IAMAI seeks amendment to use publicly available personal data for AI training
The Internet and Mobile Association of India (IAMAI) on Thursday requested the Centre to remove legal barriers to using publicly available personal data for training or fine-tuning of AI models.
The industry body pointed out that it is impractical for AI companies to verify if all publicly accessible personal data was voluntarily provided by users. As of now, data protection rules mandate that AI companies should determine if the data available on public platforms is voluntarily provided by the user.
If a user publicly shared personal data to comply with a legal obligation, it may be re-shared online by others without the user's consent, making it difficult for AI companies to determine the user's consent, the IAMAI pointed out.
IAMAI requested an amendment to the Digital Personal Data Protection Act, 2023 (DPDP Act) to this effect. "Union Government might, as an interim measure, consider exempting data fiduciaries from the DPDP Act’s provisions if they are processing personal data solely for training or fine-tuning of AI models," the release said.
Ambiguities in the DPDP Act on the processing of publicly available personal data might pose practical challenges for AI companies, particularly those using large datasets for training their models, the IAMAI told the Ministry of Electronics and Information Technology (MeitY).
Restrictions on access to publicly available personal data would impose undue compliance burdens on AI companies, hinder technological progress and the realisation of AI's potential. Such limitations would disproportionately affect startups and smaller companies developing AI models, the association said.
The DPDP Act is a comprehensive data privacy law to regulate the processing of digital personal data. It balances the rights of individuals to protect their personal data with the need for lawful data processing. It provides a framework to hold data fiduciaries accountable for personal data breaches. Data fiduciaries are required to implement appropriate technical and organisational measures to prevent personal data breaches by taking reasonable security safeguards.
