Is consent from data principals required for sharing data under the DEPA training framework?
As per modern privacy laws, there are several legal bases for processing data. For instance, Article 6 of the European Union’s General Data Protection Regulation (GPDR), outlines six legal bases for processing data legally. One of which is consent from the data principals. Others include, performance of a contract; compliance with a legal obligations; protect vital interests of the data subject or of another natural person; public interest or in the exercise of official authority; and for the purposes of the legitimate interests.
In India, the Digital Personal Data Protection Act, 2023 outlines two legal bases for processing personal data of data principals for lawful purposes. One is consent and the other is for certain legitimate uses. The Act under Chapter IV also lays down certain exemptions for securing consent. In Clause 2 (b), the Act states that provisions will not apply in cases where personal data is necessary for research, archiving or statistical purposes as long as the personal data is not used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.
Since the DEPA training framework is an incidental use case of aggregated personal data, is not used to make any decision specific to a Data Principal and also provides technical guardrails based on privacy-preserving technologies to diminish the risk of privacy violations, the exemption within Chapter IV Clause 2 (b) applies and obviates the need for seeking fine-grained, explicit consent from data principals for every training cycle. However, depending on the scenario, SROs may stipulate that TDPs collect appropriate course-grained consent describing the broad purpose for which their data will be used before including a data principal's data in aggregated datasets.
Are signed contracts legally valid documents?
Yes. Signed digital contracts as defined in the DEPA training framework are given evidentiary value within the Indian Evidence Act.
Are there any guardrails against societal harms caused by models trained using the DEPA training framework?
The DEPA training framework requires TDCs to include any reported and anticipated risks from their AI model in contracts. See AI Governance Framework for a detailed list of risks tools to help identity and assess risks for a specific model.