
© Indic Pacific Legal Research LLP.

For articles published in VISUAL LEGAL ANALYTICA, you may refer to the editorial guidelines for more information.

The Digital Personal Data Protection Act & Shaping AI Regulation in India

On August 11, 2023, the President of India gave assent to the Digital Personal Data Protection Act (DPDPA), and upon its notification in the Official Gazette the instrument has become law. Since then, multiple briefs, insights and infographics have been reproduced and published by several law firms across India. This article therefore focuses on the key provisions of the Act and explores how it would shape the trajectory of AI regulation in India, especially considering the recent amendments to the Competition Act, 2002 and the trajectory of the upcoming Digital India Act, which is still in progress.

You can read the analysis of the Digital India Act as proposed in March 2023 here. You can also find a complete primer on the important provisions of the Digital Personal Data Protection Act here; those provisions are discussed in this article. We urge you to download the file, as the provisions we discuss are described in that document.

General Review of the Key Provisions of the DPDPA

Let's begin with the stakeholders under this Act. The Digital Personal Data Protection Act, 2023 (DPDP Act) defines the following stakeholders and their relationships:

  • Data Principal: The individual to whom the personal data relates.

  • Consent Manager: A person or entity appointed by a Data Fiduciary to manage consents for processing personal data.

  • Data Protection Board (DPB): A statutory body established under the DPDP Act to regulate the processing of personal data in India.

  • Data Processor: A person or entity who processes personal data on behalf of a Data Fiduciary.

  • Data Fiduciary: A person or entity who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

  • Significant Data Fiduciary: A Data Fiduciary that meets certain thresholds, for example, having a turnover of more than INR 100 crores or processing the personal data of more than 50 million Data Principals. However, it is to be noted that no specific threshold has been defined in the Act as of now.

The relationships among these stakeholders are as follows:

  • The Data Principal is the owner of their personal data and has the right to control how their data is processed.

  • The Consent Manager is responsible for managing consents for processing personal data on behalf of the Data Fiduciary.

  • The DPB is responsible for regulating the processing of personal data in India. It has the power to investigate complaints, issue directions, and impose penalties.

  • The Data Processor is responsible for processing personal data on behalf of the Data Fiduciary in accordance with the Data Fiduciary's instructions.

  • The Data Fiduciary is responsible for determining the purpose and means of processing personal data. They must comply with the DPDP Act and the directions of the DPB.

  • A Significant Data Fiduciary has additional obligations under the DPDP Act, such as appointing a Data Protection Officer and conducting data protection impact assessments.

Figure 1: Key Stakeholders in the Digital Personal Data Protection Act, 2023 (India)

Data Protection Rights

The Act clearly sets out a set of rights for Data Principals and obligations attached to Data Fiduciaries, which are discussed further below. However, a lot of the provisions in the Act contain the clause "as may be prescribed". This means that many provisions will remain subject to delegated legislation, which makes sense, because the Government could not integrate every aspect of data regulation and protection into the Act and could only propose specific and basic provisions that make sense from a multi-stakeholder and citizen perspective. Like the General Data Protection Regulation in the European Union, the rights of a Data Principal are clearly defined in Sections 11-14 of the Act, stated as follows:

  • Right to access information about personal data which includes:

    • a summary of personal data

    • identities of the Data Fiduciaries and Data Processors with whom the personal data has been shared

    • any other information related to the Data Principal and the processing itself

  • Right to:

    • correction of personal data

    • completion of personal data

    • updating of personal data and

    • erasure (deletion) of personal data

  • Right to grievance redressal which has to be readily available

  • Right to nominate another person to exercise their data protection rights under this Act on their behalf, as Data Principals

There are no specific parameters or factors defined when it comes to the Right to be Forgotten (erasure of personal data). Hence, we can expect some specific guidelines and circulars to address this issue, along with industry-specific interventions, for example, by the RBI in the fintech industry.

The provisos containing a list of duties of a Data Principal are referred to here for obvious reasons: they offer a reflective perspective from which to estimate the policy and ethical expectations the Data Protection Board may internally hold. Like the Fundamental Duties, these duties do not have any binding value, nor do they affect data-related jurisprudence in India, especially on matters related to this Act. However, those duties could be invoked by any party to a data protection-related civil dispute for the purposes of interpretation and to elaborate on the purpose of the Act. Nevertheless, invoking the duties of Data Principals has a limited impact.

Legitimate Use of Personal Data

The following are considered as "legitimate use" of personal data by a Data Fiduciary:

  • Processing personal data for the Government with respect to any subsidy, benefit, service, certificate, licence or permit prescribed by the Government.

    • For example: to let people avail benefits of a government scheme or programme through an App, personal data would have to be processed

  • Processing personal data to:

    • Fulfil any obligation under any law in force or

    • Disclose any information to the State or any of its instrumentalities

      • This is subject to the obligation that processing of personal data is being done in accordance with the provisions regarding disclosure of such information in any other law

    • Processing personal data in compliance with:

      • Any judgment or decree or order issued in India, or

      • Any judgment or order relating to claims of a contractual or civil nature based on a law in force outside India

  • When a Data Principal voluntarily offers personal data to the Data Fiduciary (a company, for example).

    • This is applicable when the Data Principal has not indicated in any way that the Data Fiduciary does not have consent to process the data

    • This is therefore a negative obligation on the Data Fiduciary (a company, for example): if the Data Principal has indicated that consent is not granted, then the data cannot be processed

There are other broad grounds as well, such as national security, sovereignty of India, disaster management measures, medical services and others.

Major Policy Dilemmas & Challenges with DPDPA

Now, there are certain aspects on the data protection rights in this Act, which must be understood.

  • Publicly available data, as stated in Section 3 of this Act, will not be covered by the provisions of this Act. This means that if you post something on social media (for example), or give prompts to generative AI tools, that data is not covered under the provisions of this Act in India, which is not the case in Western countries or even in China. Since different provisions give the Data Protection Board the powers of a civil court on specific matters under the Civil Procedure Code of 1908, and the orders of the Appellate Tribunal under this Act are executable as a civil decree, it clearly and obviously signifies that most data protection issues would be commercial and civil law issues. In other countries, the element of public duty (emanating from public law) comes in. This also shows clearly that, in the context of public law, India is not yet opening its approach to regulating the use of artificial intelligence technologies at macro and micro scales. I am certain this will be addressed in the context of high-risk and low-risk AI systems in the Digital India Act.

  • On the transnational flow of data and the issue of building bridges and digital connectivity between India and other countries, the Act gives unilateral powers to the Government to restrict the flow of data whenever it finds a ground to do so. This is why nothing specific as to the measures has been described by the Government yet: the trade negotiations on the information economy between India and stakeholders such as the UK, the European Union and others usually get stuck. In fact, this is a general problem across the board for companies and governments around the world, for two simple reasons: (1) the trans-border flow of data is a trade law issue, requiring countries to conduct diplomatic negotiations that rarely reach a consensus, due to the transactional aspect of it; (2) data protection law, a subset of technology law, has historical roots in the field of telecommunications law, which is why the contractual and commercial nature of trans-border data flow, being tied to telecom law, may not arrive at conclusions. This relates to the poignant issue of moratoriums on digital goods and services under WTO law, which is subject to discussion in future WTO Ministerial Conferences. Here is an excerpt from India and South Africa's joint submission on 'E-commerce Moratoriums':

What about the positive impacts of the digital economy for developing countries? Should these not also be taken into account in the discussion on losses and the impact of the moratorium? After all, it is often said that new digital technologies can provide developing countries with new income generation opportunities, including for their Micro and Small and Medium Sized Enterprises (MSMEs). [...] Further, ownership of platforms is the new critical factor measuring success in the digital economy. The platform has emerged as the new business model, capable of extracting and controlling immense amounts of data. However, with ‘platformisation’, we have seen the rise of large monopolistic firms. UNCTAD’s Digital Economy Report (2019) highlights that the US and East Asia accounts for 90 percent of the market capitalization value of the world’s 70 largest digital platforms. Africa and Latin America’s share together is only 1 percent. Seven ‘super platforms’ – Microsoft, Apple, Amazon, Google, Facebook, Tencent and Alibaba – account for two-thirds of total market value. In particular, Africa and Latin America are trailing far behind.

  • Also, startups have been given exemptions from certain crucial compliances under this Act. This may be justified as a move to promote the Digital India and startup ecosystem in India, and some may argue that it works against creating a privacy-compliant startup ecosystem. Another aspect, ignored by most critics of this Act (formerly a Bill), is the sluggishness and hawkishness of the bureaucratic mindset behind ensuring compliance. Maybe this gives some room to ensure a flexible compliance environment, if the provisions are used reasonably. How this would affect fintech companies when it comes to data collection-related compliances remains to be seen, although it is clear that the data protection law, within its own limits, will not supersede fintech regulations and other public and private law systems. This means that fintech regulations on data collection, and restrictions on the use of it, will prevail over this data protection law.

  • Data Fiduciaries would have to give a notice every time they request consent from a Data Principal in order to collect data. It is rightly argued that merely having a privacy policy would not suffice, since there would be multiple instances of data collection at multiple locations in an app or website interface. Here is an illustration from the Act, which explains the same.

X, an individual, opens a bank account using the mobile app or website of Y, a bank. To complete the Know-Your-Customer requirements under law for opening of bank account, X opts for processing of her personal data by Y in a live, video-based customer identification process. Y shall accompany or precede the request for the personal data with notice to X, describing the personal data and the purpose of its processing.

  • Interestingly, the Act defines obligations for Data Fiduciaries but not for Data Processors, which seems strange. Alternatively, it could be argued that the Government would like to keep the legal issues between a Data Fiduciary and its assigned Data Processors subject to contractual terms. We must remember that, for example, in Section 8(1) of the Act, Data Fiduciaries are required to comply with the provisions of the Act (DPDPA) "irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act", in respect of any processing undertaken by the Data Processor. The issue that may arise is: what happens if the Data Processor makes a shoddy mistake? What if a data breach is caused by the actions of the Data Processor despite due diligence by the Data Fiduciary? This makes the role of Data Processors more of a commercial law issue or dilemma when contracts are agreed upon, instead of making it a civil or public law issue in the context of the Act.

  • Finally, the Act introduces a new concept known as the "Consent Manager". As argued by Sriya Sridhar, such a conceptual stakeholder could be related to one of the most successful stakeholder systems created in the RBI's fintech regulation framework, namely Account Aggregators (AAs). Since the DPDPA would not take precedence over the fintech regulations of the Reserve Bank of India, for example, and since the role of data protection itself could be generalised and tailor-made subject to the best industry-centric regulatory practices, Consent Managers not being Data Fiduciaries would be helpful for AAs as well. Some aspects related to the inclusion of artificial intelligence technology in the context of Consent Managers are discussed in the next section of this article.

The next section of this article covers all aspects related to the use of artificial intelligence in the Digital Personal Data Protection Act, 2023.

Key Definitions & Provisions in the DPDPA on Artificial Intelligence

Here are some definitions in Section 2 of the Act, which must be read and understood, to begin with:

(b) “automated” means any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;
(f) “child” means an individual who has not completed the age of eighteen years;
(g) “Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform;
(h) “data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;
(i) “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
(j) “Data Principal” means the individual to whom the personal data relates and where such individual is —
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with disability, includes her lawful guardian, acting on her behalf;
(k) “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary;
(n) “digital personal data” means personal data in digital form;
(s)(vii) every artificial juristic person, not falling within any of the preceding sub-clauses;
(t) “personal data” means any data about an individual who is identifiable by or in relation to such data;
(x) “processing” in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;

Figure 2: Key Definitions of the Digital Personal Data Protection Act, 2023 on Artificial Intelligence

With reference to Figure 2, the four most important definitions with respect to artificial intelligence are in Section 2, especially sub-sections (b), (s)(vii) and (x). The definition of the term "automated" clearly states that "automated" means any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data. This means that AI systems capable of making decisions without human intervention are considered "automated" for the purposes of the Act. Of course, this recognition was already implicit, as the integration of AI systems in data processing is a long-known reality; the wording, however, makes it meticulously clear. This definition is broad enough to encompass a wide range of AI systems, including:

  • Machine learning systems: These systems are trained on large amounts of data to learn how to make predictions or decisions. Once they are trained, they can make these decisions without human intervention.

  • Natural language processing systems: These systems can understand and process human language. They can be used to generate text, translate languages, and answer questions.

  • Computer vision systems: These systems can identify and track objects in images and videos. They can be used for tasks such as facial recognition and object detection.

It would be intriguing to observe how this plays out when the Digital India Act is released, since the Act is proposed to cover high-risk, medium-risk and low-risk AI systems.

Artificial Juristic Person

Furthermore, the definition of "every artificial juristic person" in sub-section 2(s)(vii) of the Act is interesting, considering that the Act uses the word "person" over 30 times, which is to be expected. The definition is important because it helps to clarify what types of AI systems are considered to be "legal persons" for the purposes of the law.

The definition states that "artificial juristic person" means every artificial juristic person, not falling within any of the preceding sub-clauses. This means that AI systems that are not explicitly defined in the preceding sub-clauses, such as companies, firms, and associations of persons, may still be considered to be "artificial juristic persons" if they have the capacity to acquire rights and incur liabilities.

The wording is worth noticing simply because it allows the Act to apply to AI systems that are not traditionally considered to be "legal persons". This matters because AI systems are becoming increasingly sophisticated and are capable of making decisions that have a significant impact on people's lives. By classifying AI systems as "legal persons", the Act helps to ensure that these systems are held accountable for their actions and that they are subject to the same legal protections as humans.

It could be argued that the definition of "artificial juristic person" in the DPDPA would evolve, as AI technology continues to develop and the integration of assessing AI-relate