Abstract
“Data is the new oil”: its usage and the connections drawn from it are expanding every second, and it has become a part of human survival. Artificial Intelligence is growing at a rapid pace and aiding development at all scales, but at the cost of human privacy. The cyber security threat to all business houses is increasing, and so is the annual budget allocated to securing data from all kinds of cyber threats. In total, almost 69% of enterprises in Australia believe that they need AI to respond to cyber threats.[1] India has a total market of $3.1 billion for AI development[2] but has no legislative framework to control its impact and usage. AI is the only solution to secure against all data breaches, and AI is the only reason behind all data breaches. Human life is so surrounded by the usage of AI that privacy breach has become a part of life. India alone accounts for 20% of global data breaches.[3] A right way forward could be implementing a data protection bill which would prevent the unethical use of data and help in building responsible AI solutions guided by a human-centric approach. The Australian Federal Privacy Act[4] could be the guiding force for the Indian legislative framework, alongside taking key elements from the umbrella framework of the United States on data protection with its sector-specific approach.[5] This paper presents an analytical study aimed at implementing a data protection bill and establishing a Data Governing Council to secure all data regulation in India.
Keywords– Artificial Intelligence, Data Protection, Privacy Act, Data Breach, Cyber Threat
Introduction
The evolution of the internet has submerged the entire world, leading its highest-paid users in India into the smart age. Every transaction or activity here requires the usage of data; big companies do not own any tangible asset but hold data as their single biggest asset. Development and innovation are the key to human growth, but along with digital advancement the data privacy of individuals should also be safeguarded. The government has a huge role to play by establishing a tech-driven administrative boundary against all unethical data usage practices and privacy breaches by big business houses. One of the developing industries that is proving to be a stand-in for human brains is AI. Without the need for a person, it carries out a number of business tasks such as interacting with customers and promoting brands on social media. Numerous industries, including healthcare, insurance, banking, and marketing, are being significantly transformed by AI[6]. Data protection laws are needed but should not come in the way of the innovation and development of the nation. Currently, the data protection laws are facing some problems due to the absence of a proper legislative framework. Data is being stolen on a large scale and is moving very fast across continental lines. In the coming years, owing to the lack of e-governance, India can become the largest epicentre of cyber crime because it is the largest host of outsourced data units. Existing bodies such as the Data Security Council of India (DSCI) and the Department of Information Technology (DIT)[7] must also combine their efforts to counter the AI threat which India is facing, and this can only be addressed in full with full legislative provisions.
As we all know, India currently lacks express legislation on data protection. Although a Personal Data Protection Bill was introduced in Parliament in 2006, it is still awaiting implementation, and no light has fallen on the said framework to date. The bill works under certain general guidelines for personal data protection and provides for the appointment of Data Controllers who will have power to regulate both government and private enterprises. The main aim of this paper is to suggest that the concerned legislative authority implement the measures discussed above. The Bill is set in the right direction but, for want of attention, is not heading towards implementation.
The Information Technology Act, 2000 has recently been amended to meet the challenges of the digital threats and cyber-crime the country is facing. The two important provisions added are sections 43A and 72A[8], inserted into the IT Act, but a grey area still exists where no provisions are detailed on data security and confidentiality. A comparison of Indian law with the law of developed countries can supply the requirements a developing country needs to establish a basic privacy-secured model for the nation. The Australian Federal Privacy Act[9] was introduced in 1988 to promote and protect the privacy of individuals at all scales, and also to regulate how Australian Government agencies and organisations working in the public information domain handle such data. Considering the potential of AI, in the year 2022-23 alone, public funding for the Digital India mission increased by 67% to reach US$ 1.29 billion, towards transforming the economy and various other sectors of India[10]. All types of data breach and unethical use of data should be tackled with an AI-based solution, and some regulatory framework can also be borrowed from the Australian Federal Privacy Act, so that it can be closely monitored that personal information is not sold to any foreign firm, leading to any type of national threat. The Indian defence sector is all set with highly modified AI tools to tackle any military threat the country faces, but at present the entire world is facing the biggest war, which is the data war; it is not visible, and its impact cannot be addressed at a primary level. The digital war, or the war of data, can only be tackled with a legislative framework governing all the international as well as national agencies that collect data on a large scale for their organisational or national development.
Research Methodology
This paper follows the doctrinal research procedure, using a comparative analysis structure to achieve its aim. All secondary sources are referred to and used to derive the research findings. Various journals, government websites, books, articles and legislative digests are used for the research.
Review of Literature
In the 21st century, Artificial Intelligence (AI) has become a prominent and important area of research in almost all fields, such as engineering, science, education, medicine and the military, and is contributing to national development[11]. AI development is benefiting humans across all ages, but the hidden threat associated with it, through data breaches and privacy concerns, is very alarming. The growth of Artificial Intelligence would be a source of threat to national security and, most importantly, of data exploitation of the 140 billion people who access everything on digital platforms, where all their personal information is being leaked and stored to be used by some unidentified unit for some unknown purpose. The paper draws its major findings from the sources listed below:
- The data about the Australian Privacy Act was taken from the official website of the Office of the Information Commissioner, Australian Government. This source was very detailed about the rights and responsibilities which citizens hold over the personal information they provide.
- The International Comparative Legal Guide was a very prominent source, recording the key findings about the US sector-specific laws on privacy and data protection and how the US ranks as the safest cyber-secure country in the world.
- The article published by the data scientist Aishwarya Srinivasan on LinkedIn was very detailed about the primary-stage set-up of the Personal Data Protection (PDP) Bill of 2022 and how it can grow further without affecting the growth and innovation of AI.
An overview of Australian Federal Privacy Act 1988
- Rights under the Privacy Act.
The Australian model has been chosen for its extensive legislative framework, which covers every possible sector across Australia. Firstly, personal information is controlled and handled under the Privacy Act, which gives an individual the right to have greater control over the way personal information is handled. The key features are that an individual has the right to know why the personal information is being collected, how it is going to be used and to whom it will finally be disclosed to fulfil the task. Individuals are also given the option of not identifying themselves to the host party that is trying to gain access. The party receiving the information is bound to give access to the individuals who provide it, and individuals also have the right to access their health information[12]. Many a time we as individuals receive a lot of random messages through WhatsApp or direct messages on our phones, but citizens of Australia have the control to stop receiving unwanted direct marketing messages. There is no room for forgery, since an individual can ask for personal information that is incorrect to be corrected. If any incident or activity shows that a registered organisation is mishandling the personal information given, an individual can file a complaint.
- Who holds responsibilities under the Privacy Act?
Responsibilities under the Act rest with the Australian Government and registered organisations with an annual turnover of more than $3 million. Both have to follow certain procedures in managing data under the Privacy Act, subject to some exceptions. The Privacy Act also defines the kinds of organisation covered, which may comprise an individual, including a sole trader, a corporate body registered under different heads, a partnership, any other unincorporated association or a well recognised trust functioning in the territory of Australia.[13] The Privacy Act also gives an exception to certain categories of organisation, such as state or territory government agencies, including state and territory public hospitals. The exception also extends to a university that is not recorded as a private university and the Australian National University, along with public schools. A big relief is provided to media houses acting in the course of journalism that are publicly committed to observing published privacy standards.
The Australian Federal Privacy Act also clubs itself with the Information Privacy Act 2014 (ACT), which applies directly in the Australian Capital Territory to agencies in the public sector.[14] The Territory Privacy Principles (TPPs) cover the collection, storage and mode of usage of personal information.[15] Adopting some of the key points from the Australian legislative framework would be very useful for a country like India, which is known as the world’s largest democracy and places few to no restrictions on freedom of speech and expression, which makes it open to all kinds of user-friendly data usage and a hub for data collection.
Sector Specific Data Protection in United States.
While India is struggling to establish a single data protection and privacy law to control the negative impact of Artificial Intelligence in extorting data, the United States has moved ahead by establishing not a single principal data protection legislation but a jumble of hundreds of laws which protect the personal data of US residents. The Federal Trade Commission (FTC) brings enforcement actions to protect consumers from all kinds of unfair and deceptive practices. Any company that breaches its published privacy promises is reported for deceptive practices, which counts as a failure by the company to take necessary precautions. The umbrella framework of sector-specific legislation is very effective and holds a favourable position in data protection. For example, the Driver’s Privacy Protection Act of 1994 (DPPA)[16] governs personal data protection and privacy when information is collected by Departments of Motor Vehicles. Another sector-specific law is the Children’s Online Privacy Protection Act (COPPA)[17], which prohibits the collection of any information from a child under the age of 13 online and across all digitally connected devices; if any such information has to be collected, verifiable parental consent is taken.
The sector-specific approach in the USA comprises distinct sets of rules and guidelines, with different privacy rules and data protection laws: a varied set for the credit, banking and insurance sectors, and a different code for health information portability. In general, a sector-specific approach is followed and implemented in the United States. A broad range of agencies is also responsible for regulating data protection through sectoral laws, such as the Office of the Comptroller of the Currency (OCC), the Securities and Exchange Commission, the office of Health and Human Services Commission (HHS)[18] and many more.
Currently, the United States is undoubtedly the country with the best infrastructure to tackle cyber threats and has the most cybersecurity firms in the world. Across the entire geographic region, only 2.89% of mobile devices are infected with malware, and a very small ratio of devices are infected with ransomware and banking trojans.[19]
India’s Data Protection Bill and Artificial Intelligence
There has been gross negligence on the part of various agencies, and data breaches are constantly taking place in India. According to a report, around 3 lakh cybersecurity incidents were reported in 2019 alone, as recorded by the Indian Computer Emergency Response Team (CERT-In)[20]. Among the most noted high-profile data breaches in India is the Air India data breach, which affected the personal data of 4.5 million passengers worldwide. There was also a data breach, reported as “CAT burglar strikes again”, in which the data of 2 lakh CAT applicants was exploited. In a major setback, the entire customer base of Upstox had to reset their passwords due to a major data breach.[21]
AI is a very magical model which can make human-like decisions at a very high range. The International Data Corporation (IDC) estimates that the Indian market for AI will grow to around $7.8 billion by 2025.[22] The Data Protection Bill could change the face of AI application in India and would also result in safeguarding people’s personal data. For any AI expansion, data is the only major asset, and if the government controls the regulation of such data, the entire nation could be secured from all types of hidden data exploitation which takes place in the lure of innovation and development.
The key highlights of the Personal Data Protection (PDP) Bill of India, which is still awaiting its light from the legislature, form a great base; if the government works on it with the right vision, it can really turn out to be one of the greatest assets for the nation. The following are the bill’s main highlights[23]:
- Purpose-based data collection and usage: The bill requires organisations to only gather specified categories of users’ personal data that are deemed necessary for the goals the organisation has set. Data collection by the organisation must not go beyond what is necessary for the usage and the data must only be utilised for the defined use and not be transferred to other use-cases.
- Consent for data collection: Under the bill, organisations must present a consent that users can accept or reject. Users’ data should only be gathered from those who have given their agreement to share it.
- Individuals’ Data Rights: The bill gives people the right to access and examine the data that is being gathered on them, the right to ask for the data’s deletion if it is inaccurate, and the right to recommend changes.
- Data Localization: According to the statute, “Critical data” must be processed locally in India. A copy of “sensitive personal data”[24] (such as biometric data, government identifiers, and financial information) must be kept in India even if it is moved outside of the country.
- Data Protection Authority: The proposed legislation calls for the establishment of a central body to oversee and enforce the laws outlined in the Data Protection Bill.
A major concern that revolves around the Data Protection Bill is, “Will the Data Protection Bill cause a disruption or stoppage to AI advancements and innovations?” The answer is a big NO, because the Data Protection Bill will prevent the unethical use of data, which would in turn build responsible AI applications that know their boundaries of expansion and are conducive to a sustained use of technology that is built on human touch and is very much human-centric in approach.[25]
Suggestions
Through its comparative study, the paper states that a country like India should have a legislative set-up to respond to AI advancements, which are one side of development and growth; the other, darker side is the cyber threat India faces due to its large number of data breaches and unethical data usage. The paper suggests adopting a sector-specific approach like that of the United States in framing data protection laws, and establishing a Data Governing Council which would be the eagle eye of the entire data world and would act as a parent body for the regulation and observation of large data breaches.
Conclusion
Having examined the data protection models of various countries, the paper concludes that India should look ahead in its approach to data protection, as AI is a blessing as well as a curse to human society and all forms of species. Have we ever thought about why Instagram, Facebook or any other giant firm provides us free access to its portal? All these giant firms work on an algorithm that notes down user preferences and is biased in delivering content in order to promote and expand the firm. The Australian model needs some major reforms, because although Australia has the Australian Federal Privacy Act of 1988, it still ranks in the list of the top 10 countries that are unsafe in terms of cyber security. Major agencies, whether private or government, are not included in the list, and should be added. On the other hand, the United States adopted a sector-specific approach by establishing a different set of data protection guidelines for different sectors, which would benefit the government in keeping a record of offenders and barring them from future practice. India as a nation holds great potential for AI development and innovation, but under the light of expansion, data breaches and data exploitation should not be tolerated. The Data Protection Bill of 2006 should be taken as the base, and further guidelines should be adopted from the United States and Australia. Along with the legislative framework, a Data Governing Council should also be established in a highly diverse country like India.
NAME – Prateek Akash
INSTITUTION – CHRIST (Deemed to be University), Bangalore
[1] Gerard Mondaca, 33 emerging artificial intelligence statistics, EFTSURE (Dec 2022), https://eftsure.com/statistics/artificial-intelligence-statistics/#
[2] Aishwarya Srinivasan, India’s Data Protection Bill in the light of Responsible AI , https://www.linkedin.com/pulse/indias-data-protection-bill-light-responsible-ai-aishwarya-srinivasan/
[3] Ians, BUSINESS STANDARDS (June 2023), https://www.business-standard.com/article/current-affairs/india-ranks-2nd-in-total-number-of-data-breaches-exposed-in-2022-report-123030100878_1.html
[4] Office of the Australian Information Commissioner, AUSTRALIAN GOVERNMENT, https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act#:~:text=The%20Privacy%20Act%201988%20was,other%20organisations%2C%20handle%20personal%20information.
[5] Data Protection Laws and Regulation USA (2022-2023), ICLG, https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa#:~:text=There%20is%20no%20single%20principal,Code%20%C2%A7%2041%20et%20seq.)
[6] E-Paper, BUSINESS STANDARD, (June 2023), https://www.business-standard.com/article/current-affairs/india-ranks-2nd-in-total-number-of-data-breaches-exposed-in-2022-report-123030100878_1.html
[7] Mohammed N Khan, Does India have a Data Protection Law, LSI, https://www.legalserviceindia.com/article/l406-Does-India-have-a-Data-Protection-law.html
[8] Information Technology Act 2000, CENTRAL PUBLIC PROCUREMENT PORTAL, (June 2000), https://eprocure.gov.in/cppp/rulesandprocs/kbadqkdlcswfjdelrquehwuxcfmijmuixngudufgbuubgubfugbububjxcgfvsbdihbgfGhdfgFHytyhRtMjk4NzY=
[9] Office of the Australian Information Commissioner, AUSTRALIAN GOVERNMENT, https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act#:~:text=The%20Privacy%20Act%201988%20was,other%20organisations%2C%20handle%20personal%20information.
[10] Future of Data Science and AI in India, IBEF (May 2023), https://www.ibef.org/research/case-study/future-of-data-science-and-ai-in-india#:~:text=The%20global%20AI%20market%20in,US%24%203.1%20billion%20in%202020.
[11] Sunday Ayoola Oke, UNIVERSITY OF LAGOS (Jan 2004), https://www.researchgate.net/publication/228809837_ARTIFICIAL_INTELLIGENCE_A_REVIEW_OF_THE_LITERATURE
[12] Rights and Responsibilities, Office of Australian Information Commissioner, AUSTRALIAN GOVERNMENT, https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act/rights-and-responsibilities#:~:text=The%20Privacy%20Act%20allows%20you,information%20(including%20your%20health%20information)
[13] Rights and Responsibilities, Office of Australian Information Commissioner, AUSTRALIAN GOVERNMENT, https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act/rights-and-responsibilities#:~:text=The%20Privacy%20Act%20allows%20you,information%20(including%20your%20health%20information)
[14] Rights and Responsibilities, Office of Australian Information Commissioner, AUSTRALIAN GOVERNMENT, https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act/rights-and-responsibilities#:~:text=The%20Privacy%20Act%20allows%20you,information%20(including%20your%20health%20information)
[15] “Ibid”
[16] Data Protection Laws and Regulation USA (2022-2023), ICLG, https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa#:~:text=There%20is%20no%20single%20principal,Code%20%C2%A7%2041%20et%20seq.
[17] Data Protection Laws and Regulation USA (2022-2023), ICLG, https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa#:~:text=There%20is%20no%20single%20principal,Code%20%C2%A7%2041%20et%20seq.)
[18] “Ibid”
[19] Know the risk: The Best and Worst Countries for Cybersecurity, BROADBANDSEARCH, https://www.broadbandsearch.net/blog/best-worst-countries-cybersecurity
[20] Soumik Ghosh, The biggest data breaches in India, CSO (May 2021), https://www.csoonline.com/article/3541148/the-biggest-data-breaches-in-india.html
[21] Soumik Ghosh, The biggest data breaches in India, CSO (May 2021), https://www.csoonline.com/article/3541148/the-biggest-data-breaches-in-india.html
[22] Aishwarya Srinivasan, India’s Data Protection Bill in the light of Responsible AI , https://www.linkedin.com/pulse/indias-data-protection-bill-light-responsible-ai-aishwarya-srinivasan/
[23] Aishwarya Srinivasan, India’s Data Protection Bill in the light of Responsible AI , https://www.linkedin.com/pulse/indias-data-protection-bill-light-responsible-ai-aishwarya-srinivasan/
[24] Aishwarya Srinivasan, India’s Data Protection Bill in the light of Responsible AI , https://www.linkedin.com/pulse/indias-data-protection-bill-light-responsible-ai-aishwarya-srinivasan/
[25] “Ibid”
