Artificial Intelligence
Spread the love for law

About the Author:

Swankit Kumar Nanda is a law student in KIIT School of Law, Bhubaneshwar


The world has evolved and it will keep evolving. Sometimes it would evolve for the better and some other times it would settle for less. The world does not sleep, and changes day by day, hour by hour. In this ever changing world technology plays a key role, technology has changed the way we do things, even the way we think. The previous eras of evolution were the biological evolution of humans but in this era, it is all about the technological evolution of humans. We as an individual person, as a city, as a country are continuously thriving ourselves to become technologically sound. Without withdrawing any credits from technology, it has made our life easy and convenient but at the same persisting time without us knowing much it has complicated our life as well.

The question that follows from the last line is – ‘Are we using technology responsibly’, the answer goes without saying is a big NO, if that would have been the case, then cyber crime would not have come into the picture in the first place. But in this write up we are not discussing traditional cyber crime, but will try to visualize the bigger picture and try to analyse the dynamic challenges that technology will throw at us in the future course of time.

In this write up we will deal with AI, Bigdata and ML, potentially they all form the same part of the problem. But we will delve into a brief definition of the three aforementioned terms- 


Bigdata, as the name suggests literally goes with its name that is the data which is so gargantuan that human without using machine or technology cannot process it, which become useless if such data cannot be processed. Bigdata are collected over years through developing algorithms that can later be processed and derive substantial information. Bigdata are stored and processed in super computers. Considering an example will make the case clear – the websites and mobile app of flipkart or amazon track your browsing history, order history and many more other components to develop algorithms which they again use to give you a personalised shopping experience by showing pop-ups like ‘products based on your choice’ or sometimes even suggesting you with what you should buy.


Artificial intelligence is the capacity of machines or robots to mimick or act like humans or to do work that humans do, or to perform the works which humans cannot. Or sometimes it goes beyond doing the work more effectively and efficiently than humans. The robots or machines are able to perform such tasks by acquiring and processing the bigdata algorithms. Now let’s consider an example – Swiggy uses a microbot to address the queries and complaints of customers through chats. The microbot gives advice or addresses the complaints like humans, they reply to your texts just like humans does.


The decision making ability of a machine by acquiring and processing algorithms that are developed through collections of data.

From the above definition, it stands clear that all the three aforementioned concepts are closely related to each other and cannot be separated from each other.  Or we can also conclude that the basis of AI and ML is bigdata.


 Presently in India, there are no statutes or rule regulating bigdata, as there is no regulation there is no restriction or disclosure requirement on the quantum of personal data collected by the app and website we use. They can collect whatever data they want from us. Allegedly an Israeli company NSO group has sold spyware to the Indian govt. It is further alleged that the spyware was used to collect sensitive personal data from the devices of 300-400 odd individuals, we are not delving into the fact that whether sensitive personal data was collected or not, but considering the reason for such allegations is crucial.

Current provisions of IT rules do not contain a definition of ‘personal data’ however it defines personal information and includes within the ambit of it –

  • Password
  •  Sexual orientation
  • Physical, psychological and mental health conditions
  • Financial information such as bank account, credit card etc.
  • Medical record and history
  • Biometric information

A bare reading of the provision feels like it is sufficient enough to protect our personal privacy but if we really delve deep into the matter, we would realise that bigdata collector does not collect any of the aforementioned categories. They on the other hand track us through our browsing activities[1].

This present definition of private data revolves around the identification of persons (data that can be used to identify a person) it lacks in addressing the data that is already been collected from an identified person, I.e his online behaviour, his liking, his disliking, sexuality etc. This is not barred by the current provisions of IT laws. Privacy and security are a major concern in bigdata.[2]

Here comes into picture the concept of information privacy, which means to have some control over the usage and the way of usage of personal information of individual or a group. One major grave privacy issue is identification of personal information while it is transmitted through internet.[3]

Due to cloud computing storage of bigdata is not a concern but security of the stored data is. If at any point of time the data so collected or the algorithm so developed got sacrificed then it would be disruptive in individual level.[4]  data security has three major dimensions out of which two are predominantly connected to the privacy of the individual or the data provider I.e. confidentiality and integrity of data.[5] Moreover the algorithm developed by collecting data are opaque in nature, the usage of such algorithm is not disclosed to the data providers I.e the Individual persons or a group of persons. 


In India, there is ofcourse IT act which defines different kinds and types of cyber crimes but in India, there is no data protection legislation which can set a threshold on the quantum of data that is to be collected in order to develop algorithms, imminently private data of individuals are at stake due to this lacunae in Indian scenario. In the UDHR (Universal Declaration of Human Rights) privacy is recognized as a fundamental rights. So in India as well the right to privacy is declared as fundamental rights[6]

Rule 5(1) of the information technology rule 2011, provides that everybody corporate in each instance before collecting data obtain permission or consent from the data provider. In a scenario where data are being collected without human interaction on a real time basis it seems impossible to seek permission or consent every time.

Rule 5(6) of the information technology rule 2011 prescribes that a body corporate should provide with a notice every time highlighting the details of the reasons as to why the data are being collected and for what purpose it would be used by the body corporate. Above all it prescribes that body corporate shall not retain any data beyond the time frame for which the data are required for lawful purpose but again in the real time collection of data without human interaction this provision become quiet stringent and far from applicability.[7] 

All the provisions would be difficult to implement on bigdata, where the colossal amount of data are being collected in real time and ongoing basis without the individual even knowing. In this rule as well the provisions only talks about disclosure of information it does not address the sharing of information or auto sharing of information that is enabled in network devices. 


Pretty much inspired and inculcated from the GDPR (General Data Protection Regulation) of EU, No doubt that, the data protection bill of 2019 will solve many of the problems once it gets implemented. It is expected and aimed to solve problems like cross border transfer of data without the permission of the data provider, no corporate based in India or outside India would be able to transfer data from India to any other part of the globe without the consent of the data provider.

Moreover the data can only be transferred to countries to which the central govt of India prescribes in its list. Exception to this provision is the data should not fall under the restricted category, data falling under this category cannot be transferred anywhere. The main lacunae that the bill fails to address is, it do not cover under its ambit the central government. Agencies of central government are not included and the provisions of the bill do not apply to them. The reason being cited is sovereignty, security and integrity of the state.[8] But who decides upto what quantum our personal data would be used for the purpose. The exemption granted to the agencies of the central government may result in vulnerability and misuse of sensitive personal data of individuals.

The next big concern is the data protection bill of 2019 is silent on retrospective applicability, which means the personal data that had already been collected would not fall under the purview of this bill/legislation. That further means until the date the bill gets enacted  the personal data of individuals are at stakes in the hand of corporate and other agencies who collects or tracks personal data. [9]


As India is a tech hub of the world, it goes without saying that India ought to have in place a multi dimensional legislation to cover the ever evolving lacunae. The major concerns the legislation shall address are –

  • Unification of use of bigdata, the legislation shall fix a threshold limit on quantum as to what degree; body corporate can use the personal information of individuals.
  • Purpose of collecting the data shall be transparent, Individual has the right to know the fact that, why they are being subject to a pool of data as a component of it and how the data would be used.
  • The bigdata algorithms shall be regulated in a way that it shall not breach the personal privacy. Per say, a person browsed about headphone on flipkart or amazon the next moment he sees add of headphones on his social media platform. This kind of inter connectivity shall not be the case. The algorithms shall be used on a particular platform on a particular instance.
  • The Bigdata, AI, IOT etc specific legislation shall have enough room to evolve and it must take into consideration different class of people such as Data developer, Programmer, Data analyst, and such other stakeholder.
  • There should be defined parameter on the usage of sensitive personal data of individual by the state.
  • Developing  a data repository might help to great extent, where anonymous data are stored, pooled and can be utilised as per requisite parameters. [10]

[1]Aditi Subramaniam and Sanuj Das,  ‘The Privacy, Data Protection and Cybersecurity Law Review: India’, available at

[2]By Ellonoi Hiskok, Bigdata And Information Technology ( Reasonable Practise And procedure And Sensitive Personal Data Or Information) The Centre for Internet & Society, Available at

[3]Porambage P, et al. The quest for privacy in the internet of things. IEEE Cloud Comp. 2016;3(2):36–45.

[4]Sokolova M, Matwin S. Personal privacy protection in time of big data. Berlin: Springer; 2015.

[5]Xiao Z, Xiao Y. Security and privacy in cloud computing. In: IEEE Trans on communications surveys and tutorials, vol 15, no. 2, 2013. p. 843–59

[6]KS Puttaswamy & Anr v Union of India & Ors. W.P (C) NO 494 OF 2012

[7]By Ellonoi Hiskok, Bigdata And Information Technology ( Reasonable Practise And procedure And Sensitive Personal Data Or Information) The Centre for Internet & Society, Available at

[8]Ministry: Law and Justice, The Personal Data Protection Bill, 2019, (May. 5, 2020, 8:05 PM),

[9]By Yamini Jain & Gaurav Sandeep Karwa, Impact of retrospective applicability of PDP Bill, 2019, Ipleaders, available at :,the%20enforcement%20of%20this%20legislation.

[10]Kumari Purva, Kunal Lohani, Divjyot Singh, AI ML & Bigdata 2020|india , Global Legal Inside, Available at –


  1. Pingback: Artificial Intelligence in Judiciary: Applications & shortcomings - Dream Legal

Leave a Comment

Your email address will not be published. Required fields are marked *