The recently enacted Digital Personal Data Protection Act, 2023 is a significant milestone for India in enforcing data protection laws. This new Act is instrumental in safeguarding privacy and empowering individuals with more control over their personal data. The Act not only provides definitions of data and the primary demarcation of the elements involved but also introduces compliance requirements that must be adhered to while collecting or processing digital personal data. There is also the introduction of the concept of consent – with every individual being vested with the right to provide as well as withdraw consent, and have the personal data be processed only for a lawful purpose. Additionally, this is mandated that the consent provided by the individuals is free, informed, specific, and unambiguous, in the form of any affirmation or action in agreement of processing their personal data.
While this introduction of consent is a paradigm shift in the domestic law, the extent of enforceability of the same in a modern setting can be questioned. The integration of artificial intelligence (AI) into everyday operations has propelled innovation but also raises pertinent ethical concerns. A primary concern being the usage of data available for AI training without obtaining consent, as in case of the publicized incident of IBM’s usage of the photos uploaded onto the internet by users in 2019. The company without obtaining consent or issuance of a warning released a collection of photographs of online social media users to researchers for training and development of AI and an attempt towards reducing bias in facial recognition. While IBM promoted this as a progressive step toward AI training and the reduction of bias, their act accounts to a massive invasion of privacy of the online users whose pictures were not only used without consent but also coded according to their facial appearance, such as facial geometry and skin tone.
A significant concern that has arisen is AI being used as a tool of exploitation by corporations. In 2023, a lawsuit was filed against Shein and their alleged use of AI algorithms to exploit user data without explicit consent. Shein, a major player in the fast fashion industry, is often in spotlight for numerous intellectual property , labour and environmental law violations. A group of independent designers filed a lawsuit accusing Shein of stealing intellectual property, engaging in racketeering activities, and using a secret algorithm to engage in plagiarism. The algorithm, allegedly, tracked popular artwork and designs online and then copied these independent designs for Shein’s merchandise online, thereby, identifying emerging fashion trends and producing a constrained number of each item for sale. Further, Shein employs complex corporate strategy to hide their activities enabling them to dismiss any claims of plagiarism. The corporation also made significant monetary prospects through the combination of this illicit algorithm and corporate framework strategy that permits illegal activities , infringement of artist’s intellectual property and violation of privacy rights.
The reliance on AI in everyday life by most individuals without laws to govern or protect such usage opens avenue for data leak and use for AI training. An experience that has gained significant popularity in the past years is Augmented Shopping Reality and it can be credited to convenience. This has aided in the formation of an exceptional symbiotic relationship between customers and retailers since it offers a chance to customers to “try on” items of purchase within their own space. However, in offering a personalized experience, augmented shopping typically involves the processing of significant personal data. This may take the form of a selfie, uploaded to try on different eyewear or lipstick shades (such as Lenskart’s or MAC Cosmetics’ “Virtual Try-On” feature), or a picture of a living room, uploaded to see how an armchair would suit a particular corner of the room (IKEA Place feature). This collection and storage of personal data raise concerns about transparency, consent, and data security. Since some augmented shopping experiences also incorporate facial recognition technology to identify customers or enable personalized interactions, privacy concerns are often raised, as it involves capturing and analyzing biometric data without explicit consent as well as without provision of adequate information about the purpose and retention period of the data. The issue of tracking and profiling can also be associated with this expereince since it uses tracking technologies leading to questions on about the level of surveillance and the potential for invasive tracking without individuals’ knowledge or consent. However, this issue could beyond just invasive tracking to unfair surveillance, discrimination and blacklisting.
The Madison Square Garden and Radio City Hall incidents is the most recent example of the danger – by the usage of facial recognition technology, individuals were identified and denied entry due to their involvement in a lawsuit against MSG Entertainment. The implementation of this ban is based on a list created by the company through a facial recognition system identifying the lawyers through their pictures on the respective company websites. The ability of such technologies to be weaponized by the ones in power forms a primary reason for the enforcement of more stringent privacy laws. The use of facial recognition system is an increasing significantly on a global and domestic level. In India, a popular employment of the system is the DigiYatra application at certain major airports. While this feature implemented at security checks is a mode to seamless travel experience, the concern of personal data protection remains due to the sensitive nature of the information. The application collects sensitive personal information including, Aadhaar, facial biometric data and so on. The concerns revolve around not just the misuse or theft of the collected passenger information but also the passengers being prey to data leak and surveillance, particularly since the DigiYatra application was developed in the absence of a data protection law.
The Digital Personal Data Protection Act, 2023 at the outset promises to address the existing concerns of data protection and privacy as well as modern issues through the provisions –
Purpose Limitation and Collection Limitation: The Act incorporates essential principles such as the Purpose Limitation Principle which mandates the personal data to be only processed for lawful purposes that the data principal has given its consent. It also incorporates the Collection Limitation Principle which mandates collection data that is necessary or limited to the purpose.
Consent and Rights of Data Principal: The Act mandates that the consent must be procured prior or during the collection through a consent notice with specifications as stated. This is to ensure that the consent obtained is free, specific, informed and unconditional and unambiguous. If a data principal agrees to provide personal data to Lenskart such as phone, email, address, and so on for a specific purpose, it would entail that notice prescribing the method and purpose of collection would have to be specifically provided, and cannot be used for any purpose not stated. Under the Act, the user or data principal has been vested with the right to withdraw consent at any time with same level of ease with which consent was obtained. On withdrawal, company or data fiduciary would need to withdraw their data.
Cross Border transfer of Personal Data: There is a restriction placed on the cross-border transfer of data. The Act prohibits the cross-border transfer of personal data unless that country is a part of the white list prescribed by the central government.
Prevention and Notification of Data Breach: Under the Act, the data fiduciary (organization) would have to notify the users / data principal in case of a data leak, irrespective of the scope of the breach. The Act also mandates the company or organisation to ensure the implementation of appropriate technical and organisational measures for the compliance with the requirements of the Act and also take reasonable security safeguards to prevent personal data breach.
While the DPDP Act is provides a necessary shift in the data protection laws, the possible introduction of “Data protection by design and default” as provided in General Data Protection Rule (GDPR) could strengthen the fight against modern issues. This would signify that the data fiduciary and data processor, by implementing technical measures at an organization level , would be able to collect the specific data necessary for the purposes stated in the notice of consent and introduce accountability at the grassroot level.
Author : Nanditha Vijay (Intern – May 2023)