
Data Privacy

• Summary of the Digital Data Protection Act 2023. Key insights into the
consumer rights specified and any operational regulations for AI service
providers. Comparison with EU’s General Data Protection Regulation
(GDPR).

Digital Data Protection Act 2023 summary:

The DPDP Act of 2023 is a landmark law shaping India's data privacy landscape. It offers
robust rights to consumers while ensuring businesses maintain compliance. However,
government exemptions and regulatory uncertainties for AI firms remain areas of debate.
The effectiveness of the Data Protection Board of India (DPBI) and future amendments will
determine its long-term impact.
Practically speaking, the DPDP is not yet enforceable as the government still needs to
establish the Data Protection Board of India (Board), which will serve as the enforcement
authority for the law. The Board, in turn, must implement certain legally binding rules before
the DPDP becomes fully operational.
Operational Challenges:
Establishment of enforcement entity: Data Protection Board of India.
Public review and drafting of specific rules.
Establishing consent frameworks – consent artifacts, mobilizing consent managers.
Clarity on exemptions of consent and data processing of children and in the research context.

Data Principal – The individual whose personal data is being processed.
Data Fiduciary – The entity (organization, company, government) that determines the
purpose and means of processing personal data.
Significant Data Fiduciary (SDF) – Large entities that handle sensitive or large-scale data,
subject to stricter obligations.
Data Processor – An entity processing data on behalf of a Data Fiduciary.

Example: Ramesh creates an Amazon account (Data Principal). Amazon online shopping
collects his data and decides whether to use it for recommendations, marketing, etc. (Data
Fiduciary). Amazon processes the data of a large consumer base and hence is an SDF, i.e., it needs
to appoint a DPO and conduct DPIAs. Amazon can also employ AWS for cloud services and
Razorpay for processing Ramesh’s payment (Data Processors).

Addressing Consumer Grievances: E-Daakhil Portal and Data Protection Board of India
(DPBI).
Data Breach Reporting: The rules under the DPDPA will likely stipulate the maximum time
frame within which a "personal data breach" must be reported to the Data Protection Board
of India. This is likely to be aligned with the GDPR timeframe of within 72 hours of becoming
aware of the breach.
Scope:
a. Only applies to digital personal data - The DPDP Act only applies to personal data, whether
collected in digital form or non-digital data which is digitized subsequently.

b. Overseas applicability - The DPDP Act applies to digital personal data that is processed
outside India, only if such processing is in connection with any activity related to the offering
of goods or services to data principals (data subjects) in India.

c. Exclusions - The DPDP Act does not apply to: (i) personal data processed by an individual for
any personal or domestic purpose; or (ii) personal data made publicly available by the data
principal herself or any other person under a legal obligation.

Rights and Obligations of Stakeholders

1. Rights of Consumers (Data Principals)

Consumers (or Data Principals) gain several rights under this Act, including:
1. Right to Consent & Withdrawal
   o Personal data cannot be processed without explicit, informed consent.
   o Consumers can withdraw consent at any time.
   o As per the Act, consumers are to be provided with a consent notice in multiple languages.
2. Right to Information & Access
   o Individuals can seek details on how their data is being processed.
   o They can request copies of their personal data held by Data Fiduciaries.
3. Right to Correction & Erasure
   o Users can demand correction, updating, or deletion of their data.
4. Right to Grievance Redressal
   o Users can file complaints with Data Fiduciaries and escalate unresolved grievances to the Data Protection Board of India (DPBI).
5. Right to Nominate a Representative
   o Users can appoint a nominee to exercise their rights in case of death or incapacity.
6. Rights of Children and persons with disability
   o Regulations against targeted advertisements for children. Prohibits behavioral tracking detrimental to child welfare. Exemptions in certain cases for data fiduciaries to process data of teens and pre-teens.

2. Obligations of Companies and AI Service Providers (Data Fiduciaries & Processors)

AI service providers and other businesses handling personal data must comply with:
1. Lawful Data Processing
   o Data can only be processed for specific, legitimate purposes with user consent.
2. Purpose Limitation
   o Companies must collect data only for stated purposes and cannot use it beyond the agreed scope.
3. Data Minimization
   o Only necessary data should be collected and stored.
4. Data Security Measures
   o Entities must implement safeguards (encryption, cybersecurity) to prevent breaches.
5. Accountability & Compliance
   o Large firms (Significant Data Fiduciaries) must appoint Data Protection Officers (DPOs) and conduct Data Protection Impact Assessments (DPIAs).
6. Cross-Border Data Transfers
   o Personal data can be transferred abroad except to blacklisted countries designated by the government.
7. Grievance Mechanisms
   o Companies must have an internal redressal system for data-related complaints.
8. Obligations for AI Service Providers
   o AI firms using personal data for model training must ensure data privacy compliance.
   o AI-generated content that processes personal user data must comply with informed consent and transparency requirements.

3. Role of the Government

• Exemptions for State Functions
   o The Union and State Governments can process data without consent for national security, public interest, or legal compliance.
   o Government agencies can be exempted from certain provisions in specific cases.
• Blacklist for Cross-Border Transfers
   o The government can restrict data transfers to certain countries for national security concerns.
• Power to Frame Rules
   o The law allows the central government to frame specific rules through delegated legislation.

4. Data Protection Board of India (DPBI) – Enforcement & Penalties

• The DPBI is an independent regulatory body responsible for enforcement, handling complaints, and imposing penalties.
• Penalties for Non-Compliance:
   o ₹50 crore – failure to prevent a data breach.
   o ₹200 crore – violation of significant obligations (e.g., large-scale breaches).
   o ₹250 crore – failing to protect children’s data.
• Consumers can escalate complaints to the DPBI if companies do not resolve issues.

Impact on Various Stakeholders

1. Consumers (Data Principals)

Pros:
• Stronger control over personal data.
• Right to transparency and deletion of data.
• Mandatory grievance redressal mechanisms.

Cons:
• Exemptions for government use limit privacy rights.
• No explicit provisions on algorithmic transparency (e.g., AI decision-making).

2. AI Service Providers & Businesses

Pros:
• Clearer compliance rules for AI and tech firms.
• Flexibility in cross-border data flows (except for blacklisted countries).

Cons:
• Heavy compliance burden (especially for large firms).
• Restrictions on data processing can affect AI model training.
• High penalties for breaches and non-compliance.

3. Government Agencies

Pros:
• Can process data for governance and security without restrictions.
• Maintains authority over cross-border data transfers.

Cons:
• Potential concerns over government surveillance and privacy violations.

Challenges for Businesses:


Organization-wide implementation: Regular training, and simulation for ensuring
compliance in handling data across all levels in the organizational hierarchy.
Data Inventory Management: Identification and classification of large volumes of personal
data to comply with data minimization rules.
Implementing consent mechanisms: Establish tech to track consent activity, and provide
access to granular consent requirements.
Review Contractual agreements with Data processors: Ensure compliance of third-party
tech service providers, isolating applicable liabilities.
Navigating consumer sensitivity to privacy concerns: Maintain consumer trust through
transparent communication to maintain brand value. Essential to continuously update as per
the changing regulatory environment.
Huge fines: The DPB has the power to impose fines of up to INR 250 crore for failure to
implement reasonable security safeguards to prevent a personal data breach.

• Estimate investments in cybersecurity to prevent external threats of a
data breach, data of losses incurred due to breaches, and cost savings
due to preventive measures.

Businesses should invest in cybersecurity infrastructure and conduct regular training
sessions and awareness programs to instill readiness among in-house departments like legal,
IT, business and customer services, and procure adequate cyber liability insurance policies to
offer comprehensive protection. Critical to ensure the formulation of security policies.

• Research various levels of data encryption followed at the backend of
AI cos, and identify optimal strategies.
Cyber infra costs

• Research how AI service providers ensure transparency in user data
collection and implement plagiarism checks for generated content.

Implementing Plagiarism Checks for AI-Generated Content


1. Use of Advanced Detection Tools: AI service providers employ sophisticated tools to detect
AI-generated content and potential plagiarism. For example, Copyleaks utilizes advanced
machine learning algorithms to compare text against extensive databases, identifying
instances of copying or paraphrasing.
2. Integration of AI Content Detectors: Tools like GPTZero, Copyleaks, and Writer are integrated
into platforms to assess the originality of content. These detectors analyze text
characteristics to distinguish between human and AI-generated content.
3. Continuous Monitoring and Updates: Given the rapid evolution of AI models, providers
continuously update their detection systems to recognize new patterns in AI-generated text,
ensuring ongoing content integrity.
