Regulating algorithms through data protection laws: Reining the unruly horse

Artificial intelligence (“AI”) is making ever deeper inroads into human civilization. If statistics are to be relied on, the global market size of AI is expected to rise from 87 billion US dollars in 2021 to 1,591 billion US dollars in 2030[1].

The use of AI has become all-pervasive, owing to its undeniable benefits. However, serious threats to privacy can emerge because of such increasing reliance on AI. These threats can stem from the foundation of AI, that is, algorithms.

While algorithms are at the core of all AI-driven technologies, they form one of the most perceivable sources of threats to data protection and privacy. Algorithms at times suffer from in-built biases and errors that distort operations, resulting in unintended or unwarranted outputs. At times, algorithms are ill-equipped to deal with external manipulations to data[2], thereby subjecting data to serious risks of unwarranted intrusion.

Understanding the global data protection landscape governing AI-induced risks to data

Risks to users’ data have been recognized by the data protection laws of major jurisdictions, including the European Union (“EU”). The EU’s General Data Protection Regulation (“GDPR”) recognizes, inter alia, the risks of automated processing of data, and aims to resolve them through a data protection impact assessment (“DPIA”)[3]. The assessment evaluates the degree of risk that such automated processing poses to the “rights and freedoms of natural persons” and imposes additional compliances to be undertaken prior to processing.

Recognizing the advancement in technology and, consequently, the need to tighten the regulatory grip on AI, the EU is on its way to materializing its proposal for a regulation laying down harmonized rules on Artificial Intelligence[4]. This proposal, inter alia, aims at identifying the data protection and privacy risks associated with the use of AI[5], thereby subjecting high-risk data sets to appropriate data management and governance practices[6], complementing the GDPR. The necessity for an integrated regulatory mechanism concerning AI and algorithms has also been recognized through numerous resolutions adopted by the EU, including its Resolution on Artificial Intelligence in a Digital Age[7].

In the United States, where data protection is governed by numerous data protection legislations framed to cater to different sectors, an integrated data protection law is yet to find its place. The proposed American Data Privacy and Protection Act, inter alia, aims at regulating data privacy rights through various measures concerning algorithmic practices, including algorithm impact assessment and algorithm design evaluation[8], to prevent unwarranted algorithmic practices.

As another example, the United Kingdom’s Data Protection Act, 2018 explicitly recognizes the rights of users against unbridled data processing through AI, and bars solely automated decisions in certain conditions[9]. The United Kingdom’s Parliament is also in the process of materializing two bills: the Data Protection and Digital Information Bill[10] and the Online Safety Bill[11]. Both bills aim at regulating automated decision making by standardizing practices concerning data processing in an effort to regulate algorithms.

As can be inferred from the regulatory canvas of major jurisdictions, data protection laws necessarily contain regulations aimed at protecting the rights of users against unwarranted outcomes of automated decision making and similar AI-induced risks. Such inclusion affirms the competence of data protection law as an instrument to regulate algorithms and AI.

Regulation of AI in India

Much like India’s data protection regime, its regulations concerning AI-induced risks to data are yet to materialize. While there are numerous policy documents aimed at recognizing the necessity to regulate AI across multiple sectors in India, an integrated legislation addressing algorithm-induced risks to users’ data is absent.

The Personal Data Protection Bill, 2019 (“2019 Bill”), which has recently been withdrawn, recognized the rights of data principals (natural persons to whom the concerned data relates) against automated processing in a limited manner. It provided for an impact assessment in cases of significant risk of harm to data principals, and provided data principals with the right to obtain information about the use of their data in the case of automated processing, subject to certain exceptions[12]. However, the Joint Parliamentary Committee, through its recommendations in the form of the Data Protection Bill, 2021, added further exceptions to the rights of data principals concerning automated processing of data[13], and restricted the already limited scope of the 2019 Bill.

The present uncertainty around the regulation of AI and data protection in India calls for an integrated “comprehensive legal framework” that includes redress for AI-induced risks to data.

[1] Bergur Thormundsson, ‘Market size and revenue comparison for artificial intelligence worldwide from 2018 to 2030’ (Statista, 27 June 2022) <https://www.statista.com/statistics/941835/artificial-intelligence-market-size-revenue-comparisons/> accessed 5 September 2022.

[2] Ibid.

[3] Regulation of the European Parliament and of the Council 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] art. 35(1), 35(3)(a), recitals 84, 90, 91 <https://gdpr-info.eu/>.

[4] European Union, Proposal for a Regulation laying down harmonized rules on Artificial Intelligence (2021/0106 (COD)), Explanatory Memorandum, para 5.2.4, recital 45, art 52 <https://digital-strategy.ec.europa.eu/en/library/proposal-regulation-laying-down-harmonised-rules-artificial-intelligence>.

[5] Ibid, recitals 15, 36.

[6] Ibid, art. 10.

[7] European Union, Resolution on Artificial intelligence in a Digital Age, 2022, 2020/2266(INI), paras 22, 142, 271 <https://www.europarl.europa.eu/doceo/document/TA-9-2022-0140_EN.html>.

[8] American Data Privacy and Protection Act, H.R.8152, sec 207 <https://www.congress.gov/bill/117th-congress/house-bill/8152/text#toc-H6332551148B14109B1F2D9598E099E38>.

[9] Data Protection Act, 2018, (2018 c. 12) art 49, 96 <https://www.legislation.gov.uk/ukpga/2018/12/contents>.

[10] Data Protection and Digital Information Bill, (Bill 143 2022-23), sec 11 <https://bills.parliament.uk/bills/3322>.

[11] Online Safety Bill, (Bill 121 2022-23), sec 8(5), sec 23(5) <https://bills.parliament.uk/bills/3137>.

[12] Personal Data Protection Bill, 2019, sec 19, sec 27.

[13] Data Protection Bill, 2021, sec 19.

Authored by –

Gaurav G Arora, Partner, JSA and

Aditi Richa Tiwari, Student of Law

Disclaimer: The views expressed in this article are those of the author and do not necessarily reflect the views of ET Edge Insights, its management, or its members
