DIGITAL PERSONAL DATA PROTECTION BILL, 2023
In August 2023, the Rajya Sabha passed the Digital Personal Data Protection Bill (DPDP), marking a crucial shift in India’s data protection framework. Once enacted, it will replace the dated provisions of the Information Technology Act, 2000, establishing a comprehensive regime focused on safeguarding personal data.
This is timely, as artificial intelligence is rapidly becoming indispensable in daily life. The DPDP Act ensures that AI systems, which depend on vast amounts of personal data, adhere to strict privacy standards, driving a move toward privacy-centric AI development.
NAVIGATING PRIVACY CHALLENGES IN AI
CONSENT MECHANISM
Implementing consent mechanisms across diverse languages and literacy levels.
DATA LOCALISATION
Ensuring data localisation for sensitive information.
BIASES
Addressing biases in AI decisions while complying with new regulations.
TRANSPARENCY
Balancing transparency requirements with AI complexity.
In fact, the Information Technology Industry Council (ITIC), a global tech body representing 80 technology firms including giants like Apple, Amazon, Google, and Microsoft, has urged the Indian government to strike a balance between individual privacy and innovation in the country.
INDIA’S DATA PROTECTION FRAMEWORK
Under the DPDP Bill, handling sensitive personal data—such as biometric or health data—requires more stringent controls. AI developers must implement robust mechanisms to classify and secure sensitive information, ensuring that it is only used for lawful and appropriate purposes.
The Data Protection Board of India (DPBI), which will be established once the Bill is notified, will monitor compliance and investigate any potential violations, imposing penalties up to INR 250 cr. if regulations are breached, thus making sensitive data protection a top priority for AI companies.
CONSENT AND PURPOSE LIMITATION
The DPDP Bill requires explicit, informed consent from data principals before collecting or processing their personal data. Consent must be in plain language and specify the intended purpose. The Bill emphasizes the principle of purpose limitation, which mandates that data can only be used for the purposes disclosed at the time of collection. If companies wish to use data for new purposes, fresh consent is required.
LEGAL FRAMEWORK FOR DATA LOCALISATION
The DPDP Bill introduces data localization rules, particularly for sensitive data like health and financial information, which must be stored and processed within India. AI systems relying on global data infrastructure will need to restructure their operations. Cross-border data transfers are allowed only under strict conditions, such as adequate protection in the recipient country or government-approved safeguards. These requirements force AI companies, particularly those with cloud-based or international operations, to restructure their data management systems to meet localization mandates. ITIC has therefore requested an 18–24 month grace period after the Act is notified so that companies can make their systems fully compliant with the localization mandates.
TRANSPARENCY & ACCOUNTABILITY
The DPDP Act will enforce strong transparency and accountability measures. Companies must clearly inform users about the collection, use, and sharing of their personal data through comprehensive privacy notices. Regular data audits, impact assessments, and reporting will be required to ensure compliance. Companies will be required to implement data governance frameworks and appoint Data Protection Officers (DPOs) where necessary. These measures will ensure that companies handle personal data responsibly while building user trust by fostering transparency in data processing activities.
CONCLUSION
The DPDP Act, 2023, once enacted, will mark a significant shift in India’s data privacy landscape. It will provide a robust framework for protecting personal data, impacting sectors that rely heavily on data processing, such as AI. By prioritizing privacy rights and setting high compliance standards, the DPDP Act will encourage companies to adopt more responsible data practices. For AI developers and businesses, the Act will demand a balanced approach, promoting innovation while ensuring that personal data is handled lawfully, ethically, and transparently.