This article has been written by B S Pawan Kalyan pursuing a Diploma in US Technology Law and Paralegal Studies: Structuring, Contracts, Compliance, Disputes and Policy Advocacy from LawSikho.
This article has been edited and published by Shashwat Kaushik.
Table of Contents
An overview of General Data Protection Regulation
“Privacy is not something that can be cast aside or overruled at will. It’s a fundamental human right.” – Dalai Lama
Like land, house, car and other similar movable and immovable property, one’s personal information (Personal Data) can also be considered as his/her property, and each and every person shall have the right to treat his/her personal information in the way he/she wants including the right to protect their own personal data.
Personal Data can include, inter alia, his/her phone number, address, information pertaining to his/her health, or even his or her opinion or views on religion, politics or society. Even the IP address of a person’s device is classified as personal data as per the new European Union General Data Protection Regulation (EU GDPR).
There was already a law in place in the EU for the protection of personal data, Directive 95/46/EC (“Directive”), which was repealed by the institution of EU GDPR on May 25, 2018. The EU GDPR was established to overcome the limitations of the previous Directive, such as, the EU GDPR introduced extra-territorial jurisdiction, processor responsibility, different categories of personal data, etc.
As with the growing technological advancements worldwide, the introduction of the new data privacy regulation was extremely necessary, like the butterfly effect, European regulations also have their own effect called “the Brussels Effect”. The introduction of GDPR in Europe gave birth to many data privacy regulations all over the world as many countries started to adopt their own Data privacy laws inspired by the EU GDPR, which is why it’s also knows as the Mother of Data Protection Laws.
GDPR inspired many countries to establish their own privacy laws because it provides for stringent data protection principles and empowers data subjects (whose personal data is processed) with various rights such as the right to access, the right to erasure, the right to portability, etc. The GDPR beautifully reconciles the Interests of the controllers and processers with the fundamental rights and freedoms pertaining to the protection of personal data of a natural person.
GDPR can be described in the following manner:
- It’s a data privacy regulation from Europe that grants rights and control to individuals in the EU/EEA over their personal information.
- It also sets specific rules and principles that businesses worldwide must follow to process the precious personal data of EU citizens legally.
Key definitions under GDPR (Article 4)
Personal data
As per Article 4(1) of the EU GDPR, personal data means any kind of information that can tell us who a person is. It could be something obvious like their name or ID number, or it could be something less direct like where they are, something unique about their body, their health, the way they think, how much money they have, their customs, or other things that show who they are as an individual. GDPR has defined personal data in a very broad manner, which includes any information that can be used to identify a natural person, directly or indirectly.
Processing
As per Article 4(2) of the EU GDPR, the term processing covers almost everything that can be done with personal data, including collecting and keeping the data, organising it, changing it, finding and using it, sharing it with others, and even deleting it irrespective of whether these activities are done by a person or a computer, everything falls under the scope of the term processing.
Consent
As per Article 4(11) of the EU GDPR, the term consent of the data subject means the granting of permission by the data subject, which shall be given freely, knowing exactly what they are granting their permission to. Without any confusion or pressure, the permission to use the data subject’s data shall be obtained and shall be obtained in such a manner that the controller is able to demonstrate such freely given permission.
Controller
As per Article 4(7) of the EU GDPR, the term controller has been defined as a natural or legal person, public authority, agency or other body that individually or jointly decides the WHY (why the personal data is collected, i.e., for what purpose?) and HOW (means of the processing of personal data) of the processing of personal data.
Processor
As per Article 4(8) of the EU GDPR, the term processor has been defined as a person or organisation that handles personal information for the controller, like a chef cooking the food as per the recipe of the owner of the restaurant. In the same way, the processor processes the personal data on behalf of the controller as per the instructions of the controller, and if the processor steps out of his authority and performs certain acts that are not authorised by the controller and result in a violation of this regulation, in such cases, the processor will be liable to indemnify the controller for any such damage caused.
What is artificial intelligence (AI)
The European Union Artificial Intelligence Act (EU AI Act) defines AI as “AI system’ means a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments”.
Key principles and rights under GDPR
Data processing principles
The EU GDPR provides for stringent data processing principles, which the controllers and, where applicable, processors are obligated to follow. These principles didn’t just appear out of thin air; they have a significant historical background and have their foundation deeply rooted in the history of international and European data protection standards.
The Council of Europe Convention for the Protection of Natural Persons vis-a-vis Automated Processing of Personal Data (‘Convention 108’) was the first international legally binding document that prescribed the data protection principles. From a European perspective, the Directive (95/46/EC) embedded the essential principles of data protection. In the EU GDPR, the principles are clearly specified in Chapter 2 . And Article 5 of the regulation emphasises the principles relating to the processing of personal data, which include the following:
- Lawfulness, fairness, and transparency: Data must be processed legally, without adversely affecting the data subject, and with transparency regarding how it is used.
- Purpose limitation: Data should be collected for specific, clear, and legitimate purposes and not used in a way that is not compatible with those purposes.
- Data minimisation: Only the necessary data for the stated purposes should be processed.
- Accuracy: Personal data must be kept accurate and up-to-date.
- Storage limitation: Data should be identifiable only as long as necessary for processing purposes.
- Integrity and confidentiality: Data must be processed securely to prevent unauthorised access and damage.
There is also a 7th principle in the GDPR that I find none of the other articles or experts miss out on or don’t talk about, which, in my opinion, is the most important principle: ‘Accountability’.
Article 5 (2) says that the data controller is responsible for demonstrating compliance with all of the above principles mentioned in Article 5. This article binds the data controller with the obligation to follow all the principles of data processing, which makes it the most important principle.
Data subject rights
As discussed above, the European Union has always been ahead in protecting the personal data of individuals. European lawmakers are so up to date that when the Internet was still a novelty to Europe around 1989, within six years, they came up with a data protection directive to provide EU residents with a range of rights that protected them from the processing of their personal data by different organisations. However, as mentioned earlier, the Directive has many limitations due to such rapid advancement in the technological sector all over the world that it fails to provide extensive and complete protection from the present dynamics of how personal data is processed. The introduction of the GDPR offers a lot more rights and protection to the people living in the EU, as mentioned in Articles 12 to 23 under Chapter 3 of the GDPR:
Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
Article 12 of the GDPR states that the controller has to provide information to the data subjects in a clear, concise and accessible manner and should also provide assistance to the individuals in exercising their rights, respond to requests promptly and not charge fees for providing such services unless the requests of the data subjects are repetitive or not reasonable.
Article 13: Information to be provided when personal data is collected from the data subject
Article 13 of the GDPR states that, when the controller collects personal data from the data subject, he must inform individuals what type of organisation they are (essentially, the controller has to introduce himself to the data subjects and provide details of the organisations), why they are processing the personal data and for how long they are planning to keep it. Controllers are also obligated to inform the individuals about the rights they are entitled to (right to access, alter, erasure, portability, and complain to supervisory authority). The article also provides that if the original purpose for which the data was collected, changes in the future (data is now processed for a different purpose than for which it was originally collected) for example, if a company collects your phone number for the purpose of creating an account with them but later uses your phone number for targeted advertising without explicit consent for the same, the company would be in violation of this regulation.
Article 14: Information to be provided where personal data have not been obtained from the data subject
Article 14 of the EU GDPR provides for the same rules as Article 13. Additionally, it states that the controller shall also provide information about the source of the personal data to the data subject, along with the timeframe within which the controller shall provide the information to the data subject. It also outlines the exemptions in scenarios in which the controller need not provide such information to the data subject.
Article 15: Right of access by the data subject
Article 15 of the GDPR grants individuals the right to confirm if their personal data is being processed, access it, and receive detailed information about the processing. It outlines their rights to rectify, erase, or restrict data processing, lodge complaints, and understand automated decision-making impacts. Additionally, it ensures individuals are informed about data transfers to other countries and the safeguards in place.
Article 16: Right to rectification
Article 16 of the GDPR empowers individuals with the right to correct any personal data that is being processed inaccurately by the controller without unnecessary delay, including the right to complete any incomplete information, taking into account the purpose for which the data is processed.
Article 17: Right to erasure (‘right to be forgotten’)
Article 17 of the GDPR allows individuals to request the deletion of their personal data without unnecessary delay under certain conditions, such as when the data is no longer needed or consent is withdrawn. Controllers must also inform other parties processing the public data to erase it, subject to other conditions provided in the article.
Article 18: Right to restriction of processing
Article 18 of the GDPR provides individuals with rights to limit the processing of their personal data, subject to the conditions outlined in the article.
Article 19: Obligation to notify recipients
Article 19 of the GDPR provides that controllers must inform all recipients of personal data about any corrections, deletions or restrictions on processing that have been made. The purpose of this article is to ensure that changes are updated everywhere the data has been shared, subject to the conditions outlined in the article.
Article 20: Right to data portability
Article 20 of the GDPR gives individuals the right to receive their personal data in a structured, machine-readable format. They can then transfer this data to another controller without any obstacles. This right applies when the data processing is based on consent or a contract and is done automatically. However, it doesn’t apply if the processing is necessary for public interest or official authority. The goal is to make data more portable and empower individuals.
Article 21: Right to object
Article 21 of the GDPR gives individuals the right to stop the processing of their personal data, especially when it’s for direct marketing or based on certain legal grounds. If someone objects to their data being used for marketing, the processing must come to a halt.
Article 22: Right to not be subject to automated decision-making, including profiling
Article 22 of the GDPR gives individuals the right not to be subject to decisions based solely on automated processing (including profiling) that significantly affect them.
However, there are exceptions when the decision is necessary for a contract, authorised by law, or based on explicit consent. The controller must also implement measures to protect the individual’s rights and allow human intervention when needed. Decisions should not rely on the special categories of personal data referred to in Article 9(1) unless specific conditions apply.
Connection between GDPR and AI
With the GDPR coming into force on May 25, 2018, individuals now enjoy enhanced control of their personal data, supported by organised guidelines for data management. AI is not explicitly mentioned in the GPDR, but many provisions in the GDPR are relevant to AI, and some are indeed challenged by the new ways of processing personal data that are enabled by AI.
Before AI can be deployed, AI systems typically need to be designed, trained using training data, and tested to ensure they are performing as intended. Each of these stages frequently involves the use of personal data and is, therefore, subject to the GDPR. Once an AI system has been deployed, it will often also use personal data as an input to produce its outputs. This processing will also generally be subject to the GDPR.
Where an AI system processes input data obtained from terminal equipment or obtained via the use of cookies or similar technologies, the notice and consent requirements of the ePrivacy Directive will also be engaged.
The relative complexity of AI means AI systems provided by one party are often integrated into third-party services. Where the use of that third-party service also has the incidental effect of improving the underlying AI system, questions can arise as to who acts as the controller of the processing carried out by the AI system in connection with the third-party service.
AI systems that process personal data must be sufficiently transparent. In particular, where AI systems are used to make significant decisions about individuals with no human involvement, Articles 13 and 14 of the GDPR require data subjects to be provided with meaningful information about the logic involved, as well as the significance and intended consequences for the data subject. This can be challenging in light of the opaque manner in which many AI systems currently operate. In the United Kingdom, the ICO has, in conjunction with the Alan Turing Institute, produced detailed practical guidance on explaining decisions made with AI.
Impact of GDPR on AI
The EU’s data protection laws have long been regarded as a gold standard worldwide. Over the last 25 years, technology has transformed our lives in ways nobody could have imagined. The introduction of the GDPR had a seismic impact on the technology industry, reshaping how organisations handle personal data, prioritise privacy, and ensure transparency. As a result, the GDPR stands as a beacon for data protection, emphasising individual rights and accountability, and one of the most deeply affected sectors is the AI industry. The impact of GDPR on how the AI industry operates is immense. Data is the bread and butter of AI systems; from the training, testing of AI to improving the user experience of AI, everything needs data. As personal data becomes more abundant, so does the need for robust compliance within the AI industry. GDPR’s stringent requirements ensure that organisations handling personal data prioritise privacy, transparency, and accountability, reshaping the landscape for AI development and deployment.
All processing of personal data by an AI system that is subject to the GDPR must have a lawful basis under Article 6 of the GDPR. Because, as discussed above, AI systems often produce their output by considering a large number of information points about individuals, many of the considerations stated in Articles 6, 7 and 22 of the GDPR, such as lawful basis, consent, legitimate interest and automated decision making, in relation to targeted online advertising, will be relevant to AI systems more broadly. The EDPB has provided guidelines stating, in its view, that personal data cannot be used to improve a service on the basis of Article 6(1)(b) of the GDPR (contractual necessity). However, in the same guidelines, the EDPB also acknowledges that the personalisation of content may but does not always, constitute an intrinsic and expected element of certain services.
When determining the appropriate legal basis for processing carried out by AI systems, it may, therefore, be helpful to distinguish between the processing necessary to provide an intrinsically personalised service, and any wider processing that may take place to improve the AI system for the benefit of all users.
Where AI systems are trained on personal data on the basis of consent, the EDPB has noted that individuals must be able to withdraw consent so that their personal data is no longer processed for those purposes. However, they also helpfully clarify that this does not mean an AI model previously trained using that data must also be deleted. Controllers must, however, take measures to ensure the data cannot be reidentified from the model, for example, by means of reconstruction or membership inference attacks.
One key concern relating to AI systems is that they can produce biassed or discriminatory results. To detect and prevent such bias, it is often necessary to test AI systems. This sometimes requires the use of special categories of personal data. This requires a condition under Article 9(2) of the GDPR, which can create challenges.
AI systems have the potential to be used to make solely automated decisions with legal or similarly significant effects on individuals. Where this is the case Article 22 of the GDPR will apply.
For AI systems to comply with GDPR, they must ensure that they respect all the principles of personal data processing provided in Article 5 of the GDPR, and also respect the data subject rights that the GDPR empowers them with. Under Chapter 3, including all these, there are other elements of GDPR that affect AI systems, including, inter alia, the following:
Data protection by design and by default
AI systems must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This includes adhering to the principles of data protection by design and by default, requiring that data protection be integrated into the system designs and default settings (Article 25). When creating AI systems, prioritise data security and privacy right from the beginning. Don’t wait until later stages to address these concerns. AI system manufacturers should be mindful of privacy risks as they build AI applications. They should consider how data is collected, stored, and processed to protect individuals’ privacy. They should use techniques like data anonymization and pseudonymisation to safeguard personal information, this helps prevent direct identification of individuals, and if the information that is relevant to identify the natural person is not required to achieve the objectives or purposes of the controller, in such cases the GDPR mandates the controller to adopt appropriate technical and organisational safeguards, which include pseudonymisation of the data. Conduct Data Protection Impact Assessments (DPIAs) to evaluate potential risks posed by AI systems. Ensure that data subjects’ rights and freedoms are not compromised. Make AI decision-making processes transparent. Be accountable for how personal data is handled throughout the AI system’s life cycle.
International data transfers
AI systems that process data across borders must comply with GDPR provisions of international data transfers.
As per the European Data Protection Supervisor (EDPS) Guidelines , a two-step process must be followed:
- There shall be a valid lawful basis for the processing of data and all the requirements of Regulation (EU) 2018/1725 must be respected.
- Must adhere to all the provisions outlined in Chapter 5.
Ensuring that data transferred outside the EU is still protected. The EDPS, in its guidelines, also provides obligations that the controllers are obligated to follow:
According to the principle of accountability, controllers must make sure and demonstrate that all of their data processing, where applicable, data processing by processors, must follow the law, including in the case of transfers of data, it is important for the organisations to check and prove that they or anyone working on their behalf, handle data legally, especially when moving it around.
EU institutions, bodies, offices and agencies (EUIs) must carefully assess the necessity and proportionality of their envisaged transfers, including an assessment of the level of protection in the third country of destination, to justify the implied interference with individuals’ fundamental rights to private life and data protection.
EUIs should follow the EDPB guidelines and recommendations on transfers in addition to the EDPS ones.
Automated decision-making including profiling
Article 22 of the GDPR restricts purely automated decision making, including profiling, which has legal or similarly significant effects. Profiling in GDPR is defined under Article 4(4) as a form of automated processing of personal data that is used to evaluate certain personal aspects relating to a natural person, it is particularly used to analyse or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. However, you must note that under the EU AI Act, any AI systems that are used for profiling are prohibited. The GDPR ensures that AI decisions that significantly affect individuals cannot be based solely on automated processes. As mentioned earlier in this article while discussing the Rights of the data subjects, Article 22(4) of the GDPR provides that the data subject is entitled to not be subjected to a automated decision based solely on automated processing of special categories of personal data unless specific conditions apply, those conditions being, that the data subject has provided his explicit consent for the processing of this special category of personal data provided where there is no Union or Member state law that provides that even in case of explicit consent the controller cannot process special categories of personal data and second condition being that if the processing is necessary for public interest in accordance with EU or member state law, even if these conditions are met, there shall be suitable measures to safeguard the data subjects rights and freedoms to protect the personal data of the individual.
Data protection impact assessments (DPIAs)
Article 35 of the EU GDPR states that when a controller plans to use new technologies or process personal data in a way that could seriously affect data subjects rights and freedoms regarding the personal data, the controller must, before processing, carefully evaluate how their processing might impact the data subject’s personal data protection. Therefore, any controller of AI systems shall conduct DPIAs in accordance with this article for any new projects that could seriously affect data subject rights under this regulation or the fundamental right of privacy of the natural person, This helps ensure that privacy is respected and that any risks are managed properly.
Landmark judgments on General Data Protection Regulation in India
There have been several significant landmark judgements passed by Indian courts that address various aspects of data protection and privacy. These judgements have played a crucial role in shaping the legal landscape for data protection in India and have laid the foundation for future developments in this area.
Justice K.S. Puttaswamy (Retd.) vs. Union of India (2017)
One of the most notable judgements is Justice K.S. Puttaswamy (Retd.) vs. Union of India (2017), which recognised the right to privacy as a fundamental right under Article 21 of the Indian Constitution. This landmark judgement has far-reaching implications for data protection, as it establishes a constitutional basis for the protection of personal data. The Supreme Court held that the right to privacy includes the right to control and protect one’s personal data. This judgement has been cited as a precedent in subsequent cases involving data protection and has influenced the development of data protection laws and regulations in India.
Facebook Inc. vs. Union of India (2021)
Another important judgement is the Facebook Inc. vs. Union of India (2021) case, which dealt with the issue of data localisation and cross-border data transfers. In this case, the Supreme Court held that the right to privacy includes the right to control the transfer of one’s personal data outside of India. This judgement has significant implications for multinational companies operating in India, as it imposes restrictions on the transfer of personal data outside of the country. The court also emphasised the need for strong data protection laws and regulations to ensure the protection of personal data and prevent its misuse.
These landmark judgements have set a strong precedent for data protection in India and have helped to raise awareness about the importance of protecting personal data. They have also influenced policy discussions and legislative initiatives on data protection in India. As the digital landscape continues to evolve, it is likely that these judgements will continue to play a vital role in shaping the legal framework for data protection in India.
WhatsApp Inc. vs. Union of India (2021)
WhatsApp Inc. vs. Union of India (2021) was a landmark case that challenged WhatsApp’s privacy policy, which sought to share user data with its parent company, Facebook. The Delhi High Court held that WhatsApp’s privacy policy was violative of the users’ right to privacy and directed WhatsApp to modify its policy accordingly.
The case was filed by a group of digital rights activists who argued that WhatsApp’s privacy policy violated the users’ right to privacy under Article 21 of the Indian Constitution. They contended that WhatsApp’s policy allowed Facebook to collect and use personal information of WhatsApp users without their consent.
WhatsApp defended its privacy policy, arguing that it was necessary to improve the user experience and provide better services. The company also claimed that it had taken adequate steps to protect the privacy of its users.
The Delhi High Court, however, found that WhatsApp’s privacy policy was not in compliance with Indian law. The court held that WhatsApp’s policy was too broad and vague and that it did not provide users with sufficient information about how their data would be used. The court also found that WhatsApp had not obtained the consent of its users before sharing their data with Facebook.
The Delhi High Court’s decision was a significant victory for privacy advocates. The decision sent a strong message to companies that they cannot collect and use user data without their consent. The decision also highlighted the importance of transparency and accountability in data collection and sharing practices.
In response to the Delhi High Court’s decision, WhatsApp modified its privacy policy to address the concerns raised by the court. The new privacy policy provides users with more information about how their data will be used and it also requires WhatsApp to obtain the consent of users before sharing their data with Facebook.
The WhatsApp Inc. vs. Union of India case is a significant precedent for data privacy law in India. The case demonstrates the importance of protecting the privacy of users and it sets a high standard for companies that collect and use personal data.
These landmark judgements have significantly contributed to shaping the discourse on data protection in India. They have emphasised the importance of safeguarding individuals’ privacy and personal data and laid the foundation for future developments in data protection law and regulation.
Conclusion
Thus, it can be concluded that the GDPR deeply impacts AI industry with its strict standards for data privacy and security and it is important that organisations governed by the GDPR adhere to its regulations whenever they collect or receive personal data concerning identified or identifiable individuals to protect the rights of an individual.
Additionally, even if an organisation is not directly processing personal data, it may still be subject to the requirements outlined in the ePrivacy Directive.
References
- https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504&qid=1532348683434
- https://ec.europa.eu/newsroom/article29/items/612053
- https://www.coe.int/en/web/data-protection/convention108-and-protocol
- https://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2018/09-10/Convention_108_EN.pdf
- https://ec.europa.eu/futurium/en/european-ai-alliance/ecs-definition-ai-or-how-define-artificial-intelligence-real-and-concerned.html
- https://ec.europa.eu/futurium/en/system/files/ged/ai_hleg_definition_of_ai_18_december_1.pdf
- https://www.europarl.europa.eu/doceo/document/TA-9-2024-0138_EN.pdf
- https://eur-lex.europa.eu/eli/dir/1995/46/oj
- https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/explaining-decisions-made-with-artificial-intelligence/
- https://data.consilium.europa.eu/doc/document/ST-14278-2021-INIT/en/pdf
- https://data.consilium.europa.eu/doc/document/ST-5662-2024-INIT/en/pdf
- International transfers | European Data Protection Supervisor (europa.eu)
- https://european-union.europa.eu/principles-countries-history_en
- Guidelines, Recommendations, Best Practices | European Data Protection Board (europa.eu)