According to John McCarthy, Artificial Intelligence is defined as "the
science and engineering of making intelligent machines, especially intelligent
computer programs."1 It is a machine that can perceive and analyze data to make
decisions autonomously. From self-driving cars to robots in manufacturing plants
‚ AI systems are now being used in many different industries around the world.
Starting from the moment when McCarthy coined the term artificial intelligence
in 1956, there has been no looking back for this sacred word.
AI has invaded our lives in more ways than one can always fathom. AI is
well-honed for collecting, storing, and analyzing data, although we might not
even know it. AI can do so through algorithms as it collects recent search
history, age, gender, demographics, etc. Although the analysis of such data may
initially seem harmless, cybercriminals can use these data to carry out
fraudulent activities.
One of the major examples is facial recognition systems. These systems are used
for security purposes. Facial recognition systems are being used in cities and
airports in America and other countries. However, various cities such as
Brookline, Cambridge, Northampton, and Somerville in Massachusetts have adopted
such technology bans.
Privacy concerns in AI:
- The issue of privacy violation: AI systems require a vast amount of data and personal information. If this data lands in the wrong hands, they can be manipulated to commit crimes such as identity theft and cyberbullying.
- Data abuse practices: AI can be used to create convincing fake images and videos through morphing.
- The power of Big Tech companies: Huge tech companies such as Google, Amazon, and Meta (Owners of Instagram, Facebook and WhatsApp) have access to large amounts of data. As time passes, we can ensure that these big tech companies can create entirely new virtual ecosystems and have more control over consumer behavior.
- Quantum Computing: Quantum computers can break traditional encryption algorithms currently used to secure sensitive data, such as financial transactions, medical records, and personal information. This is because quantum computers can calculate much faster than classical computers, allowing them to crack encryption keys and reveal the underlying data.
- In 2023, India's cybercrime rate is 129 cases per 1,00,000 citizens. The emergence of AI has posed a massive threat to cybersecurity. The major threats include brute force, denial of service, AI-generated deepfakes, and social engineering attacks. As AI tools become more affordable and accessible, the rate of cybercrimes is also increasing. Deepfake videos, in particular, enable gender-based violence against women. After the launch of ChatGPT, cybercriminals have used the tool to create convincing messages, enabling more complex attacks that evade traditional security systems. Thus, the protection of privacy in this AI-driven world is a constant struggle that will continue alongside the development of AI.
Right to Privacy:
According to Black's Law Dictionary "right to be let alone; the right of a
person to be free from any unwarranted publicity; the right to live without any
unwarranted interference by the public in matters with which the public is not
necessarily concerned"3 is defined as Privacy.
Article 21 of the Constitution of India states that "No person shall be deprived
of his life or personal liberty except according to procedure established by
law". The term 'life' includes all those aspects of life which make a person's
life meaningful and worth living such as food, shelter, clothing, etc. These
aspects also include the right to privacy as well.
The right to privacy is broadly interpreted and it extends to the protection of
privacy of data, personal health relationship matters, etc. The emergence of the
digital era has led to rising concerns regarding the infringement of the right
to privacy. Upkeeping privacy is important as it helps in protecting your
personal safety, security, freedom and dignity. Henceforth, the understanding of
privacy and data protection in this digital age is essentially important.
Earlier, the right to privacy was not considered a part of the Right to life
under part III of the Constitution. In the case of MP Sharma vs. Satish Chandra
(1954)4, the question of the right to privacy was put forward in the Supreme
Court. However, it was held that the search and seizure of property is not
violative of any such right.
In the case of
Govind vs. the State of MP (1975)5, the Madhya Pradesh government
instituted regulations 855 and 856 of the Madhya Pradesh Police Regulations
according to which, a person who is shown to have a constant tendency of
criminal behaviour, must be kept under constant surveillance. This law was
challenged by Govind who was frequently visited and assaulted by the policemen
under the regulation. The court held that since the right to privacy is not
mentioned explicitly in the Indian constitution, the regulations are not
violative of the constitutional provisions. The court held that these visits
made by the policemen were not violative and they were only conducted to ensure
public safety and security.
In the landmark judgement of the Supreme Court of the People's Union of Civil
Liberties vs Union of India (1996)6, the Court dealt with the widespread
telephone tapping by the state and its privacy concerns. The court held that the
right to hold a telephone conversation in the privacy of one's home or office
without interference can be held as a right to privacy.
The turning point for the right to privacy in India was the judgement of KS
Puttaswamy vs Union of India (2017)7. The nine-judge bench decided that the
right to privacy is a fundamental right, and it is protected as an intrinsic
part of the right to life. The judgment also focuses on the concerns over
surveillance and profiling from the state, as well as non-state actors.
Therefore, it is well-established that the right to privacy is a fundamental
right that cannot be denied except by due process of law. These judgements paved
the way for the furnishing of the data protection bill and the Digital Personal
Data Protection Act 2023.
How does Artificial intelligence create privacy concerns?
It can never be doubted for a second that AI and machine learning have proven to
be highly efficient. However, the amount of personal data it feeds upon to
produce these results is potentially dangerous. Various foreign judgments show
the misuse of data to train AI models.
In
Dinerstein v. Google LLC8, the plaintiff filed a lawsuit against Google
claiming that the company illegally accessed hundreds of medical patients'
records through the data mining company, DeepMind. Google used this data to
train machine learning algorithms. However, the claims were dismissed by the Ld.
Judge, which shows that the laws are additional statutory protections are
supposed to be placed for such cases.
Another case is
Brown et al v Google LLC 9, where a lawsuit was filed against
Google in June 2020 in which it was alleged that Google continued to track users
in incognito mode which put the personal and sensitive activities of the users
in jeopardy. The lawsuit had sought $5 Billion. Later, the suit was settled
through mediation.
In the case,
Janecyk v. International Business Machines10 the photographer Tim Janecyk filed a lawsuit against IBM for using his publicly available photos from
the site Flickr to create a dataset called "Diversity in Faces" (DiF). This
dataset, containing 99 million images, was used to train AI models and aimed to
reduce bias in facial recognition. Despite IBM's intention, the lawsuit alleges
that the company violated the Illinois Biometric Information Privacy Act and if
found liable, they could face fines of $1,000 to $5,000 per violation to each
resident.
In
Mutnick vs Clearview AI Inc.11, the plaintiff filed a class action lawsuit
against Clearview AI for creating a facial recognition database using more than
3 billion photos from social media platforms. The suit claims that Clearview
sold the database of millions of Americans, including Biometric data, to
hundreds of law enforcement agencies without their consent. The same was also
discussed in the case of Burke vs Clearview AI Inc.12, and it also raised an
additional question about the company's failure to inform the purposes of the
data being collected and how it was going to be used.
How do India's data privacy laws protect us from AI overreach?
To determine how India's data protection laws protect us from privacy concerns
caused by AI, we need to understand what are the major legislations that provide
data protection.
-
IT Act, 2000: Several provisions in the IT Act address data privacy. Section 43A of the act requires organizations that handle sensitive data to maintain reasonable security measures to protect that data. Moreover, Section 72A punishes the intentional disclosure of personal information without the consent of the person.
-
The Government's response to WhatsApp policy update: In January 2021, WhatsApp introduced a controversial privacy policy update that required users to share additional data with Facebook, its parent company. In response, the Ministry of Electronics and Information Technology took prompt action, issuing a formal notice to WhatsApp and urging them to withdraw the contentious changes, citing concerns over user privacy and data protection.
-
The Digital Personal Data Protection Act, 2023: In 2019, the Personal Data Protection Bill was introduced in the Lok Sabha by then Minister of Electronics and Information Technology, Ravi Shankar Prasad. However, they were withdrawn from the Lok Sabha in 2022. After multiple expert recommendations, certain changes were made to the bill, and the Digital Personal Data Protection Act was passed. The act applies to the processing of digital data within the territory of India and the processing of digital data outside of India if it involves providing goods or services to the data principles in India. The Act also mandates the appointment of a Data Protection Officer (DPO) by a significant data fiduciary to oversee the compliance of data privacy rules. The act also follows simple language, making it easily understandable to laypersons. The act has a penalty clause and non-compliance of provisions by data fiduciaries can lead up to a penalty of Rs. 250 Crores. The act also provides for organizations to conduct a Data Protection Impact Assessment, to identify activities that could pose a high threat to privacy. This assessment is supposed to be conducted by a Data Protection Officer. It also provides for a right to lodge complaints.
-
The launch of the Data Protection Board of India: It is an independent body established under the DPDP Act to oversee the implementation and enforcement of privacy laws. They are endowed with the power to summon people to appear, examine them under oath, and inspect documents to impose penalties.
-
Appointment of National Cyber Security Coordinator: The National Cybersecurity Coordinator is responsible for providing strategic policy guidance, overseeing the monitoring of communication metadata, and addressing potential cybercrime threats. He/she is appointed under the Indian Cyber Crime Coordination Centre, established by the Ministry of Home Affairs.
Drawbacks of the Digital Personal Data Protection Act, 2023:
The DPDP Act is a major development concerning data privacy laws in India.
However, there are some critical areas of concern in the act. These include:
- The Government has the power to demand data from companies and exempt itself from the DPDP Act.
- The act does not apply to personal data publicly shared by the user. This allows companies to process publicly available data without any consent. This data can be used by them for training or other purposes.
- The Act weakened the scope of the RTI Act by stating that the government is not obliged to disclose personal information, even in the light of public interest.
- It also does not provide compensation for the people whose data has been breached, although it does impose a penalty of up to Rs.250 Crores.
- Sensitive data classifications, such as health, biometric, and financial information, which previously had additional safeguards in the 2019 bill, are no longer included in the new Act.
- There is also a concern regarding the independence of the Data Protection Board. The act mentions that it is an independent body, however, since it is being appointed by the government, there are doubts regarding its independence.
Conclusion:
It is undeniable that the advent of Artificial intelligence has changed lives
and transformed industries, for better or for worse. It is now playing a very
important role in our daily lives. However, there are privacy concerns due to
the extensive data collection done by AI systems. Emerging threats such as
deepfakes and quantum computing pose challenges to safeguarding personal
privacy. The increasing power of big tech companies and the potential for misuse
of AI further amplify these concerns.
In India, the legal framework for data protection has evolved with the
introduction of the Digital Personal Data Protection Act, of 2023, which aims to
address these privacy challenges. While this legislation represents a
significant step forward in protecting personal data and ensuring
accountability, there are notable areas of concern, such as the scope of
government exemptions and the lack of compensation for data breaches.
It is evident that Indian laws must be strengthened to ensure robust protection
and privacy in the age of AI. While the introduction of the DPDP Act represents
a huge leap forward, the growing technology demands more stringent rules.
Additionally, raising awareness regarding privacy laws and the right to privacy
is crucial. This will empower people to seek their rights when they are
infringed. They should also be aware of why their data is being collected and
how it will be used. These measures would help us better navigate the
development of AI and protect our privacy.
References:
- McCarthy, J. (2007). What is Artificial Intelligence?
- Indian Cybercrime Coordination Centre (I4C)
- Black, H. C. (2019). Black's Law Dictionary (11th ed.)
- M.P. Sharma v. Satish Chandra, (1954) 1 SCC 385
- Govind vs State Of Madhya Pradesh & Anr (1975) 2 SCC 148
- People's Union for Civil Liberties v. Union of India AIR 1997 SC 568
- K.S. Puttaswamy (Privacy-9J.) v. Union of India, (2017) 10 SCC 1
- Dinerstein v. Google LLC, 20-3134 (7th Cir 2023)
- Brown et al v. Google LLC et al, 20-3664
- Janecyk v. International Business Machines Corporation, 1:20-cv-00783 (N.D. Ill.)
- Mutnick v. Clearview AI, Inc., 1:20-cv-00512
- Burke v. Clearview AI, Inc. (3:20-cv-00370)
- Act No. 22 of 2023
Please Drop Your Comments