Even as generative artificial intelligence (AI) platforms like ChatGPT and Google Bard have now come under the ambit of Digital Personal Data Protection (DPDP) Act, the government might face issues in tracing the data breaches which might happen through these platforms, according to experts.
One of the concerns which may pose a challenge is the data traceability, which means identifying the source using which generative AI platforms take personal information of people to train their models and then share the information accordingly with other users based on the query. In instances like these, it also becomes difficult to fix any kind of responsibility on these platforms, unlike any other data fiduciary who can be easily held accountable in case of violation of data protection provisions.
“There is a possibility that a generative AI platform collects and scrapes all the data and says that I am not providing it for the Indian users and not covered under the Act,” said Rakesh Maheshwari, former senior director and group co-ordinator, cyber laws and data governance at ministry of electronics and information technology (MeitY).
“With regard to generative AI, certain restrictions are put in place. We will have to see in what way it finally shapes out,” Maheshwari added.
While these generative AI platforms will have to follow the disclosure norms regarding the personal data they are processing, the information they collect using AI algorithms and then train their data sets can not be mapped.
This means that even if they collect any personal information in the form of text, video or image and use it without the consent of users, no one can prove that the platform used certain data sets to generate a certain output.
Besides data protection, other concerns around generative AI remain around copyright issues, misinformation, and bias of algorithms.
“Generative AI platforms have control over the data only till the time they have not fed the data collected by them to train their model. They themselves lose control of how and where the information will be split when a response is given towards a prompt,” said Vinay Phadnis, an AI expert and CEO of technology company Atomic Loops.
According to Phadnis, it is very difficult to do one-on-one mapping of these neural networks and do traceability of information because of the nature of the technology. Neural networks such as Google assistant, ChatGPT, Bard, etc, are widely used in a variety of applications, including image recognition, predictive modeling and natural language processing.
One of the solutions which Phadnis suggested to identify the source of origin and data sets these generative AI platforms are using, is to put a hallmark or AI signature at the end of audio, text, video or any kind of responses generated by these organisations.
AI signature will not only provide authenticity of data but also tell what kind of data sets the information is trained on, if these are nationalised data sets and complied to security.
While the government is also working on the Digital India Act to come up with certain guardrails for new age technologies, experts also flagged concerns about the awareness among people to use these open AI models.
Pavan Duggal, supreme court advocate and cybersecurity expert said, “Privacy policy of ChatGPT itself says it is a work in progress and technology in happening and users should not share personal information”. Despite that, eight out of ten users log-in to ChatGPT through their personal accounts.
According to Duggal, people are not understanding how they are actually sharing their personal data on generative AI and how it is going to come back and hunt. He further added that the law needs to evolve in terms of including AI crimes as well going forward.
The DPDP Act empowers citizens to intimate to all digital platforms to delete their past data.
The firms concerned will need to collect data afresh from users and spell out clearly its purpose and usage. They will be booked for data breach if they depart from the purpose for which it was collected, according to the provisions of the Act.
The government is also expected to notify the Data Protection Board (DPB) and the rules of the Digital Personal Data Protection (DPDP) Act by next month end.