
Sarvada Vartalap 2 : AI and Privacy Laws - The Indian Approach

In this episode of Vartalap, we unpack the evolving intersection of artificial intelligence and privacy law, focusing on one of the most critical questions, i.e., how will consent architecture function in the age of generative AI?

As AI systems grow more powerful, traditional notions of user consent are being redefined. We explore what meaningful consent looks like when data is constantly learned, processed, and repurposed by intelligent systems.

The conversation also dives into the challenges of bias embedded within AI models and highlights why robust checks and balances are essential to building trustworthy technology.

As regulators and innovators navigate this rapidly shifting landscape, the questions around consent, fairness, and accountability are emerging as top priorities in shaping the future of AI and privacy. We discuss some of these issues in this episode.

EPISODE CONTRIBUTORS

Abir Roy

Co Founder & Partner, Sarvada Legal

Kumudavalli Seetharaman

Advocate, Sarvada Legal

Aman Shankar

Advocate, Sarvada Legal

Vivek Pandey

Advocate, Sarvada Legal

EPISODE TRANSCRIPT

VIVEK PANDEY : We ended our last episode on the point that how AI and data, AI and competition, AI and copyright are separate episodes in themselves. So we'll take forward one of those topics today, that is AI and data. The way I see it is that this issue almost arose parallely with the technology itself. Because naturally, generative AI uses data to generate content. Now, when we are just surrounded with technology.


It is reshaping the way we are consuming our art, literature, fact, codes, etc. Everything. So I think it's necessary to discuss this in detail and what are the issues surrounding with respect to usage of data to train AI, advertisement, etc. So let's deep dive into it.


AMAN SHANKAR : Fundamentally speaking, if you're trying to regulate a technology which is so complex, has many use cases, it's also important to understand what lies beneath. For example, generative AI. Let's imagine it like a big cake which has many layers. The first layer being like a car has an engine, it's the hardware. The chips, GPU, supercomputers that are at play. Over top of it, the training data - the fuel of the car on which that model will train itself. Then comes the very brain or the very heart of those foundational models, the large language models like we have OpenAI's GPT-4. Over top of it what we see as a user is the interface version of it. For example, let's take examples of legal AI tools that we have seen. It's nothing but a wrapper technology or in some cases a fine tuning of the foundational models. So it will be curated to a legal field so that it can receive those prompts, it can predict those prompts, it can give output on those prompts. So it's fine-tuning the use cases. And then ultimately, we as a user consume that technology to our own use. The generative AIs that we are using right now are also nothing but an interface with the help of APIs of that foundational model.


ABIR ROY : Coming back to the foundation model, I'll go one step back. In your car example is the fuel. You're talking about the data sets. So basically the AI deployment is based on those training data sets. Now what if the data sets itself has biases in it? So that is a huge issue which is there because recently there was an article in Economic Times when I read that AI is actually affecting elections, throughout the globe.


How do you deal with such a situation where in the data sets itself, what I call it as bias, where it can be electronic bias, it can be personal biases or what, as the case maybe. So how do we, I think we need to recognize the fact that there are certain biases in the system because they're training on that data.


VIVEK PANDEY : See the content moderation is something that is already there in the IT Act and IT rules who address such issues. But with AI coming into picture, yeah, I agree that it's slightly more challenging because there is autonomy involved in the AI system.


KUMUDAVALLI SEETHARAMAN : So when you're talking about IT rules, there's IT Act as well, right? I mean, yes, it doesn't specifically talk about AI and data, but there are provisions which can be used to mitigate that risk. There's criminalization offenses. For example, you can't show certain parts which are obscene to people, and that's criminalized. You have actual penalties, financial penalties that are imposed. So there are certain, you know, provisions or acts which can be used in this manner as well.


AMAN SHANKAR : Let's address the elephant in the room. For the IT Act at least, the enforcement is missing. Even the Justice Srikrishna Committee report, when it came out, said that the IT Act is a patchwork. It can't sustain an upkeep to the digital economy of future India. The issue is that the adjudicating authority that is there inside the Act is not akin to a court. It's more reactive rather than proactive in nature, especially for a tech, tech-driven sector that we are talking about. We have seen issues wherein section 66A of the IT Act was struck down as unconstitutional by the Supreme Court in the Shreya Singhal case, but till today cases are being registered under that section. So much so, the Supreme Court has to pass orders notifying all the police stations, state departments about this misuse. So first we need to have more teeth to the enforcement framework to have an effective vision of where we are trying to reach.


ABIR ROY : Like you said we are both talking about the IT Act and the rules so you're trying to say there has to be a new enforcement tool which is this perhaps a court.


AMAN SHANKAR : More focused, more nuanced to the technology that we are talking about.


ABIR ROY :  Yes, IT Act has certain issues, perhaps new ways or new tools have to be developed to basically tackle or regulate this technology.


AMAN SHANKAR : Yes.


VIVEK PANDEY : See there will be issues with respect to training it also like AI will use data sets that may include personal data which may naturally include sensitive personal data also which was earlier there in the IT rules. There are issues with respect to compliance etc and whatever if once the act is enforced.


AMAN SHANKAR : You know Vivek, when you talk about the training of data sets, especially on the personal data, the situation is more complicated when we talk about India. For example, the DPDP Act, the New Digital Personal Data Protection Act, it says and it covers all kinds of personal data, unlike the previous avatar of IT Act rules that were there, which only covered sensitive personal data. So the entire framework is based on consent architecture and there's no exemption like a legitimate interest that we find in GDPR.


The word that they use under the Act is “legitimate use” and it's not just a nomenclature difference from GDPR, it has a very significant meaning. Just to give a little background here, when we started in 2018 with the Srikrishna Committee report, first it was said that there will be a reasonable purpose exemption. Then it was later transitioned somewhere around 2019-2022, deemed consent, that is implied consent. And then finally we transitioned to this legitimate use concept wherein the law says if a user has given, or a data principal to be precise, has given a data voluntarily for a specified purpose, then that is a legitimate use case. You need not take consent. For example, you just walk in a pharmacy and give your mobile number or name for billing purposes. That's voluntarily given data for a specific purpose of billing. What GDPR says is of legitimate interest, which has more corporate leeway, if you see. It says that, for example, your business's legitimate interest would be advertisement. That's a huge interest. That's exempt. You do not take consent, which is absent under the Indian law. You also have an exemption wherein you need to perform your contractual obligations, let's say with your business partners. That's also exempted under GDPR, which is absent under the Indian law.


ABIR ROY : It was so interesting that you are saying this because the EU, this entire idea of GDPR emerged from the fact that it is a fundamental right of the European citizens to have privacy. Kind of what DPDP also said, it stemmed from the Puttaswamy judgment. And GDPR is considered the gold standard where everybody wants to follow. Even in that gold standard, what Aman, what you are mentioning is that the legitimate interest, right? Interest is, there's a legitimate interest that is a corporate leeway which is absent. We are actually in one way or the other. Let's see how the act obviously is implemented in practice. We have actually gone beyond the gold standard where the gold standard actually says that, okay, fine, there is some corporate leeway for a company to deal with it. And that corporate leeway has been taken away in the Indian context.


AMAN SHANKAR : I think it's also because of the fiduciary nature that we are talking about.


KUMUDAVALLI SEETHARAMAN : You know, the internet is huge, it's wide, right? I can't as a user possibly keep track of where all my data is used, especially if it's used without consent, right? If there are AI models which are picking up my data, I wouldn't know what is happening. This seems counterproductive, if I can call it that. I'm talking about from the point of view of these AI developers. If they have to keep taking consent and the width of the internet and taking all this consent it seems kind of counterproductive to the whole idea of AI.


VIVEK PANDEY : So, this is quite an issue. I agree with your viewpoint and this takes us back to their point of legitimate interest in the EU. So, one may argue that using data sets that are in fact publicly available to train their AI models by a social media platform may be considered as a legitimate interest because that's how you build a platform. But the authorities in the EU took a different view and they in fact said that no, you can't use it. Then the platform had to introduce opt out policies etc. So, the point is that even legitimate interest defense cannot come to save corporations. Yeah and in fact, see that becomes an issue that how the law is interpreted and if we deviate the purpose from the objective then it does not come to rescue anyone and in fact, in India I think the situation is different. That won't apply in India because ultimately for any data is being put on social media that is a public data not a private data but still that is a food for thought as in how to interpret the law.


KUMUDAVALLI SEETHARAMAN : So, let's take this example, what you're saying is that in India if there is data publicly available, this provision is not going to apply, etc. If I sit on a computer and ask a chat box some question and I have put out some data relating to that question, my idea or my consent if I can call it that, to give that question to that chat box.


How is this, you know, express consent or consent or purpose, how do you define that here?


ABIR ROY : See the law is very clear, so all the proposal up because it has not been enforced yet. It's technology neutral. Our DPDP is technology neutral. What it essentially says is that A, you should take consent and B, there should be a purpose limitation. What are you taking consent from? So gone are the days where companies used to say we are taking this data for improving our goods and service quality. Those days are over. You have to very, very articulate the purpose. Because there is purpose limitation. Now in your example for what you said about chat box, you are giving the data to elicit a response. What are you giving the data for? You may have a question for example to chat box that what is the best hotels in Manali for example. It will throw a result and the purpose is solved. The purpose has ended. One may argue from a pure rights driven privacy driven perspective. The purpose has ended. Now if the chat box stores your question and starts popping you other responses like the best time to go to Manali if there's, what are the good restaurants in Manali? Perhaps you're never given the consent to give those data. Although you have quote unquote “publicly asked that question”. It may be a public platform also. So those are the kind of issues which will come up because we not only have the consent, we also have the purpose limitation which is there. Now coming to your thing that you mentioned about publicly available data. So I don't think EU has that, but Indian law has that, right?


VIVEK PANDEY : Yes, so under Indian law, if there's any data that is being publicly made available, then that is not considered private naturally. I just read it out maybe that “the Act will not apply to any personal data that is made or caused to be made publicly available by the data principal to whom such personal data relates to.” Now, this has its rules in common law. Like if we see the defamation case, etc. The content is being considered as published as soon as any third person comes to knowledge of that content. So if I put a post on a social media platform, even if my account is private, at least let's say even five people see that, that is again a public information, no longer private.


AMAN SHANKAR : I think we should also pause a little bit here and analyze what happens in a situation, let's say, I visit a restaurant with my friends and one of them clicks a picture and uploads it on social media. Now, if you would read the law very sacrosanct, then it says consent from the data principal directly. I have not consented for my data to be on social media. Can it be used?


ABIR ROY : But you have put it on social media?


AMAN SHANKAR : My friend has put it. 


VIVEK PANDEY : See on top of my head, I'm just thinking out loud. See, you can take action against your friends separately. That is a different issue. But the fact is that the data is no longer private. Whosoever has made it public, you can take action against that person and under Tort law or whatever. The fact remains the same that the data is being seen by any third person. So it's no longer…


AMAN SHANKAR : No, because why I say this, I draw some bit of inspiration from a case that happened in the EU under the GDPR. So Article 9-2 of the GDPR, although it talks about sensitive personal data when it is manifestly made public. There was this case, if you all remember of Meta, in which the Competition Authority of Germany was seized of the matter and said that they can also look into GDPR issues when it comes to assessing market power, etc. All this decision was appealed and went up to the European Court of Justice. And recently, I think, in 2023 the decision came when they interpreted the word manifestly made public. So they have to be active-conduct on my part as a data principal to do something to be made public. Otherwise one cannot simply assume that I meant to let, for example, I have my clicks on social media I have my likes on social media I have other things or activities or interactions on social media. Do I even intend because this word manifest if you remember in the constitutional law also we had arbitrariness principle then came the manifest arbitrariness principle right. So this word manifest makes the difference.


ABIR ROY : See there are a lot of permutation combinations. Yes, the act clearly says I tend to agree with Vivek where it says that if you made something which is public the idea is it should be the data privacy law means the data should be private in the first place. So I think the idea from the lawmakers is something which is there already on social media. Then why should I take consent because you have made publicly available. Now the friend example that you gave I'll give I'll let me top up more examples. I think we need to find the correct solutions which is there. We for go to a pub which is fine. You put up the photos which is still fine to an extent. But now for example, we eat something there and we put photos of our food what we are eating there. And then suddenly, the AI tool develops that okay fine these four perhaps like these kind of cuisine. We never consented to that. Perhaps the photo yes, but my preference is no. It may be argued if I am purely going by the rights model which is there. So there are many permutations and combinations.


AMAN SHANKAR : We are talking about AIs, I'm sure one of those apps in my iPad must be hearing about this.


ABIR ROY : 110 percent. So I guess the privacy is of A, the fact of the matter is, so for example, the US now has a Californian law. They don't have a federal law. The EU has GDPR. India is coming up. These are the various nuances which will come up. I think training is a huge issue. Training on datasets will be a huge issue. But I tend to agree with what you said. The Internet is right. If you are actually expecting an AI developer to individually take consent from Aman, Kumudda, Abir, Vivek, then I do know where it is going…


AMAN SHANKAR : Mechanically impossible and also a constant fatigue scenario.


ABIR ROY : Consent fatigue scenario. So yes, there are many more issues which one has to see in the future.



