Regulation of commercial use of consumer data by artificial intelligence systems
- Yashraj Mandloi
- 7 days ago
- 16 min read
ABSTRACT
Regulation of commercial use of consumer data by artificial intelligence system. Artificial system has completely transformed how consumer data is used processed and collected and misused in Indias rapidly growing digital economy and becoming worlds-largest digital economy, while DPDPA 2023 marks India’s first step towards data protection, serious questions are raised that it gives complete data protection or not from data misuse. The study examines how AI systems commercially utilize consumer data, scope of DPDPA 2023 and identifies its critical gaps and compares Indias regulatory frameworks with international standards such as EU’s GDPR and AI act. using a doctrinal and comparative legal research methodology, the study finds that Indias framework fall slightly from international standards in areas of algorithmic accountability, regulatory independence, and consumer remedies. The study-conclude with required legal reforms for building fair transparent and accountable AI data governance frameworks in India.
KEY WORDS
Artificial intelligence, consumer data, data privacy, algorithmic profiling & accountability, law and technology, data governance, digital personal data protection act, 2023.
INTRODUCTION
Today almost everything we do online creates some data. Searching on google, online shopping platforms, watching videos, using social media or even when we accidently counter any type of ads. Everyone of us has noticed that if search any product on google suddenly their adds comes in our Instagram feeds and other social media platforms out of nowhere companies use this data to manipulate consumers in their decisions of buying any products. Companies collect this data and use artificial intelligence system to study consumer behaviour, predict interests, and influence their decisions. Ai made online services quicker but also made serious concerns about privacy and misuse of personal information, most consumers are not aware that their data is being collected and used to create adds and present theme on their habitual apps and manipulate decisions of theme. Most of us doesn’t know how our one simple google-search or a chat between friend on an online app regarding any product leads to several adds of same product within few minutes this shows serious concerns about data privacy and need of strict regulations for protection of same.
In recent years, India has witnessed rapid growth in digital economy. Online shopping has bombed all e-commerce websites, financial applications, social media companies heavily rely on consumer data for their business purposes. To address growing privacy concerns government of India enacted the digital personal data protection act, 2023 this act aims to provide legal protection to personal data and establish responsibilities for the platforms which uses such consumer data for their commercial purposes. However, with increasing use of AI technologies, an important issue arises, whether existing legal protections are sufficient t regulate commercial use of consumer data by AI driven systems.
AI systems work in way that is difficult to understand by common people they can collect large amounts of information, analyse patterns and make automated decisions without clear transparency. This creates risks as such manipulation of consumer choices and unauthorized sharing of personal information. Although legal framework attempt to regulate these practices, technology is evolving much faster than laws. The research paper examines the commercial use of consumer data by AI systems and analyses whether the digital personal data protection act, 2023 provides sufficient protection to consumers or not, and the study also compares the Indian legal framework with international standards such as EU’s AI act and (GDPR) general data protection regulation which are considered important global models for data and AI governance. The scope of the study is limited to the use of consumer data by AI driven systems and comparative analyses to international standards. The study mainly relies on secondary sources, including statutes, government reports, policy papers, case laws, journal articles and academic writings it does not involve empirical surveys or field research.
The research paper seeks to mainly answer four major questions, first how do AI driven systems use consumer data in digital economy, second are current regulations enough to protect consumer data from ai driven misuse, third what reforms are needed and last question compares Indian frameworks with international standards.
LITERATURE REVIEW
1. Many researchers have studied the relevant topics of our research paper they have different views and different approaches which helps us to understand our topic in deep and helps to analyse important points involved in commercial use of consumer data in AI. Several scholars -has written about data use by ai systems, Zuboff (2019) introduced the concept of surveillance capitalism arguing that technology companies-has built entire business on harvesting user data without meaningful consent, they-has built their entire revenue system based on user data by extracting it by AI models and making quick decisions and manipulating consumer decisions. She argued users are not customers but raw material, and ai systems are primary tools through which extraction happens.
Adding on this, Mayer-Schonberger and Cukier (2013) showed that big data fundamentally shifted decision-making power from individuals to corporations, creating deep information asymmetries. Pasquale (2015) further explored same in the black box society arguing that AI driven systems operate with very little transparency, making it nearly impossible foe consumers to understand how their data influences their decisions from credit scores to job opportunities.
Crain (2018) added that the advertising technology industry, which is heavily AI- dependent, has normalised the commercial surveillance of consumers to degree that existing legal frameworks were never designed to handle. This works collectively establish that AI’s commercial use of consumer data is not accidental but structural plan of companies to improve their revenue and influence consumers decisions.
2. The DPDPA 2023 establishes several regulations for protection of consumers as data principles in the act this include right to access information about how their data is being used and other similar important rights are granted. Bhandari & sane (2023) conducted one of the earliest and most cited analyses of the act and acknowledges important baselines for protections, they argued that acts consent frame work is overly simplified, relying on a yes and no option and which does not account for the complexity of the AI driven data processing, where data collected for one purpose is used for many other purposes with consent of one permission. Bhatia (2023) argued that section 17 exempts all government authorities from the act and this exemption is dangerously broad and sets a troubling precedent. Vijay Lakshmi v. state bank of India the court held that automated system used by financial institutions must be subject to human foresight and consumers must have meaningful remedy when such system cause harm. The case directly supports the argument that the DPDA’s silence on algorithmic decision making is critical gap.
3. Need algorithmic accountability and transparency, Pasqule (2015) argued that there should be mandatory government regulation for regulating AI decision making systems to protect consumers. Establishment of an independent regulatory authority Bhandari & Sane argued that the data protection board by DPDA is compromised by the fact that their appointment and accountability is subject to central government does it crate conflict between government and board when the breach or accused is government. The internet freedom foundation (2023) recommended that the government has genuinely established an independent board for AI regulation structured on basis of EUs GDPR, security of tenure etc, and has power to impose meaningful penalties without executive interference. Further Ramanathan (2023) argued that-their should be mandatory legal literacy programs requiring technology companies to inform consumers in plain language about their data rights and conditions of operating in the Indian market he said maximum consumers did not know about their own consumer rights. cross-border data governance systems Voigt & von Dem Bussche (2017) argued that cross border data transfers are one of the most significant vectors for consumer data misuse, because data transferred to jurisdictions with weaker protections can be processed by AI systems in ways that would be illegal in the country where it was originally collected.
4. DPDA v. EU’s GDPR and AI act, Puthenveetil notes that their rights mirror each other in principle, the DPDA’s formulation is more skeletal, leaving the substantive counters to subordinate rules yet to be finished. While functional equivalence of GDPR is more broadly accepted model.
Despite a growing research there are few gaps which need s to be filled, AI and commercial data is overlooked that how it exploit consumer data, consumers protection against AI misuse is understudied existing literature focuses on DPDA rather than is its real world practical effectiveness in protecting consumers, policy reforms and other require needs are neglected to much, and no real research has been done on comparing GDPR & DPDA.
METHODOLOGY
The study adopts and uses doctrinal and already present data for its research design, doctrinal research means the study is based on analysing existing laws, statutes, judgements and legal texts around the world rather then-collecting data from people through surveys or interviews. This approach is most suitable for legal research because it allows a deep and structured examination of how the law is written, how it is applied and where its gaps leis. The descriptive element helps to explain the current state of ai driven data regulations in India compared to international standard in clear and oraganized manner.
This research is qualitative in nature, it does not involve numbers, statistics or experimental data, instead it focuses on understanding the meaning, scope, and effectiveness of legal provisions, judicial decisions, and policy frameworks, as this all are related to commercial use of consumer data by AI driven systems. Qualitative legal research is widely accepted as the appropriate method for studies that seeks to evaluate, compare, and critique laws and regulatory frameworks of our country.
The study relies entirely on secondary data this-sources fall into three categories. The first category is primary legal sources, which include digital personal data protection act 2023, the information technology act 2000, the constitution of India the EU general data protection regulations and its AI act. The secondary legal sources are peer reviewed journal articles, working papers, policy reviews and critical law analysis, academic books written by law scholars, data protection articles and technology policy researchers. The third cate3gory is institutional sources, which includes reports and publications such as internet freedom foundation, the data governance network and European data protection board, and various research paper publishers which are available online.
The study uses comparative and analytical methods, the comparative method is used to compare Indian framework like DPDA and it act 2000 with international standards of EU’s GDPR and its AI act. The analytical method is used to critically examine whether existing Indian laws protect consumers and their data misuse from AI driven platforms and what reforms are needed to fully protect consumers.
The study is limited to the legal and regulatory frameworks governing and regulating consumer data by AI systems, with focus on Indian law and comparing it to international standards, the study dopes not include primary data collection such as surveys and interviews or fieldwork, additionally since AI systems are rapidly evolving some developments after I wrote this paper would not be there in findings.
MAIN BODY/ANALYSIS
Chapter-1
How Do Artificial Intelligence System Commercially Utilize Consumer Data In Digital Economy?
The fast growth of digital economy in India has made personal data as one of the most important source of income to big commercial units which uses AI models to detect and capture personal data and use accordingly to influence consumer decisions and misuse their personal data. The companies use big AI tools and extract consumer data at very fast speed which we cannot imagine, this chapter will examine how AI system works and uses consumer data.
How AI System Collect and Process Consumer Data-Every time we uses a food delivery app, searches something online, makes online payments through our digital wallets or does do a random search regarding anything or product or watch video on Youtube or any other social media platform data about our daily routine and behaviour is collected and feed to AI systems, this systems analyses pattern and predict future behaviour and uses theme commercially and shows you relevant adds or commercials on the very next moment all over your apps which you goes through, this means it shares your data with every app you use, every big company uses theme to profile your behaviour by monitoring your behaviour and daily habits which you does online. Zuboff in 2019 described this process as surveillance capitalism meaning extraction of data from our daily routine, India has rapidly growing and crossed this no. to 900 million in 2023, making it one of largest digital market in the world. The main concern is we all are unaware of the extent to which our personal data is commercially misused. Pasqualein 2015 explained that this ai systems operates as black boxes, processes consumer data with advanced algorithms that no one can understand nor regulators and not the users themselves, this problem that the complex systems can’t be easily understood and this creates gaps and ways for companies to escape liability.
Commercial Monetization of Consumer Data-The data in Indian digital economy is primarily collected through three systems, the first is targeted advertising, where based on your searches your data is sold to advertisers which shows you relevant advertisements, the second system is called dynamic pricing where people are charged according to data collected by AI of how much they spend and can spend, and the third system is third party data sharing where your data is shared to specific companies without your consent. Mayer-Schonberger & Cukier (2013) argued that consumers are treated as source of income to companies by selling their personal information, this raises serious concerns for protection of data privacy.
Chapter-2
Legal Framework Analysis- DPDPA, GDPR, AI Act.
The chapter will address two research questions-to what extent does DPDPA, 2023 protect consumers against AI driven systems and comparing Indian legal framework with international standards like GDPR and AI act and their comparative analysis.
Protection Under DPDPA And Its Gaps-The act is Indias first data protection legislation and it established several important consumer rights, they have right to information that how their data is being used, right to correction and get grievance redressal and right to represent a representative. The rights are meaningful if we compare theme with IT act 2000which almost had nothing about data protection. Whereas the literature review conducted for this study has identified many gapes in the DPDPA also which can be used to misuse consumer data, where data collected for one purpose is used for another without consent of the consumer. Bhandari & Sen argued that this consent thing makes the act weaker. The second concern is about section 17 which grants immunity to central government allowing any government agency to escape from liability, Bhatia in 2023argued that this exemption is broad and can be misused. The third is DPDPA is completely silent on algorithmic decision-making. It has no provisions equals to GDPR’ s section 22 which gives consumers right not to subjected to automated decision making, Wachter, Mittelstadt and Russell 2017 identified right to explanation for automated decisions, which are not there in DPDA. Fourth thing is the data protection board established under this act is not completely independent, the members are appointed by central government and they are answerable to central government creating conflicts, The internet freedom foundation noted this.
The GDPR And AI Act As International Standards-The EU’s general data protection regulation 2016 ad most comprehensive data protection framework in the world. Its core principles of purpose limitation, data minimization, accountability, transparency and section 22 give right to challenge automated decisions, this gives entire protection to consumers which is absent in India. Voigt & Von Dem Bussche 2017 noted that strength of GDPR not leis in its rights but in its enforcement mechanism, having genuine independent bodies ti impose fines ad obligations which is absent in DPDPA. The US’s AI act goes further gives risked based classification system, high risk applications like healthcare, employment, credit score are subject to law enforcement and strict transparency human oversight and accountability. Veale and Borgesius 2012 explains the risked based model is best practical approach to regulate AI decisions because it focuses on places where consumer harm is at higher risk.
Comparative Analysis and Gaps-The direct comparison with all three models shows that the Indian model DPDPA legs behind international standards such as GDPR and AI act of EU, and on several critical areas no right equivalent to section 22 of GDPR which gives right to challenge automated decisions, no algorithmic solutions for data misuse and no risk based profiling is present to protect consumers, and also India does not have a genuine independent body for redressal it’s largely impacted and affected on will of central government. Smuha (2021) argued that is regulatory gap is particularly is concerning because India digital economy is spread to every sector from education to healthcare everywhere. The identified gap clearly shows that Indian legal framework for consumer data protection ad protection of personal data lags to much from GDPR and AI act, its isolated and limited this-gaps leads to ai driven misuse of consumer data.
Chapter-3
Legal and Policy Reforms Necessary for India
After identifying the gaps in Indian regulatory framework regarding commercial use of consumer data by AI driven systems, and to address and answer our third research question we will discuss what regulatory frameworks are required for fair and accountable data protection and its regulation.
Recommended and required reforms.
The first and most urgent reform is we should introduce system and legislation for algorithmic accountability in our DPDPA or an-another new act to counter this- problems. This provision should aim to provide consumers right to get a meaningful explanation when their decisions are lightly influenced by AI driven systems and affecting and causing loss to theme, and a right to challenge such decisions before a human reviewer Pasqule 2015 and Wachter et al 2017 both recognised algorithmic accountability as important part of AI consume protection frameworks.
The second reform is restructuring the data board and lowering the influence of central government to make it independent in decision making and provide a proper structure and recruiting based on merit and skills of workers this will ensure fast, fair and speedy solution for consumers. Parsheera 2019 argued that board of GDPR of EU is independent that’s why its world standard data protection framework India data protection board required such autonomy to protect consumer rights.
The third reform should dedicated AI act or legislation for India because IT act 2000 and DPDPA 2023 is not sufficient we should follow EU’s model for better transparency and accountability of the system. Datta 2021argued that seeing such large Indian population we should adopt this key-legislations for consumer protections, adding significant and other required things rather then copy pasting from EU’s models.
The fourth reform is increasing penalties and limiting data misuse and data sharing between this apps and platforms, limiting data collection and introducing strict penalties. Solove 2013 identified structural limitation as important safeguard.
The fifth is bringing action against these companies, allowing to bring complaints against data exploiters, Bhatia 2023 argued that consumer data is exploited and they should have right to bring actions against those institutes or their-should be individual complaint system.
The sixth reform should be cross-border data transfer provisions should be added in the DPDPA, this will ensure consumer data which is transferred outside India remains and consumer rights are protected.
Finally-the last reform should be there should be a provision which deals with developing technology of AI and its new ways of data misuse this section will keep our regulation pace with the developing systems and will protect data from developing dangerous from the beginning.
DISCUSSIONS
The discussion part brings together the key findings from the main body and explain the meaning of the study collectively, this will include legal analysis, comparative framework and identified gaps to provide better understanding of our study and where does India stand and what reforms are urgently needed.
The analysis conducted along our three main chapters gives us a concerning image of our legal framework, because our digital economy is growing-rapidly we need important reforms to with fast growing of the digital and AI world we should work fast for their regulations and maintaining the pace with rising technology and protecting personal data of people.
The DPDPA has showed a genuine and important progress for the first time India has made a complete different legal framework for the AI accountability, however our study has shown the act has many gaps and it does not give complete data protection to consumers and has many weakness which needs to be fixed early, this things limits its performance the consent framework is to simple for handling complex AI data misuse. The government exemption from the act is to-broad, and the data protection board should be freed from central influence and made independent so they can take required actions without any burden. The most important thing is the act does not say anything about algorithmic decision making, leaving consumers without any legal protection from AI systems and they influence consumer decisions from every sector, health, education etc.
The comparison with GDPR and AI act of EU gives many visible gaps, they had spent years in building their regulatory frameworks that addresses both data protection and AI governance both are different but are connected challenges. India currently does not have a fully data protection and AI governance but placing it very behind from the international standards.
The literature gap identified in comparing three frameworks of GDPR and AI of EU with DPDPA with context to data protection and AI driven commercial misuse of consumer data confirms academic contribution this research makes. Scholars have examined the frameworks individually but rarely together in the Indian context, and therefore this study fulfils the space meaningfully.
While connecting our all four research questions the study has answered theme trough analysis, AI systems commercially exploit consumer data by behavioural profiling, targeted advertising and third-party data sharing. The DPDPA only provides partial protection against the data exploitation due to its structural gaps, legal and policy reforms are required stronger consumer remedies and are also urgently needed as EU’s GDPR and AI act both acts has international standards must be taken in note for better data protection.
CONCLUSION
The study had explained that how does artificial intelligence system commercially uses consumer data and misuse it. Consumer data in Indian digital economy and Indias current legal framework protects consumers data from AI misuse or not, through doctrinal and comparative analysis of DPDPA by GDPR and AI act. The study helps us to understand that although India has taken its first step for data protection but significant gaps remains that leaves many ways from which consumers can be harmed.
The DPDPA 2023 has established foundational consumer rights but falls in some critical areas like it does not have anything for algorithmic decision making, lack of independence and interference of central government and exemptions to government and many simple gaps we studies in this research this all factors weaken our legal framework against AI driven data misuse in commercial and Indian digital environment. The comparison with international standards explains that regulations just not required legal rights on paper but independent enforcement bodies, algorithmic accountability mechanism and risk-based approach is needed for AI governance and protection of consumer personal data.
Indias economy is one of fastest growing both in digital and actual form, in this growing world and developing technology we need systems and regulations that should protect rights not just today but after decades this reasonable actions will lead to future of India.
Based on finding of our study the following suggestions are purposed by me for better ai regulations, algorithmic accountability provisions, right of explanation and human review of automated decisions, data protection boards independence and restructuring, dedicated AI legislation, limitation of data collection and increased penalties, right to bring actions and better complaint systems and last the last thing their should be a provision which deals with developing technology and AI misuse which bans theme is they cause harm or misuse consumer data. And finally all my sources which I used for research and other things.
REFERENCES/BIBLIOGRAPHY
Legislation & Regulations1. Digital Personal Data Protection Act 2023 (India).2. Information Technology Act 2000 (India).3. Council Regulation 2016/679 (EU) (General Data Protection Regulation).4. Regulation (EU) 2024/1689 (Artificial Intelligence Act).
Books5. Mayer-Schönberger, Viktor & Cukier, Kenneth. Big Data: A Revolution That Will Transform How We Live, Work, and Think 77–83 (Houghton Mifflin Harcourt 2013).6. Pasquale, Frank. The Black Box Society: The Secret Algorithms That Control Money and Information 141–148 (Harvard Univ. Press 2015).7. Voigt, Paul & Von dem Bussche, Axel. The EU General Data Protection Regulation (GDPR): A Practical Guide 198–205 (Springer 2017).8. Zuboff, Shoshana. The Age of Surveillance Capitalism (Public Affairs 2019).9. Crain, Matt. Profit Over Privacy: How Surveillance Advertising Conquered the Internet (Univ. of Minnesota Press 2021).
Journal Articles10. Smuha, Nathalie A. ‘From a Race to AI to a Race to AI Regulation’ 57 Innovation & Technology 68 (2021).11. Veale, Michael & Zuiderveen Borgesius, Frederik. ‘Demystifying the Draft EU Artificial Intelligence Act’ 22 Computer Law Review International 97 (2021).12. Datta, Aritra. ‘Global AI Governance and the Developing World: Bridging the Regulatory Gap’ 6 Journal of Law & Innovation 112 (2021).13. Wachter, Sandra, Mittelstadt, Brent & Russell, Chris. ‘Counterfactual Explanations Without Opening the Black Box: Automated Decisions and the GDPR’ 31 Harvard Journal of Law & Technology 841 (2017).14. Solove, Daniel J. ‘Privacy Self-Management and the Consent Dilemma’ 126 Harvard Law Review 1880 (2013).
Working Papers & Reports15. Bhandari, Vikram & Sane, Renuka. ‘An Analysis of the DPDPA 2023’ Data Governance Network Working Paper No. 269 (2023).16. Internet Freedom Foundation. ‘Analysing the Digital Personal Data Protection Act 2023’ IFF Working Paper No. 41 (2023).17. Parsheera, Smirti. ‘Data Protection in India: The Road Ahead’ NIPFP Working Paper No. 269 (2019).
Blog Posts & Online Commentary18. Bhatia, Gautam. ‘The DPDPA: A Critical Analysis’ Indian Constitutional Law and Philosophy Blog (2023).19. Puthenveetil. ‘DPDPA v. GDPR: A Comparative Analysis’ DCU Law & Tech Blog (2024).
Newspaper & Periodical Articles20. Ramanathan, Usha. ‘Surveillance, Data and the Indian State’ Economic & Political Weekly, 14 October 2023, at 22.
Case Law21. Vijay Lakshmi v. State Bank of India, W.P. (C) No. 3918/2021 (Delhi High Court).


Comments