Data Privacy

This article has been written by Sheetal Rangwar pursuing a Diploma in International Contract Negotiation, Drafting and Enforcement from LawSikho.

This article has been edited and published by Shashwat Kaushik.


In the coming generations, artificial intelligence will surround the world, and humans may become addicted to the virtual reality it creates. However, the constant innovations and advances in AI technology have raised great concern regarding data privacy. Furthermore, AI relies on a large amount of personal data to analyse and make predictions.


Generally, it raises concerns regarding AI breaching the data privacy of individuals and business enterprises. Thus, artificial intelligence is evolving in a fast-paced environment as AI modules work to access personal data information, and the consequence is a threat of severe data breaches.

AI technology underlies virtual assistants such as Siri and Alexa, the recognition of facial expressions, and driverless vehicles. AI functions by processing massive amounts of data to strengthen its algorithms and improve performance, providing accurate results.

The more data they have access to, the better they learn and adapt to new situations. This data mainly comprises personal information such as a person’s name, address, phone number, and social security number.

With the vast amount of data available today, the use of AI raises concerns regarding the protection of personal information. Millions of pieces of data are collected and processed every day, and there is a high possibility the data may fall into the wrong hands of hackers. Mischievous hackers accessing the data unlawfully and illegally can cause distress to a person.

AI has changed human lives to some extent, such as by using AI for surveillance and monitoring. By using facial technology methods, law enforcement agencies can detect suspects and identify people in public places. But it also raises the question of the right to privacy.

AI technologies should be designed and addressed in significant space. For instance, AI tech companies working with AI should comply with GDPR (General Data Protection Regulation), which aids in reducing biases and mitigating the risk of monitoring suspects.

Concerns about AI and data protection laws

Artificial intelligence (AI) has brought about transformative changes in various aspects of our lives, from how we interact with technology to how businesses operate. However, as AI becomes more sophisticated and pervasive, it also raises significant concerns about privacy and data protection laws.

  1. Increased data collection and processing: AI algorithms rely on vast amounts of data for training and decision-making, leading to increased data collection and processing by organisations. This poses several privacy risks, including:
    • Unlawful or unethical data collection: Organisations may collect data without proper consent or transparency, violating individuals’ privacy rights.
    • Data profiling and behavioural targeting: AI can be used to create detailed profiles of individuals based on their online behaviour, which can be used for targeted marketing or surveillance.
    • Algorithmic discrimination: AI algorithms may perpetuate and amplify biases, leading to discriminatory outcomes in areas such as employment, credit scoring, and healthcare.
  2. Automated decision-making and profiling: AI-driven systems often make decisions without human intervention, such as determining loan approvals, job applications, or insurance coverage. This raises concerns about the lack of transparency and accountability in decision-making processes:
    • Lack of explainability: AI algorithms can be complex and opaque, making it challenging to understand how decisions are made and the factors considered.
    • Bias and discrimination: Automated decision-making systems may inadvertently incorporate biases or errors, leading to unfair or discriminatory outcomes.
    • Right to explanation: Individuals may have the right to request an explanation of AI-driven decisions that affect their lives, but this right may not always be effectively implemented.
  3. Governmental use of AI for surveillance and law enforcement: Governments have increasingly adopted AI technologies for surveillance and law enforcement, which can pose significant privacy risks:
    • Mass surveillance: AI-powered surveillance systems can collect and analyse vast amounts of data from public spaces, raising concerns about the erosion of privacy and freedom of movement.
    • Facial recognition technology: Facial recognition technology has been used for law enforcement and identification purposes, but it raises concerns about potential misuse, false identification, and lack of consent.
    • Predictive policing: AI algorithms are used to predict crime and identify potential criminals, but this raises ethical concerns about profiling and the potential for discrimination.
  4. Data security and privacy breaches: AI systems themselves can become targets of cyberattacks, leading to data breaches and unauthorised access to sensitive information. Additionally, AI technologies can be used to enhance cyberattacks, making them more sophisticated and targeted.
  5. Legal frameworks and regulations: The rapid development of AI has outpaced the existing legal frameworks and regulations designed to protect privacy and data. This has led to a patchwork of laws and policies across jurisdictions, creating uncertainty and challenges for organisations and individuals. 

Things Google did for privacy regulation

The usage of public data sets in training models

AI is mainly trained on vast amounts of public personal data. This data includes name, phone number, and address. As AI functions as a sophisticated network, existing laws evolve and update themselves for new circumstances. In the realm of legal privacy, the term is generally associated with the collection, processing, and accessing of data. The focus is on determining when data can be classified as personal and, therefore, protected versus when it can be used by the public. This distinction is critical in safeguarding sensitive information and ensuring that an individual’s privacy rights are respected.

Privacy regulation with new AI

Government agencies globally are focusing on how to implement new privacy laws to comply with existing ones. It is vital to consider how these new laws interact with the latest AI policy initiatives, including overlaps with existing laws. The recent White House order on the development and use of AI has included rules related to safety, security, innovation, and equity, along with several rules related to privacy and the interaction of AI and privacy law.

Children’s privacy regulation 

Children’s Online Privacy Protection Act (COPPA) pertains to the collection and use of data from children under 13 years of age in the United States. The Federal Trade Commission is responsible for establishing policies and regulations that govern this area. They ensure that AI products and developers should significantly consider the creation of data from children and how their AI system interacts with them. 

Make privacy a core element of the basic structure of the company 

Privacy should be adhered to with all regulatory compliance and investment in technology, which enables frequent and efficient privacy practices.

Simplify compliance

The company should mandate the employees to ensure privacy compliance as a measure of responsibility.

GDPR (General Data Protection Regulation)

The GDPR is the most widely adopted law regarding security and privacy. It was passed by the European Union and is applicable to anyone who collects and processes the personal data of individuals living in the EU or outside the union. The GDPR aims to give consumers control over personal data. It applies regardless of where the website is located. Consumers have the right to know how their data is being used by companies.

Highlights of GDPR

  • General purpose of GDPR- The law states the collection & guidelines for assessing the personal information of individuals. Consumers are allowed to know how the data is being used by companies. It applies to all, regardless of where the company is situated. The law states that companies cannot mislead consumers with vague and confusing language; thus, they must ensure
  • Notification- The data collection notification should be given to website visitors.
  • Lawfulness and transparency- The company should abide by the compliance rules led by GDPR and maintain transparency when they use personal data.
  • Purpose limitation- The collection of personal data must be for legitimate purposes and must be specified explicitly. The data shall not be used for incompatible purposes; however, the company may archive the data for further processing for public interest, scientific research, or statistical purposes. 
  • Data minimisation- The company can collect and process personal data that is subject to relevancy, adequacy, and limitations useful for necessary purposes. The organisation should never collect unnecessary personal data.
  • Accuracy of data- The organisation has to update the data regularly or periodically. It is a mandate for organisations that personal data that is inaccurate and not amended should be erased immediately. All reasonable steps must be taken to correct the data promptly.
  • Storage limitation- The controller who holds the personal data shall remove the data that ceases to be necessary. As there is no specific limit mentioned, the controller can hold the data for a longer period or save the archive when the subject of interest is public or scientific research. The organisation lets the individuals be aware of the retention period or the particular method that is used for calculation.

Digital Personal Data Protection Act 2023

The act seeks to form new legislation based on the major Supreme Court judgement delivered in the case of Justice K.S. Puttaswamy (Retd) vs. Union of India, which raised questions about the Aadhaar Scheme’s authenticity in providing adequate safety to citizens subject to existing privacy laws.

The act was passed by both houses of parliament on August 11, 2023, and has received the president’s assent.  However, the effective date of this act shall be notified by the official gazette publication.

Essential points of DPDP Act, 2023

  • It applies to all personal data, either digital or non-digital, that falls under the category of digital perception.
  • The overseas processing of data applies to Indian data subjects as well as the goods or services offered by Indian data controllers.
  • The data shall be processed lawfully under the rules of the DPDP Act. 
  • Only significant data should be collected.
  • The DPDP applies to all types of personal data; there are no subsections of personal data. 
  • The organisations shall provide the option of consent. It should be free, specific, unconditional, and unambiguous. 
  • The data principal shall be provided with notice for every request when they are processing personal data. If the request is assisted appropriately, the individual can exercise the right to withdraw consent. Along with notice and consent, the data principal shall comply with other languages as per the Eighth Schedule of the Indian Constitution. 
  • Data fiduciaries must compel compliance with the DPDP Act. For example, data fiduciaries can freely transfer data across borders unless the government restricts such transfers through notification.
  • The Constitution of the Data Protection Board of India, as an enforcement body, confers all powers to direct any urgent remedial or mitigation measures, issue receipt of a personal data breach, inquire about breaches, impose penalties, inspect any document, summon and ask any person for attendance. An appeal can be heard before the Telecom Disputes Settlement and Appellate Tribunal (‘TDSAT’) against any order of DPB. An appeal may be preferred before the Supreme Court of India against the TDSAT.
  • The central government can ask for information from a data fiduciary or any intermediary and issue an order to block access by the public to any computer source of such information with regard to the public interest. The order shall be passed in writing once it is issued after being allowed to be heard.

Exemption under the DPDP Act

  • subject to the sovereignty of India, that is, the public interest and maintenance of public order,
  • case proceedings, legal rights, claims, amalgamations, mergers, investigations, prosecutions, etc,
  • personal, domestic or journalistic purpose.

Offence and penalties- Under this act, the authority may levy heavy penalties on data fiduciaries for various offences

  1. Non-compliance and failure to perform its duties.
  2. Violation of processing the data under this act.
  3. Failure to notify the board can attract a penalty of more than Rs 5 crore or 2% of the worldwide turnover of the fiduciary penalty.

Positive side of data protection laws in business and corporations

  • Data transfer overseas- A data fiduciary can save a copy of all personal data that is stored within the country. This helps protect national interests from foreign attacks and prevents the transfer of crucial data overseas. However, it is the discretion of the board to frame what accounts for personal data and crucial data.
  • Trust tool- Banking, Financial Services, and Insurance (BFSI) and Fintech companies are increasing their technical and administrative procedures to ensure compliance. The BFSI and fintech companies have to abide by their existing applications, and their policies will be able to adapt quickly to changes in privacy laws. While having a strong privacy policy can build trust among customers, complying with regulations may come with additional costs that companies need to consider. 
  • Forensics- The major system that is affected by electronic discovery is computer forensics. However, the act asks for prior consent for the processing of computer forensics investigation. In a situation where a mistaken employee or group of employees are charged with noncompliance, the company would be forced to seek proper counsel for such forensic analysis.
  • More demand for privacy skills- In the technology industry, the role of data protection officer will be of great importance and there will be a rapid increase in skilled professionals and specialists.
  • Data portability- The law provides the right of data portability to another data fiduciary without any reluctance.
  • Special glimpse for sensitive data- The sensitive personal data cannot be processed unless consent is drawn in written form from a person to a data fiduciary obtained through letter, email, or fax from a particular person.  Sensitive personal data cannot be shared apart from specific purposes collected for welfare schemes and social protection laws.
  • Notification of breach- In case of any breach, the data controller must notify the particular person who is related to personal data, along with the authority to take measures against any harm caused by the breach, within 7 days.
  • Improving business- Once the act is enforced by notification, customers will be more reliant on business practices.
  • Reduction- It will reduce crime and corruption, bringing more transparency to the act.
  • Improving security- The right to privacy can provide businesses with greater security and help corporations cultivate better goodwill in the market.
  • Brand protection- While preparing for the worst, businesses can develop strategic steps to integrate IT security plans. Safeguarding customer privacy is a strategic opportunity for brand growth.

Negative side of data protection laws for businesses and corporations

  • Compliance- Compliance can be costly and time-consuming due to mandatory regulations, paperwork, and administrative tasks.
  • Effects on startups and companies- Data analytics are used by organisations to detect fraud. For example, details of small businesses/vendors against employees are used to identify conflicts of interest.
  • Effect on digital forensics- In a situation where an employee is being investigated for noncompliance, the organisation is forced to seek consent for such forensic analysis.
  • Technical and process change- The right to be forgotten and right to correction by online platforms must provide assistance and assessment of personal data for such requests by the customer. 
  • Additional cost of employment- Organisations need to appoint data security officers to ensure compliance with rules and regulations.
  • Limitation- The data that is processed for these purposes should be clear, specific, and lawful. 
  • Time-consuming- The organisation that asked for KYC Aadhaar verification through the online portal again has to revamp to a physical process, which is less time-consuming. The organisations have to opt for the uniform process, which asks for fewer privacy details.
  • Impact on communication services- WhatsApp and Facebook services are private companies performing public functions, and the big tech giants are answerable for any violation of privacy practices.
  • Job portals- The data on job portals has professional qualifications, experience, personal data, and contact details that are not safeguarded under the IT Rules 2000 and run under the ambit of the website’s terms and conditions. Now, with the effect of this law, a change can be enforceable for such practices.
  • Matrimonial websites- The threats that exist on matrimonial sites can lead to major privacy violations; for instance, the sale of data to any other third party, theft, or illegal leakage of data can be addressed by data protection law.
  • Insurance sector- The insurance sector contains a huge amount of data, which is vital to maintaining integrity and trust in this sensitive field. However, the major concern for privacy rights is neglected.
  • Banking and M-wallets- The situation of banking and M-wallets is similar to that of the insurance sector. The concept of privacy laws for customers must not be overlooked. Data protection laws can enhance the regulations for maintaining customer privacy.

Cases on data protection 

Justice K.S. Puttaswamy and Anr vs. Union of India (2018)

In this case, the Supreme Court discussed the validity of the Aadhaar Act, which was passed as a ‘Money Bill’, and its use of compulsory identification for state welfare schemes, though it is constitutionally valid. Also, Section 139 AA of the Act defines mandatory Aadhaar and PAN card links; the court upheld this decision as valid.

Rochem Separation System Pvt. Ltd. v. Nirtech Pvt. Ltd. and Ors. (2022)

In this case, the Bombay High Court passed an ex parte injunction on the use of confidential data by an ex-employee of the company while working for the company. The ex-employee downloaded the client data, pricing data, and other personal data to his personal storage device and later moved out to the new company. He then contacted the previous company client using the data that he had downloaded. The ex-employee also solicited other colleagues to join a new company.

Aaradhya Bachchan & Anr vs. Bollywood Times and Ors. (2023)

In this case, Aaradhya Bachchan seeks relief from the court for being presented wrongfully as a critically ill child. The Delhi High Court has issued severe critical directions and guidelines to step back for Non-Consensual Intimate Images (NCII) and personal data and information.

The court strictly stated that the intermediaries are obligated to adhere to and remove the NCII content after receiving the court order and ensuring the protection of the individual online.

AI-related privacy concerns: real-life example

In the era of artificial intelligence (AI), privacy concerns have become increasingly prevalent. One notable example is the invasive nature of big tech companies, which have access to vast amounts of personal data.

Recently, I encountered a personal experience that highlighted these concerns. I watched a show on Amazon Prime using my Apple TV. Two days later, while browsing a Google app on my iPhone, I received news recommendations related to that show. This incident is particularly concerning because I never watched the show on my iPhone, nor did I perform any related searches or activities using that device.

This situation raises several privacy issues.

Firstly, it demonstrates the interconnectedness of various platforms and technologies. Despite using different devices and services, my viewing activity on Amazon Prime was tracked and linked to my Google account, potentially without my explicit knowledge or consent.

Secondly, it suggests that big tech companies may be engaging in data sharing or tracking practices that are not transparent to users. The fact that I received news recommendations related to the show on a different platform and device indicates that my data might have been shared across these platforms without my awareness.

Thirdly, this incident highlights the potential for targeted advertising and personalised content based on our online activities. While personalised recommendations can be convenient and enhance the user experience, they also raise concerns about surveillance and the erosion of individual privacy.

Addressing these privacy concerns requires a multifaceted approach. Big tech companies must be held accountable for their data practices and ensure transparency and user consent. Implementing robust privacy regulations and enforcing compliance can help protect users’ personal information. Users should be educated about the privacy implications of using various technologies and services. Raising awareness about data tracking and sharing practices can empower individuals to make informed decisions about their online activities. Developing privacy-enhancing technologies and tools can provide users with greater control over their data. Encryption, anonymization, and opt-out options can help mitigate the risks associated with data collection and sharing.

Overall, the privacy concerns raised by invasive Big Tech practices in the age of AI necessitate a collaborative effort involving regulatory bodies, technology companies, and users. By embracing transparency, respecting user consent, and empowering individuals with knowledge and tools, we can work towards a more balanced and privacy-conscious digital landscape.


In conclusion, the landscape of data protection and privacy regulations, particularly in the realm of artificial intelligence (AI), is rapidly evolving. As AI technology continues to advance, concerns surrounding the collection, processing, and use of personal data are becoming more pronounced. The proliferation of AI-driven applications, from virtual assistants to facial recognition systems, underscores the critical need for robust privacy safeguards.

Regulatory frameworks like the General Data Protection Regulation (GDPR) in the European Union and the Digital Personal Data Protection Act (DPDP Act) in India represent significant steps towards empowering individuals with control over their personal information. These laws impose obligations on organisations to be transparent about data collection practices, obtain explicit consent, and ensure the accuracy and security of personal data.

While such regulations offer essential protections for consumers, they also present challenges for businesses and corporations. Compliance efforts can be resource-intensive, requiring investments in technology, personnel, and process changes. Startups and smaller companies may face disproportionate burdens, while established organisations must navigate complex regulatory landscapes.

However, amidst the challenges lie opportunities. Embracing privacy regulations can enhance trust between businesses and consumers, leading to improved brand reputation and customer loyalty. Moreover, adherence to stringent data protection standards fosters innovation by encouraging responsible data-driven practices and promoting cybersecurity measures.

Nevertheless, policymakers, businesses, and individuals must remain vigilant in addressing emerging privacy concerns and adapting to evolving technological landscapes. By striking a balance between innovation and privacy protection, we can harness the full potential of AI while safeguarding fundamental rights and values in the digital age.


