‘Dark Patterns’ in Digital Economy: The curious case of regulating digital interfaces

Problem

Amid the ongoing pandemic crisis, there has been a surge in demand for online forms of services wherever possible. Unfortunately, the greater dependence on digital platforms has seen a rise in financial fraud as well. This may be partly attributed to Indian consumers’ digital illiteracy and inability to identify dubious digital features of user interfaces (UI) as deployed by clever service providers to entrap consumers. This calls for the government to introduce regulatory safeguards in the digital finance ecosystem to prevent service providers from leveraging the cognitive limitations of vulnerable consumers through in-app tricks.

Until recently it was common for online travel booking portals to bundle travel insurance with bookings. They used pre-checked consent boxes at the payment stage to default the users into buying insurance cover, even when the user had no active interest in purchasing the product. To the surprise of many, the Insurance and Regulatory Development Authority of India (IRDAI) reacted against this practice and directed insurance companies to “ensure that any portal or App providing the travel insurance coverage shall not pre-select the option of buying the travel cover as a default option”. IRDAI raised concerns that such clever in-app defaults impede consumers’ “informed choice”. This regulatory intervention was the first of its kind in India where a regulator objected to the use of dark patterns in UI and brought to light several concerns such practice entails with regards to consumer protection in the digital economy.

Background

The pre-checked buttons in digital interfaces is a classic example of a dark pattern. The term ‘dark pattern’ was coined by Harry Brignull, who defines them as interface designs that “trick users into doing things that they might not want to do, but which benefit the business in question”. In the example above, the use of ‘pre-checked boxes’ assume the user’s default preference as to purchase an add-on financial service even when it is not the case. Here the users are expected to be attentive to uncheck the box and opt-out. But as the UK’s Financial Conduct Authority has submitted, often consumers use digital services under time constraints and are less likely to opt-out or be aware of existing defaults. Therefore, beset by their cognitive vulnerabilities, limited rationality and the constraints on time and attention, a sizeable proportion of consumers end up buying services without informed consent.  

More worryingly, research suggests that individuals with lower levels of education and in urgent need of money make for easy targets for financial service providers. This has significant implications for India, which is characterised by low income, low levels of digital literacy and a sizeable proportion of first-time users of the internet. Such consumers having subscribed for financial services unintentionally and unknowingly get severely exploited. For instance, the Reserve Bank of India (“RBI”) recently mentioned the reports where individuals have fallen prey to dubious digital lending platforms which promised easy credit but trickily charged excessive interest rates and adopted high-handed and inappropriate recovery methods. RBI highlighted that digital platforms are ‘misusing’ in-app digital agreements to access data on the mobile phones of vulnerable consumers and sending messages to their contacts, categorising them as delinquents and using social shaming to recover credit. It is these tactics of digital lending apps that has now resulted in harassed consumers committing suicide, which eventually has prompted RBI to scrutinize lending platforms closely.

Solution

Dark patterns based interfaces are manipulative in sharp contrast to persuasive marketing efforts. The distinction between personalisation and manipulation has been at the heart of policy issues that stem from the use of personal information during the supply of financial services. It is crucial that a legal framework must be incorporated to identify manipulative dark patterns in the context of consumer’s choice, value-system, and socio-economic background.

Regulators with direct jurisdiction over dark patterns include data protection authority, consumer protection authority and the sectoral regulator(s) that has jurisdiction over the provider using dark patterns. Simultaneous jurisdiction can lead to duplication of regulation or regulatory arbitrage. In the US, Federal Trade Commission (“FTC”) is the federal body in charge of consumer protection and regulates dark patterns by using its power to punish “unfair and deceptive practices” under section 5 of the Federal Trade Commission Act. FTC v AMG Capital Management is an important ruling on dark patterns where AMG, a payday lender, deployed dark patterns in its digital loan agreement to auto-renew (instead of close) expensive payday loans as a default option. The FTC found AMG Capital Management guilty of unfair and deceptive practices.

In India, dark patterns such as hidden costs could fall under the remit of section 11(ii) of the Consumer Protection Act 2019 (“CPA”) and the Central Consumer Protection Authority (“CCPA”) to redress such issues. But the absence of broad terms like “unfair and deceptive practices” in the CPA could significantly constrain the regulator’s effectiveness in regulating other kinds of dark patterns. Therefore, consumer protection legislation could be amended to allow CCPA to regulate dark patterns comprehensively. Further, as significant as regulation is, it is important to design appropriate regulatory tools that regulators could use.

Implementation

  • CCPA shall issue guidelines clarifying which market practices could be considered manipulation or personalization. To achieve this, the regulator must crowd-in opinions from the community, engage in inclusive public consultations, conduct primary studies to gauge users’ privacy preferences and be transparent about their decision-making processes.
  • The success of regulators in regulating dark patterns will depend on the language of the existing statute and its ability to include dark patterns as the ‘cause of action’. To overcome dark patterns, existing consumer protection framework could be amended to equip them to deal with them.
  • Amended legislative framework should enable regulators to undertake audits looking for digital interfaces that foster deceptive and unsuitable selling or nudge users to share excessive personal information. Regulators could also lay out model interfaces or guidelines to help providers design user-friendly interfaces.
  • For cases in which intervention by more than one regulator is needed, a comprehensive legislation defining a mechanism for inter-regulatory coordination should be enacted.

A trend of Blockchain-MMORPGs and legal uncertainties surrounding MMORPGs

Background

Massive Multiplayer Online Role-Playing Games (“MMORPGs”) are virtual worlds in which players act as inhabitants and band together to engage in immersive gameplay.[1] There are MMORPGs which are real-world simulations, and allow players to create an avatar in the game and collect assets such as money, weaponry, clothing, land, or other goods that have “value” inside the game’s virtual world.  The characters purchase homes, cars and other everyday items with the use of in-game’s currency which could be in form of ‘credits’ or ‘tokens’. These credits are bought by players using real-money. These games also provide a marketplace where players can sell or trade the virtual assets to each other. Some MMORPG’s provide the option of cashing out the real money by redeeming the credits earned through trading of virtual assets. Therefore, certain numbers of MMORPGs have now become a source of generating revenue as well.

Objective

This blog traces and analyses a list of MMORPGs and the common practices they follow while serving online gamers.

Analysis

There are two categories of real-world simulation MMORPGs right now. One is traditional real-world MMORPGs, such as the Entropia Universe and Second Life, where players were given the option to trade virtual in-game currency back for fiat money. Others are blockchain based MMORPGs where players are actually buying in-game assets which are non-fungible tokens (NFTs) based assets or cryptocurrency based virtual currency and trading it back for fiat money.

Key difference: Blockchain based MMORPGs have cyptocurrency based assets, for instance if you buy a land which is based on ERC 20 tokens, you are effectively buying a ERC 20 token. This really allows a player to assert the absolute ownership over the virtual assets even if game ceases to exist. Unlike Entropia Universe, which charges subscription, taxes and maintenance fees for each asset you buy and if the site goes down, the in-game assets also cease to exist.[2] 

Please find the following list of popular MMORPGs along with their category:

S. No.Game Name (with hyperlinks to relevant whitepapers, code of ethics or ToU)Category
1.Entropia UniverseIn-game currency based MMORPG
2.Second LifeIn-game Currency based MMORPG
3.RobloxIn-game Currency based MMORPG
4.DecentralandBlockchain based MMORPG
5.The SandboxBlockchain based MMORPG
6.NeoworldBlockchain based MMORPG
7.CryptovoxelsBlockchain based MMORPG

Observations

Following takeaways can be made out on reading of whitepapers and legal documents released by the aforementioned games:

  • In blockchain based MMORPGs, land or assets are parcels based on non-fungible tokens (this varies extensively – ERC 2O, ERC 271, or ERC 1155) and, therefore, allows a player to be assure about his ownership to an in-game asset which he/she buys in exchange of money. It is just like buying a bitcoin.
  • All these platforms have marketplaces where players can buy virtual assets or credits for certain real money or fiat currency. The platforms have facilitated the movement of funds between buyers and sellers in these marketplaces. Surprisingly, they do not provide exhaustive code of conduct related to marketplaces.
  • The user-verification related process is not standard and inconsistent across all the platforms. Only one platform, Decentraland mentions about Know Your Client (KYC) process. In this situation, if a regulator scrutinizes a MMORPG platform from the money laundering perspective, then the platforms with no KYC/AML processes in place are likely to face the regulatory heat i.e. a possible ban.
  • All the platforms recognize the threat of uncertain regulatory environment, even in-game currency based MMORPGs, and they specifically mention in their disclaimer that continuity of services is subjected to regulatory actions in a particular jurisdiction.
  • Majority of successful platforms like Decentraland, Entropia Universe, and Second Life, acknowledge in terms of use, their responsibility to maintain records of finance for all funds transactions in connection with the use of the gaming service.
  • Out of all blockchain based MMORPGs, only Decentraland specifically acknowledges the risk associated with cryptocurrency – volatility risks, regulatory risks, and risk of drastic changes in Ethereum blockchain.
  • All the gaming platforms provide that in case of any tax will be required to pay for virtual assets and transactions owned by players in their jurisdiction, the player is responsible to pay that tax.
  • Only Entropia Universe clarifies that ‘gambling’ activities are expressly forbidden in its virtual in-game universe.

Conclusion

Following are the best practices that players interested in playing a MMORPG or developers interested in developing a MMORPG, shall consider to obviate risks in an environment of regulatory uncertainty: 

  • Platforms looking to incorporate a virtual currency into a game or app without triggering potential money laundering obligations must have proper KYC/AML procedures in place.
  • The virtual currency should be for in-game purchases only, such that there should be no ability for players to directly sell, exchange, transfer, or cash out any virtual currency they have purchased in exchange of cash.
  • As most of the popular platforms have deployed, avoid a claim that the in-game virtual currency represents fiat currency. Further, a disclosure that the virtual currency represents certain risk subject to prospective regulatory actions.
  • There should be a simple and readable policy related to marketplace transactions with focus on avoiding risks of assumption by players that the marketplace purchases imply any sort of ownership of virtual assets.

(Authored by Abhijeet Vaishnav, volunteer-researcher, with inputs from Aryan Babele)


[1] http://www.commonlii.org/in/journals/INJlLawTech/2006/4.pdf

[2] https://cryptobriefing.com/will-second-life-get-a-second-life-five-virtual-lands-on-the-blockchain/.

Comments on the NITI Aayog’s draft ‘Guiding Principles’ for the ‘Regulation of Online Fantasy Sports Platforms in India’

On 5th December 2020, NITI Aayog released a draft for discussion titled ‘Guiding Principles for the Uniform National-Level Regulation of Online Fantasy Sports Platforms in India’ (“Draft Report”), seeking comments from different stakeholders of fantasy sports industry. The Draft report hits two birds with one stone; firstly, it proposes to establish a single Self-Regulatory Organization (SRO) for Online Fantasy Sports Platforms (OFSP) so as to enable ‘light touch’ regulatory framework, secondly, these guidelines also act as a ‘regulatory sandbox’ for OFSP.  

A brief summary of our submission to NITI Aayog with comments, concerns and recommendations in relation to the Draft Report are as follows: 

Recognition for all categories of “pay-to-play” online games

Apart from online fantasy sports, there are many other pay-to-play format of online games like rummy, cricket simulation etc. that are offered using the same digital interface through which they offer online fantasy sports contests. For instance, Paytm First Games and Mobile Premier League, to name a few. We have raised the concern that governing only OFSP could result in complex situation for online gaming industry in general and such all-in-one online gaming platforms in particular. We recommend that by virtue of these guidelines all “pay-to-play” formats of online games should be recognised.

Specify definition and extent of the term ‘fantasy sports’

The Draft Report neither defines the term neither ‘fantasy sports’ nor enlists activities that might constitute the same under the proposed framework. The framework proposes that “all formats” of fantasy sports offered by OFSP must be skill-predominant. There is no clarity whether ‘free to play’ formats, which doesn’t involve any stake of players and are risk-free, are also required to be game of skill. In our comments, we have formulated an element-wise definition of ‘fantasy sports’ wherein we have specifically pleaded that the definition should exclude free to play format specifically from the definition of fantasy sports.

The proposed framework requires a platform to take approval from SRO if offering a fantasy format different from judicially determined game of skill. There are three HCs which have analysed the Dream 11’s format as game of skill and no definitive criteria have been laid down by any of them for determining whether a fantasy format is game of skill or not. Therefore, we believe that ‘judicially determined’ format of fantasy sports is subjective and the framework should itself provide objective test in the Draft Report itself.   

Uniform and diverse representation in the SRO

The Draft Report prescribes that only a fantasy sports industry body, which have as members OFSPs with registered user base, in aggregate, equivalent to at least 66 percent of registered users of online fantasy sports in India, could be recognised as SRO by the Government. This is an absurd eligibility criterion as the concentration of users is not uniform across OFSPs. In such a scenario, there is a risk of disadvantage to the interests of OFSPs with small user base.

The proposed model of membership of SRO leaves aside many other participants of the fantasy sports industry like advertisers, payment service providers, consumer bodies etc. We recommend that the eligibility criterion for recognition of an industry body as SRO must be based on diversity and number of members rather than the strength of user base of its members. This will lead to a holistic and pervasive regulatory framework.

Requirement of minimum safeguards in the organizational framework of SRO

Three internal bodies have been envisaged within the proposed SRO: an independent oversight board, a grievance redressal mechanism and an evaluation committee. We recommend that a governing body, in addition to the internal bodies, must be constituted. Further, basic principles and minimum safeguards must be incorporated in the framework to ensure independence of oversight board, transparency in working of grievance redressal body and evaluation committee, etc.

Clarity on how safe-harbour exemption will be implemented

The guiding principles proposed in the Draft Report grant safe-harbour exemption or a criminal immunity to all the member-OFSPs of the SRO. As “gambling and betting” is a subject of the state list, it is recommended that a clarificatory note be released by the NITI that fantasy sports be construed as a class apart from gambling rather than exception. In short, fantasy sports should be governed by the Union using its residuary powers under Entry 97 of List I.

(Authored by Eukti Garg, Volunteer-Researcher at LawforIT, with inputs from Aryan Babele)

Hiring a ‘ghost-writer’ in India: the question of copyright?

Ghost-writing can be described in any of the following four ways: (i) failing to list as an author someone qualified for authorship; (ii) failing to acknowledge writing support; (iii) dishonesty/plagiarism; and (iv) practices such as undisclosed authorship or undisclosed funding for writing support.[1] Alternatively, ghost-writing is a contractual arrangement under which a writer is hired and “paid to produce written work” with the understanding that “the buyer will claim and use it as his own”.[2]

Relevant Law

A copyright subsists in the “original literary works” such as the content of any book.[3] Authors of such copyrighted content or work enjoy certain economic rights or exclusive rights.[4] Also, the Copyright Act provides for the joint authorship when a work is prepared by more than one author in collaboration.[5] The Copyright Act 1957 (“the Act of 1957”) entitles the author or creator of the work as the first owner of copyright i.e. ghost-writer, and vests with author the exclusive right to reproduce, publish, perform, display, or create “derivative works” from its primary work.[6] Further, as per Section 57 of the Copyright Act, the author of a work has the moral right to be attributed as the author of his work even after the assignment, either wholly or partially, of the said copyright.[7] Lastly, Section 18 permits assignment by a prospective owner, i.e., a person who is not the first owner as defined in section 17, in a future work through a written agreement for assignment.[8] However, as per the proviso, parties can enter into an agreement for assignment of copyright in any future work, but the assignment itself takes place only after “the work” comes into existence and not before.[9]

Observation

An author may create a work on his own behalf or at the instance of another person for valuable consideration. The ghost writers are latter one. Such a work is, obviously, a form of plagiarism, however it is with consent of the actual author (the ghost writer) of the work and that makes it acceptable as a work of the ostensible author who is commissioning the work. Under Indian law, the legal position regarding such ghost-writing assignment is unclear in comparison to the international jurisdiction which specifically delineates legal standing on works made for hire (or commissioned works).[10]

Under Indian law, as per the Copyright Act, 1957, in absence of any agreement to the contrary, the person at whose instance the work is made is the owner of the copyright work under Section 17. Since there is no copyright in ideas even if they are original, the originator of the idea is not the owner of the copyright in the work which gives concrete form to the idea.[11] Therefore, where a person provides the material to another for writing a book and the latter (ghost writer) writes the book on the basis of the materials supplied then the latter becomes the owner of the copyright in the book.[12] In order to be an author of a work, a person must accordingly do more than contribute ideas to an author and it is not enough that he passed on his reminiscences to a ghost writer.[13]

In this context, Section 18, therefore, provides that in order to grant exclusive right in a literary work to a person, who is not the owner of copyright within the meaning of the Act to assign his rights in any future work, there should be a contract of assignment in existence.[14]  This way it will be treated as a contract of services and as per Section 17(b) of the Act, authors engaged under contract for service will lose the copyright.[15] Further, Section 57 of the Copyright Act, 1957 recognizes moral rights of the author, such that even after the assignment either wholly or partially of the said copyright, the author of a work shall have the right to claim the authorship of the work. Although, the jurisprudence in terms of waiver of moral rights is slightly unsettled but under several cases contract of services have been upheld and the “contracting out” has been made “permissible provided it is voluntary and does not deal with a matter of public policy”.[16]

Therefore, in the instant case, a collaboration agreement between hirer and the ghost author will form the essence of the copyright ownership. Absent a formal written agreement, ownership of the written work will be governed by the default provisions of the Copyright Act – and not necessarily according to the parties’ wishes. Under that situation, by virtue of Section 17 and Section 57, the ghost author will be the actual author or first owner of the work and consequently will be entitled to economic and moral rights, exclusively.

The best way to address this so that hirer has full ownership of a wriiten work:

To avoid such a situation, there should be a contract of assignment beforehand between the two parties such that the ghost writer will assign the rights of future work prospectively to hiring person. Following are certain steps that will help a hiring person in retaining the full ownership rights in creative works of authorship for a written work:

  • A hiring person should make it certain to have a written agreement with the ghostwriter who will actually author the written work and other allied works.[17]
  • The parties must specifically include in their written contract a provision that the ghost writer is assigning his copyright to the author that will serve as a back-up just in case the work fails to satisfy the ‘contract of services’ requirements of the Copyright Act.
  • The agreement should set extent of rights, deadlines, budgets, compensation, address author credit, decision-making, liability, death, disability, and, if properly drafted, outline a joint exit strategy.[18]
  • If the work fails to qualify as a work under contract of services, exercise, if possible, the defense of “joint authorship” to prevent the loss of “all” the rights in the work. This requires that a hiring person should mention in the collaboration agreement that he is also contributing the “expression of ideas” for the written work.

(Views are personal only. The content of this blog should not be construed as legal advice in any case)


References

[1]Lisa Tora et al, Ghostwriting in biomedicine: a review of the published literature., Journal Current Medical Research and Opinion  Vol 35(9) (2019), https://www.tandfonline.com/doi/full/10.1080/03007995.2019.1608101

[2] Nandita Saikia, Ghost-writing, Plagiarism and Copyright, IN Content Law, https://copyright.lawmatters.in/2010/09/ghost-writing-plagiarism-and-copyright.html.

[3] S. 13, The Copyright Act, 1957.

[4] S. 14, The Copyright Act, 1957.

[5] S. 2(z) and S. 13, The Copyright Act, 1957.

[6] S. 17, The Copyright Act, 1957; Eastern Book Company v. D.B. Modak, (2008) 1 SCC 1.

[7] S.57, The Copyright Act, 1957

[8] S. 18, The Copyright Act, 1957.

[9] Indian Performing Right Society Ltd. v. Eastern Indian Motion Pictures Association , (1977) 2 SCC 820

[10] Title 17 U.S.C. § 101, the Copyright Act.   

[11] R.G. Anand v. Delux Films , AIR 1978 SC 1613; Sreenivasulu N.S., Law relating to Intellectual Property, Penguin-Partridge Publications, Bloomington, Indiana, USA, First Edition, 2013, Pg. No: 485.

[12] R D Ryder and Sreenivasulu N. S., Copyright and Third Sector, 7 RMLNLUJ (2015) 39.

[13] Evans v. E Hulton & Co. Ltd., [1923-8] Macg Cop Cas 51.

[14] Diljeet Titus Advocate & Others v. Alfred A. Adebare & Others , 2006 (32) PTC 609 (Del)

[15] Gee Pee Film Pvt. Ltd. v. Pratik Chowdhury & Others , 2002 (24) PTC 392.

[16] Centrotrade Minerals and Metal. Inc. v. Hindustan Copper Limited, (2006) 11 SCC 245; Sartaj Singh Pannu vs Gurbani Media Pvt Ltd & Anr 2015 (63) PTC 590 Del; Ameet Datta, Moral rights: can authors waive their special rights?, Lexology, https://www.lexology.com/library/detail.aspx?g=0e35276b-9737-47dd-9c1a-94ef6d25036d.

[17] Kaplan v. Vincent, 937 F. Supp. 307 (SDNY 1996) (If the parties had a well-drafted collaboration agreement – as opposed to oral understanding — legal entanglements would have been avoided).

[18] Dorling Kindersley (India) Pvt. Ltd. v. Sanguine Technical Publishers & Others 2013 (56) PTC 40 (Del) at p. 62. (The territorial extent should be specified)

The case of Content Aggregator Platforms: PVR Ltd. v. Just Dial Ltd.

Content aggregation platforms like JustDial are sites that collate, index and distribute hyperlinks to third-party content and displays it on a single webpage for their users’ reference.[1] Aggregators ensure listing of businesses by associating latter’s websites with their platforms using various tools such as deep-links, framing and meta-tags.

Deep-links are hyper-links in the form of an image or text which on selection redirects the user to the specific content/webpage of the source’s website.[2]

Framing is the process by which multiple webpages of another websites are displayed as separate windows/frames on a single webpage of the aggregator’s platform.[3]

Meta-tags are words and phrases in the HTML code of the website, related to the particular content, which become identifiable and a part of the search results when a user searches using the terms on search engine corresponding to the embedded words and phrases.[4]

The case of copyright, trademark and/or other proprietary rights of entities listed on its platform

Content aggregator’s ability to publish or post the relevant content that it obtains from the third-party sources is limited by the copyright and trademark laws of India and by the terms of any agreement entered into with the content-provider or listed entities.[5]

Observation: Aggregator lists business entities on its platform in exchange for a fee. If any entity willingly lists itself on the platform after paying a fee and agrees to the client’s terms of use which provides for use of the information/links/metatags of the business by the aggregator then there will be no violation of the copyright, trademark and/or other proprietary rights of entities listed on the platform.[6] However, if JustDial provides information on its platform about any listed entity, without any prior agreement or consent for utilizing the deep-links or separate frames to the website of the entity, then such links shall inadvertently infringe copyrights or trademarks owned by the entity’s website, as it results in by-pass or duplication of the information contained in the linked webpage.[7] Further, aggregator’s use of meta-tags of such listed entity will result in misapprehension in the mind of the former’s customers that it is authorized by or associated with the latter entity.[8]

Relevant Law: Copyright subsists in the “original literary works” such as the content of any website.[9] The Copyright Act 1957 (“the Act of 1957”) entitles the first owner i.e. the listed entity, with the exclusive right to reproduce, publish, perform, display, or create “derivative works” from its website’s content (primary works). [10] Therefore, a copyright is “deemed to be infringed” if any of these exclusive rights (listed entity’s rights to publish or create “derivative works” through deep-linking or framing respectively to its website) are exercised by the infringer without the permission of the former.[11] Further, the Trademarks Act 1999 (“the Act of 1999”) provides an inclusive definition of “mark” which includes the meta-tags of a website as well.[12] By virtue of the Act of 1999, unauthorized use of trademarks as meta-tags constitutes infringement of registered trademark.[13] However, deep-links, frames and meta-tags could be utilized subjected to “fair use” and “nominative use” exceptions.[14]

In PVR Ltd. v. Just Dial Ltd,[15] the Delhi High Court prima facie held that unauthorised listing of information (ticket-booking details, movie schedule, addresses and pictures of PVR movie theaters), as available on PVR.com, by JustDial using deep-links and frames to and meta-tags of PVR.com, gives the public impression that there is a nexus between the both. Thus, it resulted in exploitation of PVR’s goodwill by JustDial that amounted to copyright and trademark infringement and passing-off. It is considered as the first case in India which deals with the legality of content aggregation tools collectively.

The legality of use of deep-links, frames and meta-tags has also been questioned multiple times in cases of major jurisdictions such as the USA, the UK and Canada.[16] The majority of courts of these jurisdictions have held that the unauthorised use of deep-links, frames and meta-tags of primary website is deceptive to the public and has granted an injunction against content aggregation platforms.   

What are the liabilities that the aggregator’s platform can incur due to the user reviews? What are the measures that aggregator’s platform can put in place to mitigate these liabilities?

Observation: Aggregator’s platform is also a user-review platform which gives its users the ability to review and rate the various businesses listed on its directories. Evaluation platforms/sites provide an opportunity for users to post comments on businesses, in addition to reviewing and ranking them.[17] Such reviews and ratings are usually couched in terms of opinion but could be extremely negative, false or defamatory at times. Since these reviews and ratings are entirely users’ opinions and user-generated contents, the consumer review site cannot be held liable for the same.[18]

Relevant Laws: A user-review platform is an ‘intermediary’ under the Section 2(w) of the Information Technology Act, 2000 (“IT Act”).[19] The ‘intermediaries’ like JustDial are granted an immunity under Section 79 of the IT Act from offences caused due to the user-generated content wherein such intermediary had no knowledge about the nature of content.[20] The Information Technology (Intermediary Guidelines) Rules, 2011 (“Intermediary Guidelines”) provide the due diligence requirements that must be observed by intermediaries to avail the safe-harbor protection (immunity).[21] However, upon receiving actual knowledge or being notified by the Government or its agency about any unlawful content on the platform, intermediaries are liable to take down or disable access to it.[22]

Indian Jurisprudence: In the case of Procentris India (Pvt,) Ltd. v. Mouthshut.com (Pvt.) Ltd.[23], Mouthshut (a popular consumer review site) was ordered by the Bombay High Court to delete reviews critical of Procentris. Subsequently, Mouthshut.com filed a writ petition in the Supreme Court for quashing the IT Rules, 2011 on account of it being violative of Articles 14, 19 and 21 of the Constitution of India. This case was clubbed with the petition in landmark case of Shreya Singhal v. Union of India which introduced ‘safe harbor’ provisions in India.[24]

International Jurisprudence: India doesn’t have enough record of litigations on the issue of liability incurred by consumer review sites due to user-reviews. However, there are significant precedents in international jurisdictions such as the USA, the UK and European Union which provide that no liabilities (except the take-down obligation on notice) are incurred by intermediaries (such as user-review sites) due to the false, incorrect and defamatory nature of the underlying user ratings and reviews as uploaded on their platforms.[25]

Recommended Measures:

In order to avoid liabilities with respect to user-reviews, an aggregator platform should put certain safeguards in its Terms and Conditions (“T&Cs”), in line with various international precedents, such as:

  • Add a mandatory set of Community Guidelines which should specifically prohibit user-reviews which are false, unlawful, misleading, defamatory, harassing, or otherwise objectionable.[26]
  • Add a clause in the T&C which will prevent users from posting user-reviews or ratings anonymously.[27]
  • Add a clause in its Community Guidelines which strictly mandates the user-reviews to be unbiased and objective in order to prevent conflict of interest.[28]
  • Forbidding users from posting any copyright or trademarked content in the user-reviews that they do not own.
  • The T&C shall contain a clause indemnifying the platform from any liability for users’ content including user-reviews.
  • The platform is required to deploy technology based automated tools or appropriate mechanisms with appropriate controls to proactively identify and remove access to unlawful content.[29]

(Views are personal only. The content of this blog should not be construed as legal advice in any case.)

References

[1] Jaani Riordan, The Liability of Internet Intermediaries, 28 (1st ed., 2016).

[2]Linking, Framing, Meta Tags and Caching, Berkman Klein Center for Internet & Society at Harvard University, Berkman Klein Center, available at https://cyber.harvard.edu/property00/metatags/main.html, last seen on 14/02/2020.

[3] Futuredontics Inc. v. Applied Anagramic Inc., 45 U.S.P.Q. 2d 2005 (1998, C.D. Cal.).

[4] World Wrestling Entertainment, Inc. v. Savio Fernandes, 2015 (62) PTC 573.

[5] Posting Third Party Content and Linking, American Bar Association, American Bar Association, available at https://www.americanbar.org/groups/business_law/migrated/safeselling/content/, last seen on 13/02/2020.

[6] Rajiv Kr. Choudhry, Data Extraction: Intersection of Copyright and IT laws in India, SpicyIP, available at https://spicyip.com/2013/10/data-extraction-intersection-of-copyright-and-information-technology-laws-in-india.html, last seen on 08/02/2020.

[7] TATA Sons Limited v. Hoop Anin and Ors., 2012 (188) D.L.T. 327; Washington Post v. Total News Inc., No. 97 Civ. 1190 (PKL) (1990, S.D.N.Y.).

[8] Mattel Inc. & Ors. v. Jayant Agarwalla & Ors., 2008 (153) D.L.T. 548.

[9] S. 13, The Copyright Act, 1957.

[10] S. 17, The Copyright Act, 1957; Eastern Book Company v. D.B. Modak, (2008) 1 SCC 1.

[11] S. 51, The Copyright Act, 1957.

[12] Ss. 2(m) & 2(zb), The Trade Marks Act, 1999; People Interactive (I) Pvt. Ltd. v. Gaurav Jerry & Ors., NMS (L) NO. 1504 of 2014.

[13] S. 29, the Trade Marks Act, 1999; Christian Louboutin Sas v. Nakul Bajaj, 2018 (76) PTC 508 (Del).

[14] S. 52, The Copyright Act, 1957; S. 30(2)(d), the Trade Marks Act, 1999.

[15] PVR Ltd. v. Just Dial Ltd., 2019 SCC OnLine Del 8181.

[16] Ticketmaster Corp. v. Microsoft Corp., No. 97-3055 DDP (1997, C.D. Cal.); Shetland Times Ltd. v. Jonathan Wills and Zetnews Ltd., S.C. 316 (1997, Court of Sessions); Imax Corp. v. Showmax Inc., (2000) 5 C.P.R. (4th) 81 (FCTD).

[17] A.S. Cheung & W. Schulz, Reputation Protection on Online Rating Sites, 21 Stanford Technology Law Review 310, 318 (2018).

[18] Braverman v. Yelp Inc., 5. No. 158299/2013 W.L. 712618, at 3 (2014, N.Y.S.C.).

[19] S. 2(w), The Information Technology Act, 2000.

[20] S. 79, The Information Technology Act, 2000. (“Safe-harbor” provisions)

[21] The Information Technology (Intermediary Guidelines) Rules, 2011.

[22] S. 79(3)(b), The Information Technology Act, 2000.

[23] NMSL 968-13 in SL 364-13-954.

[24] Procentris India (Pvt.) Ltd. v. Mouthshut.com (Pvt.) Ltd., AIR 2015 S.C. 1523.

[25] Mcgrath v. Dawkins, E.W.H.C. B3 (QB) (2012, U.K.H.C.) (This case is concerned with reviews and comments posted on the claimant’s book product page at Amazon.co.uk. The Court dismissed the claims of defamation against Amazon); Hassell v. Bird, 5 Cal. 5th 522 (2018, Cal. S.C.) (The US law firm sued its former client for defamation for posting a false negative review on the Yelp! platform, a consumer review site. The Supreme Court of California held that Yelp! clearly falls under Communications Decency Act, 47 U.S.C. § 230 immunity); Magyar Tartalomszolgaltatok Egyesulete v. Hungary, [2016] E.C.H.R. 135 (EU) (The Hungarian courts held the news portal liable for causing reputational harm to a business caused by “false and offensive” user comments. The European Court of Human Rights disagreed with national courts).

[26] Delfi A.S. v. Estonia, (2016) 62 E.H.R.R. 6. (The case concerned threats and anti-Semitic slurs in the user comments section of online newspaper portal, Estonian courts held, and the ECHR in 2015 affirmed, that the platform could be liable for those comments).

[27] Yelp Inc. v. Hadeed Carpet Cleaning, 752 S.E.2d 554, 568-69 (2014, (Va. Ct. App.). (The Court held that litigants may also target intermediaries with subpoenas seeking the identities of anonymous users for claims other than copyright, such as defamation)

[28] Moving & Storage, Inc. v. Panayotov, No. 12-12262-GA. (2014, U.S.D.C. D. Mass.) (when a moving-company review site owned by a particular moving company selectively deleted user-reviews that were beneficial to its competitors, the intermediary lost the “good faith” protection).

[29] Rule 9, The Information Technology [Draft Intermediaries Guidelines (Amendment) Rules] 2018.

National Digital Health Blueprint 2020 needs a review?

With an aim to fix the ailing healthcare facility of the country, Indian government (like other sectors – Finance, Public Distribution System etc.) has opted for digitization as a solution. In January, 2020, the government released a National Digital Health Blueprint which sets out a comprehensive framework for “Federated National Health Information System”. In March, soon enough the COVID-19 pandemic struck the country and underlined the importance of having the National Digital Health Blueprint in action. However, the pandemic situation has also highlighted the many areas of improvement for the Blueprint and the need for urgent action on such improvements. This blog post will put forth the author’s views on the need of studying the Blueprint again and including the concepts like digital therapeutics, digital diagnostics and telemedicine in its scope. The blogpost will also aim to present a picture of the diverse elements of a futuristic digital health ecosystem for India and the role that science, scientists and technology can play in establishing such an ecosystem.

Introduction

It seems like that Indian government has developed a formidable belief that technology is solution for all the deep-seated problems which are haunting the country’s socio-economic growth since independence. In 2015, the ambitious Modi government launched the “Digital India” programme with an aim to transform India into a knowledge economy, empowered with on-the-go access to information, governance and essential services. This ambition quickly received a reinforcement in the form of JIO’s success, which resulted in increasing the smartphone penetration rate and making India the second-fastest digital adopter in the world. Around the same time, the image of India’s healthcare remained pitiful and harrowing. In the Healthcare Access and Quality (HAQ) Index, India ranked below what can be considered as dismal position – 145th out of 195 countries.

India significantly lacks in implementing most of the World Health Organisation’s (WHO) recommendations regarding the adequacy in terms of doctors, nurses, medical technicians and healthcare facilities as required to cater the population. Owing to such inefficiencies, the country’s healthcare policy has been inconsistent such that India is overburdened with the task of eradicating infectious tuberculosis disease. It is only in this decade that India was able to get the polio-free status for itself. Our country is also facing exponential rise in cases of lifestyle disorders ensuing the endemic of diseases like diabetes and clinical depression. Simply put, these statistics are omen for India as a contender to be in the league of top three fastest growing economies of the world. The government of India itself has noted that in order to realize the real growth potential, the country has to fix the health systems on priority basis by investing adequate finance and manpower. Presently, Indian labor workforce is performing far below its optimum productivity due to many ill-health issues.

Therefore, the government, considering the nation’s emerging forte in digital space, has decided to go digital in healthcare reforms as well in order to analyse the consumption of health services by the population. As per the GoI, the future is technology, and India cannot accomplish its goal of ‘Health for All’ in the absence of digitization of health infrastructure and delivery. India is seeing Artificial Intelligence or Machine Learning as the foundation of accessible, affordable and quality health solutions at the intersection of technologies like biotechnology, robotics and computer science. The digital approaches for upgrading the conventional healthcare infrastructure could definitely be an antidote for the frail healthcare infrastructure given the nation’s population  is increasingly on-boarding various digital platforms. It can also be a great overall strategic direction for India to shape its influence in terms of policy-making in the context of global health. It is indeed a possibility given India’s competitive position in technology innovations and the fact that health-tech market is in a nascent stage, with all the countries almost on level playing field.   

The National Digital Health Blueprint 2020 (NDHB)

The ruling government is envisioning the digital health infrastructure as a system that will fit well or accurately with its larger aim to modernize (specifically ‘digitize’) the public health welfare system. In this line, the missions that have been already initiated by government are Ayushman Bharat, Swachh Bharat, Digital India, and Make in India.

The Ministry of Health and Family Welfare of India (MoHFW), pursuant to its afore-mentioned digital health policy initiatives, released NDHB in January 2020. This is the only detailed official explanation of PM Modi’s proposed National Digital Health Mission. It provides a picture of the entire framework of a “Federated National Health Information System”. It elaborates that the envisioned framework will inter-link systems of private and public health provider organisations serving across primary-, secondary- and tertiary-healthcare services. As the blueprint specifies, this is clearly in alignment with one of the objectives envisaged under the National Health Policy of 2017 i.e., to create an integrated health information system for all stakeholders in the health system, to improve efficiency, transparency and citizen experience.

The NDHB is indeed a well drafted document as it comprehensively shows the way the reformers have to tread in order to carry out the colossal task of developing an extensive database of electronic health records, which will be available as single source repository of health data per unique patient within India. Beyond this, state-wise datasets containing information of health-workers (doctors, nurses, paramedics) and health facilities, disease registries, inventories, and insurance claim records will also form the essential element in federated system. The blueprint provides that the database hub and key facilities will be hosted by the Health-Cloud (H-Cloud). Similar to the Aarogya Setu’s API release, the federated system will also be interoperable to allow seamless data exchange.

The blueprint obviously lists the standards for maintaining the privacy and security of the digitized health data (The next blogpost on the National Digital Health Mission will exhaustively deal with privacy and security related aspects – we also have interesting classified updates for you in that post). Project implementation will not be gradual or stage-wise, but it will follow the scheme of technology sandbox to test and roll-out the massive data-management infrastructure. The infrastructure will be further used for tracing the real-time stats related to population-wide health status. The customized and timely interventions will be made if the predictive analytics of the stats forecast community outbreaks or disease spread propensity by region. The running algorithms will be deployed to optimize data analysis and allocate scarce resources at district and state level, and more.

It has to be kept in mind, and can be inferred from the blueprint, that there are three prerequisites for successfully initiating the exercise that the NDHB proposes:

Uniform internet and telecommunications availability across the country;

An extensive network of primary healthcare centres for service delivery; and

Trained health workforce.

Presently, all these three are work in progress in India wherein Second and Third points really require a special focus.  Internet penetration in India has picked up a good rate but healthcare on field is definitely lacking. The government has to create a solid foundation through uninterrupted support, spirit and funding.

The envisioned integrated national-health data hub will be a vital asset to run process and analyze all the complex health data, which can be leveraged for creating accurate policy-designs and well-gripped implementation control. For example, through algorithms, timely automated intervention within the health system will increase cooperation. As soon as certain stat will touch a determined threshold, the notifications will trigger the appropriate health-crisis management authorities. The entire process will include relaying of targeted messages within the population, automated stock and inventory management warnings, and virtual medical training and research, to create a strong foundation for affordable and efficient healthcare. Once operational, the database is expected to connect and expedite India’s slow-moving fragmented health system. While this will not immediately fix the system entirely, it is surely a step towards making it efficient and future-ready.

Is everything right with the Blueprint?

The Blueprint definitely mentions about the great plan of futuristic healthcare infrastructure. However, it is still far from being an “all-encompassing vision document” which is needed to provide solution to two-fold issues: (a) A launch pad for India’s digital health ambition, and (b) Need of resolving the deeply entrenched issues with healthcare that persist for years now. Therefore, it is needed to trace specific to context use cases recognizing the problems that are unique to India.

Even the WHO’s guidance has made the point that digital-health interventions must be treated as supplements, not substitutes, for functioning health systems. The Blueprint requires major upgrades to its dimensions- which means priority push for digital policy on therapeutics, diagnostics and medicine.

Policy action needed to reform therapeutics and diagnostics in India must be aligned with the broader AI policy of India. The current version of India’s AI policy provides “healthcare” as one of the most promising areas but admits the obstacles it will face in creating a new path. India is not alone in this predicament. Recognizing best practices around the world and picking out unique use-cases, the following points must be considered to strengthen the policy in terms of therapeutics and diagnostics:

1. Promoting indigenous innovation in health-tech while maintaining technological sovereignty;

2. The use-cases with respect to healthcare must be selected keeping in mind the inherent infrastructure limitations and resource shortages;

3. While going digital, it is important to keep patient safety as priority through adopting regulatory frameworks that mandate scientific and clinical validation of products/services;

4. One thing that is essential to the traditional doctor-patient relationship is trust. The approach must invest in creating a reliable infrastructure.

5. Real-world transparency, data confidentiality, cyber security and ethics should be the foundational principles when an innovator envisages a health-tech innovation. Proper guidelines for medical software developers and policy on transparent data-sharing agreements wherein, rights of patients are protected must be rolled out at the earliest.

Conclusion

Therefore, it is important to say it again, the Digital Health is not the immediate relief given the limitations of the India’s healthcare, i.e. inadequate infrastructure and resource shortages. However, one thing we have learnt for sure is that a better-connected and digitized nation is better-prepared to achieve sustainable development goals if policy’s approach is inclusive in real sense, and to face unprecedented black swans of magnitude like Covid-19 pandemic. Digital health adoption will bring many changes in the functioning of the current system across the value chain. The benefits of public goods, products and services under this category must be maximized, with minimum disruption to the society. If all goes well i.e. policy implemented properly and limitations checked promptly, the NDHB could be a chance for India to get rid of its ailing healthcare infrastructure.

(These are personal views and opinions of the author and do not necessarily reflect views of any organisation)

Hopes and Doubts related to Telemedicine Guidelines in the context of Data Protection

Author is Vineet Gupta, Volunteer Researcher, LawforIT. He is actively involved in a research on privacy policies of different leading online medical consultation platforms. Policy paper will be soon available on the Blog.

Background

The Medical Council of India jointly with the NITI Aayog notified the Telemedicine guidelines in midst of the Coronavirus Pandemic. These guidelines can be seen as a first attempt in providing some amount of relief, in regards to legal gaps and anxieties around the practice of medicine by doctors via communication devices.

Although, historically (with the advent of technology) telemedicine has been widely performed in India, for long there has not been any type of legal mechanism for the same. From the introduction of the Communication channel by ISRO in 2001, linking Chennai’s Apollo Hospital with the Apollo Rural Hospital at Aragonda village in the Chittoor district of Andhra Pradesh[i] and to the hundreds of apps providing for online consultation today, we have come up a long way. With the technological up-gradation and boom in the telecommunication sector, it was quite common for a patient to seek recommendations from their family doctors on calls, WhatsApp messages, and even video conferencing. Realizing the potential around telemedicine and its outreach, the internet was flooded with many startups acting as intermediaries that provided a channel between patients and doctors for online medical consultation.

On one side telemedicine was gaining popularity and on the other side, there was also a certain amount of anxiety, backlash, and confusion around the practice of telemedicine. With no proper guidelines among the practice of telemedicine, the doctors were kind of hesitant in providing online/telephonic consultations. They were also pressurized by the medical associations (some of which even declared telecommunication as unethical and practice of which can lead to cancelation of license)[ii]. The patients were hesitant to get telemedicine and a little reluctant to provide their sensitive information online to unknown doctors. They were scared as for long there was no telemedicine and data protection law in place. Most importantly many people, especially the rural population were, and are unaware of the potential of telemedicine and its application in this Technological era. The introductory part of the guideline’s states that:

“In India, till now there was no legislation or guidelines on the practice of telemedicine, through video, phone, Internet-based platforms (web/chat/apps, etc). The existing provisions under the Indian Medical Council Act, 1956, the Indian Medical Council (Professional Conduct, Etiquette and Ethics Regulation 2002), Drugs & Cosmetics Act, 1940 and Rules 1945, Clinical Establishment (Registration and Regulation) Act, 2010, the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 primarily govern the practice of medicine and information technology. Gaps in legislation and the uncertainty of rules pose a risk for both the doctors and their patients.[iii]

https://www.mohfw.gov.in/pdf/Telemedicine.pdf

The case of Deep Sanjeev Pawaskar and Anr. v. The state of Maharashtra[iv] was by the high court of Bombay a doctor provided advice to ailing patient online due to lack of unavailability of routine doctor and unfortunately, the patient died. The high court held the doctor as negligent for using telemedicine to treat the emergency. This case led to widespread criticism as the patient would have died irrespective, and telemedicine had no role to play. The above case triggered the need for new legislation, and the need for remote doctors in coronavirus pandemic led to the expeditious introduction of these much-awaited guidelines. These guidelines have opened a door to the future of telemedicine in India. While a lot has been discussed upon the salient features of this act, I will be strictly adhering to the examination the guidelines concerning personal data protection concerns.

Locating privacy under Telemedicine Guidelines

In the course of doctor-patient interaction, a significant amount of data exchange takes place from the side of the patient and the guidelines also makes it compulsory for the RMP to store and keep a record of all this electronic health record[v]. A Registered Medical Practitioner (RMP) is free to choose the mode of communication for providing telemedicine[vi]. The guidelines provide for various types of information related to health conditions which are needed to be provided by the patient to the RMP over telemedicine[vii]. Further, the guidelines provide for the maintenance of privacy as well as medical ethics following the Indian Medical Council act and rules[viii]. The guidelines also state that the RMP would have to follow and abide by various data protection laws such as the Information Technology Act and other data protection laws and rules (present as well as notified in future) which provides for the protection of patient’s data[ix]. The guidelines also highlight the breach of confidentiality by the doctors would be declared misconduct and will be penalized by IMC act, ethics, and other laws[x]. The doctors are exempted from charges in cases where there is reasonable evidence to believe that the breach is due to some technological error with no involvement of the RMP[xi].

Reading Telemedicine Guidelines with data privacy laws

Personal information and Data protection Rules 2011

It is quite clear that telemedicine guidelines would have to be read in conjuncture with data protection laws of the country to protect the privacy of the patients. After the judgment of K.S Putttuswamy v. Union of India[xii], privacy is well recognized as the part of the fundamental rights of the citizens. The data protection laws in India are governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 under the IT act. The judgment of Puttuswamy has led forth the Personal Data Protection Bill, 2019 which is in the process of getting passed by the parliament any time soon this year or the coming year[xiii]. The IT rules of 2011, as well as the new personal data protection bill, treats ‘Health Records’ as ‘sensitive personal data or information (SPDI)’. Under the IT acts data protection rules, when a corporate body deals with SPDI (collection, storage, transfer, or processing of SPDI) the data protection rules get activated. The data protection rule considers consent as an important requirement so a doctor or institution is required by law to obtain the consent of the patient in writing for use of any of his data[xiv]. There is also a restriction of sharing SPDI to the third party without the consent of the patient[xv]. The institution collecting such SPDI also has to put a policy in place and mention clearly on their websites[xvi]. A standard of procedure to store data has to be maintained as well as there should be a requirement of modification[xvii] and opt-out[xviii] their SPDI if the need arises.

Role of Intermediaries

There are many e-health apps which just act as a facilitator between the patient and the doctors and are not as such directly involved in the transaction[xix]. In these types of cases, such apps or companies will act as an intermediary and would be subjected guidelines of IT act specifically for the intermediaries. Such intermediaries have to initiate certain due diligence such as including terms of use, the appointment of grievance officer, and removal of offending/unlawful content within 36 hrs of request.

Telemedicine Guidelines: gaps are still needed to be filled to protect mass sensitive data

With the advent of Corona virus pandemic even a lot of state governments are actively involved in providing their own guidelines[xx] and facility of telemedicine[xxi] through their empaneled state government doctors or through Public private partnership Apps and facilities. Although telemedicine has opened a whole new legal world still there are various legal inadequacies in the Telemedicine sector which the present telemedicine guidelines, IT act, and rules do not properly address.

Firstly the telemedicine guidelines make no difference between ‘data fiduciary’ (person who stores, collect and process massive volume of important data) and ‘social media intermediary’ and also what if both are the same. For instance, many corporate hospitals (eg Apollo)[xxii] which have a wide range of medical business are also providing telemedicine. Some pharmaceutical companies (eg. Lybrate)[xxiii] are also in the business of telemedicine.

E-Pharmaceutical companies are already facing uncertainties in regards to online sale of drugs with central government coming out with Draft Rules 2018 to regulate e-pharma amending earlier Drug and cosmetic rules of 1945[xxiv]. These rules will also throw light on protecting data of patients seeking medicines online. But how will draft rules and telemedicine guidelines be able to regulate e-pharma companies who are even providing telemedicine is an area government needs to focus on since these types of companies have huge amount of sensitive data of patients and prone to misuse. Many of these apps even provide for their internal channels of communication for doctors and patients. While taking services from these sites there would be the transmission of the huge amount of electronic medical records to these companies. Since doctors belong to the same company or use a communication channel of the company who is acting as social media intermediary, then believing that data is not shared between them is being very optimistic.

Access to such a huge amount of ‘sensitive personal data’ to the hands of corporates without any supervision is troublesome. These data might be used to create an algorithm for targeted advertising, sharing with 3rd parties, and moving huge data outside the country. In such a scenario if there is any data breach who would be liable? is a question on which the guidelines are silent. And as the data protection law stands today, there is not much to offer.

So, we have to go through the pending data protection bill[xxv] to find some answers. In the Data protection bill two types of entities have a huge due diligence obligation in terms of dealing with personal data’s namely ‘significant data fiduciary’ and ‘social media intermediary’. Under the bill, the obligation which is associated with the significant data fiduciary (a person holding a huge amount of important data to be notified government) is extended to the social media intermediary(‘an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services[xxvi]’). These significant data fiduciaries and social media intermediaries will be notified by the government.

In addition to provisions provided for significant data fiduciaries like maintenance of records[xxvii], data protection impact assessments[xxviii], an audit of policies[xxix], and appointment of a data protection officer[xxx], Social media intermediaries are obligated to put forth an option to the users (registering from India or using the services in India) for voluntary verification of their accounts. The provisions for ‘significant data fiduciary’ and ‘social media intermediary’ seems promising for companies dealing with electronic medical health records but whether these hospitals providing telemedicine would be notified under ‘significant data fiduciary’ or the e-health apps storing huge amount of data as ‘social media intermediaries’ is a question of time as the bill is still pending.

Parting note

The telemedicine guidelines are a huge breakthrough in the field of medical sciences. The guidelines have tried to address a huge amount of anxieties and uncertainties about the practice of telemedicine but in the context of data protection, the guidelines sadly have not much to offer. The guidelines have to be read along with data protection laws of the country and as the data protection laws of the country currently stand there is not enough impact to ensure the protection of sensitive patient data from the hands of big hospitals doing telemedicine themselves and e-health apps acting as an intermediary for telemedicine. The new data protection bill, 2019 if passed as it is, it would address a lot of these gaps provided the government notifies these hospitals and e-health apps as significant data fiduciary and social media intermediaries respectively. Another pending bill such as Digital Information Security in Healthcare Act (DISHA), a regulatory platform for sharing digital records among hospitals and will be based on setting digital health records in the country[xxxi].  DISHA  will be clubbed with Personal data protection bill along with telemedicine guidelines would be something to look forward.


[i] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6618173/

[ii] https://medicaldialogues.in/indian-medical-association-seeks-clear-cut-guidelines-on-telemedication-from-medical-council-of-india

[iii] https://www.mohfw.gov.in/pdf/Telemedicine.pdf

[iv] Criminal Anticipatory Bail Application No. 513 OF 2018

[v] Telemedicine guidelines 2020, section 3.7.2

[vi] Telemedicine guidelines 2020, section 1.4.1

[vii] Telemedicine guidelines 2020, section 3.5

[viii] Telemedicine guidelines 2020, section 3.7.1

[ix] Id

[x] Id

[xi] id

[xii] 2017 10 SCC 1

[xiii] https://prsindia.org/billtrack/personal-data-protection-bill-2019

[xiv] Rule 5(1) of the Data Protection Rules

[xv] Rule 7 of the Data Protection Rules

[xvi] Rule 4(1) of the Data Protection Rules

[xvii] Rule 5(7) of the Data Protection Rules

[xviii] Id

[xix] https://www.dr-hempel-network.com/digital-health-startups/doctor-patient-platforms-in-india-success/

[xx] See Maharastra: https://www.maharashtramedicalcouncil.in/Files/Notifications_26032020_MCI%20Notification%20Regarding%20TELEMEDICINE.pdf, See Karnataka: https://www.mondaq.com/india/healthcare/905172/karnataka-government-notificationregulations-on-covid-19

[xxi] See kerela: https://economictimes.indiatimes.com/industry/healthcare/biotech/healthcare/kerala-govt to-use-telemedicine-service-e-sanjeevani-for-non-covid-patient-care/articleshow/76370573.cms?from=mdr,

See Westbengal : https://www.newindianexpress.com/nation/2020/jun/30/west-bengal-sets-up-covid-warrior-club-to-help-contain-pandemic-2163150.html, See Tamil Nadu: https://tsitn.org/telemedicine-facilities-in-tamil-nadu/, See Karnatka: https://economictimes.indiatimes.com/news/politics-and-nation/karnataka-govt-launches-apthamitra-helpline-and-app-to-fight-covid 19/articleshow/75293952.cms?from=mdr, See Delhi: https://www.newindianexpress.com/cities/delhi/2020/jul/04/aap-launches-district-surveillance-telemedicine-hub-to-help-with-covid-19-requirements-2165260.html, See Rajasthan: https://timesofindia.indiatimes.com/city/jaipur/rajasthan-government-starts-free-medical-tele-consultation-service/articleshow/75540116.cms

[xxii] id

[xxiii] id

[xxiv] https://www.mondaq.com/india/food-and-drugs-law/865476/regulations-for-online-sale-of-medicines and-drugs-in india#:~:text=India%3A%20Regulations%20For%20Online%20Sale%20Of%20Medicines%20And%20Drugs%20In%20India&text=The%20draft%20rules%20prescribe%20that,registered%20with%20the%20applicable%20authority.

[xxv] Supra

[xxvi] Section 26 (4) Private Data protection bill, 2019

[xxvii] Section 28 Private Data protection bill, 2019

[xxviii] Section 27 Private Data protection bill, 2019

[xxix] Section 29 Private Data protection bill, 2019

[xxx] Section 30 Private Data protection bill, 2019

[xxxi] https://pib.gov.in/Pressreleaseshare.aspx?PRID=1578929

Privacy Shield is dead. Now what? — A bigger picture

What’s happened? Schrems strikes again. We’re all going to have to find new ways to protect transfers of data to the US – or stop doing it. The ECJ today invalidated the Privacy Shield framework that was cobbled together in 2015 after the ECJ struck down Safe Habour in response to the original lawsuit Max […]

Privacy Shield is dead. Now what? — A bigger picture

A key takeaway from SBI’s call for applications for ‘Data Protection Officer’

State Bank of India, in my knowledge, is one of the first Indian Bankers to announce positions for the “Data Protection Officer”.  

I am considering this as a good  sign that the Bank has recognized the need for an exclusive officer. But with the Personal Data Protection Bill is still in consideration the call for applications for the positions might be driven more by the international demand from their foreign branches which should have received notices from some supervisory authorities of foreign jurisdictions but it could also be a slight of realization that data protection is a necessity of business.

The educational qualification required for the post are as following:

  • Graduation or its equivalent
  • Preferred Professional Certification:
  • Certified EU GDPR Foundation,
  • CIPP (Certified Information Privacy Professional),
  • CIPT (Certified Information Privacy Technologist),
  • CIPM (Certified Information Privacy Manager) etc

Post qualification work experience required is

  • Minimum 15 years’ post qualification work experience (as on 01.04.2020) as  executive/ Supervisor in Corporate Sector out of which at least  10 years’ experience should be in BFSI Sector.
  • Preferred: Experience in Data Privacy Laws & Regulations and other Data Security areas with associated IT skills.
  • The age restriction is 55 years and the appointment is a contractual for 2 years.

The requirement of following special skills have been specified

  • High level specialist knowledge in the General Data Privacy Regulation underpinned by theory and experience
  • Evidence of continuing professional and/ or personal self- development.
  • Expert knowledge of data privacy laws and practices.
  • Exposure to Data Privacy laws & regulations such as General Data Protection Regulation “GDPR”), UK Data Protection Act 1998 etc.
  • Knowledge of Information life-cycle, risk management & data security areas.
  •  Extensive knowledge of Information Governance disciplines.
  • Skill of interpretation of national guidance and legislation and subsequent local implementation.
  • Flair for managing staff and implementing budgets. Training Delivery.
  • Capacity to work with cross functional teams, attention to detail, organizational skills and multitasking.
  • Strong management, motivational & leadership skills with ability to drive large change management programs within organizations.
  •  Ability to maintain confidentiality and deal with situations in a sensitive manner.
  • Ability to communicate across all organizational boundaries in an appropriate manner.

Key Takeaway

The job description and specified qualifications, not at all mention about knowledge of the Indian data protection law either on the basis of the Information Technology Act 2000 or (Amendment) 2008 or on the basis of the proposed Data Protection Bill.

The usage of “etc” at various places may include the knowledge of such laws and may be taken into consideration when candidates are screened.

Overall, such announcement indicates that soon other Banks will also start considering these positions shortly and start opening opportunities for “Data Protection Professionals”.

Let us talk about E-Contracts (II): E-Commerce Business Models

Without any argument, new communication systems, especially digital payment technologies, have supplanted the snail-paced conventional systems of communication and transactions. Business communities and consumers are increasingly using digital means to send and receive information in electronic form. The reason is that the information technology (IT) has abridged the time and distance factor in transacting business. Nowadays, inflow and outflow of information have become instant and momentary. Therefore, one principal contribution of IT is in the field of contract-formation.

Electronic contracts (e-contracts) are born out of the need for speed, convenience and effectiveness. The law has already recognised contract-formation using facsimile, telex and other similar technologies.

Let us envision a contract between an Indian businessman and an English businessman. Away from digital means, one option is that one party first draws up two copies of the contract, signs them and sends (through postal or courier service) them to the other, who, in turn, signs both copies and sends one copy back. The other option would be that the two parties meet somewhere and sign the contract. However, within the digital world, the whole process can be completed in seconds, with both parties simply affixing their electronic signatures to the electronic copy of their contract. There is, thus, no need for tardy dispatching mechanism (postal or courier services) and/or supplementary travelling costs in such a situation.

Before proceeding with the E-Contracts, let us have a brief look at the basics of the business model and kinds of transactions under which e-contracts are mostly used.

E-Commerce Business Models

Electronic commerce (e-commerce), in a very general sense, refers to buying and selling products and services over the internet and the World Wide Web (www). E-commerce, however, in actuality, includes all forms of commercial transactions involving both—organisations and individuals—that are based upon the electronic processing and transmission of data including text, sound, and visual images; and involves transactions over the internet as well. In addition, e-commerce also refers to the effect that the electronic exchange of commercial information may have on the institutions and processes that support and govern commercial activities.

There are several ways of looking at e-commerce:

(1) From a communications perspective, it is the ability to deliver products, services, information, or payments via networks like the internet.

(2) From an interface view, it means information and transaction exchanges: business-to-business (B2B), business-to-consumer (B2C), consumer-to-consumer (C2C), and business-to-government (B2G).

(3) As a business process, e-commerce means activities that support commerce electronically by networked connections. For example, business processes like manufacturing and inventory and business-to-business processes, like supply chain management is managed by the same networks as business-to-consumer processes.

(4) From an online perspective, e-commerce is an electronic environment that allows sellers to buy and sell products, services, and information on the internet. The products may be physical, like cars; or services, like news or consulting, etc.

(5) As a structure, e-commerce deals with various media: data, text, web pages, internet telephony, and internet desktop video.

(6) As a market, e-commerce is a worldwide network. A local store can open a web storefront and find the world at its doorstep—customers, suppliers, competitors, and payment services. Of course, an advertising presence is essential.

Types of Online Transaction

Online transactions can be recognised and categorised in four ways:

Business to Customer (B2C)

It is the transaction where a business entity on one side and an individual customer, on the other hand, conduct business. The expression B2C has been commonly used to refer to a sale by a business enterprise or retailer to a person or ‘consumer’ conducted through the internet. For instance, Flipkart.com which provides facilities for customers to buy goods from the website—is an example of a B2C e-business. In this situation, the website itself serves the purpose of a shop. The B2C transactions can be in relation to both—tangible and intangible products. The focal point of this e-commerce application is on the consumer’s use of a merchant’s web storefront or website. Consumers from any place can browse and order for goods and services online at any time. B2C is an electronic equivalent of the conventional mail-order or telephone-based ordering system.

Business to Business (B2B)

It is the type of e-commerce where there is an exchange of products, services, or information between businesses using the internet, rather than between businesses and consumers. Alibaba.com is the prominent example of B2B model.

Customer to Business (C2B)

Customer to Business (C2B), also known as Consumer to Business, is the most recent e-commerce business model, where individual customers offer to sell products and services to companies that are prepared to purchase them. It is the opposite of the traditional B2C model. Example of this model is blogs or internet forums where the author offers a link back to an online business facilitating the purchase of some product (like a book on Amazon.com), and the author might receive affiliate revenue from a successful sale.

Customer to Customer (C2C)

It is the transaction which involves two or more customers with business entity merely providing a web-based interface to facilitate the consumer to consumer transactions (B2C). The expression C2C generally refers to the sale of a product pertaining to a consumer to another consumer either directly or through an intermediary exclusively dedicated for this activity. One best example of C2C website is Ebay.com, which is an online auction site, where any person can buy and sell, and exchange goods and articles using this website. This website provides the web-based interface (i.e. the website with its database and other functions) and users can transact freely with each other. Another example is Amazon, which in fact, acts as both a B2C and a C2C marketplace.

Recommended Readings

  • Alan Davidson, The Law of Electronic Commerce, Cambridge University Press, (2009).
  • R K Singh, Law Relating To Electronic Contracts (2017)