Policy Paralyses in India’s Approach Towards Algorithmic and Information Governance
Regulatory Sovereignty in India: Indigenizing CompetitionTechnology Approaches, ISAIL-TR-001
digital sovereignty developed to regulate the borderless internet.
Digital sovereignty refers to a nation state's capacity to govern both the digital infrastructure and information assets located inside its borders. When applied to governments' ability and attempts to control data assets and technical infrastructures located beyond their borders, this notion may take on a variety of shapes. Initially, such efforts were restricted to adopting "long-arm" laws that ensured prosecution of crimes committed against a nation state or its people regardless of the accused's country or location. Subsequently, it began to take on
additional forms, including (i) restrictions on cross-border data flows, (ii) hard or soft data sovereignty requirements, (iii) mandatory sharing, and (iv) local situs requirements, such as the formation of an incorporated entity or the appointment of officers within national boundaries, and others.
As stated in the preamble, the Bill protects individuals' private information in relation to personal data, clarifies the flow and use of personal data, establishes a trust relationship among individuals and companies processing personal data, protects the rights of individuals for whom the personal data are processed, and establishes a framework for organizational and technical measures. Additionally, the Bill aims to provide remedies for unlawful and harmful processing and to create a Data Protection Authority of India to carry out the above objectives and those associated with or incidental to them.
The Bill's fundamental concepts are substantially comparable to those found in the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR").
Information Governance Issues
The world is overflowing with data. Adoption of the internet, smart devices, and cloud-driven apps, followed by the increasing use of AI systems, are the key reasons we are generating and consuming data at a blazing speed. Data generates economic value and wealth, in addition to social and public value. It is progressively taking centre stage in core technological businesses and economic sectors everywhere while also addressing numerous social and public administration issues. With the snowballing prominence and value that it generates, governments across the globe are realizing the need to enable and regulate all aspects of data. World governments have suggested “Open Data Initiatives” and protocols related to personal data, like the PDP Bill in India or the GDPR in the European Union. However, these governments, specifically India, have avoided recognizing the technology sector as an independent area with its own sectoral requirements. This is a new and emerging area of regulation, and that is why there is a need to establish an authority that has specialized knowledge of data governance and of up-to-the-minute technology research and innovation, and that can keep pace with the swiftly developing technological landscape. Information governance, which guarantees that the creation, storage, use, disclosure, archiving and destruction of information are handled in accordance with legal requirements and thereby maximizes operational efficiency, plays a vital role here. Currently, in India, data protection and privacy are governed by Section 43A and Section 72A of the Information Technology Act, 2000 and the corresponding Information Technology (Reasonable Security Practices and Procedure and Sensitive Personal Data or Information) Rules, 2011.
Additionally, the Policy on Open Standards for e-governance, mandated by the Ministry of Communications & Information Technology, states that it “provides a framework for the selection of Standards to facilitate interoperability between systems developed by multiple agencies… It aims for reliable long-term accessibility to public documents and information in Indian context.” (Government of India, 2010) This policy was intended to set out the principles of information governance across the country and to make clear the responsibilities and reporting lines for the different organizations and government departments that handle sensitive data. It is intended as an over-arching framework to give clarity about the scope of information
governance and to highlight key information and related policies to the citizens. The government must understand that it is imperative for data protection to be applied to all forms of data. Since data is vast and there are various categories of NPD, it is expected that a regulation on NPD is likely to lead to increased transparency, better quality services, improved efficiencies, more innovation and public welfare. The Ministry constituted a Committee of Experts to deliberate on a Data Governance Framework which released its report that sets out the context and proposal for the forthcoming regulations on NPD. Based on consultation, public comments and feedback, a comprehensive data framework governing NPD in India may be introduced in the near future.
Effects of Erroneous Data Governance
The one and only effect of erroneous data governance, whether by the government or by private entities, is a data breach, and it costs the people. The increase in data exposure and data leaks from within organizations is palpable and must be seriously addressed; the daily news of data leaks bears witness to this even today. In the first three quarters of 2020, almost 2900 public breaches were reported, including at some of the biggest companies, like Twitter, Wattpad, Microsoft, Estee Lauder, Broadvoice, and Whisper. Two breaches exposed over 1 billion records each and four breaches exposed over 100 million records. Together these six breaches accounted for approximately 8 billion exposed records, or 22.3% of the records exposed through the end of the third quarter (Henquriez, 2020). Security issues arise from any unauthorized behaviour, while privacy is a by-product of processing authorized personally identifiable information. As a precaution, it is suggested that impact assessments be carried out on personal data processing to identify and mitigate risks. Such an assessment analyzes how an entity collects, uses, shares, and maintains personally identifiable information in relation to existing risks. Privacy Impact Assessments (PIA), on the other hand, are used to protect privacy by design: they identify and minimize risks associated with the processing of personal data. Risk assessment provides actionable threat intelligence about organizations that have experienced a data breach or leaked credentials. Therefore, it is imperative that those who collect data keep it with the utmost responsibility and security.
Need of a Well-Crafted Policy
A well-crafted policy for information or data governance is something that India needs urgently right now. Such a policy can fashion a governance framework that guarantees: a certain amount of oversight of the data resources of an organization based on their value and risk; steady, efficient and active supervision over the data resources of the organization, over time; and the protection and security plans for diverse groups of data, as established by the organization’s governance team. Such a policy ensures that the enterprise data governance arrangement supports the organization's tactical vision for its data program, whether the aim is to leverage data to gather insights that drive new profits, to utilize data to offer new facilities, or to fuel digital transformation generally. Even though each policy should be designed around the unique requirements of the enterprise, it should usually contain: a record of the data sources within the organization; the objectives of the organization's data governance program and the metrics that would determine its success; the points in the organization that will administer the essentials of the governance program; expectations around classes of data and their lifecycle management, along with data integrity and data integration; information regarding acceptable data usage; the different classes of data, such as sensitive, confidential or publicly available, accompanied by the levels of security required for each; and finally, the laws that must be followed while accumulating and preserving that data, and the compliance requirements for the organization's data program.
Algorithmic Governance Issues
Practically, as per the 3 stages from coherentism to technocracy, India has some key problems to escalate. Here are the key issues with the Indian state which are elaborated further:
• Indian Law is still incompetent to usurp or even digest the omnipotent and omnipresent nature of artificial intelligence due to the knowledge approaches as well as the economic ripples that such technologies can create.
• Indian Law does not comprehend how linear and cyclic consequentialism are to be even adjudicated, let alone arbitered or settled. A conscious legal system equipped by a mature jurisprudential literature is the need, which again escalates India back to the problem that there is a huge lack of experience in dealing with cases related to AI technologies.
• India has not yet attempted to specify as to which approach to audit AI technologies should be adopted. In matters of global governance, it is real enough to observe when agreements are reached based on subjective consensuses of state parties being deliberated. Politically, diplomatically, and even legally, India’s legal acumen is skewed and much scattered.
• Digital coloniality is being understood by the Union Government reasonably, but the methodology adopted has been quite lackadaisical as well as feudal, backed by procedural dysfunctionality. Digital coloniality and feudalism can encourage the privatisation and dilution of state capacity, and without engineering specialist approaches for even expecting to develop any Indian de lege ferenda, India cannot develop strategic considerations. The inability of the state machinery at both Union and State levels, when it comes to implementation, cannot be justified by their inability and tendency to become dysfunctional, simply because the exacerbation is backed by the feudal way of governance – which again would procedurally repeat if accessibility to improve is not taken into important consideration. There is no doubt that the Union Government motivates digitisation and encouraging avenues of digital knowledge economies and societies. There are urban and rural-level initiatives which have been successful. However, there is not much preparation as of now to address issues related to competency, potential for auditability & strategic approach towards transforming de lege ferenda yet.
Each of these issues is described in the sub-parts below:
Why Omnipresence and Omnipotence Needs to Be Consumed in the Cycle of Policymaking and Deliberations
In algorithmic governance, AI technologies are already strengthening and expanding the scope of governance of the institutions within the Indian state. There are enough chat bots, or AI-based verification services operated by the Government of India, which have their own levels of efficacy and inefficacy. Some of them are useful, while others do not have much usefulness. It could be a contentious question whether the source code and other such technical details are owned by the Government or not, and whether there is some backend process to ensure checks and balances or not. There are relevant government ministries that handle such affairs in their own domains. However, instead of adopting an approach where AI technologies of minimal cause but significant reach and effect should be taken into consideration not for the purposes of arbitrary scrutiny but to assess their effectiveness, and how they impact the all-comprehensiveness of the system of governance. Of course, the NITI Aayog and other Government bodies are concerned to some extent, and it is being assumed that some resourceful way of assessment could have been done to proceed with such AI technologies.
In the interest of India’s foreign policy as well, in the domain of international relations and technology diplomacy, it is recommended that India focuses on developing a joint division/body (not committees or statutory bodies, considering the relevance of the subject matter, and the reasons if there should be some protocols to govern) on AI Resilience and QA, which assists the NITI Aayog or the Ministries concerned with AI technologies, including those of Law and Information Technology in at least assessing anthropological information of the stages of the omnipotence and omnipresence of such AI technologies. This can happen in the current constitutional law framework as well, not just because the Part III of the Indian Constitution is to be taken into consideration. Beyond fundamental rights, omnipotence and omnipresence are double-edged because they can lead to some kinds of instrumental and procedural exploitations, which are described as follows:
• Self-exploitation and externalised form of exploitation of human dignity and integrity, considerably a violation of the fundamental rights to life and personal liberty of the consumers
• Exploitation of the already unprepared positivist (coherentist) legal regime, wherein only extended interpretations convinced by the juridical literature of constitutionalism could be taken into consideration
• Data exploitation and quality issues, with respect to data protection, processing, localisation, and democratization (access)
For none of the issues stated above, any restrictive or protectionist approach is needed per se. However, the Indian state must realise that the role of an integrating technology like AI, be it in whatsoever form – or manifest availability, must be naturalized, harmonised, and even audited regularly, to trace its algorithmic activities. There should be a light-handed approach, which must be central to data quality and efficacy – yet should also ensure that the regulators do have the mobility to act.
The Limitations of Indian Jurisprudence in Understanding Algorithmic Governance
The current jurisprudence of India has several flaws, both systemic and specific. There are elements of coloniality in Indian jurisprudence, which does not specifically open options for nuanced and better approaches. Further, constitutionalism, which is solely based on juridical interpretations, expands the scope of the jurisprudence to develop coherentist positions on legal issues. The same can be done in the domain of technology and administrative law. However, the efficacy would be in question because of a lack of skill to strategize and emphasize upon critical legal issues on which adjudication must happen. The lack of understanding is then another issue. Of course, there cannot be a one-size-fits-all approach. However, the reason it is important to understand is that due to coloniality, most interpretations are an outcome of copying the aesthetic and skeletal components of such jurisprudential concepts from other countries, which again can be done, provided that the judgments
and orders passed are direct, crisp, specific and concise. The ratio decidendi and the obiter dicta of a judgment should be specific and must not be conflated if specificity is not decided. A third problem which can be observed is that in constitutional law, arguments are usually (and non-exhaustively) kept polemical, which is why the following is to be understood:
• Policy interventions are usually done by the executive branch of the government, and not the courts. In India, there is no proper separation of powers system, not because of the Indian Constitution, but because courts, in many ways – in the name of public interest, duty and even constitutional morality, have subjected themselves to policy interventions (Rajagopalan, 2021). Hence, when regulatory sovereignty would have to be strengthened, the courts would play a serious role in tackling disputes related to any disruptive technology, including AI, where their public law approaches are concise, clear, and reasonable.
• Defining larger public interest is always a contentious matter in constitutional courts, which again, if it gets polemical, leads to problems, where the public duty of protection is not properly safeguarded within the scope of the state, and there are very few mechanisms to even have balanced and adaptive forms of interpretation.
• Lack of literature in public law is a natural problem when newer cases come in, and experiential considerations would form the precedents accordingly. It is therefore important that while comparative and international approaches are taken into consideration, a rigidly specific form of interpretation is adopted, which is consistent with policy projections that are developed in the state.
Consultative approaches can be adopted as well.
No Auditing or Regulatory Sandbox Approach has been Decided So Far
India has not yet specified its position worldwide on many complex issues of AI ethics, except maybe some consultations on Responsible AI and even Privacy rights, to some extent (Roy, 2021). Beyond that, the explainability of artificial intelligence is a more contentious problem, which needs to be reasonably
addressed to ensure that better auditing standards can begin to be achieved. There is a relevant lack of design making in achieving policy designs, despite some background research being developed by the government agencies. There should also be a regulatory sandbox framework, which can ensure that effective compliance standards are achieved at a preliminary level for better regulatory policy interventions.
No Decisive Approach of the Second and Third Order Effects of Digital Coloniality
Digital coloniality and the West-dominated understandings of AI ethics are being recognized by government institutions at the Union level (Roy, 2021). Yet, there is not much research produced about digital coloniality as of now. The inefficacy of the Indian state makes it feudal by its means of functionality and interaction, which also compromises its position on various tendencies which lead to digital colonization. An adaptive approach is therefore needed, where the Union Government clearly addresses adventurist policies of foreign digital-economic actors across the globe. The approach cannot be idealistic, and should assume principled realism as a foreign policy construct, based on ensuring human dignity and avoiding any tendencies of exploitation and reductionism in approaching and preventing innovation and R&D initiatives per se. Yes, predictability might not be expected much. There also cannot be an equilibrium approach to block avenues of action and cooperation. However, digital coloniality should be dealt with responsibly. The Union Government tried to deal with the procedural role of digital feudalism when the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (PRS India, 2021) were implemented. However, even these rules have flaws in interpretation, implementation and in matters related to checks and balances.