Regulating Algorithms with Data Protection Laws: Making the Unruly Horse Rule

Artificial intelligence (“AI”) is making ever deeper inroads into human civilization. According to statistics, the global AI market share is expected to grow from US$87 billion in 2021 to US$1,591 billion in 2030.

The use of AI has become ubiquitous, owing to its undeniable benefits. However, this growing reliance on AI can give rise to serious privacy threats. These threats can come from the foundations of AI, i.e. algorithms.

Although algorithms are at the heart of all AI-based technologies, they are one of the most noticeable sources of threats to data protection and privacy. Algorithms sometimes suffer from built-in biases and errors that distort their operation, leading to unintended or unwarranted outputs. Sometimes the algorithms are ill-equipped to deal with external manipulation of the data, thus exposing the data to serious risks of unwarranted intrusion.

Understanding the global data protection landscape governing AI-induced risks to data

The risks to user data have been recognized by the data protection laws of major jurisdictions, including the European Union (“EU”). The EU General Data Protection Regulation (“GDPR”) recognizes, among other things, the risks of automated data processing, and aims to address them through a Data Protection Impact Assessment (“DPIA”). The assessment evaluates the degree of risk that such automated processing poses to the “rights and freedoms of natural persons” and imposes additional compliance measures to be undertaken prior to processing.

Recognizing technological progress and, therefore, the need to tighten the regulatory grip on AI, the EU is in the process of implementing its proposal for a regulation establishing harmonized rules on artificial intelligence. This proposal, among other things, aims to identify the data protection and privacy risks associated with the use of AI, thereby subjecting high-risk datasets to appropriate data management and governance practices, in addition to GDPR. The need for an integrated regulatory mechanism regarding AI and algorithms has also been recognized by many resolutions adopted by the EU, including its resolution on artificial intelligence in the digital age.

In the United States, where data protection is governed by numerous data protection laws designed to cater to different industries, an integrated data protection law has yet to find its way. The US Privacy and Data Protection Bill, among other things, aims to regulate data privacy rights through various measures regarding algorithmic practices, including algorithm impact assessment and algorithm design evaluation to prevent unwarranted algorithmic practices.

As another example, the UK Data Protection Act 2018 explicitly recognizes users’ rights against rampant AI data processing and prohibits automated decisions only under certain conditions. The UK Parliament is also in the process of passing two bills: the Data Protection and Digital Information Bill and the Online Safety Bill. Both bills seek to regulate automated decision-making by standardizing data processing practices for the purpose of regulating algorithms.

As can be inferred from the regulatory canvas of major jurisdictions, data protection laws necessarily contain regulations aimed at protecting users’ rights against the unwarranted results of automated decision-making and similar risks induced by AI. Such inclusion reaffirms the competence of data protection law as an instrument for the regulation of algorithms and AI.

AI regulation in India

Much like India’s data protection regime, its regulations regarding AI-induced risks to data have yet to come to fruition. Although there are numerous policy documents aimed at recognizing the need to regulate AI across multiple sectors in India, comprehensive legislation addressing algorithm-induced risks to user data is absent.

The Personal Data Protection Bill, 2019 (“Bill 2019”), which was recently withdrawn, recognized the rights of data subjects (individuals to whom the data relates) against automated processing in a limited way. It provided for an impact analysis where there was a significant risk of harm to data controllers and granted data controllers the right to obtain information about the use of their data in the event of automated processing, subject to certain exceptions. However, the Joint Parliamentary Committee, through its recommendations in the form of the Data Protection Bill, 2021, added new exceptions to the rights of data controllers regarding automated data processing and restricted the already limited scope of the 2019 bill.

The current state of uncertainty around AI regulation and data protection in India calls for an integrated “comprehensive legal framework” that includes redress for AI-induced risks to data.

The article was first published in ET Edge Insights.

Sharon D. Cole