From India comes an interesting proposed bill on protection of data. If the Ganges is the lifeblood of India, then data is the lifeblood of AI. And so legislation on data becomes an important part of AI regulation.
Some interesting things about this bill:
- the data covered has to be in respect of a person who is directly or indirectly identifiable. Presumably meaning that absent identification of individuals, the data becomes fair game;
- the act deals with the “processing” of personal data. This is defined in a way that would certainly capture AI analysis of the data;
- a concept of a “data fiduciary” is created, being a person who determines the purpose and means of processing personal data. The data fiduciary holds quite a number of obligations to the person whose data is processed. Most interesting is the idea that such fiduciary must take reasonably steps to ensure that the personal data processed is complete, accurate, not misleading and updated, having regard to the purposes used;
- certain highly personal data is described as “sensitive personal data” and subject to higher protection standards;
- the government proposes to give itself lots of exemptions for dealings with data;
- the data fiduciary has lots of obligations and lots of reporting obligations and is auditable, much as you would imagine such legislation to be, had you ever read similar legislation;
- cross-border (outside the boundaries of India) transfer of data may be permitted (not for sensitive personal data). But a number of conditions apply, including that the government has prescribed transfers to a country, which it may only do if it finds that the protection of data in the recipient country is of an acceptable standard;
- and then the state gives itself more exemptions;
- and throws in some interesting ones, such as for journalists.
In any case, it’s pretty interesting to see that a potential statute that on its face is largely aimed at personal data protection has lots of elements that could trickle over to the regulation of AI. Certainly the term “processing” as defined would seem to be broad enough to capture that. As well the cross border element becomes interesting. Imagine a scenario where data is imported to India for processing but upon processing it cannot be reexported because the coutry of origin is not determined to have sufficient safeguard standards. A Data Protection Authority is proposed whose tasks include monitoring technological developments and commercial practices that may affect personal data protection as well as approving and issuing codes of practice for an industry (no reason why this couldn’t include the AI industry, in particular as the bill contemplates such codes in the areas of processing of data).
I am convinced that everything has come down to us from the banks of the Ganges, – Voltaire