Algorithmic Decisions: India's Evolving Stance Amidst Global Frameworks
The landscape of algorithmic decision-making (ADM) is rapidly evolving, posing complex challenges for privacy and data protection. As India’s Digital Personal Data Protection Act, 2023 (DPDPA) moves towards full implementation, Indian businesses, particularly those with global footprints, must navigate domestic requirements alongside stringent international regulations. This analysis compares India’s approach to ADM, primarily through the DPDPA, against the explicit provisions of GDPR Article 22, the comprehensive framework of the EU AI Act, and the pioneering state-level Colorado AI Act.
The Indian Framework: DPDPA’s Indirect Approach
The DPDPA, 2023, while a landmark privacy legislation, does not contain a specific provision directly addressing automated individual decision-making in the manner of its European counterparts. There is no explicit “right not to be subject to a decision based solely on automated processing.” Instead, the DPDPA’s general principles and data principal rights offer indirect avenues for addressing concerns related to ADM. For instance, the requirement for clear and affirmative consent for processing personal data (Section 6) implies that data fiduciaries must inform data principals if their data will be used in automated decision-making that could have significant effects. The “notice” obligation (Section 10) further mandates providing an itemised notice about the purposes of processing. Data principals also have the right to information about their personal data and its processing (Section 12(1)(b)), and the right to correction and erasure (Section 12(1)(d), (e)), which could be invoked if an automated decision is based on inaccurate data. Beyond the DPDPA, sector-specific regulations, such as those issued by the Reserve Bank of India (RBI) for financial services, often impose requirements for fairness, transparency, and explainability in automated lending or fraud detection systems, offering a degree of protection in specific domains where DPDPA is silent.
GDPR’s Direct Right and the EU AI Act’s Risk-Based Approach
In contrast to the DPDPA, the European Union offers explicit and comprehensive protections. The General Data Protection Regulation (GDPR) Article 22 grants data subjects the explicit right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This right comes with limited exceptions (e.g., necessity for a contract, authorised by law, or explicit consent) and crucial safeguards, including the right to obtain human intervention, express one’s point of view, and contest the decision (Article 22(3)). This makes GDPR significantly stricter than DPDPA regarding direct individual rights against ADM. Building on this, the recently enacted EU AI Act introduces a comprehensive, risk-based regulatory framework for Artificial Intelligence systems. It categorises AI systems based on their potential to cause harm, with “high-risk” AI systems (often those involved in critical ADM in areas like employment, credit scoring, law enforcement, and education) facing stringent requirements. These include robust risk management systems, data governance for bias mitigation, transparency obligations (Article 13), human oversight (Article 14), accuracy, and cybersecurity. While not a direct “right not to be subject to ADM” like GDPR Article 22, the EU AI Act’s requirements for high-risk AI systems provide strong indirect protection by mandating fairness, explainability