India is taking significant steps towards regulating artificial intelligence (AI) with the introduction of a new draft to enhance and extend protections provided by the Digital Personal Data Protection (DPDP) Act to AI systems. The Act outlines a comprehensive framework to govern high-risk AI systems, ensuring they are developed and deployed responsibly. In this blog we will explore the draft, how it augments the DPDP Act, and the evolving privacy landscape in India.

Click here to register for the final part in our Mastering AI Governance Webinar Series featuring Jon Leibowitz, Former Chairman of the FTC on state and federal AI legislation and the intersection with privacy law

Key Features of the Model Artificial Intelligence Law (MAIL) v.2.0 

Definition and Regulation of High-Risk AI Systems 

• Establishes a legal framework for identifying and regulating high-risk AI systems. 

• Introduces a quality testing framework for regulatory models, algorithmic accountability, zero-day threat assessments, AI-based ad-targeting, and content moderation. 

Privacy and Data Protection 

• Aligns AI governance with the DPDP Act to ensure consumer privacy is respected. 

• Emphasizes secure cyberspace by empowering agencies like CERT-In for cyber resilience. 

• Strengthens the penalty framework for non-compliance and issues advisories on data security practices. 

Content Monetization and Periodic Risk Assessments 

• Sets rules for monetizing platform-generated and user-generated content. 

• Requires periodic risk assessments to maintain accountability and uphold constitutional rights. 

Deterrent Penalties and Disclosure Norms 

• Proposes effective, proportionate, and dissuasive penalties for violations. 

• Mandates disclosure norms for data collected by intermediaries exceeding certain thresholds. 

Standards for Anonymized Data 

• Establishes standards for the ownership and management of anonymized personal data collected by data intermediaries. 

Gen AI and the Evolving Privacy Landscape 

We’ve seen this approach before in the United States with the California Privacy Protection Agency’s draft ADMT rules augmenting the existing privacy regulations under CPRA. Despite the robust frameworks in CPRA & the DPDP, Generative AI (Gen AI) presents several privacy challenges due to its data-intensive nature. These challenges include: 

Data Collection and Processing 

• Gen AI models often require massive datasets, potentially containing personal information. 

• The DPDP Act’s principles of data minimization and informed consent are crucial for compliance and responsible data collection. 

Data Bias and Discrimination 

• Gen AI models trained on biased data can perpetuate discriminatory outcomes. 

• The DPDP Act emphasizes fairness, non-discrimination, and individual access rights, enabling individuals to challenge biased outcomes. 

Deepfakes and Synthetic Media 

• Gen AI’s ability to create realistic deepfakes poses risks to individual reputation and national security. 

• The DPDP Act addresses these concerns with provisions on sensitive personal data, harmful content, and individual redress mechanisms. 

Data Anonymization and De-identification 

• The DPDP Act recognizes the limitations of anonymization and promotes a risk-based approach to data protection. 

• Data controllers must use robust anonymization methods and consider potential re-identification risks. 

 Strategies for Responsible Gen AI Development  

To address the inherent challenges presented by the rapidly evolving AI landscape, responsible development and deployment of Gen AI should follow comprehensive strategies aligned with the DPDP Act. These recommendations highlight common threads among recommendations for a safe approach to the adoption of AI innovation no matter which current or future AI regulations for which your company may be in scope.  

Privacy-by-Design Approach 

• Integrate privacy considerations throughout the Gen AI development process. 

• Minimize data collection, implement robust security measures, and obtain informed, granular consent. 

Transparency and Accountability 

• Ensure transparency in data collection practices, algorithms, and potential risks. 

• Implement accountability mechanisms such as data protection impact assessments (DPIAs) and audits. 

Collaboration with Stakeholders 

• Engage with data privacy lawyers, data scientists, and civil society organizations to develop ethical guidelines and best practices. 

• Ensure compliance with the DPDP Act through collaborative efforts. 

Leveraging the Data Protection Authority (DPA) 

• The DPA plays a critical role in enforcing data privacy regulations related to Gen AI. 

• Developers and data controllers should proactively engage with the DPA for guidance and compliance. 

 A Continuous Journey Towards Responsible Innovation 

The synergy between Gen AI and the DPDP Act has the potential to create a better future for individuals. By fostering collaboration, engaging proactively with the DPA, and adhering to ethical principles, India can harness the transformative power of Gen AI while upholding individual rights and privacy. Balancing technological innovation with data protection is crucial for building a secure and ethically-driven digital future. 

India’s draft AI Governance Act, along with the evolving DPDP Act, sets a comprehensive framework for AI regulation. By addressing high-risk AI systems, ensuring privacy and data protection, and promoting responsible Gen AI development, these laws aim to safeguard individual rights and foster innovation. As the regulatory landscape continues to evolve, businesses and developers must stay informed and compliant to navigate this new era of AI governance effectively.