Regulating Algorithms through Data Protection Laws: Reigning the Unruly Horse
[Gaurav and Aditi are lawyers at JSA. The following article was first published on Lexology.]
Artificial intelligence (AI) is increasingly deepening its inroads to human civilization. If statistics are to be relied on, the global market share of AI is expected to rise from 87 billion US dollars in 2021 to 1,591 billion US dollars in 2030.
The employability of AI has become all-pervasive, owing to its undeniable benefits. However, serious threats to privacy can potentially emerge because of such increasing reliance on AI. These threats can stem from the foundation of AI, that is, algorithms.
While algorithms are at the core of all AI-driven technologies, these form one of the most perceivable sources of threats to data protection and privacy. Algorithms, at times suffer from in-built biases and errors that distort operations, resulting in unintended or unwarranted outputs. At times, algorithms are ill-equipped to deal with external manipulations to data, thereby subjecting data to serious risks of unwarranted intrusion.
Understanding the Global Data Protection Landscape Governing AI-Induced Risks to Data
Risks to users’ data have been recognized by the data protection laws of major jurisdictions including European Union (EU). EU’s General Data Protection Regulation (GDPR) recognizes inter alia the risks of automated processing of data and aims to resolve the same through a data protection impact assessment (DPIA). The assessment evaluates the degree of risk that such automated processing poses to the “rights and freedoms of natural persons” and imposes additional compliances to be undertaken prior to processing.
Recognizing the advancement in technology and consequently, the need to tighten the regulatory grip on AI, EU is on its way to materialize its proposal for a regulation laying down harmonized rules on AI. This proposal inter alia aims at identifying the data protection and privacy risks associated with the use of AI, thereby subjecting high risk data sets to appropriate data management and governance practices, complementing the GDPR. The necessity for an integrated regulatory mechanism concerning AI and algorithms has also been recognized through numerous resolutions adopted by EU, including its resolution on AI in a digital age.
In the United States, where data protection is governed by numerous data protection legislations framed to cater to different sectors, an integrated data protection law is yet to find its place. The proposed American Data Privacy and Protection Act inter alia aims at regulating data privacy rights through various measures concerning algorithmic practices including algorithm impact assessment and algorithm design evaluation to prevent unwarranted algorithmic practices.
As another example, the United Kingdom’s Data Protection Act 2018 explicitly recognizes the rights of users against unbridled data processing through AI, and bars solely automated decisions in certain conditions. United Kingdom’s Parliament is also in the process of materializing two bills – Data Protection and Digital Information Bill and Online Safety Bill. Both the bills aim at regulating automated decision making by standardizing practices concerning data processing in an effort to regulate algorithms.
As can be inferred from the regulatory canvas of major jurisdictions, data protection laws necessarily contain regulations aimed at protecting the rights of users against unwarranted outcomes of automated decision making and similar AI-induced risks. Such inclusion reassures the competence of data protection law as an instrument to regulate algorithms and AI.
Regulation of AI in India
Much like India’s data protection regime, its regulations concerning AI-induced risks to data are yet to materialize. While there are numerous policy documents aimed at recognizing the necessity to regulate AI across multiple sectors in India, an integrated legislation addressing algorithm-induced risks to users’ data is absent.
The Personal Data Protection Bill 2019 (2019 Bill), that has been recently withdrawn, recognized the rights of data principals (natural persons to whom the concerned data relates) against automated processing in a limited manner. It provided for an impact assessment in cases of significant risk of harm to data principals and provided data principals with the right to obtain information about the use of their data in the case of automated processing subject to certain exceptions. However, the Joint Parliamentary Committee through its recommendations in the form of Data Protection Bill 2021 added further exceptions to the rights of data principals concerning automated processing of data and restricted the already limited scope of the 2019 Bill.
The present status of uncertainty around regulation of AI and data protection in India calls for an integrated “comprehensive legal framework” including a redress to AI-induced risks to data.