Author: Adv. Yogesh, pursuing LL.M at Dayananda Sagar University, Bengaluru
INTRODUCTION:
Algorithms now structure the foundations of the digital era. Working unseen in the background, they decide what an individual sees on digital platforms, influence his ideas, choices and thought process, and sometimes even play a part in whether an individual gets an employment interview. Their scope in the virtual era is broad: from curating feeds on digital platforms such as social media and approving debt at financial institutions to predictive policing and even digitalizing human health supervision, the decision-making ability of algorithms is now deeply ingrained not just in private and public governance but in all fields and places. Nevertheless, as these machine-operated designs grow stronger, their ambiguity poses serious legal and ethical dilemmas.
In a highly populous country such as India, the Digital Personal Data Protection Act, 2023 (DPDPA) is considered an imperative move in safeguarding citizens' rights and the privacy of their data, especially personal data, amid the increasing use of algorithmic systems. Although the Act establishes data security and protection provisions, it is completely silent on one pivotal aspect: the audit of algorithms that process personal data.
There is an urgent need to address the audit of algorithms, as even a brief look at India's evolving data protection mechanism shows. Without an intensive and systematic audit procedure to ensure algorithmic principles such as fairness, accuracy and transparency, this lacuna makes the Digital Personal Data Protection Act a vulnerable tool in the modern tech-driven age.
THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 (DPDPA) – A Brief Insight:
This is regarded as India's first detailed and comprehensive law on data protection and security. It aims to safeguard individuals' personal data in the virtual age while allowing the legal and obligated use of data by companies, government and organizations. It contains provisions on safety and precautionary measures to protect data privacy and confidentiality, the appointment of Data Protection Officers (DPOs) and the procedure for conducting Data Protection Impact Assessments (DPIAs), and it promotes concepts such as data principals, data accountability or data fiduciaries, and consent. Overall, it does not throw light on algorithm governance, leaving an important gap in regulation. In simple terms, it states:
- What data are to be collected and stored?
- How can it be processed and used?
- What control or rights does one have over the data?
MEANING OF ALGORITHMS AND ITS LEGAL IMPORTANCE:
In common parlance, an algorithm is a set of instructions, a step-by-step procedure or a mathematical and logical sequence that guides a system to perform tasks, solve problems or generate desired outputs. Contemporary algorithmic models enabled by Machine Learning (ML) and Artificial Intelligence (AI), however, are far from simple. They are designed to work on data, including personal, general and structured data, and to autonomously enhance their ability to perform tasks over time.
This gives rise to three key legal concerns:
- Bias and Discrimination – Algorithms learn from data, but if the data carries past human bias such as caste, age or gender discrimination, AI can repeat that bias. At large, this raises concerns about equality, accountability and fairness.
- Absence of Transparency (Black Box Problem) – Algorithms at large, especially those designed using AI or Machine Learning, work in ways so complicated that even their developers cannot explain them. In short, we cannot see or understand how decisions are made.
- Privacy – Algorithms rely heavily on gathering and processing huge amounts of personal data; the absence of precautionary measures can lead to data leaks, tampering, misuse or violations of privacy laws at large. Sometimes they can be hacked or manipulated to generate wrong output.
Whenever algorithms make decisions that affect the community at large, whether in recruitment, social scoring or law enforcement, the law must ensure that this is done fairly, legitimately and transparently. This is where the concept of algorithmic audit comes into the picture.
WHAT IS AN ALGORITHMIC AUDIT?
It is an organized and systematic process of evaluating or inspecting an algorithm's design, its functioning and its results to ensure compliance with legal, ethical and technical benchmarks. It includes transparency, fairness, accountability and privacy audits. Algorithmic audits are regarded as the bridge between technical complexity and public accountability.
Internationally, jurisdictions such as the European Union (EU) and the United States of America (USA) have begun to implement algorithmic audit clauses in their AI models and in their respective data protection laws. In contrast, our country's data protection law, though progressive in nature, does not yet recognize algorithmic audits as a mandatory legal responsibility or obligation.
The DPDPA does not mention “algorithm” or “automated decision making”. This lacuna raises debate about how individuals can know whether a decision is automated, dispute outcomes or justify fairness in action. Algorithmic audits are therefore necessary to fill the gap between legitimate data usage and illegitimate data discrimination and bias.
NEED FOR ALGORITHMIC AUDIT:
- To safeguard the individual's right to privacy and protect against decisions that affect the community at large, such as the screening of job applications and the granting of loans.
- To perform periodic and timely audits that promote fairness and transparency in the tasks performed.
- To ensure that the data used is legitimate, accurate, updated, ethical and free from bias.
- To promote accountability, credibility and trustworthiness among users.
- To mitigate data misuse or breach.
- To meet universal or global standards such as the EU AI Act and the Organisation for Economic Co-operation and Development AI Principles.
BUILDING A GOVERNANCE STRUCTURE FOR ALGORITHM AUDIT IN INDIA:
- Algorithms should always be audited before they are deployed, and regular and timely audits should be mandatory.
- Audits should be performed by neutral experts and not by the developers themselves.
- Companies should publish audit reports stating how the algorithm works or performs, what inputs it takes and what processes are embedded to prevent bias and discrimination.
- There should always be a risk-based classification of algorithms in order to ensure stringent audits.
- Giving legal status to machines that take decisions which influence or have an impact on the people at large.
CHALLENGES IN OPERATIONALISING ALGORITHM AUDIT IN INDIA:
- There are no rules or provisions determining how audits should be performed.
- Developers may restrict auditors' access on grounds of secrecy, which makes audits inefficient.
- In practice, it is not possible to quantify fairness in technical terms.
- It is not cost-effective for start-ups and small and medium enterprises.
- There is no alignment of laws: the DPDPA, the Information Technology (IT) Act and some regulations governing AI exist side by side, which creates ambiguity as to which law governs which audit.
- There is a shortage of skilled and experienced auditors who can audit complex AI systems.
COMPARATIVE VIEW:
A glance at the EU AI Act and General Data Protection Regulation (GDPR), China's Next Generation AI Development Plan and regulations, US AI rules, i.e., New York Local Law 144, and Singapore's Model AI Governance Framework shows that all have stricter and compulsory provisions on algorithmic audits. India should also adopt similar provisions in its data protection mechanism so as to ensure safety and security.
RECOMMENDATIONS:
- Create awareness among the public at large.
- Include provisions on the accountability and transparency of algorithms in the Act.
- Insert the necessary clauses to promote algorithmic fairness.
- Ensure mandatory, effective compliance norms and impose strict rules that leave no scope for being ignored.
CONCLUSION:
India's technology is growing impressively, and at the same time there arises a need to promote constitutional principles and values. These tend to reshape data safety into algorithmic justice, which reaffirms that protecting individual rights is more than just valuing the algorithmic aspect; ensuring effective audits to protect against data theft should be a paramount initiative of the legislators.

