order to facilitate the identification and determination of ‘personal’ information from mixed or legacy databases and/or organizational datasets.
The EU’s New Law on Artificial Intelligence: Global Implications
Pursuant to ‘trilogue’ negotiations among major institutions of the EU, an agreement on a proposed regulation with respect to artificial intelligence (“AI”) was arrived at in Brussels a few months ago, the text of which may be approved, published, and subsequently enter into force later this year. This is the world’s first comprehensive law on AI (the “AI Act”). According to the current draft, the AI Act should apply two years after its entry into force, likely from the second quarter of 2026.
The broad focus of this new law is a risk-based approach, based on an AI system’s capacity to cause harm. Compared to prior legislative proposals, additional elements of the current agreement include rules on high-impact general-purpose AI models that can cause systemic risk in the future, as well as on high-risk AI systems. The AI Act may set a global standard for AI regulation in other jurisdictions, just like the EU’s General Data Protection Regulation (“GDPR”) did with respect to personal information. Moreover, similar to the GDPR, one of the most important effects of the AI Act will be its extraterritorial scope, involving obligations for non-EU businesses as well.
Can Deepfakes be Leveraged Responsibly?
‘Deepfakes’, which involve the creation of highly realistic content (images, video, audio) by harnessing the power of artificial intelligence (“AI”), raise important concerns related to misinformation, identity theft, fraud, privacy infringement and electoral democracy – including as recently witnessed in India via incidents involving media personalities and politicians. However, deepfakes also promise exciting possibilities in various fields and business applications, including for personalized marketing, virtual training simulations and operational efficiency.
As of date, India does not have a specific law to regulate deepfakes or AI. However, certain provisions under the Information Technology Act, 2000 and its corresponding rules (together, the “IT Act”) may be invoked by appropriate authorities in this regard, including with respect to potential misuse and related penalties. In addition, new legislation, such as the proposed Digital India Act and the recently published Digital Personal Data Protection Act, 2023, which together remain poised to overhaul the IT Act in its entirety, may introduce bespoke rules on regulating AI and deepfakes in India.
As organizations navigate this transformative techno-legal landscape, the responsible use of deepfake technology – including through a combined adoption of ethical frameworks, transparent policies, security measures, technical collaborations and awareness campaigns – is necessary to ensure a positive impact on the business ecosystem.
India’s Digital Public Infrastructure Could Have All the Answers to Questions Under the DPDP Act
Confusion abounds among key stakeholders of India Inc. with respect to consent management and allied concerns under India’s newly published Digital Personal Data Protection Act, 2023. This is especially true in the context of age verification requirements, along with the means of obtaining verifiable parental consent for children’s data. However, India’s digital public infrastructure could provide all the right answers – eventually. This note explores and examines how.
Contractual Arrangements Under India’s New Data Protection Law: A Data Fiduciary’s Guide to the Data Processing Universe
In light of India’s new Digital Personal Data Protection Act, 2023 (the “DPDP Act”), organizations need to check whether and to what extent such new compliance regime applies to them and their operations. In this regard, they may need to improve their existing IT and cybersecurity systems. Relatedly, organizations should monitor entities in their supply chains with respect to data processing obligations. In particular, existing contractual arrangements may need to be reviewed, and future data processing agreements (“DPAs”) must be negotiated in light of the new law.
Unlike the GDPR, which places certain direct regulatory obligations on data processors, the DPDP Act appears to attribute sole responsibility to the main custodians of data even when the actual processing is undertaken by data processors pursuant to a contract or other arrangement. Therefore, organizations have to ensure that their own statutory obligations remain mirrored in their supply chain, as well as in delegated/outsourced data processing tasks.
Accordingly, this note discusses due diligence and risk assessment/mitigation strategies; key lessons from the GDPR; necessary clauses in a DPA; the possibility of transferring liability through, and the inclusion of appropriate indemnity provisions in, such DPAs; as well as ensuring confidentiality and security, along with business continuity and disaster recovery, in such contexts.
Grievance Redressal and Dispute Resolution Under the DPDP Act
India’s Digital Personal Data Protection Act, 2023, as recently published in the gazette (but not yet in force), provides a multilayered mechanism for redressing grievances and resolving disputes. This note provides a broad overview.
Yes Means Yes: Managing Consent Under India’s New Data Protection Law
Unlike the EU’s GDPR (which allows non-consensual data processing under various circumstances), India’s new Digital Personal Data Protection Act, 2023 (the “DPDP Act”) relies heavily on consent as a ground for processing personal data. Other than a few ‘legitimate uses’ specified in the DPDP Act, consent will be the only legal basis for processing digital personal data in India once the law enters into force. This note discusses the role of consent managers and the potential of notice-and-consent management platforms (both in-house and outsourced) to help entities comply with their obligations under the DPDP Act.