Law in the Internet Society

ADDRESSING THE REGULATORY VACUUM ON ARTIFICIAL INTELLIGENCE IN INDIA

-- By StutiShah - 22 Oct 2021 (Revised 8 Jan 2022)

Introduction

With an explosion in the volume of commodifiable data, availability of inexpensive computational power, and investment in technology, machine learning that uses pattern recognition and autonomous software-based decision-making, known as 'Artificial intelligence' (AI), is making inroads into every facet of our lives. Though the Government and large corporates in India have commenced leveraging the benefits of AI across sectors, in an unregulated environment such as India's, AI could prove to be counter-productive.

Data Privacy in an AI Regime

As aforementioned, there is currently no robust legislation governing AI in India. Since data primarily fuels AI, big corporates have been exploiting the loopholes in India's toothless data protection law, while collecting and processing personal data. Therefore, when a new personal data protection bill (PDP Bill) was published by the Indian Government in 2019, I was hopeful that it would address this vacuum. Though it is more nuanced and favorable to citizens than the prevailing law on data protection, I was disappointed that it had retained many of its drawbacks. Subsequently, a Joint Parliamentary Committee proposed recommendations to the PDP Bill on December 16, 2021 (Recommendations), which were even more problematic.

I have identified the proposals of the PDP Bill (alongwith the Recommendations), that are most detrimental to citizens in an AI-regime, below.

First, the PDP Bill is myopic by neither protecting citizens from the harms of automated profiling and decision-making, nor mandating that they be informed of the processes employed for the same. Similarly, though the Recommendations require the regulator to be informed of a data breach, they disregard the citizens’ right to be aware of a data breach. How can the user take action against the data processor, or fix the data breach, if she is unaware of it in the first place?

The opacity of the law and judicial processes in Franz Kafka's 'The Trial' is reflective of how AI applications function. They decide whether citizens are eligible for employment, a loan, or an insurance. However, citizens are oblivious to the processes employed by AI applications, and the basis on which they make decisions. This resonates with the experiences of the protagonist, K, who is ignorant of the reason of his arrest, because of which he cannot defend the charges against him. Similar to AI applications, even when the judiciary in 'The Trial' acts unscrupulously, it cannot be held accountable.

Furthermore, by retaining consent as the primary basis on which personal data is to be collected and processed, the drafters of the PDP Bill have continued with a futile formality, premised on an unfair bargaining power in favor of sellers and service providers, which cannot effectively safeguard citizens’ privacy.

Finally, the Government's think tank, NITI Aayog, has published a number of papers on harnessing AI's potential in India, and what struck me was how flagrantly they advocated for the installation of 'sophisticated surveillance systems' that could track people's movement and behavior. Since the PDP Bill keeps the Government immune from all compliances, and the Recommendations further expand the powers enjoyed by the Government under the PDP Bill, by introducing vague grounds such as ‘national security, public order, sovereignty and integrity of India’, surveillance measures such as these, can have dire consequences. Therefore, if these Recommendations are incorporated, the PDP Bill would keep the Government immune from all liability, in disregard of the Supreme Court’s decision in Puttaswamy v. Union of India. What troubles me more is that despite witnessing harrowing accounts of Government surveillance, reminding us of Bentham and Foucault's prescient writings on the Panopticon, Indians trust their Kafkaesque governments with their data (or rather have no choice but to do so).

Envisioning a Consumer-Centric Framework

It is important for India to adopt a policy for AI which protects citizens, and is dependent on their informed choice and consent. The policy should ensure that citizens’ data is not commodified.

In this regard, such policy on AI must incorporate the foundational principles set out below:

Agility: It should be nimble to adapt to the ever-evolving nature of AI.

Information Symmetry: It should incorporate transparency and adequate disclosures to address the inherent information asymmetry between citizens, and corporates and the Government. Care is to be accorded to disclosures made to vulnerable categories of citizens who may not have the capacity to understand digital products/services.

Accountability: It must identify and affix accountability on AI creators for breaches, specifically in light of various geographically de-localized and technologically de-centralized business models.

Non-discrimination: Businesses should not create or reinforce unfair biases in the programming of their software (especially in AI implantations), or in the manufacturing of their devises.

Positive Use: AI must be harnessed for the benefit of society, rather than be misused for purposes such as surveillance and racial profiling.

Additionally, India must urgently re-design her privacy law framework to incorporate structural protections such as privacy by design, accuracy, reliability and truth, such that automated decision-making and profiling are carried out in a transparent and non-discriminatory manner. Given the inherent harms involved in AI, an effective regulatory policy governing AI which protects consumers is only as good as its enforcement mechanism. Such a policy must also account for cross-border disputes, class action claims, redressal mechanisms, and set out strict consequences and penalties, which apply to corporates and the Government.

Implementation of these principles impacts aspects of consumer protection, which have conventionally not been a part of this framework. Such implementation would therefore involve bolstering the law on data protection, intermediary liability, net neutrality, and cybersecurity. Given the potentially extensive range of transactions that are enabled in AI, it would also require inputs from other disciplines including tax, competition, corporate, and human rights law.

Conclusion

Since big corporates have now assumed an unequal bargaining power compared to individuals, requiring them to adopt ethical self-regulatory frameworks is insufficient. As AI becomes increasingly ubiquitous, India must ensure that her legal framework is bolstered such that it can defend the privacy, autonomy, and choice of individuals.

Navigation

Webs Webs

r3 - 09 Jan 2022 - 01:27:58 - StutiShah
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM