CHATBOTS, PRIVACY AND DATA: INDIAN PERSPECTIVE

It is a widely appreciated and accepted concept that customer is king, and following this concept, solving customers’ problems and queries is an essential part of every business. A customer expects flexible engagement and fast resolution(s), and to resolve this, technology companies are developing AI based powerful chatbots. A chatbot is a software based on artificial intelligence that stimulates a text based online chat conversation, similar to messaging.

With the advent of this flexible and easy engagement software, that uses data provided by the customer, the concern for such data collection, usage, storage and transmission also arises. In the following paragraphs we will analyze, in brief, the rules and regulations that technology companies which provide and/or utilize chatbot services will have to adhere.

1. Incorporate Chatbot data collection, usage, transmission, possession in Privacy Policy

Section 43A of the Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 requires every body corporate and/or individual in India, which collects, receives, possesses, stores, transmits, processes or can associate pretty much any other verb with ‘personal information’ directly under a contractual obligation with the provider of information, to have a privacy policy clearly displayed on their website or medium of usage. Apart from above several other international laws, such as Australian Privacy Act, 1988, the UK Data Protection Act, 1998, General Data Protection Regulations of the European Union, California Consumer Privacy Act specifically California’s Bot Disclosure Law (California Business and Professions Code § 17940) etc., also provide from similar obligations of displaying privacy policy.

Majority of technology companies, intermediaries, websites etc. (technology companies) in terms of the above mentioned provide a detailed privacy policy, elucidating the kind of data that is collected by them, the wat in which it shall be used and whether or not it shall further be transmitted to third party(ies).

It becomes essential for technology companies to incorporate within their privacy policy, the data that the Chatbot shall collect. Further the privacy policy shall have to incorporate how the data collected shall be utilized, processed, transmitted to a third party and whether or not it shall be stored. If, the Chatbot service it sourced through another third party, then the privacy policy shall include the details in which the third party provider shall process and utilize the data provided by the user and whether cookies shall be stored on the user’s machine.

2. Incorporate safeguards in terms and conditions of use

There could be an instance wherein the Chatbot could provide an incorrect information to the user which would lead to the user making a decision based on the information provided. Such decision made on wrongful information could lead to financial losses and or any other damage(s), which increases the chances of potential litigation. The technology company could thus incorporate clause(s) in its terms and conditions of use that could eventually safeguard its interest in the given circumstances.

3. Ensuring the Chatbot does not infringe or violate any law

The Chatbot, being a software driven by artificial intelligence, must be programmed in such a way that it does not violate any law of the land. Any communication conducted by the Chatbot based on the information fed to it shall be a civil communication and should neither be obscene, invasive of another’s privacy, libelous, harmful to children nor contain software virus or any other computer code designed to cause damage.

4. Compliance of the proposed Personal Data Protection Laws of India

The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology in December, 2019. The Bill seeks to provide for protection of personal data of individuals. The Bill governs the processing of personal data pertaining to characteristics, traits or attributes of identity, which can be used to identify an individual. The Bill provides that processing of data will be subject to certain purpose, collection and storage limitations, and further provides several measures and steps that shall have to be taken by technology companies to ensure protection of personal data of users.

The liability, reputational risk and accountability that is connected with the use of Chatbot(s) should be minimized by technology companies by keeping, amongst others, the above mentioned in mind while engaging with a user through AI.

Published by Pushkar Taimni

Pushkar Taimni heads the practice at Law Chambers of Pushkar Taimni. He can be contacted at pushkar@ptaimni.com or taimnico@gmail.com.

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: