Introduction
In the field of Artificial Intelligence, the focus is more on the actions of artificial entities than on physical individuals. While the illegal actions of AI cannot be remedied retroactively, they can be prevented. Our current deterrence-based legal frameworks do not effectively apply to AI regulation. With an increasing reliance on AI for emotional and work-related tasks, instances of AI malfunctioning or “going rogue” are on the rise. While AI-generated prompts streamline our daily lives, they also pose significant privacy risks. The more streamlined and personalized the responses, the more data is stored in databases, which AI then draws on to create future responses. This data can range from personal to general information. Challenges emerge when AI systems not only retain data but also process and potentially share it with third parties without consent, placing data privacy at the forefront of AI governance. When AI relies on extensive datasets, questions around the ownership, control, and protection of both personal and IP-related data become critical. AIās capacity to generate content, inventions, and insights from this data intensifies concerns, not only about ownership but also about copyright and trade secrets. This article delves into these aspects in detail, exploring the nuanced intersections of data privacy and intellectual property within AI.
Data Privacy
The recent uproar for some stringent data privacy laws stems from the frequent leaks and breaches of individuals’ personal data and the risk of its misuse. Data privacy in India gained momentum following the Justice Puttaswamy judgment, which established the Right to Privacy as a fundamental right under Article 21 of the Constitution, and the introduction of the Data Protection Act, 2023, inspired by the EU’s General Data Protection Regulation (GDPR). Under the Data Protection Act, “data” is defined as a representation of information, facts, concepts, opinions, or instructions in a form suitable for communication, interpretation, or processing by humans or automated systems. Although “data” is broadly defined, the law primarily focuses on “personal data,” meaning any information that can identify a natural person. Data protection laws aim to safeguard raw personal data and require consent-based processing of this data for legitimate purposes. They outline several rights for Data Principals, such as the right to portability, the right to erasure, and the right to nominate others. Additionally, they establish duties for Data fiduciaries or Data controllers, including obtaining consent before processing data, notifying authorities in the event of a data breach, and implementing measures to prevent such breaches.
Intellectual Property
Intellectual property law offers protection to intellectual creations of humankind. Through a bunch of IP laws like copyright, patent, and trade secrets, expressions, innovations, and confidential information are respectively protected. Copyright and trade secrets are the two main aspects with which data privacy laws are concerned. Copyright law offers protection to the creative expression of an individual. For instance, any poem, writing, or essay that satisfy the test for modicum of creativity. Memes and parodies are all protected by Intellectual Property law. Recently, the courts have also recognized the commercial right over oneās personal data as a part of intellectual property rights. These commercial rights, also known as personality rights, seek to protect the personal data of celebrities from potential misuse. They provide right over oneās image, voice, and likeness. In the upcoming section, we shall discuss the relation between personality rights and data privacy in detail.
The Interaction
The intersection of data privacy and intellectual property law in India dates back to 1994, when the courts first recognized the right to privacy as a fundamental right in R. Rajagopal v. State of Tamil Nadu. Personality rights, which protect an individualās personal attributes such as image, voice, and likeness from unauthorized commercial use, are safeguarded under Article 21, the fundamental right to privacy, as well as through trademark and copyright laws. For example, in Titan Industries Ltd. v. Ramkumar Jewellers, a jewelry advertisement featured a billboard with images of Amitabh and Jaya Bachchan, prompting legal scrutiny. The court held that the celebrities held copyright over the advertisement, and the defendantās use of a similar advertisement, along with reproducing the celebrities’ images, constituted copyright infringement. Here, the court upheld performers’ rights over their own images. Similarly, courts have protected the personal attributes of various celebrities, including Arijit Singhās voice, Rashmika Mandannaās image, and the trademarked name āSanju.ā These cases illustrate how IP laws, supported by contractual agreements, can regulate the commercial use of celebrities’ personal data. However, the law remains largely silent on the commercial exploitation of personal information for private individuals. Commoners can rely on Article 21 of the Constitution or the recent Data Protection Act to protect their personal data from misuse.
Though it seems that the public figure can regulate the usage of their personal data, in reality the data of celebrities and commoners is widely processed without their knowledge. The processing of personal data includes collecting, recording, organizing, storing, altering, transferring, publishing, modifying, or destroying the data through automated or non-automated means. Private and government entities collect and store massive amounts of personal information. This information is either for monitoring, surveillance, or generating profiles, or is sold or transferred to other entities for a hefty amount. These big data increases the risk of privacy and misuse. Instances of data breaches, such as the Facebook Analytica scandal, where data of American voters was sold to political parties for creating psychological profiles and using them for manipulating the election results, and data leaks of AIMS patient records, highlight these concerns. Such big data doesnāt just include general identifiable information; it encompasses personality-related details, such as likes, dislikes, and affiliations, which can be used to build personal profiles and target individuals with tailored advertisements and campaigns. Additionally, this data is often used to train AI, enhancing its ability to generate prompt, streamlined responses.
The data used by the Artificial Intelligence tools is not limited to the data sets on which it is trained. The tools also extract data from external sources such as public databases, document repositories, websites, APIs, paid subscription services, and others and store them in their large language models to generate improved responses. This leads to the usage of copyrighted material without proper authorization. If AI models operated solely on predefined datasets, prior consent could be obtained from the authors of the works within those sets, but the same is not possible when external sources are involved. AI-generated responses may either resemble original works, potentially infringing reproduction rights, or create derivative content that infringes when combined with the prompt. This makes it challenging for third-party rights holders to identify and enforce their rights against potential infringements.
A trade secret is defined as any business-related information that provides a company with a competitive advantage, and significant efforts are made to keep this information confidential. Formulas, business strategies, and other proprietary methods can qualify as trade secrets. However, AI poses a potential threat to the secrecy of this information due to its functionality. Tools like ChatGPT collect, store, and process vast amounts of data through user prompts. AIās capacity to detect patterns, connect unrelated information, and predict missing details may reveal proprietary methods or formulas. By leveraging minimal input and reverse engineering, AI could inadvertently recreate or disclose similar trade secrets. This risk has led companies like Samsung and Cognizant to ban AI tools like ChatGPT on client servers, as Samsung discovered that employee use of ChatGPT was inadvertently leaking their source code.
Concluding Remarks
Scholars advise against inputting confidential information into generative AI tools, recommending instead the use of alternative, similar information to obtain desired responses. In response, many companies have implemented preventive measures, such as banning AI tools in sensitive contexts. Writers are also encouraged to secure copyright registration for their work to support future enforcement in cases of infringement. Additionally, scholars suggest that countries could adopt flexible regulations, or “soft laws,” that can adapt to technological advancements. Itās also essential for AI companies to monitor the datasets and external sources their tools draw upon to generate responses.
Written by Khushee, an assessment intern @Intepat IP.
