The UNESCO Guideline on AI Regulation

A resolution adopted by UNESCO 41st Session in Paris held between 9th and November 2021 has put out a guidance note for the member nations which was published in 2022.

A copy of the note is available here: 

The G20 meet of 2020 had also flagged the issue in 2020. The EU even brought out a draft AI Act last year.

However, with the release of ChatGPT and the possibility of other similar models of AI being released from Google shortly, the world has reached a stage similar to when a Nuclear Reactor goes critical. The pot of AI is now boiling. If we can control it’s use, we may direct its energies to the benefit of the society.

But if we remain complacent or think that the dooms day is far off and relax, we will soon see the uncontrolled developments of AI that will kill the society.

In the long run the human race is facing the existential threat. In the short term we will see a spurt of Cyber Crimes and a disruption of such magnitude that we are not aware of.

Before the matter goes out of control, the society needs to act positively and try its best to delay the inevitable.

The danger of AI should be seen in combination with the developments in the Neuro Technology that will provide a direct entry of AI into human minds and also the developments in the  VR as a new immersive way of taking over the human faculties by computes.

We therefore request all the responsible members of the society to start addressing this immediate need.

Naavi.org has already started a Community to discuss this on a Telegram platform. Naavi has also raised this issue in a G 20 forum.

Additionally Naavi is addressing the public today through a YouTube live session to place the concerns on the public platform.

Please do attend the session either on Zoom or on YouTube streaming today on 26th January 2023  at 11.30 am (IST)

The link is given below.

Zoom Meeting
https://us02web.zoom.us/j/88675200348?pwd=cGZLOGZ4eVM5TzdFMEJHTXdsSEhPZz09

Or

https://www.youtube.com/@VijayashankarNa/streams.

Today is the “Republic Day” in India but it is the right time to start discussion on this topic which is most relevant from the point of view of preserving the future of human race.

Naavi

PS:

 

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Data Protection Hexagon.. An Approach to being compliant

To Be compliant with Data protection or Privacy Protection through Personal Data Protection, an organization needs to implement a systematic approach like a project implementation.  The “Privacy By Design” is a term used in the industry to indicate the approach.

In implementing an effective Personal Data Protection Program (PDPP),  we need to consider that the most important part is to

a) Involve the entire work force in the compliance plan as a Team Effort

b) Keep the workforce motivated to implement the plan and maintain it as a continuing requirement.

Naavi recommends a Six step process to motivate the workforce to collectively implement the Privacy Program for an organization.

The six steps shown in the diagram as six elements of a Hexagon are

    1. Awareness
    2. Acceptance
    3. Role Identification
    4. Tools
    5. Incentives
    6. Sanctions

Awareness building is the common implementation step which is easily understood as conducting necessary trainings so that target audience (Employees) understand the requirements of the Data Protection Laws. This can be done at two levels, namely one at the Management Level and another at the workforce level.

Acceptance Building is a process where the workforce agree from the bottom of their heart the learnings of the awareness building exercise. A commitment from the member of the workforce to be compliant is always a good strategy to ensure that trainings donot remain only matters for ticking the check boxes.

Role Identification is a process where from the knowledge of what is required for data protection compliance built over the awareness building, is applied to an individual’s work responsibilities so that they can identify whether they do access personal data and if so how within their sphere of influence they need to implement the compliance requirements.

Tools provision is the responsibility of the organization and consists of Policy documents (properly explained to the workforce) and technical tools required for discovery of personal data, consent tagging, Encryption, data leak prevention etc.

Incentives are an important aspect of positive motivation so that good compliance culture exhibited by the workforce is rewarded in some manner whether financially or otherwise.

Sanctions are also essential since non conformance need to have a consequence without which the value of Incentivisation also will be less and complacency will set in.

This Hexagonal Approach to Data Protection Motivation is inspired by the Theory of Information Security Motivation and the Pentagon model that Naavi had published several years back.

As had been indicated in the Pentagon model, where five elements of motivations were considered as five walls of a pentagon rather than a hierarchical model of one after another, the Hexagonal Model of Data Protection Compliance should also be considered as a “Compact Hexagon” where each of the elements are walls of the Hexagon and are closed.

As a Closed Hexagon, all six elements are expected to be present simultaneously and not built on a hierarchical model where some elements like Training are provided with Policy documents and expect the workforce to maintain a compliance culture.

FDPPI’s framework of Data Protection Compliance Standard of India (DPCSI) is geared towards implementing a compliance program in conformity with this Hexagonal motivational model.

The “Distributed Responsibility” concept used in DPCSI is a unique binding factor that enhances the efficiency of the Compliance program and to make it work, this Hexagonal Model of motivation would be useful.

Comments welcome.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Naavi responding to the UNESCO call for AI Regulation

Naavi has been advocating a Neuro Rights Act for India for some time now. The website www.neurorights.in  captures the developments in Neuro Technology building a logic for Neuro Rights legislation.

In the meantime, the advent of GPT3/GPT4/DALL-E etc have opened up new doors of excitement in the AI world and simultaneously triggered the concerns of one section of civil society whether AI taking over of Human race is nearer than we think.

Most experts watching the development of AGI (Artificial General Intelligence) and ASI (Artificial Super Intelligence) as against the ANI (Artificial Narrow Intelligence) that may be common, suggest that in the next 30-40 years, there is a potential risk of ASI s taking over decision making in the creation and development of AI devices/algorithms.

30-40 years is within the lifespan of today’s youth and looks much more dangerous than any other risk to human mankind other than an alien attack. Alternatively the ASI robots may themselves represent the aliens who will wipe out the mankind. An Astroid hit risk today is manageable and a Nuclear war may only affect parts of our planet. But a rogue army of ASI robots could enslave the human kind the way the “Raise of the Planet of Apes” suggest and this could happen sooner than we think.

To some, this may look like speculation and fear mongering. But there is no harm in guarding against the fear even if it does not materialize. Current generation is being urged to plant trees, reduce use of fossil fuels etc for preserving the planet for the future generation. A whole lot of activities are geared towards protecting Earth from the plundering through mining, deforestation etc.

We now need a movement in the IT domain to ensure that AI does not become a threat to the mankind and we need to start flagging this possibility and start working towards finding solutions.

UNESCO has already called for member nations to work on regulations the way UNCITRAL gave a call for E Commerce  laws in 1996 which gave birth to Information Technology Act 2000. Now India is in the verge of a new Digital India Act. It is the right time to consider Digital India Act (DIA) to include the requirements of Artificial Intelligence Act (AIA). More appropriately like the Telecom Regulatory Act, UIDAI Act, DPDPB2022 etc standing apart from ITA 2000, Artificial Intelligence Act can be a separate Act since it has many nuances to be considered before it becomes a full fledged law and combining it with the amendment to ITA 2000/8 would delay other amendments for which Government might be ready now.

Naavi.org will therefore start taking some action in mobilizing the experts into a task force for developing an Artificial Intelligence Act of India. At some point of time in the future, the MeitY may set up a similar committee. However, in order not to waste time, we have initiated some action immediately.

This year, India is presiding over the G 20 conference and G 20 has also adopted a preliminary resolution in 2020 about working on AI regulation. It is therefore suggested that this year G 20 work on taking the discussion on AI regulation in India further.

Naavi has tried to bring together like minded persons into a common message group and those interested in joining this group may contact Naavi. This group will work not only on AI Act but also on Neuro Rights Act and try to develop a draft legislation for both.

Naavi

 

 

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Re-skilling from IT to Data Protection

“Disruption” is a word familiar to the technology world. Several technology developments have disrupted several industries in the past. At that time we welcomed the development as part of the innovation trend. Now Artificial intelligence, the Open-ai project is having its impact on making many jobs in IT redundant. In particular, Coding professionals are finding that their functions are being efficiently replaced by GPT3 tools.

As a consequence of these developments many IT professionals are being laid off. Those working in Amazon, Microsoft are the recent sufferers of this development though this is an industry wide disruption.

In a way the “Bhasmasura” effect of technology development is showing its uglier side effects.

While the debate on whether this is a short term phenomenon or whether the employees can re-skill themselves into new jobs that may be created in the AI itself is a debate for the future.

At present, we would like to provide some support to the community by providing opportunities to enable some of these IT professionals to gather additional knowledge and skills in the field of Data Protection.

Accordingly Cyber Law College will be planning a DPO training program at a concessional fee structure for a limited time. This will prepare IT aware professionals to be able to understand the requirements of data protection and move into the Data Audit domain. Initially they can team up with other legal professionals and later develop themselves into independent DPOs or Data Auditors. Some of them can also team up with audit firms and support them with technical skills.

We also expect that some of the Coding specialists may turn into “Code Auditors from Data Protection Perspective.

Please let me have your views in this regard.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Take this Data Privacy Pledge as part of International Data Privacy Day 2023

FDPPI is embarking on celebration of the International Data Privacy Day 2023 with a unique project to obtain a “Data Privacy Pledge” from the community.

Those who take the pledge would be issued a certificate as below.

The pledge can be taken at this URL: https://forms.gle/o1jwDf1L3KuDDUd36

The pledge reads as follows:

Pledge of Data Privacy

On the occasion of International Data Privacy Day 2023,  I hereby take a voluntary pledge to uphold the cause of “Privacy as a Human Right” by taking all steps necessary for Protection and Privacy of Personal data which I shall come across in my Professional and Personal life with due regard to the Principles of Fairness and Lawfulness of processing.

In particular:

I shall adhere to the requirement of obtaining informed consent of the data principals whose personal information comes within my control and shall use, disclose such information only as per the choice of the data principal and in accordance with the applicable laws.

I shall adhere to the principle of Minimal and  purpose oriented Collection of personal data and shall ensure that it shall be shared only on a need to know basis.

I shall take necessary steps to stop using personal information if the purpose for which it came into my possession has been completed.

I shall take necessary steps to ensure that the personal data is kept updated from time to time.

I shall not disclose the personal information except as provided under law or in the genuine interest of the individual or the community.

I shall at all times take steps to ensure the security of the personal data from unauthorized access or modification or denial of access for authorized purposes.

I shall take all necessary steps to comply with the data protection law with regard to reporting of data breach or any other requirement of compliance.

I shall endeavor to keep myself aware of the data protection laws and also spread awareness in my organization and with my professional and personal contacts.

CLICK HERE TO TAKE THE PLEDGE

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Cross Border Transfer of Data as an International Property issue

“Data” is accepted as an “asset”. “Personal Data” is in practice considered as an “asset belonging to the data subject”, the limited use of which can be transferred to a Data Controller under a contractual arrangement.

In India we consider “Data Subject” as a “Data Principal” and “Data Controller” as a “Data Fiduciary”. We have not gone into defining whether Data is an “Asset belonging to an individual” or a “Right” that can be assigned.

However,  PDPB 2019 referred to “Nomination” of personal data. Though this did not become a law, there are some inferences that can be drawn from the draft provisions that the Government had an intention to consider “Personal Data” as a property that can be bequethed by a written instrument like a Will.

This was possible through a written document since ITA 2000 does not recognize the Will in electronic form. The drafting committee of PDPB 2019 over looked the ITA 2000 and introduced the element of “Nomination” without specifying that a normal “Notice for Consent” given in the form of Privacy Policy in electronic form cannot be used for “Nomination” of Personal data.

However since a written Will (An instruction that will become valid only on the death of the person and will survive the death unlike a normal contract) is possible, “Nomination of Personal Data through a paper based Will is a possibility”.

Naavi had proposed a detailed system for handling the accounts of deceased data principals (earlier articles in this regard are available in this site) in which “Personal Data” was considered as an “Asset” and just like we settle a claim of money lying in the Bank account of a deceased person or more appropriately in the Bank locker of a deceased person, a method was proposed to handle the personal data of the deceased.

In the process Naavi had also proposed that “Unclaimed Personal Data” should be considered as a sovereign property and taken over to the control of a Data Custodian of the Government and not allowed to be left with the Data Fiduciaries. (Again similar to unclaimed Bank accounts etc).

The Government already recognizes some parts of “Non Personal Data” as “Sovereign Asset” and this was part of the recommendations of the Kris Gopalakrishna Committee report. This is an acceptable thought which will be acceptable even in the global scenario though countries including EU have failed to recognize the problem of “Personal Data of Deceased Data Subjects”.

If we therefore consider that for practical purposes “Personal Data” is like any other “Personal Asset”, we come across another issue related to the International Relationship of different countries.

Our laws recognize that the legal response of the Government is dependent on the need to ensure “Sovereignty and Integrity of the country” and “Friendly relations with other countries”.  The data protection law does not however specify clearly the dealing with the “Personal Data” of foreign citizens particularly if it belongs to “Unfriendly countries” or “Enemy Countries”.

If Personal Data is property, then  the Country in which a data subject exercises citizenship rights should be considered as having sovereign rights on the personal data of its citizens.

In case of transfer of personal data for processing to foreign  countries, there could be an issue of the “Property” of a “Citizen” being transferred to the custody of a foreigner.

EU GDPR through the Schrems judgement established a right of EU data subjects (essentially the EU Citizens) to demand that their rights be protected against foreign data processors in the foreign jurisdiction and over ruling the local law. This is consistent with the thought that the Personal Data of a Citizen is indirectly the sovereign data of the Government.

The approach to be adopted by India in DPDPB 2022 to negotiate data transfer countries in the form of Mutual Assistance treaties between countries for determination of “Adequacy” is a pointer in this direction. The contracts like SCC also need to be considered under the International contract law.

While treating “Personal Data” a property of the Citizen and subjecting it to the rules of “Property transfer across borders” is an acceptable proposition, in the context of free movement of data in the cloud storage situation, a doubt occurs if an Indian Cloud owner can store the data of a Pakistan citizen (Though Pakistan is not a declared enemy country, if a war breaks out, such a situation may arise), considering that Pakistan may  not a “Friendly country” under the acceptable definition of the term under the law in India.

Does this mean that an Indian cloud operator is taking on a responsibility to manage the assets that belongs to the Pakistan Government indirectly?

If tomorrow either the Indian Government or the Pakistani Government is unhappy with the way the data has been used, processed or disclosed, can there be a charge from either of the countries that the Company has acted against the sovereign interests of their country?

Suppose due to some negligence or cyber attack the data is destroyed, then can the owner country allege conspiracy to destroy its national asset? or the destination country allege conspiracy to assist a foreign power?

These questions may be in the realms of speculation today. However taking into account the hidden value of the personal data (or any other data), which may include a Crypto Currency or NFT it is difficult to ignore the possibilities of a war breaking out between two countries because the data assets of one country was destroyed or taken over by  another country.

What if a Pakistan or Chinese entrepreneur is managing a Crypto Exchange and its Government nationalizes the company and takes over the data?… The value may run into billions of rupees and more harmful than enemy army taking over some buildings inside our territory.

During the Ukraine conflict, the US Government did impose sanctions that extended to data assets and tried to arm twist foreign Governments to shut TV channels, stop IT services to Russia etc.

As we go forward and the value of data is more and more recognizable, the demand of sovereign rights over personal data will only grow.

Currently  our ITA 2000 nor the DPDPB 2022 does not address this situation.

I therefore request MeitY to consider through a CERT IN guideline to release a notification that

-Processing of Personal Data of citizens of designated countries shall be handled with care and under report to CERT In.

-Such data should be held in a separate custody as  “Foreign Properties of designated countries

-The possibility of a normal data breach becoming a trigger for International dispute needs to be flagged as a “Data Security Risk” with appropriate security measures.

-The  processing of such data of foreign citizens should be also reported to the data protection authority of the data exporting country in addition to the data protection authority/CERT-IN in India.

-If no exemption is provided for Data from being treated as “Property”, then laws applicable to properties of citizens in foreign countries will apply automatically and this has to be factored in as a Cyber Risk factor

I request MeitY/CERT-In to clarify in this matter.

In the current year when India is the Chairperson of G-20, we need to raise this “Handling of Data Transfer across Borders” as not a simple Section 17 -DPDPB 2022 issue or Article 44 of GDPR but as an issue involving transfer of property across borders and work out a resolution for such disputes.

Naavi

(Request for comments)

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment