A trend of Blockchain-MMORPGs and legal uncertainties surrounding MMORPGs

Background

Massive Multiplayer Online Role-Playing Games (“MMORPGs”) are virtual worlds in which players act as inhabitants and band together to engage in immersive gameplay.[1] Some MMORPGs are real-world simulations that allow players to create an avatar in the game and collect assets such as money, weaponry, clothing, land, or other goods that have “value” inside the game’s virtual world. The characters purchase homes, cars and other everyday items using in-game currency, which could be in the form of ‘credits’ or ‘tokens’. These credits are bought by players using real money. These games also provide a marketplace where players can sell or trade virtual assets with each other. Some MMORPGs provide the option of cashing out real money by redeeming the credits earned through trading of virtual assets. Therefore, a certain number of MMORPGs have now become a source of revenue as well.

Objective

This blog traces and analyses a list of MMORPGs and the common practices they follow while serving online gamers.

Analysis

There are two categories of real-world simulation MMORPGs right now. One is traditional real-world MMORPGs, such as the Entropia Universe and Second Life, where players were given the option to trade virtual in-game currency back for fiat money. The other is blockchain based MMORPGs, where players actually buy in-game assets that are based on non-fungible tokens (NFTs), or virtual currency that is based on cryptocurrency, and trade them back for fiat money.

Key difference: Blockchain based MMORPGs have cryptocurrency based assets; for instance, if you buy land which is based on ERC 20 tokens, you are effectively buying an ERC 20 token. This allows a player to assert absolute ownership over the virtual assets even if the game ceases to exist. This is unlike Entropia Universe, which charges subscription, taxes and maintenance fees for each asset you buy, and where, if the site goes down, the in-game assets also cease to exist.[2]

Please find the following list of popular MMORPGs along with their category:

S. No. | Game Name (with hyperlinks to relevant whitepapers, code of ethics or ToU) | Category
1. | Entropia Universe | In-game currency based MMORPG
2. | Second Life | In-game currency based MMORPG
3. | Roblox | In-game currency based MMORPG
4. | Decentraland | Blockchain based MMORPG
5. | The Sandbox | Blockchain based MMORPG
6. | Neoworld | Blockchain based MMORPG
7. | Cryptovoxels | Blockchain based MMORPG

Observations

The following takeaways emerge from a reading of the whitepapers and legal documents released by the aforementioned games:

  • In blockchain based MMORPGs, land or assets are parcels based on non-fungible tokens (this varies extensively – ERC 20, ERC 271, or ERC 1155), which allows a player to be assured of ownership of an in-game asset bought in exchange for money. It is just like buying a bitcoin.
  • All these platforms have marketplaces where players can buy virtual assets or credits for real money or fiat currency. The platforms have facilitated the movement of funds between buyers and sellers in these marketplaces. Surprisingly, they do not provide an exhaustive code of conduct for these marketplaces.
  • The user-verification process is not standardized and is inconsistent across the platforms. Only one platform, Decentraland, mentions a Know Your Client (KYC) process. In this situation, if a regulator scrutinizes an MMORPG platform from the money laundering perspective, then the platforms with no KYC/AML processes in place are likely to face the regulatory heat, i.e. a possible ban.
  • All the platforms, even in-game currency based MMORPGs, recognize the threat of an uncertain regulatory environment, and they specifically mention in their disclaimers that continuity of services is subject to regulatory actions in a particular jurisdiction.
  • The majority of successful platforms, like Decentraland, Entropia Universe, and Second Life, acknowledge in their terms of use their responsibility to maintain financial records for all funds transactions in connection with the use of the gaming service.
  • Out of all blockchain based MMORPGs, only Decentraland specifically acknowledges the risk associated with cryptocurrency – volatility risks, regulatory risks, and risk of drastic changes in Ethereum blockchain.
  • All the gaming platforms provide that if any tax is payable on the virtual assets and transactions owned by players in their jurisdiction, the player is responsible for paying that tax.
  • Only Entropia Universe clarifies that ‘gambling’ activities are expressly forbidden in its virtual in-game universe.

Conclusion

The following are best practices that players interested in playing an MMORPG, or developers interested in developing one, should consider to obviate risks in an environment of regulatory uncertainty:

  • Platforms looking to incorporate a virtual currency into a game or app without triggering potential money laundering obligations must have proper KYC/AML procedures in place.
  • The virtual currency should be for in-game purchases only, such that players have no ability to directly sell, exchange, transfer, or cash out any virtual currency they have purchased in exchange for cash.
  • As most of the popular platforms have done, avoid any claim that the in-game virtual currency represents fiat currency. Further, include a disclosure that the virtual currency carries certain risks, subject to prospective regulatory actions.
  • There should be a simple and readable policy on marketplace transactions, with a focus on avoiding the risk that players assume marketplace purchases imply any sort of ownership of virtual assets.

(Authored by Abhijeet Vaishnav, volunteer-researcher, with inputs from Aryan Babele)


[1] http://www.commonlii.org/in/journals/INJlLawTech/2006/4.pdf

[2] https://cryptobriefing.com/will-second-life-get-a-second-life-five-virtual-lands-on-the-blockchain/.

Comments on the NITI Aayog’s draft ‘Guiding Principles’ for the ‘Regulation of Online Fantasy Sports Platforms in India’

On 5th December 2020, NITI Aayog released a draft for discussion titled ‘Guiding Principles for the Uniform National-Level Regulation of Online Fantasy Sports Platforms in India’ (“Draft Report”), seeking comments from different stakeholders of the fantasy sports industry. The Draft Report hits two birds with one stone: firstly, it proposes to establish a single Self-Regulatory Organization (SRO) for Online Fantasy Sports Platforms (OFSP) so as to enable a ‘light touch’ regulatory framework; secondly, these guidelines also act as a ‘regulatory sandbox’ for OFSP.

A brief summary of our submission to NITI Aayog, with comments, concerns and recommendations in relation to the Draft Report, is as follows:

Recognition for all categories of “pay-to-play” online games

Apart from online fantasy sports, there are many other pay-to-play formats of online games, like rummy, cricket simulation etc., that platforms offer through the same digital interface through which they offer online fantasy sports contests; Paytm First Games and Mobile Premier League, to name a few. We have raised the concern that governing only OFSP could result in a complex situation for the online gaming industry in general and for such all-in-one online gaming platforms in particular. We recommend that, by virtue of these guidelines, all “pay-to-play” formats of online games should be recognised.

Specify definition and extent of the term ‘fantasy sports’

The Draft Report neither defines the term ‘fantasy sports’ nor lists the activities that might constitute it under the proposed framework. The framework proposes that “all formats” of fantasy sports offered by OFSP must be skill-predominant. There is no clarity on whether ‘free to play’ formats, which do not involve any stake of players and are risk-free, are also required to be games of skill. In our comments, we have formulated an element-wise definition of ‘fantasy sports’ wherein we have specifically pleaded that the definition should exclude the free to play format.

The proposed framework requires a platform to take approval from the SRO if it offers a fantasy format different from a judicially determined game of skill. There are three HCs which have analysed Dream 11’s format as a game of skill, and no definitive criteria have been laid down by any of them for determining whether a fantasy format is a game of skill or not. Therefore, we believe that a ‘judicially determined’ format of fantasy sports is subjective and that the Draft Report should itself provide an objective test.

Uniform and diverse representation in the SRO

The Draft Report prescribes that only a fantasy sports industry body which has as members OFSPs with a registered user base, in aggregate, equivalent to at least 66 percent of registered users of online fantasy sports in India could be recognised as the SRO by the Government. This is an absurd eligibility criterion, as the concentration of users is not uniform across OFSPs. In such a scenario, there is a risk of disadvantage to the interests of OFSPs with a small user base.

The proposed model of membership of SRO leaves aside many other participants of the fantasy sports industry like advertisers, payment service providers, consumer bodies etc. We recommend that the eligibility criterion for recognition of an industry body as SRO must be based on diversity and number of members rather than the strength of user base of its members. This will lead to a holistic and pervasive regulatory framework.

Requirement of minimum safeguards in the organizational framework of SRO

Three internal bodies have been envisaged within the proposed SRO: an independent oversight board, a grievance redressal mechanism and an evaluation committee. We recommend that a governing body, in addition to the internal bodies, must be constituted. Further, basic principles and minimum safeguards must be incorporated in the framework to ensure independence of oversight board, transparency in working of grievance redressal body and evaluation committee, etc.

Clarity on how safe-harbour exemption will be implemented

The guiding principles proposed in the Draft Report grant safe-harbour exemption or a criminal immunity to all the member-OFSPs of the SRO. As “gambling and betting” is a subject of the state list, it is recommended that a clarificatory note be released by the NITI that fantasy sports be construed as a class apart from gambling rather than exception. In short, fantasy sports should be governed by the Union using its residuary powers under Entry 97 of List I.

(Authored by Eukti Garg, Volunteer-Researcher at LawforIT, with inputs from Aryan Babele)

Hiring a ‘ghost-writer’ in India: the question of copyright?

Ghost-writing can be described in any of the following four ways: (i) failing to list as an author someone qualified for authorship; (ii) failing to acknowledge writing support; (iii) dishonesty/plagiarism; and (iv) practices such as undisclosed authorship or undisclosed funding for writing support.[1] Alternatively, ghost-writing is a contractual arrangement under which a writer is hired and “paid to produce written work” with the understanding that “the buyer will claim and use it as his own”.[2]

Relevant Law

A copyright subsists in the “original literary works” such as the content of any book.[3] Authors of such copyrighted content or work enjoy certain economic rights or exclusive rights.[4] Also, the Copyright Act provides for the joint authorship when a work is prepared by more than one author in collaboration.[5] The Copyright Act 1957 (“the Act of 1957”) entitles the author or creator of the work as the first owner of copyright i.e. ghost-writer, and vests with author the exclusive right to reproduce, publish, perform, display, or create “derivative works” from its primary work.[6] Further, as per Section 57 of the Copyright Act, the author of a work has the moral right to be attributed as the author of his work even after the assignment, either wholly or partially, of the said copyright.[7] Lastly, Section 18 permits assignment by a prospective owner, i.e., a person who is not the first owner as defined in section 17, in a future work through a written agreement for assignment.[8] However, as per the proviso, parties can enter into an agreement for assignment of copyright in any future work, but the assignment itself takes place only after “the work” comes into existence and not before.[9]

Observation

An author may create a work on his own behalf or at the instance of another person for valuable consideration. Ghost writers fall in the latter category. Such a work is, obviously, a form of plagiarism; however, it is done with the consent of the actual author (the ghost writer) of the work, and that makes it acceptable as a work of the ostensible author who is commissioning the work. Under Indian law, the legal position regarding such ghost-writing assignments is unclear in comparison to the international jurisdiction, which specifically delineates the legal standing of works made for hire (or commissioned works).[10]

Under Indian law, as per the Copyright Act, 1957, in absence of any agreement to the contrary, the person at whose instance the work is made is the owner of the copyright work under Section 17. Since there is no copyright in ideas even if they are original, the originator of the idea is not the owner of the copyright in the work which gives concrete form to the idea.[11] Therefore, where a person provides the material to another for writing a book and the latter (ghost writer) writes the book on the basis of the materials supplied then the latter becomes the owner of the copyright in the book.[12] In order to be an author of a work, a person must accordingly do more than contribute ideas to an author and it is not enough that he passed on his reminiscences to a ghost writer.[13]

In this context, Section 18, therefore, provides that in order to grant exclusive right in a literary work to a person, who is not the owner of copyright within the meaning of the Act to assign his rights in any future work, there should be a contract of assignment in existence.[14] This way it will be treated as a contract of services and, as per Section 17(b) of the Act, authors engaged under contract for service will lose the copyright.[15] Further, Section 57 of the Copyright Act, 1957 recognizes moral rights of the author, such that even after the assignment, either wholly or partially, of the said copyright, the author of a work shall have the right to claim the authorship of the work. Although the jurisprudence on waiver of moral rights is slightly unsettled, in several cases contracts of services have been upheld and “contracting out” has been made “permissible provided it is voluntary and does not deal with a matter of public policy”.[16]

Therefore, in the instant case, a collaboration agreement between hirer and the ghost author will form the essence of the copyright ownership. Absent a formal written agreement, ownership of the written work will be governed by the default provisions of the Copyright Act – and not necessarily according to the parties’ wishes. Under that situation, by virtue of Section 17 and Section 57, the ghost author will be the actual author or first owner of the work and consequently will be entitled to economic and moral rights, exclusively.

The best way to address this so that the hirer has full ownership of a written work:

To avoid such a situation, there should be a contract of assignment beforehand between the two parties such that the ghost writer will assign the rights of future work prospectively to hiring person. Following are certain steps that will help a hiring person in retaining the full ownership rights in creative works of authorship for a written work:

  • A hiring person should make certain to have a written agreement with the ghostwriter who will actually author the written work and other allied works.[17]
  • The parties must specifically include in their written contract a provision that the ghost writer is assigning his copyright to the author that will serve as a back-up just in case the work fails to satisfy the ‘contract of services’ requirements of the Copyright Act.
  • The agreement should set extent of rights, deadlines, budgets, compensation, address author credit, decision-making, liability, death, disability, and, if properly drafted, outline a joint exit strategy.[18]
  • If the work fails to qualify as a work under contract of services, exercise, if possible, the defense of “joint authorship” to prevent the loss of “all” the rights in the work. This requires that a hiring person should mention in the collaboration agreement that he is also contributing the “expression of ideas” for the written work.

(Views are personal only. The content of this blog should not be construed as legal advice in any case)


References

[1] Lisa Tora et al, Ghostwriting in biomedicine: a review of the published literature, Journal Current Medical Research and Opinion Vol 35(9) (2019), https://www.tandfonline.com/doi/full/10.1080/03007995.2019.1608101

[2] Nandita Saikia, Ghost-writing, Plagiarism and Copyright, IN Content Law, https://copyright.lawmatters.in/2010/09/ghost-writing-plagiarism-and-copyright.html.

[3] S. 13, The Copyright Act, 1957.

[4] S. 14, The Copyright Act, 1957.

[5] S. 2(z) and S. 13, The Copyright Act, 1957.

[6] S. 17, The Copyright Act, 1957; Eastern Book Company v. D.B. Modak, (2008) 1 SCC 1.

[7] S. 57, The Copyright Act, 1957.

[8] S. 18, The Copyright Act, 1957.

[9] Indian Performing Right Society Ltd. v. Eastern Indian Motion Pictures Association, (1977) 2 SCC 820.

[10] Title 17 U.S.C. § 101, the Copyright Act.   

[11] R.G. Anand v. Delux Films , AIR 1978 SC 1613; Sreenivasulu N.S., Law relating to Intellectual Property, Penguin-Partridge Publications, Bloomington, Indiana, USA, First Edition, 2013, Pg. No: 485.

[12] R D Ryder and Sreenivasulu N. S., Copyright and Third Sector, 7 RMLNLUJ (2015) 39.

[13] Evans v. E Hulton & Co. Ltd., [1923-8] Macg Cop Cas 51.

[14] Diljeet Titus Advocate & Others v. Alfred A. Adebare & Others , 2006 (32) PTC 609 (Del)

[15] Gee Pee Film Pvt. Ltd. v. Pratik Chowdhury & Others , 2002 (24) PTC 392.

[16] Centrotrade Minerals and Metal. Inc. v. Hindustan Copper Limited, (2006) 11 SCC 245; Sartaj Singh Pannu vs Gurbani Media Pvt Ltd & Anr 2015 (63) PTC 590 Del; Ameet Datta, Moral rights: can authors waive their special rights?, Lexology, https://www.lexology.com/library/detail.aspx?g=0e35276b-9737-47dd-9c1a-94ef6d25036d.

[17] Kaplan v. Vincent, 937 F. Supp. 307 (SDNY 1996) (If the parties had a well-drafted collaboration agreement – as opposed to oral understanding — legal entanglements would have been avoided).

[18] Dorling Kindersley (India) Pvt. Ltd. v. Sanguine Technical Publishers & Others 2013 (56) PTC 40 (Del) at p. 62. (The territorial extent should be specified)

The case of Content Aggregator Platforms: PVR Ltd. v. Just Dial Ltd.

Content aggregation platforms like JustDial are sites that collate, index and distribute hyperlinks to third-party content and display them on a single webpage for their users’ reference.[1] Aggregators list businesses by associating the businesses’ websites with their platforms using various tools such as deep-links, framing and meta-tags.

Deep-links are hyper-links in the form of an image or text which, on selection, redirect the user to the specific content/webpage of the source’s website.[2]

Framing is the process by which multiple webpages of other websites are displayed as separate windows/frames on a single webpage of the aggregator’s platform.[3]

Meta-tags are words and phrases in the HTML code of the website, related to the particular content, which become identifiable and a part of the search results when a user searches on a search engine using terms corresponding to the embedded words and phrases.[4]

The case of copyright, trademark and/or other proprietary rights of entities listed on its platform

Content aggregator’s ability to publish or post the relevant content that it obtains from the third-party sources is limited by the copyright and trademark laws of India and by the terms of any agreement entered into with the content-provider or listed entities.[5]

Observation: Aggregator lists business entities on its platform in exchange for a fee. If any entity willingly lists itself on the platform after paying a fee and agrees to the client’s terms of use which provides for use of the information/links/metatags of the business by the aggregator then there will be no violation of the copyright, trademark and/or other proprietary rights of entities listed on the platform.[6] However, if JustDial provides information on its platform about any listed entity, without any prior agreement or consent for utilizing the deep-links or separate frames to the website of the entity, then such links shall inadvertently infringe copyrights or trademarks owned by the entity’s website, as it results in by-pass or duplication of the information contained in the linked webpage.[7] Further, aggregator’s use of meta-tags of such listed entity will result in misapprehension in the mind of the former’s customers that it is authorized by or associated with the latter entity.[8]

Relevant Law: Copyright subsists in the “original literary works” such as the content of any website.[9] The Copyright Act 1957 (“the Act of 1957”) entitles the first owner, i.e. the listed entity, with the exclusive right to reproduce, publish, perform, display, or create “derivative works” from its website’s content (primary works).[10] Therefore, a copyright is “deemed to be infringed” if any of these exclusive rights (listed entity’s rights to publish or create “derivative works” through deep-linking or framing respectively to its website) are exercised by the infringer without the permission of the former.[11] Further, the Trademarks Act 1999 (“the Act of 1999”) provides an inclusive definition of “mark” which includes the meta-tags of a website as well.[12] By virtue of the Act of 1999, unauthorized use of trademarks as meta-tags constitutes infringement of registered trademark.[13] However, deep-links, frames and meta-tags could be utilized subject to “fair use” and “nominative use” exceptions.[14]

In PVR Ltd. v. Just Dial Ltd,[15] the Delhi High Court prima facie held that unauthorised listing of information (ticket-booking details, movie schedule, addresses and pictures of PVR movie theaters), as available on PVR.com, by JustDial using deep-links and frames to and meta-tags of PVR.com, gives the public the impression that there is a nexus between the two. Thus, it resulted in exploitation of PVR’s goodwill by JustDial that amounted to copyright and trademark infringement and passing-off. It is considered the first case in India which deals with the legality of content aggregation tools collectively.

The legality of the use of deep-links, frames and meta-tags has also been questioned multiple times in cases in major jurisdictions such as the USA, the UK and Canada.[16] The majority of courts in these jurisdictions have held that the unauthorised use of deep-links, frames and meta-tags of a primary website is deceptive to the public and have granted injunctions against content aggregation platforms.

What are the liabilities that the aggregator’s platform can incur due to the user reviews? What are the measures that aggregator’s platform can put in place to mitigate these liabilities?

Observation: Aggregator’s platform is also a user-review platform which gives its users the ability to review and rate the various businesses listed on its directories. Evaluation platforms/sites provide an opportunity for users to post comments on businesses, in addition to reviewing and ranking them.[17] Such reviews and ratings are usually couched in terms of opinion but could be extremely negative, false or defamatory at times. Since these reviews and ratings are entirely users’ opinions and user-generated contents, the consumer review site cannot be held liable for the same.[18]

Relevant Laws: A user-review platform is an ‘intermediary’ under Section 2(w) of the Information Technology Act, 2000 (“IT Act”).[19] ‘Intermediaries’ like JustDial are granted an immunity under Section 79 of the IT Act from offences caused due to user-generated content wherein such intermediary had no knowledge about the nature of the content.[20] The Information Technology (Intermediary Guidelines) Rules, 2011 (“Intermediary Guidelines”) provide the due diligence requirements that must be observed by intermediaries to avail the safe-harbor protection (immunity).[21] However, upon receiving actual knowledge or being notified by the Government or its agency about any unlawful content on the platform, intermediaries are liable to take down or disable access to it.[22]

Indian Jurisprudence: In the case of Procentris India (Pvt.) Ltd. v. Mouthshut.com (Pvt.) Ltd.[23], Mouthshut (a popular consumer review site) was ordered by the Bombay High Court to delete reviews critical of Procentris. Subsequently, Mouthshut.com filed a writ petition in the Supreme Court for quashing the IT Rules, 2011 on account of it being violative of Articles 14, 19 and 21 of the Constitution of India. This case was clubbed with the petition in landmark case of Shreya Singhal v. Union of India which introduced ‘safe harbor’ provisions in India.[24]

International Jurisprudence: India doesn’t have enough record of litigations on the issue of liability incurred by consumer review sites due to user-reviews. However, there are significant precedents in international jurisdictions such as the USA, the UK and European Union which provide that no liabilities (except the take-down obligation on notice) are incurred by intermediaries (such as user-review sites) due to the false, incorrect and defamatory nature of the underlying user ratings and reviews as uploaded on their platforms.[25]

Recommended Measures:

In order to avoid liabilities with respect to user-reviews, an aggregator platform should put certain safeguards in its Terms and Conditions (“T&Cs”), in line with various international precedents, such as:

  • Add a mandatory set of Community Guidelines which should specifically prohibit user-reviews which are false, unlawful, misleading, defamatory, harassing, or otherwise objectionable.[26]
  • Add a clause in the T&C which will prevent users from posting user-reviews or ratings anonymously.[27]
  • Add a clause in its Community Guidelines which strictly mandates the user-reviews to be unbiased and objective in order to prevent conflict of interest.[28]
  • Forbid users from posting, in their user-reviews, any copyrighted or trademarked content that they do not own.
  • The T&C shall contain a clause indemnifying the platform from any liability for users’ content including user-reviews.
  • The platform is required to deploy technology based automated tools or appropriate mechanisms with appropriate controls to proactively identify and remove access to unlawful content.[29]

(Views are personal only. The content of this blog should not be construed as legal advice in any case.)

References

[1] Jaani Riordan, The Liability of Internet Intermediaries, 28 (1st ed., 2016).

[2] Linking, Framing, Meta Tags and Caching, Berkman Klein Center for Internet & Society at Harvard University, Berkman Klein Center, available at https://cyber.harvard.edu/property00/metatags/main.html, last seen on 14/02/2020.

[3] Futuredontics Inc. v. Applied Anagramic Inc., 45 U.S.P.Q. 2d 2005 (1998, C.D. Cal.).

[4] World Wrestling Entertainment, Inc. v. Savio Fernandes, 2015 (62) PTC 573.

[5] Posting Third Party Content and Linking, American Bar Association, American Bar Association, available at https://www.americanbar.org/groups/business_law/migrated/safeselling/content/, last seen on 13/02/2020.

[6] Rajiv Kr. Choudhry, Data Extraction: Intersection of Copyright and IT laws in India, SpicyIP, available at https://spicyip.com/2013/10/data-extraction-intersection-of-copyright-and-information-technology-laws-in-india.html, last seen on 08/02/2020.

[7] TATA Sons Limited v. Hoop Anin and Ors., 2012 (188) D.L.T. 327; Washington Post v. Total News Inc., No. 97 Civ. 1190 (PKL) (1990, S.D.N.Y.).

[8] Mattel Inc. & Ors. v. Jayant Agarwalla & Ors., 2008 (153) D.L.T. 548.

[9] S. 13, The Copyright Act, 1957.

[10] S. 17, The Copyright Act, 1957; Eastern Book Company v. D.B. Modak, (2008) 1 SCC 1.

[11] S. 51, The Copyright Act, 1957.

[12] Ss. 2(m) & 2(zb), The Trade Marks Act, 1999; People Interactive (I) Pvt. Ltd. v. Gaurav Jerry & Ors., NMS (L) NO. 1504 of 2014.

[13] S. 29, the Trade Marks Act, 1999; Christian Louboutin Sas v. Nakul Bajaj, 2018 (76) PTC 508 (Del).

[14] S. 52, The Copyright Act, 1957; S. 30(2)(d), the Trade Marks Act, 1999.

[15] PVR Ltd. v. Just Dial Ltd., 2019 SCC OnLine Del 8181.

[16] Ticketmaster Corp. v. Microsoft Corp., No. 97-3055 DDP (1997, C.D. Cal.); Shetland Times Ltd. v. Jonathan Wills and Zetnews Ltd., S.C. 316 (1997, Court of Sessions); Imax Corp. v. Showmax Inc., (2000) 5 C.P.R. (4th) 81 (FCTD).

[17] A.S. Cheung & W. Schulz, Reputation Protection on Online Rating Sites, 21 Stanford Technology Law Review 310, 318 (2018).

[18] Braverman v. Yelp Inc., 5. No. 158299/2013 W.L. 712618, at 3 (2014, N.Y.S.C.).

[19] S. 2(w), The Information Technology Act, 2000.

[20] S. 79, The Information Technology Act, 2000. (“Safe-harbor” provisions)

[21] The Information Technology (Intermediary Guidelines) Rules, 2011.

[22] S. 79(3)(b), The Information Technology Act, 2000.

[23] NMSL 968-13 in SL 364-13-954.

[24] Procentris India (Pvt.) Ltd. v. Mouthshut.com (Pvt.) Ltd., AIR 2015 S.C. 1523.

[25] Mcgrath v. Dawkins, E.W.H.C. B3 (QB) (2012, U.K.H.C.) (This case is concerned with reviews and comments posted on the claimant’s book product page at Amazon.co.uk. The Court dismissed the claims of defamation against Amazon); Hassell v. Bird, 5 Cal. 5th 522 (2018, Cal. S.C.) (The US law firm sued its former client for defamation for posting a false negative review on the Yelp! platform, a consumer review site. The Supreme Court of California held that Yelp! clearly falls under Communications Decency Act, 47 U.S.C. § 230 immunity); Magyar Tartalomszolgaltatok Egyesulete v. Hungary, [2016] E.C.H.R. 135 (EU) (The Hungarian courts held the news portal liable for causing reputational harm to a business caused by “false and offensive” user comments. The European Court of Human Rights disagreed with national courts).

[26] Delfi A.S. v. Estonia, (2016) 62 E.H.R.R. 6. (The case concerned threats and anti-Semitic slurs in the user comments section of online newspaper portal, Estonian courts held, and the ECHR in 2015 affirmed, that the platform could be liable for those comments).

[27] Yelp Inc. v. Hadeed Carpet Cleaning, 752 S.E.2d 554, 568-69 (2014, Va. Ct. App.). (The Court held that litigants may also target intermediaries with subpoenas seeking the identities of anonymous users for claims other than copyright, such as defamation).

[28] Moving & Storage, Inc. v. Panayotov, No. 12-12262-GA. (2014, U.S.D.C. D. Mass.) (when a moving-company review site owned by a particular moving company selectively deleted user-reviews that were beneficial to its competitors, the intermediary lost the “good faith” protection).

[29] Rule 9, The Information Technology [Draft Intermediaries Guidelines (Amendment) Rules] 2018.

National Digital Health Blueprint 2020 needs a review?

With an aim to fix the country's ailing healthcare facilities, the Indian government has opted for digitization as a solution, as it has in other sectors (Finance, Public Distribution System etc.). In January 2020, the government released a National Digital Health Blueprint which sets out a comprehensive framework for a “Federated National Health Information System”. Soon after, in March, the COVID-19 pandemic struck the country and underlined the importance of having the National Digital Health Blueprint in action. However, the pandemic has also highlighted many areas of improvement for the Blueprint and the need for urgent action on such improvements. This blog post puts forth the author’s views on the need to study the Blueprint again and to include concepts like digital therapeutics, digital diagnostics and telemedicine in its scope. The blog post also aims to present a picture of the diverse elements of a futuristic digital health ecosystem for India and the role that science, scientists and technology can play in establishing such an ecosystem.

Introduction

It seems that the Indian government has developed a formidable belief that technology is the solution to all the deep-seated problems that have haunted the country’s socio-economic growth since independence. In 2015, the ambitious Modi government launched the “Digital India” programme with the aim of transforming India into a knowledge economy, empowered with on-the-go access to information, governance and essential services. This ambition quickly received reinforcement in the form of JIO’s success, which increased the smartphone penetration rate and made India the second-fastest digital adopter in the world. Around the same time, the image of India’s healthcare remained pitiful and harrowing. In the Healthcare Access and Quality (HAQ) Index, India held what can only be considered a dismal position: 145th out of 195 countries.

India lags significantly in implementing most of the World Health Organisation’s (WHO) recommendations on the adequacy of doctors, nurses, medical technicians and healthcare facilities required to cater to the population. Owing to such inefficiencies, the country’s healthcare policy has been inconsistent, such that India is overburdened with the task of eradicating infectious tuberculosis. It is only in this decade that India was able to attain polio-free status. Our country is also facing an exponential rise in lifestyle disorders, with diseases like diabetes and clinical depression becoming endemic. Simply put, these statistics are an omen for India as a contender to be in the league of the top three fastest-growing economies of the world. The Government of India itself has noted that, in order to realize its real growth potential, the country has to fix its health systems on a priority basis by investing adequate finance and manpower. Presently, the Indian labor workforce is performing far below its optimum productivity due to many ill-health issues.

Therefore, the government, considering the nation’s emerging forte in the digital space, has decided to go digital in healthcare reforms as well, in order to analyse the consumption of health services by the population. As per the GoI, the future is technology, and India cannot accomplish its goal of ‘Health for All’ without digitization of health infrastructure and delivery. India sees Artificial Intelligence or Machine Learning as the foundation of accessible, affordable and quality health solutions at the intersection of technologies like biotechnology, robotics and computer science. Digital approaches to upgrading the conventional healthcare infrastructure could definitely be an antidote for the frail healthcare infrastructure, given that the nation’s population is increasingly on-boarding various digital platforms. It can also be a great overall strategic direction for India to shape its influence on policy-making in the context of global health. It is indeed a possibility given India’s competitive position in technology innovation and the fact that the health-tech market is at a nascent stage, with all countries on an almost level playing field.

The National Digital Health Blueprint 2020 (NDHB)

The ruling government envisions the digital health infrastructure as a system that will fit well with its larger aim to modernize (specifically ‘digitize’) the public health welfare system. In this line, the missions already initiated by the government are Ayushman Bharat, Swachh Bharat, Digital India, and Make in India.

The Ministry of Health and Family Welfare of India (MoHFW), pursuant to its afore-mentioned digital health policy initiatives, released NDHB in January 2020. This is the only detailed official explanation of PM Modi’s proposed National Digital Health Mission. It provides a picture of the entire framework of a “Federated National Health Information System”. It elaborates that the envisioned framework will inter-link systems of private and public health provider organisations serving across primary-, secondary- and tertiary-healthcare services. As the blueprint specifies, this is clearly in alignment with one of the objectives envisaged under the National Health Policy of 2017 i.e., to create an integrated health information system for all stakeholders in the health system, to improve efficiency, transparency and citizen experience.

The NDHB is indeed a well-drafted document, as it comprehensively shows the path the reformers have to tread in order to carry out the colossal task of developing an extensive database of electronic health records, which will be available as a single-source repository of health data per unique patient within India. Beyond this, state-wise datasets containing information on health workers (doctors, nurses, paramedics) and health facilities, disease registries, inventories, and insurance claim records will also form an essential element of the federated system. The blueprint provides that the database hub and key facilities will be hosted by the Health-Cloud (H-Cloud). Similar to the Aarogya Setu’s API release, the federated system will also be interoperable to allow seamless data exchange.

The blueprint obviously lists the standards for maintaining the privacy and security of the digitized health data (The next blogpost on the National Digital Health Mission will exhaustively deal with privacy and security related aspects – we also have interesting classified updates for you in that post). Project implementation will not be gradual or stage-wise, but it will follow the scheme of technology sandbox to test and roll-out the massive data-management infrastructure. The infrastructure will be further used for tracing the real-time stats related to population-wide health status. The customized and timely interventions will be made if the predictive analytics of the stats forecast community outbreaks or disease spread propensity by region. The running algorithms will be deployed to optimize data analysis and allocate scarce resources at district and state level, and more.

It has to be kept in mind, and can be inferred from the blueprint, that there are three prerequisites for successfully initiating the exercise that the NDHB proposes:

Uniform internet and telecommunications availability across the country;

An extensive network of primary healthcare centres for service delivery; and

Trained health workforce.

Presently, all three are works in progress in India, and the second and third points require special focus. Internet penetration in India has picked up at a good rate, but healthcare in the field is definitely lacking. The government has to create a solid foundation through uninterrupted support, spirit and funding.

The envisioned integrated national health data hub will be a vital asset to run, process and analyze all the complex health data, which can be leveraged for creating accurate policy designs and well-gripped implementation control. For example, through algorithms, timely automated intervention within the health system will increase cooperation. As soon as a given statistic touches a determined threshold, notifications will alert the appropriate health-crisis management authorities. The entire process will include relaying of targeted messages within the population, automated stock and inventory management warnings, and virtual medical training and research, to create a strong foundation for affordable and efficient healthcare. Once operational, the database is expected to connect and expedite India’s slow-moving, fragmented health system. While this will not immediately fix the system entirely, it is surely a step towards making it efficient and future-ready.

Is everything right with the Blueprint?

The Blueprint certainly sets out a great plan for a futuristic healthcare infrastructure. However, it is still far from being the “all-encompassing vision document” needed to address two issues: (a) providing a launch pad for India’s digital health ambition, and (b) resolving the deeply entrenched healthcare issues that have persisted for years. It therefore needs to trace context-specific use cases that recognize the problems unique to India.

Even the WHO’s guidance has made the point that digital-health interventions must be treated as supplements, not substitutes, for functioning health systems. The Blueprint requires major upgrades to its dimensions, which means a priority push for digital policy on therapeutics, diagnostics and medicine.

Policy action needed to reform therapeutics and diagnostics in India must be aligned with the broader AI policy of India. The current version of India’s AI policy names “healthcare” as one of the most promising areas but admits the obstacles it will face in creating a new path. India is not alone in this predicament. Recognizing best practices around the world and picking out unique use cases, the following points must be considered to strengthen the policy in terms of therapeutics and diagnostics:

1. Promoting indigenous innovation in health-tech while maintaining technological sovereignty;

2. The use-cases with respect to healthcare must be selected keeping in mind the inherent infrastructure limitations and resource shortages;

3. While going digital, it is important to keep patient safety as priority through adopting regulatory frameworks that mandate scientific and clinical validation of products/services;

4. One thing that is essential to the traditional doctor-patient relationship is trust. The approach must invest in creating a reliable infrastructure.

5. Real-world transparency, data confidentiality, cyber security and ethics should be the foundational principles when an innovator envisages a health-tech innovation. Proper guidelines for medical software developers, and a policy on transparent data-sharing agreements in which the rights of patients are protected, must be rolled out at the earliest.

Conclusion

Therefore, it is important to say again that digital health is not an immediate relief, given the limitations of India’s healthcare, i.e. inadequate infrastructure and resource shortages. However, one thing we have learnt for sure is that a better-connected and digitized nation is better prepared to achieve sustainable development goals, if the policy’s approach is inclusive in a real sense, and to face unprecedented black swans of the magnitude of the Covid-19 pandemic. Digital health adoption will bring many changes in the functioning of the current system across the value chain. The benefits of public goods, products and services under this category must be maximized, with minimum disruption to society. If all goes well, i.e. the policy is implemented properly and limitations are checked promptly, the NDHB could be a chance for India to get rid of its ailing healthcare infrastructure.

(These are personal views and opinions of the author and do not necessarily reflect views of any organisation)

Hopes and Doubts related to Telemedicine Guidelines in the context of Data Protection

Author is Vineet Gupta, Volunteer Researcher, LawforIT. He is actively involved in a research on privacy policies of different leading online medical consultation platforms. Policy paper will be soon available on the Blog.

Background

The Medical Council of India, jointly with the NITI Aayog, notified the Telemedicine guidelines in the midst of the Coronavirus pandemic. These guidelines can be seen as a first attempt at providing some relief with regard to the legal gaps and anxieties around the practice of medicine by doctors via communication devices.

Although telemedicine has historically (with the advent of technology) been widely practised in India, for a long time there was no legal mechanism for it. From the introduction of the communication channel by ISRO in 2001, linking Chennai’s Apollo Hospital with the Apollo Rural Hospital at Aragonda village in the Chittoor district of Andhra Pradesh[i], to the hundreds of apps providing online consultation today, we have come a long way. With technological up-gradation and the boom in the telecommunication sector, it became quite common for patients to seek recommendations from their family doctors on calls, WhatsApp messages, and even video conferencing. As the potential of telemedicine and its outreach was realized, the internet was flooded with startups acting as intermediaries that provided a channel between patients and doctors for online medical consultation.

On one side telemedicine was gaining popularity, and on the other there was a certain amount of anxiety, backlash, and confusion around its practice. With no proper guidelines on the practice of telemedicine, doctors were hesitant to provide online/telephonic consultations. They were also pressured by the medical associations (some of which even declared telecommunication unethical and a practice that could lead to cancellation of licence)[ii]. Patients were hesitant to use telemedicine and reluctant to provide their sensitive information online to unknown doctors. They were scared because for a long time there was no telemedicine or data protection law in place. Most importantly, many people, especially the rural population, were and are unaware of the potential of telemedicine and its application in this technological era. The introductory part of the guidelines states that:

“In India, till now there was no legislation or guidelines on the practice of telemedicine, through video, phone, Internet-based platforms (web/chat/apps, etc). The existing provisions under the Indian Medical Council Act, 1956, the Indian Medical Council (Professional Conduct, Etiquette and Ethics Regulation 2002), Drugs & Cosmetics Act, 1940 and Rules 1945, Clinical Establishment (Registration and Regulation) Act, 2010, the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 primarily govern the practice of medicine and information technology. Gaps in legislation and the uncertainty of rules pose a risk for both the doctors and their patients.”[iii]

In Deep Sanjeev Pawaskar and Anr. v. The State of Maharashtra[iv], decided by the High Court of Bombay, a doctor provided advice online to an ailing patient because the routine doctor was unavailable and, unfortunately, the patient died. The High Court held the doctor negligent for using telemedicine to treat the emergency. This case led to widespread criticism, as the patient would have died irrespective, and telemedicine had no role to play. The above case triggered the need for new legislation, and the need for remote doctors in the coronavirus pandemic led to the expeditious introduction of these much-awaited guidelines. These guidelines have opened a door to the future of telemedicine in India. While a lot has been discussed about the salient features of this act, I will strictly adhere to examining the guidelines with respect to personal data protection concerns.

Locating privacy under Telemedicine Guidelines

In the course of doctor-patient interaction, a significant amount of data is exchanged from the side of the patient, and the guidelines make it compulsory for the RMP to store and keep a record of all these electronic health records[v]. A Registered Medical Practitioner (RMP) is free to choose the mode of communication for providing telemedicine[vi]. The guidelines list various types of information related to health conditions that the patient needs to provide to the RMP over telemedicine[vii]. Further, the guidelines provide for the maintenance of privacy as well as medical ethics in accordance with the Indian Medical Council Act and rules[viii]. The guidelines also state that the RMP has to abide by the various data protection laws, such as the Information Technology Act and other data protection laws and rules (present as well as notified in future), which provide for the protection of patients’ data[ix]. The guidelines also highlight that a breach of confidentiality by doctors would be declared misconduct and penalized under the IMC Act, ethics, and other laws[x]. Doctors are exempted from charges in cases where there is reasonable evidence to believe that the breach is due to some technological error with no involvement of the RMP[xi].

Reading Telemedicine Guidelines with data privacy laws

Personal information and Data protection Rules 2011

It is quite clear that the telemedicine guidelines have to be read in conjunction with the data protection laws of the country to protect the privacy of patients. After the judgment in K.S. Puttaswamy v. Union of India[xii], privacy is well recognized as part of the fundamental rights of citizens. Data protection in India is governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 under the IT Act. The Puttaswamy judgment has led to the Personal Data Protection Bill, 2019, which is in the process of getting passed by the parliament any time soon this year or the coming year[xiii]. The IT Rules of 2011, as well as the new Personal Data Protection Bill, treat ‘Health Records’ as ‘sensitive personal data or information (SPDI)’. Under the IT Act’s data protection rules, when a corporate body deals with SPDI (collection, storage, transfer, or processing of SPDI), the data protection rules get activated. The data protection rules treat consent as an important requirement, so a doctor or institution is required by law to obtain the consent of the patient in writing for the use of any of his data[xiv]. There is also a restriction on sharing SPDI with a third party without the consent of the patient[xv]. The institution collecting such SPDI also has to put a policy in place and state it clearly on its website[xvi]. A standard procedure for storing data has to be maintained, and there should be provision for modification[xvii] of and opt-out[xviii] from their SPDI if the need arises.

Role of Intermediaries

There are many e-health apps that act merely as facilitators between patients and doctors and are not directly involved in the transaction[xix]. In such cases, these apps or companies act as intermediaries and are subject to the guidelines of the IT Act that apply specifically to intermediaries. Such intermediaries have to carry out certain due diligence, such as including terms of use, the appointment of a grievance officer, and removal of offending/unlawful content within 36 hrs of request.

Telemedicine Guidelines: gaps are still needed to be filled to protect mass sensitive data

With the advent of the Coronavirus pandemic, a lot of state governments are also actively involved in providing their own guidelines[xx] and telemedicine facilities[xxi] through their empanelled state government doctors or through public-private partnership apps and facilities. Although telemedicine has opened a whole new legal world, there are still various legal inadequacies in the telemedicine sector which the present telemedicine guidelines, IT Act, and rules do not properly address.

Firstly, the telemedicine guidelines make no distinction between a ‘data fiduciary’ (a person who stores, collects and processes a massive volume of important data) and a ‘social media intermediary’, nor do they address what happens if both are the same. For instance, many corporate hospitals (e.g. Apollo)[xxii], which have a wide range of medical businesses, also provide telemedicine. Some pharmaceutical companies (e.g. Lybrate)[xxiii] are also in the business of telemedicine.

E-pharmaceutical companies are already facing uncertainties regarding the online sale of drugs, with the central government coming out with Draft Rules 2018 to regulate e-pharma, amending the earlier Drug and Cosmetic Rules of 1945[xxiv]. These rules will also throw light on protecting the data of patients seeking medicines online. But how the draft rules and telemedicine guidelines will be able to regulate e-pharma companies that also provide telemedicine is an area the government needs to focus on, since these companies hold a huge amount of sensitive patient data that is prone to misuse. Many of these apps even provide their own internal channels of communication for doctors and patients. When services are taken from these sites, a huge amount of electronic medical records is transmitted to these companies. Since the doctors belong to the same company, or use a communication channel of the company that is acting as a social media intermediary, believing that data is not shared between them is very optimistic.

Access to such a huge amount of ‘sensitive personal data’ in the hands of corporates without any supervision is troublesome. This data might be used to create algorithms for targeted advertising, shared with third parties, or moved outside the country in bulk. In such a scenario, who would be liable if there is a data breach is a question on which the guidelines are silent. And as the data protection law stands today, there is not much to offer.

So, we have to go through the pending data protection bill[xxv] to find some answers. In the Data Protection Bill, two types of entities have a huge due diligence obligation in dealing with personal data, namely the ‘significant data fiduciary’ and the ‘social media intermediary’. Under the bill, the obligations associated with the significant data fiduciary (a person holding a huge amount of important data, to be notified by the government) are extended to the social media intermediary (‘an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services’[xxvi]). These significant data fiduciaries and social media intermediaries will be notified by the government.

In addition to the provisions for significant data fiduciaries, like maintenance of records[xxvii], data protection impact assessments[xxviii], an audit of policies[xxix], and appointment of a data protection officer[xxx], social media intermediaries are obligated to give users (registering from India or using the services in India) an option for voluntary verification of their accounts. The provisions for the ‘significant data fiduciary’ and ‘social media intermediary’ seem promising for companies dealing with electronic medical health records, but whether hospitals providing telemedicine would be notified as ‘significant data fiduciaries’, or e-health apps storing huge amounts of data as ‘social media intermediaries’, is a question of time, as the bill is still pending.

Parting note

The telemedicine guidelines are a huge breakthrough in the field of medical sciences. The guidelines have tried to address a huge number of anxieties and uncertainties about the practice of telemedicine, but in the context of data protection they sadly do not have much to offer. The guidelines have to be read along with the data protection laws of the country, and as those laws currently stand, they do not have enough impact to ensure the protection of sensitive patient data from the hands of big hospitals doing telemedicine themselves and e-health apps acting as intermediaries for telemedicine. The new Data Protection Bill, 2019, if passed as it is, would address a lot of these gaps, provided the government notifies these hospitals and e-health apps as significant data fiduciaries and social media intermediaries respectively. Another pending bill is the Digital Information Security in Healthcare Act (DISHA), a regulatory platform for sharing digital records among hospitals, which will be based on setting up digital health records in the country[xxxi]. DISHA clubbed with the Personal Data Protection Bill, along with the telemedicine guidelines, would be something to look forward to.


[i] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6618173/

[ii] https://medicaldialogues.in/indian-medical-association-seeks-clear-cut-guidelines-on-telemedication-from-medical-council-of-india

[iii] https://www.mohfw.gov.in/pdf/Telemedicine.pdf

[iv] Criminal Anticipatory Bail Application No. 513 OF 2018

[v] Telemedicine guidelines 2020, section 3.7.2

[vi] Telemedicine guidelines 2020, section 1.4.1

[vii] Telemedicine guidelines 2020, section 3.5

[viii] Telemedicine guidelines 2020, section 3.7.1

[ix] Id

[x] Id

[xi] Id

[xii] 2017 10 SCC 1

[xiii] https://prsindia.org/billtrack/personal-data-protection-bill-2019

[xiv] Rule 5(1) of the Data Protection Rules

[xv] Rule 7 of the Data Protection Rules

[xvi] Rule 4(1) of the Data Protection Rules

[xvii] Rule 5(7) of the Data Protection Rules

[xviii] Id

[xix] https://www.dr-hempel-network.com/digital-health-startups/doctor-patient-platforms-in-india-success/

[xx] See Maharashtra: https://www.maharashtramedicalcouncil.in/Files/Notifications_26032020_MCI%20Notification%20Regarding%20TELEMEDICINE.pdf, See Karnataka: https://www.mondaq.com/india/healthcare/905172/karnataka-government-notificationregulations-on-covid-19

[xxi] See Kerala: https://economictimes.indiatimes.com/industry/healthcare/biotech/healthcare/kerala-govt to-use-telemedicine-service-e-sanjeevani-for-non-covid-patient-care/articleshow/76370573.cms?from=mdr, See West Bengal: https://www.newindianexpress.com/nation/2020/jun/30/west-bengal-sets-up-covid-warrior-club-to-help-contain-pandemic-2163150.html, See Tamil Nadu: https://tsitn.org/telemedicine-facilities-in-tamil-nadu/, See Karnataka: https://economictimes.indiatimes.com/news/politics-and-nation/karnataka-govt-launches-apthamitra-helpline-and-app-to-fight-covid 19/articleshow/75293952.cms?from=mdr, See Delhi: https://www.newindianexpress.com/cities/delhi/2020/jul/04/aap-launches-district-surveillance-telemedicine-hub-to-help-with-covid-19-requirements-2165260.html, See Rajasthan: https://timesofindia.indiatimes.com/city/jaipur/rajasthan-government-starts-free-medical-tele-consultation-service/articleshow/75540116.cms

[xxii] id

[xxiii] id

[xxiv] https://www.mondaq.com/india/food-and-drugs-law/865476/regulations-for-online-sale-of-medicines and-drugs-in india#:~:text=India%3A%20Regulations%20For%20Online%20Sale%20Of%20Medicines%20And%20Drugs%20In%20India&text=The%20draft%20rules%20prescribe%20that,registered%20with%20the%20applicable%20authority.

[xxv] Supra

[xxvi] Section 26 (4) Personal Data Protection Bill, 2019

[xxvii] Section 28 Personal Data Protection Bill, 2019

[xxviii] Section 27 Personal Data Protection Bill, 2019

[xxix] Section 29 Personal Data Protection Bill, 2019

[xxx] Section 30 Personal Data Protection Bill, 2019

[xxxi] https://pib.gov.in/Pressreleaseshare.aspx?PRID=1578929

Privacy Shield is dead. Now what? — A bigger picture

What’s happened? Schrems strikes again. We’re all going to have to find new ways to protect transfers of data to the US – or stop doing it. The ECJ today invalidated the Privacy Shield framework that was cobbled together in 2015 after the ECJ struck down Safe Harbour in response to the original lawsuit Max […]

A key takeaway from SBI’s call for applications for ‘Data Protection Officer’

State Bank of India, to my knowledge, is one of the first Indian Bankers to announce positions for the “Data Protection Officer”.

I am considering this a good sign that the Bank has recognized the need for an exclusive officer. But with the Personal Data Protection Bill still under consideration, the call for applications for the positions might be driven more by the international demand from their foreign branches, which should have received notices from some supervisory authorities of foreign jurisdictions, but it could also be a slight of realization that data protection is a necessity of business.

The educational qualifications required for the post are as follows:

  • Graduation or its equivalent
  • Preferred Professional Certification:
      • Certified EU GDPR Foundation,
      • CIPP (Certified Information Privacy Professional),
      • CIPT (Certified Information Privacy Technologist),
      • CIPM (Certified Information Privacy Manager) etc

Post-qualification work experience required is:

  • Minimum 15 years’ post-qualification work experience (as on 01.04.2020) as Executive/Supervisor in the Corporate Sector, out of which at least 10 years’ experience should be in the BFSI Sector.
  • Preferred: Experience in Data Privacy Laws & Regulations and other Data Security areas with associated IT skills.
  • The age restriction is 55 years and the appointment is contractual for 2 years.

The following special skills have been specified as requirements:

  • High level specialist knowledge in the General Data Privacy Regulation underpinned by theory and experience
  • Evidence of continuing professional and/ or personal self- development.
  • Expert knowledge of data privacy laws and practices.
  • Exposure to Data Privacy laws & regulations such as the General Data Protection Regulation (“GDPR”), UK Data Protection Act 1998 etc.
  • Knowledge of Information life-cycle, risk management & data security areas.
  • Extensive knowledge of Information Governance disciplines.
  • Skill of interpretation of national guidance and legislation and subsequent local implementation.
  • Flair for managing staff and implementing budgets. Training Delivery.
  • Capacity to work with cross functional teams, attention to detail, organizational skills and multitasking.
  • Strong management, motivational & leadership skills with ability to drive large change management programs within organizations.
  • Ability to maintain confidentiality and deal with situations in a sensitive manner.
  • Ability to communicate across all organizational boundaries in an appropriate manner.

Key Takeaway

The job description and specified qualifications do not mention at all knowledge of Indian data protection law, either on the basis of the Information Technology Act 2000 or (Amendment) 2008 or on the basis of the proposed Data Protection Bill.

The usage of “etc” at various places may include the knowledge of such laws, which may be taken into consideration when candidates are screened.

Overall, such an announcement indicates that other Banks will also soon start considering these positions and opening opportunities for “Data Protection Professionals”.

Let us talk about E-Contracts (II): E-Commerce Business Models

Without any argument, new communication systems, especially digital payment technologies, have supplanted the snail-paced conventional systems of communication and transactions. Business communities and consumers are increasingly using digital means to send and receive information in electronic form. The reason is that the information technology (IT) has abridged the time and distance factor in transacting business. Nowadays, inflow and outflow of information have become instant and momentary. Therefore, one principal contribution of IT is in the field of contract-formation.

Electronic contracts (e-contracts) are born out of the need for speed, convenience and effectiveness. The law has already recognised contract-formation using facsimile, telex and other similar technologies.

Let us envision a contract between an Indian businessman and an English businessman. Away from digital means, one option is that one party first draws up two copies of the contract, signs them and sends them (through postal or courier service) to the other, who, in turn, signs both copies and sends one copy back. The other option would be that the two parties meet somewhere and sign the contract. However, within the digital world, the whole process can be completed in seconds, with both parties simply affixing their electronic signatures to the electronic copy of their contract. There is, thus, no need for a tardy dispatching mechanism (postal or courier services) and/or supplementary travelling costs in such a situation.

Before proceeding with the E-Contracts, let us have a brief look at the basics of the business model and kinds of transactions under which e-contracts are mostly used.

E-Commerce Business Models

Electronic commerce (e-commerce), in a very general sense, refers to buying and selling products and services over the internet and the World Wide Web (www). E-commerce, however, in actuality, includes all forms of commercial transactions involving both—organisations and individuals—that are based upon the electronic processing and transmission of data including text, sound, and visual images; and involves transactions over the internet as well. In addition, e-commerce also refers to the effect that the electronic exchange of commercial information may have on the institutions and processes that support and govern commercial activities.

There are several ways of looking at e-commerce:

(1) From a communications perspective, it is the ability to deliver products, services, information, or payments via networks like the internet.

(2) From an interface view, it means information and transaction exchanges: business-to-business (B2B), business-to-consumer (B2C), consumer-to-consumer (C2C), and business-to-government (B2G).

(3) As a business process, e-commerce means activities that support commerce electronically by networked connections. For example, business processes like manufacturing and inventory, and business-to-business processes like supply chain management, are managed by the same networks as business-to-consumer processes.

(4) From an online perspective, e-commerce is an electronic environment that allows sellers to buy and sell products, services, and information on the internet. The products may be physical, like cars; or services, like news or consulting, etc.

(5) As a structure, e-commerce deals with various media: data, text, web pages, internet telephony, and internet desktop video.

(6) As a market, e-commerce is a worldwide network. A local store can open a web storefront and find the world at its doorstep—customers, suppliers, competitors, and payment services. Of course, an advertising presence is essential.

Types of Online Transaction

Online transactions can be recognised and categorised in four ways:

Business to Customer (B2C)

It is the transaction where a business entity on one side and an individual customer on the other conduct business. The expression B2C has been commonly used to refer to a sale by a business enterprise or retailer to a person or ‘consumer’ conducted through the internet. For instance, Flipkart.com, which provides facilities for customers to buy goods from the website, is an example of a B2C e-business. In this situation, the website itself serves the purpose of a shop. B2C transactions can relate to both tangible and intangible products. The focal point of this e-commerce application is on the consumer’s use of a merchant’s web storefront or website. Consumers from any place can browse and order goods and services online at any time. B2C is an electronic equivalent of the conventional mail-order or telephone-based ordering system.

Business to Business (B2B)

It is the type of e-commerce where there is an exchange of products, services, or information between businesses using the internet, rather than between businesses and consumers. Alibaba.com is a prominent example of the B2B model.

Customer to Business (C2B)

Customer to Business (C2B), also known as Consumer to Business, is the most recent e-commerce business model, where individual customers offer to sell products and services to companies that are prepared to purchase them. It is the opposite of the traditional B2C model. Examples of this model are blogs or internet forums where the author offers a link back to an online business facilitating the purchase of some product (like a book on Amazon.com), and the author might receive affiliate revenue from a successful sale.

Customer to Customer (C2C)

It is the transaction which involves two or more customers, with a business entity merely providing a web-based interface to facilitate the consumer-to-consumer (C2C) transactions. The expression C2C generally refers to the sale of a product pertaining to a consumer to another consumer, either directly or through an intermediary exclusively dedicated to this activity. One of the best examples of a C2C website is Ebay.com, which is an online auction site where any person can buy, sell, and exchange goods and articles. This website provides the web-based interface (i.e. the website with its database and other functions) and users can transact freely with each other. Another example is Amazon, which, in fact, acts as both a B2C and a C2C marketplace.

Recommended Readings

  • Alan Davidson, The Law of Electronic Commerce, Cambridge University Press, (2009).
  • R K Singh, Law Relating To Electronic Contracts (2017)

Let us talk about E-Contracts (I): Electronic agents and conclusion of online contracts

The advancements in the internet as a means of facilitating contract formation do not, at first read, present a situation different from that applicable to a facsimile or telex. An e-contract can be created either via the exchange of e-mails or by the completion of a document on a website which is submitted to another party electronically. While it is true that, to a great extent, e-contracts are modernised methods of contract formation that do not require any particular changes to the law, there are still some particular issues arising from their electronic form. This post will discuss the international instruments that provide legal recognition to e-contracts and their very advanced facets.

A contract is concluded if the parties intend to be legally bound, and they reach a sufficient agreement. Conclusion of contract with offer and acceptance: a contract can be concluded by the acceptance of an offer.

There are various ways to conclude e-contracts. The significant and interesting ones are as follows:

Forming contracts via electronic communications (such as e-mails)

The simplest e-contract is concluded by the exchange of text documents via electronic communications, such as e-mail. Offers and acceptances can be exchanged totally by e-mails, or can be combined with paper documents, faxes, telephonic discussions, etc.

Acceptance of orders placed on online marketplaces

The vendor/supplier can offer goods or services (such as air tickets, software, etc.) through his website. The vendee, in such cases, places an order by completing and transmitting the order form provided on the website. The merchandise may be physically delivered later (e.g., in the case of outfits, CDs, books, etc.) or be immediately delivered electronically (e.g., in the case of e-tickets, software, etc.).

Online agreements

In some cases, users are required to accept an online agreement in order to be able to avail the services e.g. clicking on ‘I agree’ while installing software or clicking on ‘I agree’ while signing up for an e-mail account.

The electronic data interchange (EDI)

It is the inter-process communication of business information in a standardised electronic form. That is, they are contracts used in trade transactions which enable the transfer of data from one computer to another in such a way that each transaction in the trading cycle (for example, commencing from the receipt of an order from an overseas buyer, through the preparation and lodgment of export and other official documents, leading eventually to the shipment of the goods) can be processed with virtually no paperwork. In this case, the data is formatted by means of standard protocols, so that it can be implemented directly by the receiving computer. EDI is frequently used to transmit standard purchase orders, acceptances, invoices, and other records, and thus reduces paperwork and the potential for human errors. In this type of contract, in contrast to the above methods, there is an exchange of information and completion of contracts between two computers and not an individual and a computer.

Through electronic agents/bots

It is possible for computer users to instruct the computer to carry out transactions robotically. For instance, in today’s supermarket, the computer updates its inventory as items are scanned for sale. When the stock of an item falls to a predetermined level, the computer is programmed, without human involvement, to contact the computer of the supplier and place an order for replacement stock. The supplier’s computer, exclusive of human intervention, accepts the order and the next morning automatically prints out worksheets and delivery sheets for the supply and transport staff.

These electronic agents are programmed by and with the authority of the purchaser and supplier. The legal status of electronic agents has not been clarified by the courts, but the most common view is that like any other piece of equipment under the control of the owner, the owner accepts responsibility. A computer is a tool programmed by or with a person’s authority to put into operation their intention to make or accept contractual offers.

According to Russell and Norvig, ‘An agent is anything that can be viewed as perceiving its environment through sensors and acting upon that environment through effectors. A human agent has eyes, ears, and other organs for sensors, and hands, legs, mouth, and other body parts for effectors. A robotic agent substitutes cameras and infrared range finders for the sensors and various motors for the effectors. A software agent has encoded bit strings as its percepts and actions.’

Such electronic agents and devices have features which facilitate humans in their normal interaction and functions, such as intelligence, autonomy and pro-activeness. The idea of having intelligent systems—to assist human beings with routine tasks, to sift through an enormous amount of information available to a user and select only that which is relevant—is not novel and a lot of work and results have already been achieved in the field of artificial intelligence (‘AI’).

Legal recognition of electronic agents

The E-Commerce Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 does not address the issue of automated transactions made through electronic agents. The explanatory notes of the proposal of the E-Commerce Directive state that the Member States should refrain from preventing the use of certain electronic systems, such as intelligent electronic agents, for making a contract. But the final version makes no reference to electronic agents in the main text or in the recital. The deletion of the proposed text furnishes a sign of the EU’s failure to respond to the tremendous growth of e-commerce. It is also not in consonance with the preamble to the Directive, which states that the purpose of the Directive is to stimulate economic growth, competitiveness and investment by removing many legal obstacles to the internal market in online provision of electronic commerce services. The exclusion of the provision giving legal recognition to electronic agents is a step backwards and a failure to recognise the role of electronic agents in fostering the development of e-commerce, such as lowering transaction costs, facilitating technology and adhering to international conventions.

The United Nations Convention on the Use of Electronic Communications in International Contracts 2005 (hereinafter referred to as the ‘UNCUECIC’) contains provisions dealing with issues such as determining a party’s location in an electronic environment; the time and place of dispatch and receipt of electronic communications and the use of automated message systems for contract formation. Art.12 of the UNCUECIC, which deals with the use of automated message systems for contract formation, states, ‘A contract formed by the interaction of an automated message system and a natural person, or by the interaction of automated message systems, shall not be denied validity or enforceability on the sole ground that no natural person reviewed or intervened in each of the individual actions carried out by the automated message systems or the resulting contract.’ The objective behind the adoption of the uniform rules was to remove obstacles to the use of electronic communications in international contracts, including obstacles that might result from the operation of existing international trade law instruments, and to enhance legal certainty and commercial predictability for international contracts and help States gain access to modern trade routes.

In the USA, the Uniform Electronic Transactions Act, 1999 (UETA) expressly recognises that an electronic agent may operate autonomously, and contemplates contracts formed through the interaction of electronic agents and those formed by the interaction of electronic agents and individuals.

Section 14 of the UETA reads as follows:

In an automated transaction, the following rules apply:

(1) A contract may be formed by the interaction of electronic agents of the parties, even if no individual was aware of or reviewed the electronic agents’ actions or the resulting terms and agreements.

(2) A contract may be formed by the interaction of an electronic agent and an individual, acting on the individual’s own behalf or for another person, including by an interaction in which the individual performs actions that the individual is free to refuse to perform and which the individual knows or has reason to know will cause the electronic agent to complete the transaction or performance.

(3) The terms of the contract are determined by the substantive law applicable to it.

Section 14 of the UETA, which is based upon Article 11 of the UNCITRAL Model Law on Electronic Commerce, deals with ‘automated transaction’. This Section states that contracts can be formed by machines functioning as ‘electronic agents’ for parties to a transaction. It wipes out any claim that lack of human intent, at the time of contract formation, prevents contract formation. When machines are involved, the requirement of intention flows from the programming and use of the machine. It is quite evident that the main purpose of this provision of the UETA is to remove barriers to electronic transactions while leaving the substantive law, e.g., law of mistake, law of contract formation, unaffected to the greatest extent possible. The Uniform Computer Information Transactions Act (UCITA) also has provisions supporting the ability of electronic agents to make binding contracts.

Recommended Readings

  • Wooldridge & Jennings, ‘Intelligent Agents: Theory and Practice’, Knowledge Engineering Review, (June 1995) Vol. 10 No. 2, Cambridge University Press (1995).
  • Alan Davidson, The Law of Electronic Commerce, Cambridge University Press, (2009).
  • R K Singh, Law Relating To Electronic Contracts (2017)