In prescribing the AI usage regulations for the judiciary, the authors of the regulation encountered the need to recognize the overlapping legal provisions of ITA 2000 and DPDPA 2023 compliance as an added obligation. This has been indicated in Section 48 of the regulations.
Section 54 of the regulations explicitly state that the provisions of these regulations shall be in addition to and not in derogation of the provisions of the Information Technology Act, 2000 (21 of 2000) or the Digital Personal Data Protection Act, 2023 (22 of 2023) or any other law governing Courts, data protection, and AI for the time being in force and in the event of any inconsistency between these regulations and the provisions of any other law on the subject, the provisions of such law, as may be applicable, shall prevail.
However it leaves a statement of ambiguity that where these regulations afford a higher degree of protection to any person than administrative instructions or directions issued by any authority, the provisions of these regulations shall prevail over such instructions or directions to the extent of any inconsistency.
The text of Chapter VII on Data Protection and Cyber Security is reproduced here for immediate reference.
CHAPTER VII: DATA PROTECTION AND CYBER SECURITY
- Application of relevant laws.––All AI Systems deployed in Court processes shall comply with the provisions of the Digital Personal Data Protection Act, 2023 (22 of 2023), the Information Technology Act, 2000 (21 of 2000) and the applicable rules and regulations framed thereunder, and any other law governing the protection of personal data and judicial information for the time being in force.
- Sensitive judicial data.––
(1) Sensitive judicial data* shall not be transferred to any External System without the express written authorisation of the Appropriate Authority.
(2) All transfers of sensitive judicial data shall be subject to appropriate technical and contractual safeguards designed to prevent unauthorised access, disclosure, alteration, or misuse.
(3) The principle of data minimisation shall be applied in the selection and deployment of AI Systems and AI Systems that achieve the relevant operational objective while requiring lesser processing of personal data shall be preferred over those requiring greater data processing, particularly in Court processes involving sensitive personal information or matters affecting personal liberty.
(4) Anonymisation shall be applied to personal data to the extent technically feasible without compromising the utility of the data for the intended purpose, before it is used for the training, testing, or refinement of any AI System.
(5) Every AI System in use in Court processes shall be subject to regular cybersecurity audits at intervals not exceeding one year, or at such shorter intervals as the AI Secretariat may determine and the outcomes of cybersecurity audits shall be reported to the Appropriate Authority and recorded in the AI Register.
To recognize the impact of DPDPA 2023, the regulators found the necessity for defining a new term “Sensitive Judicial Data” as including any personal identifiable information of parties, witnesses, or legal representatives and any information processed in connection with a Court process, the unauthorised disclosure of which may cause harm; The definition of “harm” , in relation to AI Incidents, includes any kind of physical or financial damage, or damage to the reputation or rights of any individual, institution, or infrastructure.
DPDPA has not defined “Sensitive” data and only defined “Significant Data Fiduciary” as a fiduciary who handles the Sensitive data. If all data in the judicial system is “Sensitive”, Judicial authorities will become Significant Data Fiduciaries. Use of AI further reinforces this status.
Complete exemption of DPDPA 2023 is available only under Section 17(2) of the DPDPA 2023 and it does not include the Courts, unless they are “notified” as “instrumentalities of state” and the purpose being maintenance of “Public Order. Exemption under Sec 17(1) of the DPDPA 2023 is restricted to Chapter II of DPDPA 2023 (Establishing of Legal Basis), Chapter III (Rights of Data Principals), Section 16 (Cross Border transfer) excluding obligation under Section 8(5) of DPDPA related to being responsible for reasonable security practices.
Under Section 48 of the regulations Supreme Court has adopted the principle of data minimisation and anonymisation where relevant.
The non personal data processed by AI will fall under the ITA 2000 provisions.
It is suggested that MeitY declares the Court systems as exempted under Section 17(2) to avoid any perceived conflicts.
Naavi
