Is AI regulation built into DPDPB 2022?

Jurisprudence is an interpretation of law by experts. One narrow view of “Jurisprudence” is that it is restricted to the views of a Court like the Supreme Court which is considered binding for the lower Courts. But this is a narrow view and needs to be modified.

A larger view of Jurisprudence is that it is a scientific study of law and involves not only the history and philosophy of law but also the views and opinions of the Judiciary as well as the subject matter experts.

Interpretation of statutory texts is also “Jurisprudence”.

It may take time for the Indian legal community to come out of its shell and adopt this open view that Jurisprudence can originate from outside the Courts.

The last 22 years of Naavi.org indicate that a large part of Cyber Jurisprudential principles in India originated here and Courts took their own time in accepting these views.

One classic example which should go into the study of Law in India is that the interpretation of Section 65B of the Indian Evidence Act was first made from the school of Naavi and also used and adopted in the Suhas Katti case in 2004. In 2005 the Supreme Court had a different view, and only in 2012 did the Supreme Court adopt Naavi’s thought process on the mandatory nature of Section 65B. The logic for the intervention of a human witness to convert digital evidence into admissible evidence in a Court has been explained by Naavi in many professional circles. Despite some disagreements here and there, arising out of the difficulty of unlearning the age-old concepts of “Primary” and “Secondary Evidence” and an inability to switch to interpretations based on “Digital Documents”, these circles are gradually adopting the views of Naavi. This is an example of how “Jurisprudence” can develop outside the Judiciary and may get assimilated in the system.

Naavi.org and Naavi have been propounding several new thoughts such as the Theory of Data, the “Privacy Protection Law” as an extension of ITA 2000 etc., and in due course they are likely to be tested in a Court of Law and hopefully adopted by the Judiciary.

One such Jurisprudential thought that arises out of the Digital Personal Data Protection Bill 2022 (DPDPB 2022), which is in the form of a draft before the Parliament, is the link between this draft and the discussion on Artificial Intelligence and Neuro Rights regulation.

In our earlier article we had discussed how ITA 2000 can be extended for AI regulation through a proper interpretation of Section 11 of ITA 2000.

Now let us see how we can consider DPDPB 2022 as extending to AI regulation.

The definition of Automated Processing under DPDPB 2022 states

(1) “automated” means any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data; 

This definition can be extended to all forms of AI including ANI and AGI. Coupled with Section 11 of ITA 2000, accountability of AI will rest with the “Person who caused the automated system to behave in a given manner either with specific instructions or otherwise through a self learning machine learning process”.

What can now be added to the body of law is the “Ethics” in the form of rules and notifications. The notification under DPDPB 2022 can include the Code of Ethics that the AI industry is required to follow and make it part of the current regulation under ITA 2000 and DPDPB 2022 (which could become DPDPA 2023 when passed).

With this interpretation, AI will be subject to all the regulations that include

a) Informed Consent

b) Purpose oriented consent

c) Minimal collection and retention

d) Rights of information, accuracy, withdrawal and grievance redressal etc.

Further, the regulator of DPDPB 2022 namely the Data Protection Board becomes the regulator for AI related ethical violations. Penalties under DPDPB 2022 will also apply for AI related violations.  The exemptions and deemed consent provisions will apply as stated in the DPDPB 2022.

Further, the provisions of “Significant Data Fiduciaries”, DPIA, DPO appointment, Data Auditor appointment etc will also apply to AI companies.

It is time for us to also look at PDPSI once again and see if any minor modifications are required to be indicated in the DTS calculation.

Overall we are ready to get into the AI regulatory world with DPDPB 2022.

Naavi

Posted in Cyber Law | Leave a comment

Governance by Data is the new Corporate Mantra for the next decade

The world of Business Management has undergone a substantial change in the last decade with the advent of Information and Communication Technology (ICT). The impact of ICT was first felt in establishing an effective communication channel with Customers and Business Associates of an organization with the use of Internet, E Mail, Mobiles, Messaging services etc.  In the second generation of the use of ICT in business we saw the development of E Commerce where both purchases and sales were effectively handled online. Along with these, Customer service and HR functions also started using Online technologies. Some of the industries which really bloomed with the growing use of Internet in the broadband era were education, Online consultancy etc.

The next generation of Business Development with Technology happened with the use of Data for Business decision making. But now we have come beyond all these developments and started finding new uses of Data in Business. The future of Business Management is closely integrated with innovative use of Data in Business.

Data for Business efficiency is the past. Data for New Business is the future.

Data is today an “Asset” of business and business managers need to find ways of using data not only for decision making and improving operational efficiency but to generate new products and services.

Today’s Business Management strategies are therefore directed at how to use “Data for creating more Revenue”. Revenue can be generated both by saving on current operations (like replacing manpower with better use of ChatGPT?) and also through finding new products and services.

Where feasible, 3D printing can enable development of physical products including prototype development, customization, spare part production etc. Products can be embedded with smart chips to provide feedback for improvement.

What is the future, however, is to find new “Data Products”, “Produce Data Products”, “Market Data Products”, “Finance Data Products” and find the manpower for managing Data Products.

In other words we are looking at a future of Technology Oriented companies where “Data” is the raw material of business and the entire business structure of production, marketing, finance and human resources has to be planned around “Data as a Business Asset”.

Correspondingly R&D has to be developed to understand the Data Product needs of the consumers. This requires conducting market surveys related to Consumer’s Data Consuming and Usage habits. This is precisely the point where the “Data Protection Laws” create a hurdle for the Data Business. The Data Business Managers therefore need to have a good understanding of the Data Protection Laws and ensure that they are compliant with the law but continue to explore and harness business opportunities with the use of Data.

If therefore the EU with GDPR is too restrictive, the choice of business location has to be in a place where the Data Protection Law is industry friendly. At the same time, just because land is cheap we cannot put up a factory in a desert. We need to look at other resources and their availability. Similarly, the Data Driven business needs to be set up in a location where regulations make it feasible to start and grow the business without unnecessary harassment but where the resources such as manpower, Internet connectivity etc. are also available.

The “Feasibility” analysis has to be therefore conducted with reference to the Product Idea vis a vis the regulatory restrictions along with the availability of other resources.

It is therefore considered that the knowledge of Data Protection and Laws related to Data Protection is an important input for the Business Management Community.

The future of Corporate Governance is “Governance by Data” and Business Management education needs to incorporate elements of the new technology developments such as AI, Meta Verse etc. from a Management perspective along with the relevant regulations.

Privacy Activists and Courts should also remember that they cannot always take a stand against business since this could result in deceleration of business growth. Law Makers need to also ensure that while technology has to be regulated, the regulation should ensure that growth occurs in the desired direction.

Naavi


Will Ministry of Consumer Affairs Pre-empt MeitY on AI regulation?

While many are rejoicing at the success of Chat GPT 3 and waiting for Google’s Bard to come up with a more efficient NLP system, there is an underlying fear that the growth of AGI and ASI may soon pass the critical stage and start creating rogue and malicious AI programs.

We can soon expect many variants of ChatGPT to surface with many ChatBots on different websites all trying to proclaim that they are “AI Powered”.

The Indian Government has taken the first step where the Ministry of Consumer Affairs is mandating that companies who want to project their projects or services as “AI Enabled” will be subjected to certain guidelines.

One concern would be that the “AI tag” could be used to mislead the public and hence the Ministry of Consumer Affairs may bring out some “Disclosure Standards” for claiming “AI empowered” tag.

The accompanying news report suggests that the Bureau of Indian Standards is working on standards and will put them in the public domain.

Just as Google was caught unprepared with the release of ChatGPT by Open AI, MeitY has been caught off-guard with the announcement that the Ministry of Consumer Affairs will come out with an AI standard.

In a way, MeitY should be concerned that in an area where they should have taken a lead, another department has started acting before them.

While we need to appreciate the Ministry of Consumer Affairs and BIS for the initiative, it is necessary for MeitY to also join them and work in collaboration to develop a standard which is sound.

The definition of “AI” may be wide and encompass everything from a simple script that automates some activity to IoTs and robots working in the deep learning domain, and fixing some standards of disclosure for Consumer awareness would be tough.

It is possible that there will also be many of the small time players providing ChatBots which provide incorrect responses. Some may be hacked and taken over by malicious characters which will cheat the consumers with the “AI Empowered Certification”.

The Ministry of Consumer Affairs will not be able to make a proper assessment of the AI activity since it requires deep understanding of the technology.

However, one aspect that we have been asking for as the first regulatory principle namely “Registration of AI development companies” and “Code stamping of the Registration ID” can be done by the BIS registration.

While incorporation of other ethics of AI may take some time, I advocate that we adopt the known laws to cover the AI regulation at least as an immediate measure.

The Suggested Solution

The solution I suggest is to consider AI products as the responsibility of its owners just as we make parents and guardians responsible for the acts of the Minors.

The transport department has already made rules that if vehicles are driven by minor children the parents will be fined.

We can adopt the same principle here and introduce penalties for

a) Not registering an AI development (applicable to developers)

b) Not registering the use of AI in products (Which BIS may be thinking now)

c) Making the owner of AI liable for any adverse consequence of an AI algorithm even if they are registered (So that Registration does not become a certification of assurance of the functional quality)

This can be brought in without any new law, just by a notification of an explanation under Section 11 of the Information Technology Act 2000.

This section already states:

Attribution of Electronic Records

An electronic record shall be attributed to the originator

(a) if it was sent by the originator himself;

(b) by a person who had the authority to act on behalf of the originator in respect of that electronic record; or

(c) by an information system programmed by or on behalf of the originator to operate automatically

This automatically means that an output of an AI is attributed to the owner of the AI program. Hence if the output is faulty, malicious or damaging, the responsibility falls on the owner of the algorithm. Laws such as the IPC can be invoked where necessary.

The owner of the AI algorithm initially is the developer and subsequently the liability should be transferred to the user though the ownership for other reasons of licensing or IPR may remain with the developer.

Hence an explanation can be added to this section to mean the following:

Explanation:

Where the information system is programmed by one person and used by another person, the legal liability arising out of the functioning of the AI algorithm shall be borne by the user.

Where the user is the absolute owner of the algorithm the transfer contract shall include disclosure of the functionalities, the default configurations and the code.

Where the user is only a licensee, the license agreement shall disclose the licensor and the default configuration that affects the functional impact on the consumers.

If the developer does not disclose the required information, he shall be considered as liable for the acts of the AI algorithm.

This suggestion is somewhat similar to the concept of “Informed Consent” being obtained where the Data Controller discloses the details of processing and data processors to the data subject in a data protection law. The requirement would be a reverse of this consent mechanism where the transferor of the license rights provides an “Informed Disclosure” which the transferee shall further disclose to the consumers.

Since this suggestion does not need any change of law, it can be implemented immediately even before BIS comes up with its recommendations and our own UNESCO recommendation based AI law can be formulated.

Naavi

(Comments welcome)


MHA introduces Cyber Crime Reporting Number


Citi Bank Customers in India face a sudden closure of account


Who is responsible for the CitiBank fiasco?

It is time for a PIL to explore the inconvenience and business disruption caused to customers of Citi Bank because of the acquisition of its consumer business by Axis Bank. The damage caused to individual businesses whose cheques would have been returned and pending credits would have bounced etc. was entirely unnecessary and reflects a failure of proper supervision of the entire process.

Perhaps an RTI on RBI is a starting point and some lawyer needs to take this case.

I refer to this post on the Axis Bank website which states that the Acquisition of CitiBank Consumer business was handled by Axis Capital and Credit Suisse as financial advisors and Khaitan & Co as legal advisors. Additionally, PricewaterhouseCoopers and Boston Consulting Group were involved as Business Consultants.

I request these professional firms to explain to the public how they let the CitiBank fiasco happen.

In cases of total merger of one entity into another, such as Corporation Bank and Andhra Bank into Union Bank etc., the entire IT systems of one entity were transferred to the merged entity. Though there were technical glitches in migration, the old account numbers and chequebooks continued and there was not much business disruption like what the Axis Bank-Citi Bank deal caused.

I understand that in this case it was not possible for Citi Bank to provide control of its entire systems to Axis Bank. However it was possible to set up a middleware system which could have handled the customer issues over a period of time sufficient to allow the data to be migrated. This was a technical failure and the financial, business and legal consultants were incapable of suggesting this issue. There was a need for involving a Cyber Security and IT Consultant with experience in Banking in the process to handle the migration.

It also appears that this issue was handled as a business acquisition of a division and RBI has failed to exercise supervision. I request the Governor of RBI to initiate its own enquiry into the failure of its oversight mechanism.

It was clear to customers who had visited Citi Bank recently that Citi Bank executives were not even interested in suggesting continuation of the customer relationship and were happy to close the accounts. This was indicative that they were not concerned either for their customers or for Axis Bank as their client.

While Axis Bank failed to market itself to the customers of Citi Bank, some card marketing activity continued on behalf of Citi Bank until a few days back.

The least that the two Banks could have done was to release joint newspaper advertisements to warn the customers to shift their accounts or face disruptions. Axis Bank should have set up a technical facility to migrate accounts if it required “Explicit Consent”.

It is surprising that this Rs 12325 crore deal was handled so shabbily. While on paper the deal looked great for Axis Bank, it now appears that Axis Bank will fail to get all the 3 million customers of Citi Bank whom they could have happily acquired at one stroke. Shareholders of Axis Bank should question the management on this failure.

A statement from the top management of Axis Bank on how and why they let down the erstwhile customers of Citi Bank is expected.

PS:

Some of my readers have pointed out that they did receive several reminders from Citi Bank and they exited from the Bank. It appears that several others found the notice inadequate and were taken by surprise.

Personally I had a Credit card account only and I continued to get reminders for renewal till a few days back which I simply ignored.

Whoever is responsible for the fiasco, there will be a debate on what is “Due Diligence” under such circumstances and whether there will be liabilities for somebody for causing denial of service.

Naavi

I received the following experience from one of my readers on how he handled the 9th February issue.

Quote

It was not easy. I spent 6 hours with them to get back my 9.75 lakhs balance.

  • CITIBank initiated the consent obtaining process to switch to Axisbank 4 months ago but till 7th Feb evening it was showing an option to remind me later.
  • On 8th evening I received a message that the cheque-book and debit card were deactivated. I thought Internet banking would be working and tried to log in on 9th morning but it was not working.
  • Call center was not accepting my account number as a parameter (Account deactivated) to access the customer support, but I reached the customer support with the lost card option.
  • Customer support informed; I will receive a demand draft of balance within 15 working days to the official address.
  • 9th at 11 am I reached the South-end circle branch and found the branch working normal and still accepting cash deposits and many other activities, They gave a token number “A20” but it was looking like “420” 🙂
  • I was restless and started enquiring other members about their reasons and found more than 20 members waiting for the same reason.
  • I approached the branch manager and explained this is not a correct process and demanded to reactivate the account but they refused.
  • Also they directed me to fill the “account closure request form” and “balance transfer request form”,
  • I refused and mentioned I will go to the Police station and RBI banking ombudsman customer grievance cell.
  • Around 1.30 PM another senior manager approached me and assured me of the transfer of funds  to my alternative account within 2 hours. Once again he asked me to fill the account closure request form, I refused and filled only the “balance transfer request form” and reached back to my office.
  • Around 3.30 PM the NEFT fund transfer to my alternative account initiated and I got acknowledgement from my other bank around 6 PM
  • Funny part is both my CITIBank credit cards are still active. I can use them but I can’t access my internet banking to manage my limits or the enable/disable card options of the credit cards.
  • I have seen that branch staff, including the Branch manager, were clueless on the chaos created somewhere in the boardroom.
  • I remember the CITIBank motto statement “CITI never sleeps” but now on “CITIBank customer also never sleeps” 🙂

Unquote
