The case of Content Aggregator Platforms: PVR Ltd. v. Just Dial Ltd.

Content aggregation platforms like JustDial are sites that collate, index and distribute hyperlinks to third-party content and display them on a single webpage for their users’ reference.[1] Aggregators list businesses by associating the latter’s websites with their platforms using various tools such as deep-links, framing and meta-tags.

Deep-links are hyperlinks, in the form of an image or text, which on selection redirect the user to a specific piece of content or webpage on the source website.[2]

Framing is the process by which multiple webpages of other websites are displayed as separate windows/frames on a single webpage of the aggregator’s platform.[3]

Meta-tags are words and phrases in the HTML code of a website, related to its content, which are picked up by search engines and cause the website to appear in the search results when a user searches for terms corresponding to the embedded words and phrases.[4]

The case of copyright, trademark and/or other proprietary rights of entities listed on its platform

A content aggregator’s ability to publish or post content that it obtains from third-party sources is limited by the copyright and trademark laws of India and by the terms of any agreement entered into with the content provider or listed entities.[5]

Observation: An aggregator lists business entities on its platform in exchange for a fee. If an entity willingly lists itself on the platform after paying a fee and agrees to the client’s terms of use, which provide for use of the business’s information/links/meta-tags by the aggregator, then there is no violation of the copyright, trademark and/or other proprietary rights of the entities listed on the platform.[6] However, if JustDial provides information on its platform about a listed entity without any prior agreement or consent to use deep-links or separate frames to the entity’s website, then such links are liable to infringe copyrights or trademarks owned by the entity’s website, as they result in by-passing or duplicating the information contained in the linked webpage.[7] Further, the aggregator’s use of such an entity’s meta-tags will create a misapprehension in the minds of the aggregator’s customers that it is authorised by or associated with the listed entity.[8]

Relevant Law: Copyright subsists in “original literary works” such as the content of a website.[9] The Copyright Act 1957 (“the Act of 1957”) grants the first owner, i.e. the listed entity, the exclusive right to reproduce, publish, perform, display, or create “derivative works” from its website’s content (the primary work).[10] Therefore, copyright is “deemed to be infringed” if any of these exclusive rights (the listed entity’s rights to publish or to create “derivative works”, exercised through deep-linking or framing respectively to its website) are exercised by the infringer without the owner’s permission.[11] Further, the Trademarks Act 1999 (“the Act of 1999”) provides an inclusive definition of “mark” which covers the meta-tags of a website as well.[12] By virtue of the Act of 1999, unauthorised use of trademarks as meta-tags constitutes infringement of a registered trademark.[13] However, deep-links, frames and meta-tags may be used subject to the “fair use” and “nominative use” exceptions.[14]

In PVR Ltd. v. Just Dial Ltd,[15] the Delhi High Court prima facie held that the unauthorised listing of information (ticket-booking details, movie schedules, addresses and pictures of PVR movie theatres), as available on PVR.com, by JustDial using deep-links and frames to, and meta-tags of, PVR.com gives the public the impression that there is a nexus between the two. It thus resulted in the exploitation of PVR’s goodwill by JustDial, which amounted to copyright and trademark infringement and passing-off. It is considered the first case in India to deal with the legality of content aggregation tools collectively.

The legality of the use of deep-links, frames and meta-tags has also been questioned multiple times in major jurisdictions such as the USA, the UK and Canada.[16] The majority of courts in these jurisdictions have held that the unauthorised use of deep-links, frames and meta-tags of a primary website is deceptive to the public and have granted injunctions against content aggregation platforms.

What liabilities can an aggregator’s platform incur due to user reviews? What measures can an aggregator’s platform put in place to mitigate these liabilities?

Observation: An aggregator’s platform is also a user-review platform which gives its users the ability to review and rate the various businesses listed in its directories. Evaluation platforms/sites provide an opportunity for users to post comments on businesses, in addition to reviewing and ranking them.[17] Such reviews and ratings are usually couched in terms of opinion but can at times be extremely negative, false or defamatory. Since these reviews and ratings are entirely users’ opinions and user-generated content, the consumer review site cannot be held liable for them.[18]

Relevant Laws: A user-review platform is an ‘intermediary’ under Section 2(w) of the Information Technology Act, 2000 (“IT Act”).[19] ‘Intermediaries’ like JustDial are granted immunity under Section 79 of the IT Act from liability for offences arising from user-generated content where the intermediary had no knowledge of the nature of the content.[20] The Information Technology (Intermediary Guidelines) Rules, 2011 (“Intermediary Guidelines”) set out the due diligence requirements that intermediaries must observe to avail of the safe-harbour protection (immunity).[21] However, upon receiving actual knowledge, or being notified by the Government or its agency, of any unlawful content on the platform, intermediaries are obliged to take it down or disable access to it.[22]

Indian Jurisprudence: In the case of Procentris India (Pvt.) Ltd. v. Mouthshut.com (Pvt.) Ltd.,[23] Mouthshut (a popular consumer review site) was ordered by the Bombay High Court to delete reviews critical of Procentris. Subsequently, Mouthshut.com filed a writ petition in the Supreme Court seeking to quash the IT Rules, 2011 on the ground that they violate Articles 14, 19 and 21 of the Constitution of India. This case was clubbed with the petition in the landmark case of Shreya Singhal v. Union of India, which introduced ‘safe harbour’ provisions in India.[24]

International Jurisprudence: India has little litigation record on the issue of the liability incurred by consumer review sites due to user reviews. However, there are significant precedents in international jurisdictions such as the USA, the UK and the European Union which provide that no liabilities (except the take-down obligation on notice) are incurred by intermediaries (such as user-review sites) due to the false, incorrect or defamatory nature of the user ratings and reviews uploaded to their platforms.[25]

Recommended Measures:

In order to avoid liabilities with respect to user reviews, an aggregator platform should put certain safeguards in its Terms and Conditions (“T&Cs”), in line with various international precedents, such as:

  • Add a mandatory set of Community Guidelines which specifically prohibit user reviews that are false, unlawful, misleading, defamatory, harassing, or otherwise objectionable.[26]
  • Add a clause in the T&Cs which prevents users from posting user reviews or ratings anonymously.[27]
  • Add a clause in the Community Guidelines which strictly requires user reviews to be unbiased and objective, in order to prevent conflicts of interest.[28]
  • Forbid users from posting in their reviews any copyrighted or trademarked content that they do not own.
  • The T&Cs should contain a clause indemnifying the platform against any liability for users’ content, including user reviews.
  • The platform is required to deploy technology-based automated tools or other appropriate mechanisms, with appropriate controls, to proactively identify and remove access to unlawful content.[29]

(Views are personal only. The content of this blog should not be construed as legal advice in any case.)

References

[1] Jaani Riordan, The Liability of Internet Intermediaries, 28 (1st ed., 2016).

[2] Linking, Framing, Meta Tags and Caching, Berkman Klein Center for Internet & Society at Harvard University, available at https://cyber.harvard.edu/property00/metatags/main.html, last seen on 14/02/2020.

[3] Futuredontics Inc. v. Applied Anagramic Inc., 45 U.S.P.Q. 2d 2005 (1998, C.D. Cal.).

[4] World Wrestling Entertainment, Inc. v. Savio Fernandes, 2015 (62) PTC 573.

[5] Posting Third Party Content and Linking, American Bar Association, available at https://www.americanbar.org/groups/business_law/migrated/safeselling/content/, last seen on 13/02/2020.

[6] Rajiv Kr. Choudhry, Data Extraction: Intersection of Copyright and IT laws in India, SpicyIP, available at https://spicyip.com/2013/10/data-extraction-intersection-of-copyright-and-information-technology-laws-in-india.html, last seen on 08/02/2020.

[7] TATA Sons Limited v. Hoop Anin and Ors., 2012 (188) D.L.T. 327; Washington Post v. Total News Inc., No. 97 Civ. 1190 (PKL) (1990, S.D.N.Y.).

[8] Mattel Inc. & Ors. v. Jayant Agarwalla & Ors., 2008 (153) D.L.T. 548.

[9] S. 13, The Copyright Act, 1957.

[10] S. 17, The Copyright Act, 1957; Eastern Book Company v. D.B. Modak, (2008) 1 SCC 1.

[11] S. 51, The Copyright Act, 1957.

[12] Ss. 2(m) & 2(zb), The Trade Marks Act, 1999; People Interactive (I) Pvt. Ltd. v. Gaurav Jerry & Ors., NMS (L) NO. 1504 of 2014.

[13] S. 29, the Trade Marks Act, 1999; Christian Louboutin Sas v. Nakul Bajaj, 2018 (76) PTC 508 (Del).

[14] S. 52, The Copyright Act, 1957; S. 30(2)(d), the Trade Marks Act, 1999.

[15] PVR Ltd. v. Just Dial Ltd., 2019 SCC OnLine Del 8181.

[16] Ticketmaster Corp. v. Microsoft Corp., No. 97-3055 DDP (1997, C.D. Cal.); Shetland Times Ltd. v. Jonathan Wills and Zetnews Ltd., S.C. 316 (1997, Court of Sessions); Imax Corp. v. Showmax Inc., (2000) 5 C.P.R. (4th) 81 (FCTD).

[17] A.S. Cheung & W. Schulz, Reputation Protection on Online Rating Sites, 21 Stanford Technology Law Review 310, 318 (2018).

[18] Braverman v. Yelp Inc., 5. No. 158299/2013 W.L. 712618, at 3 (2014, N.Y.S.C.).

[19] S. 2(w), The Information Technology Act, 2000.

[20] S. 79, The Information Technology Act, 2000. (“Safe-harbor” provisions)

[21] The Information Technology (Intermediary Guidelines) Rules, 2011.

[22] S. 79(3)(b), The Information Technology Act, 2000.

[23] NMSL 968-13 in SL 364-13-954.

[24] Procentris India (Pvt.) Ltd. v. Mouthshut.com (Pvt.) Ltd., AIR 2015 S.C. 1523.

[25] Mcgrath v. Dawkins, E.W.H.C. B3 (QB) (2012, U.K.H.C.) (This case is concerned with reviews and comments posted on the claimant’s book product page at Amazon.co.uk. The Court dismissed the claims of defamation against Amazon); Hassell v. Bird, 5 Cal. 5th 522 (2018, Cal. S.C.) (The US law firm sued its former client for defamation for posting a false negative review on the Yelp! platform, a consumer review site. The Supreme Court of California held that Yelp! clearly falls under Communications Decency Act, 47 U.S.C. § 230 immunity); Magyar Tartalomszolgaltatok Egyesulete v. Hungary, [2016] E.C.H.R. 135 (EU) (The Hungarian courts held the news portal liable for causing reputational harm to a business caused by “false and offensive” user comments. The European Court of Human Rights disagreed with national courts).

[26] Delfi A.S. v. Estonia, (2016) 62 E.H.R.R. 6. (The case concerned threats and anti-Semitic slurs in the user comments section of online newspaper portal, Estonian courts held, and the ECHR in 2015 affirmed, that the platform could be liable for those comments).

[27] Yelp Inc. v. Hadeed Carpet Cleaning, 752 S.E.2d 554, 568-69 (2014, Va. Ct. App.) (The Court held that litigants may also target intermediaries with subpoenas seeking the identities of anonymous users for claims other than copyright, such as defamation).

[28] Moving & Storage, Inc. v. Panayotov, No. 12-12262-GA. (2014, U.S.D.C. D. Mass.) (when a moving-company review site owned by a particular moving company selectively deleted user-reviews that were beneficial to its competitors, the intermediary lost the “good faith” protection).

[29] Rule 9, The Information Technology [Draft Intermediaries Guidelines (Amendment) Rules] 2018.

Hopes and Doubts related to Telemedicine Guidelines in the context of Data Protection

The author is Vineet Gupta, Volunteer Researcher, LawforIT. He is actively involved in research on the privacy policies of leading online medical consultation platforms. The policy paper will soon be available on the blog.

Background

The Medical Council of India, jointly with the NITI Aayog, notified the Telemedicine guidelines in the midst of the coronavirus pandemic. These guidelines can be seen as a first attempt at providing some relief with regard to the legal gaps and anxieties around the practice of medicine by doctors via communication devices.

Although telemedicine has historically been widely practised in India (with the advent of technology), for long there was no legal mechanism governing it. From the introduction of a communication channel by ISRO in 2001, linking Chennai’s Apollo Hospital with the Apollo Rural Hospital at Aragonda village in the Chittoor district of Andhra Pradesh,[i] to the hundreds of apps providing online consultation today, we have come a long way. With technological upgrades and the boom in the telecommunication sector, it became quite common for patients to seek recommendations from their family doctors over calls, WhatsApp messages, and even video conferencing. Realising the potential of telemedicine and its outreach, many startups flooded the internet, acting as intermediaries that provided a channel between patients and doctors for online medical consultation.

On one side telemedicine was gaining popularity, and on the other there was a certain amount of anxiety, backlash and confusion around its practice. With no proper guidelines on the practice of telemedicine, doctors were hesitant to provide online/telephonic consultations. They were also pressurised by the medical associations (some of which even declared telecommunication unethical, a practice that could lead to cancellation of licence).[ii] Patients were hesitant to use telemedicine and reluctant to provide their sensitive information online to unknown doctors. They were apprehensive because, for long, there was no telemedicine or data protection law in place. Most importantly, many people, especially the rural population, were and are unaware of the potential of telemedicine and its application in this technological era. The introductory part of the guidelines states that:

“In India, till now there was no legislation or guidelines on the practice of telemedicine, through video, phone, Internet-based platforms (web/chat/apps, etc). The existing provisions under the Indian Medical Council Act, 1956, the Indian Medical Council (Professional Conduct, Etiquette and Ethics Regulation 2002), Drugs & Cosmetics Act, 1940 and Rules 1945, Clinical Establishment (Registration and Regulation) Act, 2010, the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 primarily govern the practice of medicine and information technology. Gaps in legislation and the uncertainty of rules pose a risk for both the doctors and their patients.”[iii]

In Deep Sanjeev Pawaskar and Anr. v. The State of Maharashtra,[iv] decided by the Bombay High Court, a doctor provided advice to an ailing patient online because the routine doctor was unavailable and, unfortunately, the patient died. The High Court held the doctor negligent for using telemedicine to treat the emergency. This case drew widespread criticism, as the patient would have died irrespective of the mode of consultation and telemedicine had no role to play. The case triggered the need for new legislation, and the need for remote doctors during the coronavirus pandemic led to the expeditious introduction of these much-awaited guidelines. The guidelines have opened a door to the future of telemedicine in India. While a lot has been discussed about the salient features of these guidelines, I will confine myself to examining them from the perspective of personal data protection.

Locating privacy under Telemedicine Guidelines

In the course of doctor-patient interaction, a significant amount of data is exchanged from the patient’s side, and the guidelines make it compulsory for the RMP to store and keep a record of all of this as electronic health records.[v] A Registered Medical Practitioner (RMP) is free to choose the mode of communication for providing telemedicine.[vi] The guidelines list the various types of health-related information that the patient needs to provide to the RMP over telemedicine.[vii] Further, the guidelines provide for the maintenance of privacy as well as medical ethics in accordance with the Indian Medical Council Act and rules.[viii] They also state that the RMP must follow and abide by data protection laws such as the Information Technology Act and other data protection laws and rules (present as well as notified in future) which protect patients’ data.[ix] The guidelines further state that a breach of confidentiality by a doctor would be treated as misconduct and penalised under the IMC Act, the ethics regulations and other laws.[x] Doctors are exempted from such charges where there is reasonable evidence to believe that the breach is due to a technological error with no involvement of the RMP.[xi]

Reading Telemedicine Guidelines with data privacy laws

Personal information and Data protection Rules 2011

It is quite clear that the telemedicine guidelines have to be read in conjunction with the data protection laws of the country to protect the privacy of patients. After the judgment in K.S. Puttaswamy v. Union of India,[xii] privacy is well recognised as part of the fundamental rights of citizens. Data protection in India is governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 under the IT Act. The Puttaswamy judgment also led to the Personal Data Protection Bill, 2019, which is expected to be passed by Parliament this year or the next.[xiii] The IT Rules of 2011, as well as the new Personal Data Protection Bill, treat ‘health records’ as ‘sensitive personal data or information (SPDI)’. Under the IT Act’s data protection rules, the rules are triggered whenever a body corporate deals with SPDI (collection, storage, transfer or processing). The rules treat consent as a key requirement, so a doctor or institution is required by law to obtain the patient’s consent in writing for any use of his data.[xiv] There is also a restriction on sharing SPDI with third parties without the patient’s consent.[xv] An institution collecting SPDI also has to put a privacy policy in place and publish it clearly on its website.[xvi] A standard procedure for storing data has to be maintained, and data subjects must be able to modify[xvii] or opt out[xviii] of the use of their SPDI if the need arises.

Role of Intermediaries

There are many e-health apps which merely act as facilitators between patients and doctors and are not directly involved in the transaction.[xix] In such cases, these apps or companies act as intermediaries and are subject to the IT Act’s guidelines for intermediaries. Such intermediaries have to carry out certain due diligence, such as publishing terms of use, appointing a grievance officer, and removing offending/unlawful content within 36 hours of a request.

Telemedicine Guidelines: gaps still need to be filled to protect mass sensitive data

With the advent of the coronavirus pandemic, many state governments are also actively providing their own guidelines[xx] and telemedicine facilities[xxi] through their empanelled state government doctors or through public-private partnership apps and facilities. Although telemedicine has opened a whole new legal world, there are still various legal inadequacies in the sector which the present telemedicine guidelines, the IT Act and the rules do not properly address.

Firstly, the telemedicine guidelines make no distinction between a ‘data fiduciary’ (a person who stores, collects and processes massive volumes of important data) and a ‘social media intermediary’, nor do they address what happens when both are the same entity. For instance, many corporate hospitals (e.g. Apollo)[xxii] which have a wide range of medical businesses are also providing telemedicine. Some pharmaceutical companies (e.g. Lybrate)[xxiii] are also in the business of telemedicine.

E-pharmaceutical companies are already facing uncertainties with regard to the online sale of drugs, with the central government coming out with Draft Rules 2018 to regulate e-pharma by amending the earlier Drugs and Cosmetics Rules of 1945.[xxiv] These rules will also throw light on protecting the data of patients seeking medicines online. But how the draft rules and the telemedicine guidelines will regulate e-pharma companies that also provide telemedicine is an area the government needs to focus on, since these companies hold huge amounts of sensitive patient data that is prone to misuse. Many of these apps even provide their own internal channels of communication between doctors and patients. While taking services from these sites, a huge amount of electronic medical records is transmitted to these companies. Since the doctors belong to the same company, or use the communication channel of the company acting as a social media intermediary, believing that data is not shared between them is very optimistic.

Placing such a huge amount of ‘sensitive personal data’ in the hands of corporates without any supervision is troublesome. This data might be used to build algorithms for targeted advertising, shared with third parties, or moved in bulk outside the country. In such a scenario, who would be liable if there were a data breach? The guidelines are silent on this question, and as the data protection law stands today, it has little to offer.

So, we have to go through the pending data protection bill[xxv] to find some answers. In the Data Protection Bill, two types of entities have extensive due diligence obligations in dealing with personal data, namely the ‘significant data fiduciary’ and the ‘social media intermediary’. Under the bill, the obligations associated with a significant data fiduciary (a person holding a huge amount of important data, to be notified by the government) are extended to the social media intermediary (‘an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services’[xxvi]). These significant data fiduciaries and social media intermediaries will be notified by the government.

In addition to the provisions applicable to significant data fiduciaries, such as maintenance of records,[xxvii] data protection impact assessments,[xxviii] audits of policies[xxix] and appointment of a data protection officer,[xxx] social media intermediaries are obliged to offer users (registering from India or using the services in India) an option for voluntary verification of their accounts. The provisions for ‘significant data fiduciary’ and ‘social media intermediary’ seem promising for companies dealing with electronic medical health records, but whether hospitals providing telemedicine will be notified as ‘significant data fiduciaries’, or e-health apps storing huge amounts of data as ‘social media intermediaries’, remains to be seen as the bill is still pending.

Parting note

The telemedicine guidelines are a huge breakthrough in the field of medical sciences. They have tried to address a great many anxieties and uncertainties about the practice of telemedicine, but in the context of data protection they sadly have little to offer. The guidelines have to be read along with the data protection laws of the country, and as those laws currently stand, they do not do enough to ensure the protection of sensitive patient data from big hospitals providing telemedicine themselves and from e-health apps acting as intermediaries for telemedicine. The new Personal Data Protection Bill, 2019, if passed as it is, would address a lot of these gaps, provided the government notifies these hospitals and e-health apps as significant data fiduciaries and social media intermediaries respectively. Another pending bill, the Digital Information Security in Healthcare Act (DISHA), would provide a regulatory platform for sharing digital records among hospitals and a basis for establishing digital health records in the country.[xxxi] DISHA, read together with the Personal Data Protection Bill and the telemedicine guidelines, would be something to look forward to.


[i] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6618173/

[ii] https://medicaldialogues.in/indian-medical-association-seeks-clear-cut-guidelines-on-telemedication-from-medical-council-of-india

[iii] https://www.mohfw.gov.in/pdf/Telemedicine.pdf

[iv] Criminal Anticipatory Bail Application No. 513 of 2018

[v] Telemedicine guidelines 2020, section 3.7.2

[vi] Telemedicine guidelines 2020, section 1.4.1

[vii] Telemedicine guidelines 2020, section 3.5

[viii] Telemedicine guidelines 2020, section 3.7.1

[ix] Id.

[x] Id.

[xi] Id.

[xii] 2017 10 SCC 1

[xiii] https://prsindia.org/billtrack/personal-data-protection-bill-2019

[xiv] Rule 5(1) of the Data Protection Rules

[xv] Rule 7 of the Data Protection Rules

[xvi] Rule 4(1) of the Data Protection Rules

[xvii] Rule 5(7) of the Data Protection Rules

[xviii] Id.

[xix] https://www.dr-hempel-network.com/digital-health-startups/doctor-patient-platforms-in-india-success/

[xx] See Maharashtra: https://www.maharashtramedicalcouncil.in/Files/Notifications_26032020_MCI%20Notification%20Regarding%20TELEMEDICINE.pdf, See Karnataka: https://www.mondaq.com/india/healthcare/905172/karnataka-government-notificationregulations-on-covid-19

[xxi] See Kerala: https://economictimes.indiatimes.com/industry/healthcare/biotech/healthcare/kerala-govt to-use-telemedicine-service-e-sanjeevani-for-non-covid-patient-care/articleshow/76370573.cms?from=mdr,

See West Bengal: https://www.newindianexpress.com/nation/2020/jun/30/west-bengal-sets-up-covid-warrior-club-to-help-contain-pandemic-2163150.html, See Tamil Nadu: https://tsitn.org/telemedicine-facilities-in-tamil-nadu/, See Karnataka: https://economictimes.indiatimes.com/news/politics-and-nation/karnataka-govt-launches-apthamitra-helpline-and-app-to-fight-covid 19/articleshow/75293952.cms?from=mdr, See Delhi: https://www.newindianexpress.com/cities/delhi/2020/jul/04/aap-launches-district-surveillance-telemedicine-hub-to-help-with-covid-19-requirements-2165260.html, See Rajasthan: https://timesofindia.indiatimes.com/city/jaipur/rajasthan-government-starts-free-medical-tele-consultation-service/articleshow/75540116.cms

[xxii] Id.

[xxiii] Id.

[xxiv] https://www.mondaq.com/india/food-and-drugs-law/865476/regulations-for-online-sale-of-medicines and-drugs-in india#:~:text=India%3A%20Regulations%20For%20Online%20Sale%20Of%20Medicines%20And%20Drugs%20In%20India&text=The%20draft%20rules%20prescribe%20that,registered%20with%20the%20applicable%20authority.

[xxv] Supra.

[xxvi] Section 26(4), Personal Data Protection Bill, 2019

[xxvii] Section 28, Personal Data Protection Bill, 2019

[xxviii] Section 27, Personal Data Protection Bill, 2019

[xxix] Section 29, Personal Data Protection Bill, 2019

[xxx] Section 30, Personal Data Protection Bill, 2019

[xxxi] https://pib.gov.in/Pressreleaseshare.aspx?PRID=1578929

Public health surveillance in India: concerns of an individual’s liberty and privacy amid a pandemic

(This article extensively borrows from another article that the authors wrote for, and first published on, The Leaflet.)

The world is grappling with a kind of situation it has never seen before. The rapid spread of COVID-19 has made it necessary for governments around the world to use extreme means and measures that would otherwise be considered Orwellian. These emergency measures are attempts to effectively enforce a lockdown and strictly prohibit the movement of citizens in a bid to break the chain of infection.

As governments attempt to contain the contagious virus, the use of technology for monitoring people undergoing quarantine has doubled in order to combat its spread. Ordinarily, under such a developing Orwellian state of affairs, civil liberty activists and privacy advocates would stir commotion; considering the scale of the crisis, however, they seem to tacitly embrace these measures. It is obvious that this pandemic is reshaping our relationship with surveillance technology, albeit amid fears among some that such surveillance could become the norm.

World under surveillance

Across the globe, countries are expansively deploying tech-enabled surveillance infrastructure, such as Face Recognition Technology (FRT) based CCTVs, drones and cell phone tracking, for contact tracing and enforcing quarantine. A growing number of countries, such as Israel and South Korea, are ‘contact tracing’ using mobile applications or cell phone records. This is a process of mapping the travel history of an infected person by analysing the location records of their cell phone, followed by pinpointing, for quarantine, the other people who might have come in contact with them. Meanwhile, Taiwan has gone a step further in quarantining the traced contacts by deploying an ‘electronic fence’. If a mobile user’s SIM card is tracked beyond the reach of a network station or found to be switched off, law enforcement authorities quickly approach the suspect.

In India, law enforcement authorities across the nation are increasingly using technology to monitor and restrict the spread of the virus. In several states such as Rajasthan, Punjab and Delhi, local authorities have published lists of personal details, in online media and newspapers, of those suspected of or infected with COVID-19. The Karnataka government has taken this to an inordinate level by mandating that all quarantined persons send a geo-tagged selfie through an official app named ‘CoronaWatch’ every hour, except during sleeping hours from 10 PM to 7 AM. Now, the Ministry of Electronics and Information Technology (MeitY) has also launched an app, ‘Aarogya Setu’, which uses Bluetooth and GPS to alert individuals if they come within six feet of a COVID-19 infected person.

The case of “Public Health Surveillance”

Law enforcement agencies of different countries are carrying out tech-enabled surveillance of their citizens to ensure compliance with the rules of social distancing and lockdown. In normal times, such measures are targeted against terrorists or criminals, and are scrutinised on privacy and civil liberty grounds.

However, even the World Health Organisation (WHO) has sought to play down privacy concerns in these unprecedented times by terming the measures “public health surveillance”. The WHO has thereby legitimised the governments’ argument that the extraordinary situation of the COVID-19 pandemic necessitates the extraordinary measure of mass surveillance. A public health emergency of such magnitude is being touted as a valid justification for deploying tech-enabled mass surveillance and subverting individual rights.

Is surveillance a matter of concern for India?

There are certain unique reasons due to which the implementation of these emergency measures in India is worrisome.

No clarity on the legal basis for surveillance measures

Firstly, in India, neither the central government nor the state governments have provided any legal basis for directing such tech-enabled surveillance measures. For instance, neither the official press release of the Aarogya Setu app nor Karnataka’s ‘mandatory selfie’ direction mentions any legal grounds for such directions, nor has either been accompanied by a privacy policy. The absolute abandonment of civil liberties and privacy in the interest of public health, without the bare minimum legal foundation, portends negative consequences.

The government has invoked the Epidemic Diseases Act, 1897 and the Disaster Management Act (DMA), 2005 to deal with the COVID-19 outbreak. Neither the colonial era Epidemic Diseases Act nor the DMA covers surveillance within its scope. There is, however, an argument that the basic residuary power to take ‘necessary’ steps to curb the spread of the virus under these laws accords the government legitimate authority for surveillance.

It is unclear why the government has not availed these very basic residuary powers to also notify standing rules on privacy or on the lawful manner of deploying tech-enabled surveillance measures. As a natural consequence, in the absence of any standing rules, government directives infringing an individual’s right to privacy cannot be tested for legality, arbitrariness or accountability. This is particularly dangerous in a country like India where a data protection statute does not exist.

The use of unregulated novel technologies for surveillance provides no legal checks and oversight

Secondly, the details of the government’s technological capabilities for surveillance are largely secret. It is the sudden outbreak of the pandemic that has forced the government to openly introduce a deluge of unregulated, contemporary and emerging technologies for mass surveillance. There is a growing concern among privacy advocates that tech-enabled surveillance could persist beyond the pandemic once it is accepted and normalized in the present emergency. History bears witness that most of the world’s dictatorships and authoritarian regimes have emerged amid crises.

There is no information available about the extent and scope of the government’s capabilities and techniques. The secrecy surrounding the techniques of surveillance impedes legislative checks and institutional audits. If the public is unaware of how a technology works (due to non-disclosure by the Executive), that manner of surveillance cannot even be challenged in a court of law. Such secrecy is therefore nullifying the system of checks and balances in favor of ever-augmenting executive power.

Several surveillance techniques are disproportionate and unnecessary

Thirdly, due to the use of technologies with varying levels of invasiveness, there are doubts regarding the necessity and proportionality of such measures in relation to the right to privacy and individual liberty.

The Puttaswamy (I) judgment held, with explicit reference to public health, that a measure which restricts fundamental rights such as privacy and liberty is legitimate only if it is proportionate in nature. In that case, the SC held that a government measure is proportionate if it satisfies the following four criteria: 1) the measure should pursue a legitimate purpose; 2) the measure should be rationally connected to that purpose; 3) there should be no less intrusive alternative measure available; and 4) the public benefit accruing from the measure should be greater than the extent of the infringement of the constitutional right.

More than half of the population of the country does not have access to internet services. In such a scenario, how is surveillance through a mobile application a necessary measure? Further, several state governments are taking the extreme measure of disclosing the home addresses and other personal details of infected and suspected persons, which grossly falls afoul of three prongs of the constitutional test upheld in the Puttaswamy I judgment. An obviously less intrusive measure, such as informing a locality about the presence of infected cases in the area, could have sufficed. The Allahabad HC likewise held the UP government’s practice of publicly publishing the personal details of anti-CAA protestors to be an “arbitrary invasion of privacy”.

Karnataka has rolled out a mobile application which comprehensively discloses the location history and home addresses of infected and quarantined persons. Some states are also publicly listing such details widely on social media channels. Such indiscriminate disclosure of the private information of infected and suspected persons has prompted concerns about the possibility of social intimidation.

There have already been reports from across the nation of infected and suspected patients facing stigmatisation and various forms of discrimination, which are further resulting in a negative social impact. For instance, in Maharashtra, the public listing of coronavirus suspects on social media led to several cases of quarantined people being forcibly evicted by their landlords.

Such events call into question the necessity and proportionality of the measure, since a less intrusive alternative would have been satisfactory had the government chosen it.

Ways to resolve the concerns

There is no denying that certain limitations can be imposed on civil liberties given the urgency of the COVID-19 crisis. However, in a democratic set-up like India, it is expected of the government that its actions be transparent and provide a window for the public to assess the government’s accountability. All the worrisome aspects of public health surveillance measures can be allayed by making concerted efforts to introduce legal backing for its actions, to establish institutional oversight and to use the least intrusive means.

To provide the legal basis, the government can issue standing rules that lay down the legal and accountability measures for the local authorities responsible for undertaking public health surveillance. The governments should avail the residual powers under the DMA and the Epidemic Diseases Act to also issue ad-hoc rules and guidelines alongside the emergency surveillance measures. These rules and guidelines will provide the mechanism under which surveillance can be carried out without unduly encroaching on an individual’s privacy and liberty.

The government can presently provide such ad-hoc rules for privacy protection based on the principles delineated in the Personal Data Protection Bill 2019 (“PDPB 2019”) for data collection during health emergencies. Clause 12 of the PDPB 2019 exempts data fiduciaries from obtaining consent in emergencies such as a pandemic, but strictly imposes the requirements of data minimisation, purpose limitation, lawful processing, transparency and accountability. Introducing such principles will ensure that the information collected through surveillance is handled under constitutional checks so as to preserve privacy as far as possible.

Such ad-hoc rules will obligate the government, as a data fiduciary, to follow the principle of purpose limitation, such that the authorities collect only the minimum data sufficient for contact tracing, enforcing quarantine and any other lawful and specific purpose. The government shall use anonymised data only and adopt all security measures to prevent leaks and maintain the confidentiality of data subjects’ personal data. The rules will also mandate that the government delete the collected data at the earliest after it has served the specified purpose. This will automatically dispel the emerging concern that the effects of surveillance could persist beyond the pandemic. Further, it will inhibit the misuse of personal data and the abuse of surveillance measures.

The surveillance measures aim to keep people in quarantine and check the spread of infection for their own benefit; therefore it is suggested that the government hold no secrets about its surveillance techniques and methods. It should adopt a “Public Notice” system under which the local district administration must notify the public of the model of surveillance before conducting it.

At the very least, this notice should disclose the legal rules governing the tech-enabled surveillance measure, and its purpose. It should be clear on the authorization required for the retention, access, and use of information collected through the use of such novel technology. Such a notice would provide the transparency in the process of imposition of surveillance and allow the legislature and public to exercise meaningful control and oversight over the manner of deployment of unregulated technologies for surveillance.

Parting note

Unarguably, the present situation calls for governments to take substantial measures to protect the lives and health of the public at large, but this should not happen in utter disregard of the constitutionally recognized rights to privacy and individual liberty. The policies and techniques of government should be legitimate and proportionate in order to maintain the democratic principles of public trust and transparency. There is no hard choice between public health and individuals’ right to privacy and liberty. Both can co-exist under a legal framework that guarantees the ability to challenge unnecessary expansion of the surveillance regime.

As pointed out by Deborah Brown, senior digital-rights researcher at Human Rights Watch, “surveillance measures should come with a legal basis, be narrowly tailored to meet a legitimate public health goal, and contain safeguards against abuse”.

Therefore, the government should certainly focus on the urgent situation facing the many rather than invest concentrated effort in securing the rights of the few, but it must not wholly ignore its accountability towards any section of the community. These fundamental rights are the lungs of the edifice of our entire constitutional system, and the government should make every effort to prevent injury to them.

COVID-19 crisis is changing Tech related Law and Policy: Surveillance, Fake news, Telemedicine, and Internet

As I view things and events around the world from the comfort of my home, this blog is my take on how regulations related to technology will be impacted by the COVID-19 pandemic. As they say, sudden and unexpected events often lead to systematic and permanent changes. Work from home is a mandate now; as the fear of personal contact and surface contact is prevalent, everyone is uncertain about the impact of infection. There are even doubts about globalization, given that the infection is spreading from one corner of the world to another.

Given that COVID-19 is a pandemic, the authorities have commanded us to practice ‘social distancing’ (a trending buzzword on social media) under the twenty-one day lockdown. Hence, there is now an unwillingness among the masses to engage socially. As there are shifts in how the world is perceived, there is a shift in the understanding of technology as well. Governments around the world are now valuing its role more than ever and understanding the need for well-drafted technology policy, as they rush to contain the spread of COVID-19.

Following are the potential changes that we can see in the technology policy of India during and after the COVID-19 crisis.

Increase in the adoption of internet services

With the reach of the internet increasing to 500 million users and over 660 million broadband subscriptions, internet penetration in India is evident. The present situation is proof that Jio’s entry into the market, which made the internet more accessible than ever, has been a boon for us. The internet is an essential service and something that has kept the masses engaged and sane in their homes during the nationwide lockdown. India has the cheapest internet access in the world, but still, once the crisis is over, the government will definitely consider more options for making internet services accessible to the poor of the country, who are suffering the most in this crisis. In the present lockdown, it is important to mention the situation in Kashmir, where only 2G internet is available, at a speed that is good for nothing.

India has the cheapest mobile data in the world with 1GB costing just Rs 18.5 (USD 0.26) as compared to the global average of about Rs 600, research by price comparison site Cable.co.uk showed. Average Wireless Data Usage per wireless data subscriber per month is 10.37 GB.

Work from Home

Zoom, a video-meeting app, has seen a significant rise in downloads over the last week. With employees unable to attend offices, video conferencing services that work over the internet have become significant. Again, such applications make access to the internet an essential service for operating a business online (a fundamental right). As employment laws are being discussed these days to understand the place of work from home in the law, policymakers will definitely deliberate on this after the crisis and provide a permanent solution.

Certain important points, for the reference of readers, from the advisories issued by the government in relation to employment laws:

The Ministry of Labour & Employment, Government of India advised on March 20, 2020, that all public and private organizations are to refrain from terminating the services of their employees or reducing their wages.

The Ministry of Labour & Employment has extended the deadline for filing the Unified Annual Return for 2019 under eight laws that were filed on the Shram Suvidha Portal to April 30, 2020 (the previous deadline was February 1, 2020). The notification further states that authorities are not to take action against any entity that did not meet the earlier deadline.

The Employees’ State Insurance Corporation (ESIC), through its communication dated March 16, 2020, has extended the dates for filing of ESI contribution and payment. Accordingly, all contributions for the months of February 2020 and March 2020 can be filed and paid up to April 15, 2020 and May 15, 2020, instead of March 15, 2020 and April 15, 2020, respectively.

The Government of India will contribute the employer contribution (on behalf of companies) and employee contribution (on behalf of employees of those companies) towards the Employee Provident Fund Organization (EPFO) for the next three months for establishments with up to 100 employees meeting certain base salary thresholds.

All EPFO members (employees) will now be able to withdraw up to 75 percent of their total EPFO fund or an amount equivalent to three months of their salary, whichever is lower. The amount withdrawn from EPFO shall be non-refundable, and the employees do not need to return the same to their EPFO account.

Streaming services and regulations

During home quarantine, dependence on streaming services is so heavy that internet service providers have asked streaming platforms like Netflix and Amazon Prime to reduce their bit rate in order to lower the stress on networks. The streaming platforms have duly conceded to this demand, considering the continuous requirement of providing services to consumers. Consumers are realizing the benefits of streaming platforms, and hence there is going to be a potential increase in subscriptions going forward, converting viewers into paying users. In terms of policy-making, if streaming services have the potential to displace traditional entertainment services, the Indian government will look to regulate the content more than ever. The government is already in consultation with stakeholders regarding the options of self-regulation or government regulation.

Increase in demand for spectrum to meet the consumer demand

The percentage of connections that are based on a wireless medium is a staggering 96% approx. The increased adoption of the internet for continuous entertainment and work at home has therefore led to increased stress on telecom operators. With the sudden 20% increase in demand, telecom operators have sought more spectrum allotment from the government.

A new perspective for e-commerce

The government has rightly considered e-commerce a provider of essential services during the present situation. Their adequate performance under the lockdown can provide them with a deep sigh of relief, as for the past few months their food and grocery delivery services have been under strict government supervision. Several lobbies representing brick and mortar retailers of groceries and food have targeted the e-commerce market and cast it as a threat to the business of offline retailers across the country. The opportunity to legitimize the need for online services during the lockdown has done for e-commerce what demonetisation did for digital payments.

Offline print becomes the victim

Online media channels are also opportunistically gaining traction in terms of consumers. The newspaper industry seems to have been hurt by the contact-based spread of COVID-19. Various online posts and WhatsApp threads are circulating claiming that newspapers are potential vectors of COVID-19. In one case, the Times Group sent a legal notice to The Print for an article which suggested that COVID-19 can potentially spread through newspapers as well. Therefore, there could be a rise in online media usage, which could lead to a rift between offline and online media.

A struggle to contain fake news or misinformation

The sensational way in which the COVID-19 crisis has led to the nationwide lockdown is largely due to the sensationalized content related to COVID-19 which is spreading through social media across the country faster than the virus itself. Misinformation about COVID-19 is spreading on a large scale, and platforms are struggling to deal with it, especially given the lack of continuous moderation by social media platforms, which is not warranted by law. This has dealt several blows to the effectiveness of the lockdown, because people believed misinformation such as that cow urine is a cure for COVID-19 or that religious congregations will protect them from the disease, leading them not to take the lockdown seriously. Understanding the struggles with automatic moderation of content on the internet, the government may move sooner than expected to enforce a strict moderation policy that undermines the right to free speech.

The twenty-one day lockdown recently faltered when the exodus of a large number of migrant workers from urban cities like Delhi and Jaipur came to light. The Supreme Court’s division bench, in a hearing on Tuesday reviewing the steps that the central government has taken to provide relief to poor migrant workers during the lockdown, expressed serious concern over the spread of fake news or misinformation regarding the lockdown’s duration on social, electronic and print media, which caused the mass exodus of migrant workers from cities to their village homes. In this light, the Centre has sought a direction from the SC that no media stakeholder should publish COVID-19 news without ascertaining the facts with the government. However, constant and close monitoring has been held not to be warranted by law in various precedents of Indian courts.

Privacy, necessity and proportionality

While the right to free speech could be threatened in future due to the present crisis, the right to privacy has already suffered several blows. Considering the emergency situation and the lack of any comprehensive law protecting privacy, the privacy of a number of citizens has been compromised. The health status of quarantined or infected persons is open to all, as their homes are being marked and their personal details are being made public on social media. Governments are openly surveilling quarantined people to enforce quarantine, and are inviting bids from technology companies to procure technology that can make continuous surveillance more effective. In India, several governments are already tracking citizens by keeping a tab on their phones or using geofencing. The crisis has legitimized the government’s long-held plans to create an infrastructure which can assist in surveilling its citizens whenever the need arises. Given the opportunity, the Department of Science and Technology has invited proposals and set up a task force for building surveillance, AI and IoT tools.

Several privacy activists have voiced opinions against the government’s plan to keep track of infected persons. If litigation arises, the question is whether the present circumstances will meet the necessity and proportionality test required to justify the violations of privacy.

Drones as part of law enforcement

Drones are being used in some cities for surveillance to ensure that the current curfew is not violated. Drones allow the police to surveil and document in a low-risk manner. In cities like Chennai, they are being used to disinfect areas. If all goes well in these difficult times of crisis, expect the police to place more orders for drones going forward, and many tasks will be automated.

Telemedicine guidelines

One of the prime examples of the proposition that the experience of the COVID-19 crisis will accelerate policy-making on the regulation of technology is the rollout of a set of guidelines for telemedicine, or the remote delivery of medical services. Telemedicine practice means that doctors will now be allowed to use information and communication technologies, as per the guidelines, to exchange valid information with patients for the diagnosis and treatment of ailments. In order to ensure steady and quick medical services during the nationwide lockdown, the Ministry of Health and Family Welfare finally sanctioned guidelines that had been proposed ten years ago. Globally, telemedicine has emerged as a front-line weapon against the COVID-19 pandemic. The present crisis motivated the government to promote the concept of telemedicine to the masses, explaining that unnecessary exposure of people involved in the delivery of healthcare can be avoided using telemedicine, as patients can be screened remotely.

Delhi HC has expanded the scope of injunction orders in Internet jurisdiction: Geo-blocking to Global-blocking in IT law

This post has borrowed extensively from an earlier blog-publication by Aryan Babele on Tech Law Forum @ NALSAR.

On 23rd October 2019, the Delhi HC delivered an impactful judgment authorizing Indian courts to issue “global takedown” orders to Internet intermediary platforms like Facebook, Google and Twitter against illegal content uploaded, published and shared by their users. The Delhi HC delivered the judgment on a plea filed by Baba Ramdev and Patanjali Ayurved Ltd. requesting the global takedown of certain videos which are defamatory in nature.

The Court passed the order in the context of its observation that there is a ‘hare and tortoise race’ between technology and law, such that ‘technology gallops, the law tries to keep pace’. This observation reflects the Court’s intention to interpret IT law in a manner that ensures the effective implementation of judicial orders throughout the internet jurisdiction and mitigates the circumvention of such orders by the use of advanced technology.

However, the Court’s order is attracting criticism globally from several internet-freedom activists. It seems that the Court has made a hasty attempt to win the ‘hare and tortoise race’ and has failed to consider its far-reaching implications for IT law jurisprudence and conflict of law provisions. This article aims to analyze and indicate the significant points in the Delhi HC’s judgment which the Court failed to consider while relying on the unsettled jurisprudence of global injunction orders.

Background- The case of Swami Ramdev v. Facebook

In Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC], Swami Ramdev (a prominent yoga guru and public figure) filed a case before the Court against Facebook, Google, YouTube and Twitter, inter alia praying for the global takedown of defamatory content (videos) uploaded, published and shared by users of these intermediary platforms.

The case stems from the publication of videos on the defendants’ platforms which are based on those offending portions of the book titled ‘Godman to Tycoon: The Untold Story of Baba Ramdev’ by Priyanka Pathak Narain that are already subject to an ad-interim injunction granted by the Court in Swami Ramdev v. Juggernaut Books [CM (M) 556/2018] in May 2018.

Subsequently, in January 2019, the Court passed an interim injunction against the defendants’ platforms to disable access to the offending URLs and weblinks for the Indian domain as per Section 79 of the Information Technology Act, 2000 [hereinafter referred to as the IT Act 2000], i.e. it ordered geo-blocking.

However, the plaintiff argued that the geo-blocking is an ineffective solution as the objectionable content is widely available on the global internet and internet users in India can still access such content using VPNs and other such mechanisms. Therefore, the only effective remedy, according to the submission of plaintiff, is to issue a global blocking order.

Internet intermediaries have contended against such a global take down mechanism as it poses a number of technical and legal difficulties for them. Firstly, cross-jurisdictional laws vary in standards for determining defamation, and hence disabling access globally will breach the principles of international comity. Secondly, in order to globally disable access to the content, the intermediary platforms have to monitor every upload on their platforms which is technically difficult and legally wrong.

The Delhi HC’s Judgment

The Court, agreeing with the plaintiffs’ submission, went on to hold that online intermediary platforms can be ordered by a competent court in India to take down content globally, as the content is published on their global services. It observed that complete removal is needed because easy-to-use technology applications are widely available that help local users circumvent geo-blocking and render the take-down order useless. Therefore, as per the Court’s observations, absolute global removal is the absolute remedy.[1]

Further, the following directions, hereby in brief, have been put forth by the Court to support its order:

  • The Court broadened the interpretation of Shreya Singhal v. Union of India: As per the Court, Section 79 of the IT Act 2000 provides that in order to avail the safe-harbor immunity, “intermediaries have to take down and disable access to the offending material residing in or connected to a computer resource in India”. It interpreted the definition of ‘Computer Resource’ as given in the IT Act, such that the “Computer Resource” as per the judgment “encompasses within itself a computer network, which would include a maze or a network of computers. Such a computer network could be a global computer network”.[2]
  • Global take downs are technologically possible: The Court held that whenever any content violates the community standards of the internet intermediary platforms, such content is taken down globally by the platform on its own. Therefore, it observed that it is technologically possible for the platforms to take down content globally on the orders of the competent courts as well.
  • Application of IT Act in extra-territorial jurisdiction: In order to justify the global take down, the Court explained that, “a perusal of Section 75 of the Act shows that the IT Act does have extra territorial application to offences or contraventions committed outside India, so long as the computer system or network is located in India”.[3] Therefore, the Court held that as long as the content has been uploaded from the Computer Resource located in India, Indian courts will be competent to pass the global injunction/ take down orders.
  • Allowing the direct ‘Notice-and-Takedown’ mechanism for future uploads of the objectionable content: The Court has held that the plaintiffs can approach the intermediaries directly if they find the questionable content published again on their online platforms in future. However, the Court has provided a counter-notice option for intermediaries, by opting for which the intermediaries can refute claims of illegality and shift the onus of proof back onto the plaintiffs, who will then have to approach the Courts for an appropriate remedy.

Observations: the Loopholes, Unsettled Jurisprudence and the Comment

The Loopholes

It is completely understandable that the Court favours global take-down orders to make its injunction orders against global services more effective. Unfortunately, in its broad evaluation of the legal feasibility of global injunction orders and the technological capability of intermediaries to obey them, the Court failed to consider certain very significant arguments[4]:

  • Use of VPNs the other way around: The Court accepted the plaintiffs’ argument that geo-blocking is circumvented due to the wide availability of easy-to-use applications like VPNs. However, it did not consider circumvention in the reverse case, in which a user uploads the content using a VPN or other web proxy service and can easily fake the IP address so that the content appears to have been uploaded from outside India, negating the Court’s jurisdiction. Therefore, a global takedown order, even prima facie, does not seem to be the appropriate remedy.
  • Denial of the principle of international comity and the right to information: Defamation laws vary widely across jurisdictions. If global takedown were mandated, platforms would be wary of falling foul of the law in other countries. For example, if Indian courts mandate the global takedown of content which is not at all questionable under the laws of certain countries, the takedown order will contravene the right to information of the citizens of those countries. Not respecting the laws of other countries amounts to a breach of the principle of international comity and of conflict of laws.[5]
  • Without due consideration to the rights to free speech and privacy: The Court failed to appreciate the technicalities involved in operating global take-down orders: to stop dissemination globally, the intermediary platforms would have to start monitoring each and every piece of content being uploaded. This further imposes the risk of private censorship on the Internet and affects the right to free speech and privacy of users. Constant and close monitoring has been held not to be warranted by law in various precedents of Indian courts.[6]
  • Shifting away from the law established by the Manila Principles on Intermediary Liability and Shreya Singhal case: The Court has allowed plaintiffs to directly approach the intermediary platforms in case of re-uploading of the objectionable content in future. This is a great shift away from the existing process under Section 79 of the IT Act, 2000 as established by the Supreme Court’s landmark judgment in the Shreya Singhal case, which requires intermediaries to take down or disable the access to the content only in cases of receiving an order from either the government or the Court to do so. The same is considered global best practice according to the Manila Principles on Intermediary Liability.
  • The question of extraterritorial application of the IT Act in the present case: As per the Section 75 of the IT Act 2000, it is clear that the Act applies extra-territorially to certain offences or contraventions committed outside of India if the same is committed using “a computer, computer system or computer network located in India, the contraventions as contemplated under the Act are provided for in Sections 43, 43A, 66A, 66B, 66 66E and Section 66F.” Defamation is not covered in any of these provisions.[7]

Heavy reliance on the unsettled jurisprudence

The Court has heavily relied on certain foreign judgments while reaching the conclusion in its own judgment. The issue with the same is that the jurisprudence around geo-blocking and global injunctions is unsettled and still developing; with the Delhi HC’s order adding more confusion to the same.

The Court has relied on the case of Google Inc. v. Equustek Solutions Inc., which is living proof of this unsettled jurisprudence.[8] The Supreme Court of Canada ordered Google to de-index listings from its search results globally in order to protect a litigant’s trade secrets. While the Supreme Court of Canada upheld a global injunction against Google, the US court sided with Google, ruling that the Canadian order “threatens free speech on the global internet”.

The Court also relied on the case of Eva Glawischnig-Piesczek v. Facebook Ireland Limited, in which the CJEU ordered Facebook and other platforms to remove questionable content and copies of the same, and to block access to the same, globally. While relying on that case, the Delhi HC did not consider at all the CJEU’s decision in Google v. CNIL[9], in which it was held that Google is not required to de-reference listings from its global service just because the content has been declared illegal by an EU member state.

Comment

It is clear that the Delhi HC left a lot unconsidered before delivering the judgment, from the complexities of territorial jurisdiction to the differing nature of cross-jurisdictional laws. In the present case, the Court mainly failed to appreciate the varying nature of defamation laws across jurisdictions: in the UK, the burden of proof is on the defendant to prove that the content is not defamatory, while in the US, a heavy onus of proof is placed on the plaintiff.

The Court also failed to consider certain very important foreign judgments which have specifically highlighted the issue of differences in the nature of the law. In Google v. CNIL, the CJEU held that the ‘right to be forgotten’ (which was the main issue in the case) differs in its standards of application and interpretation around the world. Therefore, it agreed that it is enough for Google to block access to the questionable content from the EU domains only. Further, in Bachchan v. India Abroad Publications Inc.[10], the Supreme Court of New York County refused to enforce a defamation judgment awarded by the High Court of Justice in London, England, ruling that it would be a threat to the free speech protections offered by the First Amendment to the US Constitution.

Unarguably, internet jurisdiction has always been a challenge for courts and governments. Courts have always been behind technology in the race and unable to assert absolute jurisdiction. This risks making the internet a proverbial ‘wild west’ with no single comprehensive applicable law. The fact that an injunction against an intermediary operates on a global scale does not necessarily make it invalid or overreaching. After all, a limited denial of access in the local domain does not protect the underlying rights at stake; global takedown seems the right method to ensure effectiveness. But all of this must be done while mediating the conflicting interests as well as recognizing the protection afforded to certain forms of speech.

As Gautam Bhatia said in the context of Swami Ramdev v. Juggernaut Books last year, “Indian courts seem to increasingly view freedom of speech as a mere annoyance to be brushed aside when confronted with competing claims”. If global takedown orders become mainstream, regressive laws on freedom of speech and expression online will become the norm. Courts and governments, in order to win this ‘hare and tortoise race’, must not ignore the countervailing arguments relating to freedom of speech and the right to privacy. These rights should not be treated as outweighed by values like national integrity, security interests, etc.; rather, an effort should be made to strike a balance between both sides.

The judgment is under challenge now by Facebook before a Division Bench, and the matter is listed for final hearing on January 31, 2020. The Court must set a precedent in the unsettled jurisprudence that will consider the free speech and privacy rights in the world of internet at the intersection of technology and laws such as defamation law.

References:

[1] Para. 87, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[2] Para. 78, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[3] Para. 86, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[4] Apoorva Mandhani, Why Baba Ramdev’s win against Facebook, Google in Delhi HC only adds to judicial confusion, The Print, https://theprint.in/india/governance/judiciary/why-baba-ramdevs-win-against-facebook-google-in-delhi-hc-only-adds-to-judicial-confusion/312403/.

[5] Balu Nair, Delhi HC Gives Expansive Interpretation to Section 79 of IT Act: Issues Global Blocking Order Against Intermediaries, SpicyIP, https://spicyip.com/2019/11/delhi-hc-gives-expansive-interpretation-to-section-79-of-it-act-issues-global-blocking-order.html.

[6] Delhi High Court Approves Take Down of Content Globally, SFLC, https://sflc.in/del-hc-orders-global-take-down-content.

[7] Para. 16, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[8] Google Inc. v. Equustek Solutions Inc., Cambridge Core, https://www.cambridge.org/core/journals/american-journal-of-international-law/article/google-inc-v-equustek-solutions-inc/E667668ED944EBE52233E17320478448/core-reader.

[9] Google v. CNIL, CJEU Case C-507/17.

[10] Bachchan v. India Abroad Publications Inc., 154 Misc 2d. 228, 585 N.Y.S.2d 661.

Summary: Philippines Senator introduces the ‘Anti-False Content Act’ to fight fake news

The article has been authored by Aryan Babele and first published on Medianama. Read https://www.medianama.com/2019/08/223-the-lowdown-the-anti-false-content-act-to-address-fake-news-that-was-introduced-in-the-philippines/

The Senate of the Philippines has announced the introduction of the ‘Anti-False Content Act’ on 1st July 2019. The newly proposed anti-fake news bill, as filed by the Senate President Vicente Sotto III, aims to prohibit “the publication and proliferation of false content on the Philippine internet, providing measures to counteract its effects and prescribing penalties therefor.” The Senator, in the explanatory note to the Bill, said that

“In the Philippines, widespread are headlines that are mere click-baits; made up quotes attributed to prominent figures; and digitally altered photos. Filipinos have fallen prey to believing that most of them are credible news…. In this regard, this bill seeks to protect the public from the deleterious effects of false and deceiving content online.”

However, media groups are warning that the proposed Bill could lead to censorship. On 25th July 2019, the international group Human Rights Watch (HRW) opposed the proposed law citing that the Bill is “sweepingly broad and threatens to stifle discussion on websites worldwide” and “would excessively restrict online freedom of speech”, in a news release. Linda Lakhdir, Asia Legal Adviser at HRW, further said that:

“The proposed ‘false content’ law poses real risks for activists, journalists, academics, and ordinary people expressing their views on the internet”

Declaration of Policy

The proposed Act declares that the policy of the State is “to protect people from any misleading or false information that is being published and has become prevalent on the internet”. In this regard, the State shall commit to:

  1. Be proactive in preventing further exploitation of online media platforms for such purpose;
  2. Counteract its concomitant prejudicial effects to public interest while remaining cognizant of the people’s fundamental rights to freedom of speech and freedom of the press.

What is ‘online intermediary’?

It refers to “a provider of service which displays an index of search results that leads the internet users to a specific online location”, giving them access to “contents originating from third parties”, and “allows them to upload and download content”. It includes, but is not limited to, social-networking sites, search engine services, internet-based messaging services, and video-sharing sites.

What constitutes ‘publication’?

It refers to the “act of uploading content on an online intermediary with an intent to circulate particular information to the public”.

What is ‘fictitious online account or website’?

It refers to those accounts and websites “that has an anonymous author or uses an assumed name in pursuing activities” in order to avoid punishment or legal consequences of such activities.

Counter-active measures

According to Section 5 of the proposed Act, the Department of Justice (DOJ) Office of Cybercrime shall have the authority to issue a rectification order, a takedown order and/or a block access order to restrain the creation and/or publication of online content that contains false information or that tends to mislead the public.

Rectification order refers to an order directing the administrator of the online account or website to issue a notice indicating the necessary corrections to published content.

Takedown order refers to an order directing the owner or administrator of the online account or website to take down the published content.

Block Access order refers to an order directing the online intermediary to disable access by users to the published content.

These orders can be issued by the DOJ Office of Cybercrime in two following cases:

  1. When a complaint filed with the DOJ Office of Cybercrime by an aggrieved party is valid and has sufficient basis;
  2. In matters affecting the public interest, where the same Office can issue the appropriate order of its own volition (motu proprio).

“Public interest shall refer to anything that affects national security, public health, public safety, public order, public confidence in the Government, and international relations of the Philippines.”

Appeal to cancel the order

According to Section 6 of the Bill, the online publisher or online intermediary who has been issued with Orders under Section 5 of the Bill, can appeal against such Order to the Office of the Secretary of the DOJ.

Punishable Acts under the proposed law

According to Section 4 of the Bill, the following acts shall be punishable offences:

  1. Creating and/or publishing content on one’s personal online account or website knowing or having a reasonable belief that the content contains false information or tends to mislead the public;
  2. Using a fictitious online account or website to create and/or publish content that contains false information or misleads the public;
  3. Offering or providing one’s services to create and publish content online with the intention of deceiving the public, regardless of whether it is done for profit or not;
  4. Financing an activity which has for its purpose the creation and/or publication of a content online containing false information or that would tend to mislead the public;
  5. Non-compliance with any of the government’s Takedown orders, Rectification orders or Block Access orders issued under Section 5 of the proposed law, whether deliberate or through negligence.

Penalties

Section 8 of the Bill proposes the following stringent penalties for the aforementioned punishable offences:

  1. If an individual is found guilty of creating and/or publishing false information online that misleads the public, as provided under Section 4(a) of the proposed law, he/she will be punished with imprisonment of up to six years, or a fine of not more than PHP 300,000, or both.
  2. If an individual is found guilty of using a fictitious online account or website to create and/or publish false information online that misleads the public, as provided under Section 4(b), he/she will be punished with imprisonment of up to six years, or a fine of not more than PHP 500,000, or both.
  3. If an individual is found guilty of offering or providing his/her services to create and/or publish false information online with the intent to deceive the public, as provided under Section 4(c), he/she will be punished with imprisonment of up to six years, or a fine of not more than PHP 200,000, or both.
  4. If an individual is found guilty of financing such an activity, as provided under Section 4(d), he/she will be punished with imprisonment of up to twenty years, or a fine of not more than PHP 100,000, or both.
  5. If an individual is found guilty of not complying with the government’s orders issued under Section 5 of the proposed law, he/she will be punished with imprisonment of up to twenty years, or a fine of not more than PHP 200,000, or both.

Jurisdiction of the regional trial courts

Section 9 provides that the regional trial courts will have jurisdiction over Philippine nationals who commit the acts punishable under the proposed law, whether or not they were in the Philippines when the offense was committed.

Law Enforcement Authorities

The Cybercrime Division of the Philippine National Police (PNP) and the National Bureau of Investigation (NBI) will be responsible for the enforcement of the provisions of the Act.

“Cyber Security Bill” of Sri Lanka: S-E Asia moving for enhanced Cyber-Security Framework

The Sri Lankan government has drafted a new ‘Cyber Security Bill’ to protect vital information and essential services from cyber attacks.

The Cyber Security Bill vests in the Government the power to establish a ‘Cyber Security Agency’ and to empower the Sri Lanka Computer Emergency Readiness Team and the National Cyber Security Operations Centre, which aim to protect “Critical Information Infrastructure”, the infrastructure necessary for the continuous delivery of the country’s essential services.

The draft bill awaits cabinet approval and will thereafter be presented to Parliament, according to the non-cabinet minister of Digital Infrastructure and Information Technology, Ajith P. Perera. The minister said that public opinion on the proposed Bill will be sought in a public consultation forum to be held on June 6. He also said that the draft of comprehensive Data Protection legislation is complete and will be presented to the cabinet and legislated within three months.

Understanding Sri Lanka’s new “Cyber Security Bill”

The objective of “Cyber Security Bill”

The Bill has been proposed with the objective to provide an essential component that will (i) ensure the effective implementation of the National Cyber Security Strategy in Sri Lanka; (ii) prevent, mitigate and respond to cyber security threats and incidents effectively and efficiently; (iii) establish the Cyber Security Agency to strengthen the institutional framework for cyber security and (iv) protect the Critical Information Infrastructure.

In November 2018, the Government of Sri Lanka introduced Sri Lanka’s first Information and Cyber Security Strategy, to be implemented over a period of five years from 2019 to 2023. It is an institutional framework which aims to create a trusted and resilient cyber security ecosystem, enabling Sri Lankan citizens to access digital benefits safely and facilitating a better future.

What is ‘Critical Information Infrastructure’?

“Critical Information Infrastructure” (CII) includes all computers or computer systems located wholly or partly in Sri Lanka that are necessary for the continuous delivery of essential services for public health, public safety, privacy, economic stability, national security, international stability and for the sustainability and restoration of critical cyberspace. It also includes any computer system whose disruption or destruction would have a serious impact on the functioning of the government.

Cyber Security Agency of Sri Lanka

  1. Establishing a new Cyber Security Agency

The Bill proposes to establish an agency which will be the “Apex and Executive body” for all matters relating to cyber security policy in Sri Lanka. It will be responsible for the implementation of the National Cyber Security Strategy “including preparation and execution of operational strategies, policies, action plans, programs and projects”.

  2. The Management and Administration of the Agency

The management and administration of the affairs of the agency shall vest in a Board of Directors consisting of Secretary to the Ministry of Defence, Secretary to the Ministry of Public Administration, a member nominated by the Board of Sri Lanka Computer Emergency Readiness Team (SL-CERT), Secretary to the Ministry which is responsible for implementation of the proposed Act and three expert members appointed by the responsible Minister.

  3. Powers and Functions of the Agency

One of its main functions is to identify computers or computer systems and recommend that the responsible Minister designate them as CII, and further to develop strategies and plans for the protection of the CII.

It will act as the central point of contact to all government institutions and other relevant sectors of the country in respect of cyber security measures.

The Agency will ensure effective compliance by requesting the submission of compliance reports from designated CIIs and other government institutions which will include cyber security assessment and information relating to the steps taken to protect the CIIs.

The Agency, or any officer authorized by the Agency, has the power, on reasonable grounds, to enter, inspect and search the premises of designated CIIs. It can examine any documents, records and persons pertaining to such CIIs.

  4. Information Security Officer (“ISO”)

The Bill provides for the appointment of an “Information Security Officer” in each public institution or department. Every ISO will ensure the compliance of that institution or department with the prescribed standards relating to cyber security.

The institutional framework to assist the agency

The new Bill also proposes to empower the Sri Lanka Computer Emergency Readiness Team (SL-CERT) and the National Cyber Security Operations Centre (NCSOC) for the proper implementation of the National Cyber Security Strategy of Sri Lanka.

It provides that SL-CERT will be “the national point of contact for handling cyber security incidents in Sri Lanka” and will assist the Agency. It will do so by providing national-level cyber threat intelligence and conducting reactive cyber security services to prevent and mitigate the damage from cyber security incidents.

Further, the responsible Minister with the concurrence of the Agency will designate the CERT or any institution as the new NCSOC. The NCSOC will monitor the designated CIIs, identify potential cyber security incidents, gather cyber threat intelligence information and provide such information to law enforcement authorities, CERT and to the Agency. It will assist the Agency to facilitate coordinated response to prevent, detect, and investigate cyber security incidents.

The owner of CII

The designated CII may be public institutions (owned or operated by the government) or other institutions. The head of the organization responsible for the CII will be deemed the “owner” of the CII. It is the responsibility of the owner of the CII to take all necessary steps to protect the CII as prescribed in the Bill. This includes conducting security assessments, implementing the protection plan and notifying the Agency and CERT of the occurrence of any cyber security incident with respect to the CII. If the CII is constituted by multiple organizations or multiple sectors, the heads of all such organizations or sectors shall become jointly and severally responsible for protection of the CII.

Offences and Penalties

Every CII owner who, without any reasonable cause, fails to fulfil the obligations prescribed under the proposed Act and fails to report cyber security incidents to the Agency and CERT commits an offence and shall on conviction be liable to a fine not exceeding Rs 200,000 or to imprisonment for a term not exceeding two years, or to both such fine and imprisonment.

An ISO can be held guilty of an offence if he or she fails to perform the duties and responsibilities relating to cyber security incidents under the proposed Act. Further, the Bill also provides that every person who, being the head of an institution, fails to facilitate the ISO commits an offence. However, such an ISO or person will not be guilty of the offence if it was committed without his knowledge or if he exercised all due diligence to prevent the commission of such an offence.

Prosecution under the proposed Act can only be instituted by the Agency or an officer authorized by the Agency.

Other powers of the Minister

“Minister”, as referred in the proposed Act, means “the Minister assigned the subjects and functions relating to cyber security”. The Minister has the power to give general or special directions to the Agency, from time to time, to ensure the effective compliance to the Government policy. He has the power to make regulations, with the concurrence of the Agency, in respect of the matters prescribed in the Act.

 

Facebook’s Clampdown on the business of generating fake likes and followers: ‘Inauthentic Behavior’ on Instagram

Facebook has announced in a blog release titled “Preventing Inauthentic Behavior on Instagram” that Facebook and Instagram have sued a company and three individuals based in New Zealand for making a business of selling fake likes, views and followers on Instagram. It has filed a lawsuit in US federal court alleging that “the company and individuals used different companies and websites to sell fake engagement services to Instagram users”.

It said it issued warnings to the company and suspended the company’s associated accounts for violating Facebook’s Terms of Use, but the activities persisted. By filing the lawsuit, Facebook wants to send a message that fraudulent activity is not tolerated and that it will protect the integrity of its platform.

The lawsuit

The lawsuit asks the Court to prevent the defendant company from “engaging and profiting in the sale of fake likes, views and followers on Instagram”. It also seeks to prevent a “violation of its Terms of Use and Community Guidelines”. Further, it aims to prevent a “violation of the Computer Fraud and Abuse Act and other California laws for distributing fake likes on Instagram in spite of Facebook suspending their accounts and revoking access”.

The lawsuit details that a company called Social Media Series operated various websites and services to generate fake likes and followers for Instagram users who wanted to inflate their follower counts. Customers paid from $10 to $99 per week depending on the number of likes they wanted to purchase for their accounts, which were then generated almost within seconds of posting a new photo.

The lawsuit says that “through their business, Defendants [Social Media Series Limited and its directors] interfered and continue to interfere with Instagram’s service, create an inauthentic experience for Instagram users, and attempt to fraudulently influence Instagram users for their own enrichment”.

As the lawsuit further claims, the company and its directors have “unjustly enriched themselves at the expense of Facebook and Instagram in the amount of approximately $9,430,000” since July 2018.

Inauthentic experience

Facebook said in the blog post that “Inauthentic activity has no place on our platform”. It says that it “devote[s] significant resources” to detecting and stopping inauthentic behavior. This includes “blocking the creation and use of fake accounts, and using machine learning technology to proactively find and remove inauthentic activity from Instagram”.

It further said that “today’s lawsuit is one more step in our ongoing efforts to protect people and prevent inauthentic behavior on Facebook and Instagram”. Facebook seeks unspecified damages for the manipulation of Instagram’s platform.

Clamping down on “Inauthentic Behavior”

Facebook now has multiple lawsuits in the works relating to individuals or companies that sell fake engagement on its social media platforms. Facebook recently removed or unpublished over 1,000 Facebook pages and Instagram accounts from India and Pakistan for ‘inauthentic behavior’. In March 2019 it filed a lawsuit against several companies and individuals based in China, claiming that they are engaged in selling fake accounts, likes, and followers on Facebook and Instagram. In November 2018, Instagram warned users to avoid inauthentic follows and likes generated by third-party apps and services, as reported by Cult of Mac.

DECODING THE STANDARD CLAUSES OF GDPR- (1)

The General Data Protection Regulation (GDPR) has now been in effect for more than six months, and still many SMEs are curious about it as if it were something yet to be enforced at some future time. There is no doubt why the GDPR is getting so much attention in the global market: it is the globalization of the market and its integration with the internet that makes the GDPR a big deal, despite its being a framework of standard regulations applicable only in the European Union. The GDPR includes some very basic elements that could potentially become the standard data protection law across the globe. Therefore, before discussing its sector-wise impact, it is very important to know the obligations and rights, under the GDPR, of the key stakeholders that deal with personal data.

It is very important to understand that the GDPR is prescriptive in nature, in light of the debate around its being strict and harsh on SMEs. That the GDPR is prescriptive means that it essentially prescribes the best practices that businesses in Europe need to follow when drafting their privacy policies. The GDPR is prescriptive on the need for contracts governing the sharing of EU citizens’ personal data in the following three brackets:

  1. Data Sharing between Co-controllers;
  2. Processors appointed by Controllers;
  3. Sub-Processors appointed by Processors. (Data Centres or any kind of support behind the vendor).

______________________________________________________________________

NOTE: Before describing anything related to standard clauses under GDPR, it is important to understand the basic meanings of certain terms and then understand their usage in this article based on the meanings as follows:

Data-Subject refers to an individual person or a natural person identified, directly or indirectly, through an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity. In other words, a data subject is an end user whose personal data can be collected.

Data-Controller, according to the GDPR, is defined as “a natural or legal person which, alone or jointly with others, determines the purposes and means of personal data processing” (for example, a business obtaining customer or employee details, or a school, college or university holding student records).

The role of a data controller is to determine who shall be responsible for compliance with data protection rules and how data subjects can exercise their rights. Put simply, controllers are the managers of personal data, and they instruct the processor. The data controller decides the purpose for which personal data is required and what personal data is necessary to fulfil that purpose.

A data controller will act on their own autonomy. A party constrained in how they can handle personal data is less likely to be a data controller but could be a data processor.

GDPR defines a Data-Processor as:

a natural or legal person that processes personal data on behalf of the data controller.

A data processor would be a separate business entity (whether a company, partnership or a sole trader) serving the interests and carrying out the instructions of the data controller in its processing of the personal data.

The role of a data processor could include storing data, retrieving data, running a business’s payroll, carrying out marketing activities, or providing security for data.

 

PRACTICAL SCENARIO:

X Limited has entered into a contract with Y Limited, providing clear instructions to Y Ltd. to send an email advertising X Ltd.’s new range of products.

They provide Y Ltd. with an email template and a spreadsheet of personal email addresses (all obtained with valid GDPR consent).

X Ltd. outlines that the spreadsheet is only to be used for the purpose of sending this advertising email.

Y Ltd. is bound by instructions of X Ltd.

In this scenario, Y Ltd. is the data processor and X Ltd. is the data controller.

 ______________________________________________________________________

Knowing obligations and rights of Controllers

In practice, in the European Union, vendors/sellers/suppliers are pushing for standard contracts that comply with the GDPR, as all commercial negotiations related to data sharing are now governed by it and EU controllers are very concerned about managing risk. As the marketplace is very nascent, guidance and enforcement are much needed. It is therefore important to identify and categorize whom one can share data with or receive data from, determine GDPR processor obligations and ensure the stability of internal processes. Another thing to keep in mind, in order to understand the GDPR in its true essence, is that contracts are just one part of wider GDPR compliance and not the whole of the GDPR by any means.

Article 5 of the GDPR presents the big picture explaining the core principles behind the standard provisions relating to the protection of personal data as follows:

  • Data must be processed lawfully and fairly, in a transparent manner, and this should be the primary concern of the controller. This principle is a reminder of the significant issues which a stakeholder must address clearly in contracts in order to specify responsibilities, process and liabilities.
  • Data minimisation must be the essence of every privacy policy. Put simply, it means that personal data should be processed only to the minimum level that is necessary.
  • Data must be accurate and must be kept up to date. It is one of the clauses which paves the way for implementing the right to be forgotten in terms of data collection, as the principle requires that out-of-date data be deleted or corrected as quickly as possible.
  • Storage limitation must apply in order to limit the duration for which the data and its source remain identifiable, subject to certain restrictions.
  • Security and integrity of data come with an obligation to prevent unauthorized access to or control of data by using efficient ethical, technical and organizational methods. The phrase ‘integrity and confidentiality’ appears in multiple places in the GDPR, and it is there to remind stakeholders what is expected of their data-protection policy.
  • The principle of accountability makes it plain that under the GDPR a stakeholder is not only supposed to comply with the regulations but also has to demonstrate that compliance. Therefore, accountability should be visible explicitly in every contract and privacy policy.
  • There is another principle which is not present in the text of Article 5 but is provided for in the GDPR through Article 25: the concept of data privacy by design and by default. The theme behind it is that a stakeholder has to embed the concept of privacy in every word of its privacy policy that deals with the personal data of EU citizens, and hence the contract should highlight it as well.

Now that the principles are known, one can move on to understand the letter and spirit of the law that the GDPR enforces, as follows:

The GDPR has specific requirements for joint controllers and for controller-processor/sub-processor arrangements. According to Article 26 of the GDPR, a joint controller relationship is one in which two or more controllers jointly determine the purposes and means of processing data. Article 26 requires joint controllers to identify their compliance responsibilities, and the GDPR requires that the data subject be made aware of these. Therefore, stakeholders have to set out these responsibilities clearly in contracts and policies. The rights and duties in the arrangement with respect to the data subject must clearly delineate who in the arrangement will be liable when the data subject exercises his or her rights.

Knowing obligations and rights of Processors

Controllers are further obliged to appoint only those processors that provide guarantees to implement appropriate technical and organisational measures in order to meet the requirements of the GDPR. This means that the controller should undertake a proper due diligence process before appointing a processor. Although the GDPR does not prescribe this as a mandatory explicit contractual requirement, it is always better to cover off the risks by documenting the position in writing, especially anything relating to the processor under Article 28 of the GDPR, in order to demonstrate accountability in commercial contracts. For processors, the GDPR has highly specific requirements that must be present in a contract, as follows:

  1. The subject-matter of the processing;
  2. The duration of the processing;
  3. The purpose of the processing;
  4. Type of personal data being processed;
  5. The categories of data subjects;
  6. The obligations and rights of the controller.

This means that the data processing activities contracted out to the processor should be laid out in detail. Even that is not enough, as there are a number of obligations on the processor under Chapter 4 of the GDPR requiring it to process data according to the specific instructions of the controller that are documented in the contract. Again, a point to note is that the GDPR does not mandate that a stakeholder cover all such instructions in an initial contract, but most policy drafters suggest that a stakeholder should include basic instructions, for example who is authorised to give them, to whom they need to be sent and how quickly they need to be acted on.

The GDPR singles out data transfers in particular as an issue on which a data processor must contractually agree to adhere to the instructions of the controller. Appropriate confidentiality agreements in respect of persons authorised to process personal data need to be included. The processor has to comply with the security obligations under Article 32 of the GDPR. The processor also has to comply with deletion or return requests from the controller at the end of the contract. For the first time in EU law, data processors will have direct liability to data subjects in relation to certain GDPR data breaches. As a result, all the parties involved in the framework of data collection, processing and sharing have a greater interest in ensuring that contractual liability is dealt with in the way that is most advantageous to them.

Knowing obligations and rights of Sub-Processors

Finally, it is worth mentioning sub-processors as well, since the GDPR provides in detail for the authorisation of the appointment of sub-processors under Article 28(4). A processor cannot appoint a sub-processor without prior specific or general written authorisation from the controller. Where the controller gives general written authorisation, the processor has to inform the controller of any intended changes in the instructions delivered to the sub-processor and give the controller the opportunity to object. The contract needs to specify how the notification and approval processes will work under general authorisation. The processor has to impose on the sub-processor the same obligations that apply to it under its contract with the controller. Under the GDPR, it is the processor who remains liable to the controller for data breaches, making the allocation of liability a vital requirement.

GDPR compliance is about more than just complying with the letter of the law; regulators are going to be looking at whether the stakeholder is complying with the spirit of the law.

In order to ensure compliance, the controller needs to ensure flow-down in contracts: where the controller has an obligation with which a processor or sub-processor will assist, the contract must delineate these obligations. The ICO draft guidelines provide a well-developed checklist to ensure the proper drafting of clauses relating to the controller’s obligations.


The next blog in the GDPR series will deal with the provisions of the GDPR that provide specific instructions relating to the drafting of privacy policies and private contracts.

The following are suggested reading to understand the technicalities of the obligations and rights of data subjects, controllers and processors in more detail:

https://www.porterdodson.co.uk/blog/gdpr-who-is-the-data-controller-who-is-the-data-processor-and-what-is-the-lawful-basis

https://www.wsiworld.com/blog/responsibilities-of-a-controller-processor-and-data-protection-officer-according-to-gdpr/

https://www.dporganizer.com/gdpr-data-controller-vs-processor/

https://termsfeed.com/blog/gdpr-data-controller-vs-processor/


The Road to GDPR: Historical Context behind the European Data-Protection Laws

Over the last few months, internet users have been receiving hundreds of emails or pop-ups from different websites regarding frequent updates to their privacy policies. This is a formal process that most Europe-based firms and service providers are completing in order to become compliant with the much-debated General Data Protection Regulation (GDPR). On 25 May 2018, the European Union’s GDPR came into force, providing significant upgrades to the EU data protection regulatory framework. It is a regulatory enhancement over the EU Data Protection Directive 95/46/EC, adopted 20 years ago, which was centred on the protection of the personal data of individuals in the era of early Internet users who were engaged in the processing and free movement of such data from various cyber cafes. The Directive later became the in-hand limitation that directed internet service providers to a procedure to be adopted before handling the processing of users’ personal information. After 20 years, the Internet is ubiquitous in our lives, as its applications are everywhere around us. Therefore, the recent GDPR requirements are going to massively impact the data-usage practices of both consumers and companies.


The GDPR is a much talked about topic these days, as there is a lot of confusion surrounding what is covered by the GDPR and what is not. The debate on the acceptance of the GDPR became more heated as a string of small and medium enterprises withdrew from the EU market or shut down operations entirely in order to avoid the hefty costs of compliance. Such events themselves tell us that the GDPR is a strict law. The GDPR is a far-reaching and multifaceted regulation, requiring companies to give consumers significant control over their personal data, including establishing new rights for the individual (right to data portability, right to be forgotten, data localisation, etc.). Another stringent check on companies is the debated introduction of fines of up to €20 million or 4 percent of the company’s turnover in case of a breach of data privacy by the company. Unarguably this makes the EU a regulatory superpower, leading the pack of stricter regulations on data protection. Why is the EU so adamant about affording such strict regulations, which can break up the global internet into regional or national chunks? The seriousness of the penalties reflects a European approach to privacy that can be traced back, in large part, to the history of its members’ experiences with personal data being used for plainly wrong purposes. To have a clear focus on the GDPR and the European approach to data protection, it is important to explore the dark past of data protection in Europe.

The causes for adopting such a strict approach can be traced back to the Europe of the World War II era, during which the Nazis in Germany consistently abused private data and personal information in order to create profiles of citizens and identify Jews and other minority groups. During the Nazi regime, the state’s control of the market brought with it control of information technology as well. Access to such data also opened a door to census information that indicated residents’ nationalities, native languages, religion and profession. The punch cards used to feed in this information were read by early data processors known as Hollerith machines, allegedly manufactured by IBM’s German subsidiary at the time, Deutsche Hollerith Maschinen GmbH (Dehomag), as also mentioned in the book IBM and the Holocaust: The Strategic Alliance between Nazi Germany and America’s Most Powerful Corporation. The use of census data to create a database of personal profiles, on the basis of which a broad range of discriminatory policies could be imposed, is a disturbing fact from the dark past of the free movement of data.

The exploitation of private data did not end in Germany when WWII came to an end; it continued in the East German state, at first to keep track of the pro-Nazi agenda and later, in the Cold War era, of spies from the West German state. This was the first mass surveillance of its kind by any state in history, carried out through the screening of private communications, periodic searches of houses, etc. The state kept every detail of personal data in its database, from people’s friends to their sexual habits. The Stasi, the East German secret police force, became most famous for carrying out such practices. As the Stasi started cross-border surveillance, in response, in 1970 West Germany approved what is considered the country’s first modern data privacy legal framework concerning public sector data, in the West German state of Hesse. This was followed by the 1977 Federal Data Protection Act, designed to protect residents “against abuse in their storage, transmission, modification, and deletion.” Western Europe’s push on privacy-related matters rendered the right to privacy a legal imperative in the Data Protection Convention (Treaty 108), as adopted by the Council of Europe.

Such concerns about the exploitation of census data led to a landmark judgment of the German Federal Constitutional Court holding that the right of “self-determination over personal data” is a fundamental right. Later, this became the cornerstone of the EU’s view today. With a wave of European countries debating the importance of citizens’ personal data, the first data protection legislation introduced into Irish domestic law was the Data Protection Act of 1988, while many Commonwealth countries adopted similar comprehensive legislation into their domestic law. The end of the Cold War coincided with the rise in data transfers throughout Europe in the ‘90s. This is how the migrating market throughout the European continent became a threat to the personal data of citizens of individual European states. Therefore, in order to establish a single market, the EU also introduced a 1995 EU data protection regulation, and cautious attitudes about privacy became a European norm. The European Data Protection Directive was created, reflecting technological advances and introducing new terms including processing, sensitive personal data and consent, among others.

The 1995 Directive was implemented, and the EU further adopted the Directive on Privacy and Electronic Communications in 2002. In 2006, the EU Directive on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks was adopted, although it was declared invalid by a Court of Justice ruling in 2014 for violating fundamental rights. By 2009, the EU Electronic Communications Regulations had evolved in response to email addresses and mobile numbers becoming the prime currency in conducting marketing and sales campaigns. Perhaps most famously, in 2014 Europe’s top court, the Court of Justice of the European Union, affirmed the so-called right to be forgotten and ruled that Google has to abide by user requests to take down “data that appear to be inadequate, irrelevant or no longer relevant”; since then, Google has received 655,000 requests to remove about 2.5 million links and has complied with 43.3% of those requests. (Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (es), Mario Costeja González, ECLI:EU:C:2014:317)

Given such a complex historical backdrop, European data-protection legislation is intuitively more appealing and less subject to resistance. Europe has always been the most active regime in terms of enactments relating to the protection of privacy that tend to apply to all sectors of the economy. In this legacy, the GDPR is just a significant upgrade to that 1995 law. In the light of Cambridge Analytica’s Facebook data breach and the Equifax hack, this upgrade is considered a step that will reinforce consumer confidence with an assurance of the protection of their personal data. Other regulations will require an update in alignment with the GDPR, such as the ePrivacy Directive and Regulation 45/2001, which applies to EU institutions when they process personal data. Member states are entitled to provide specific rules or derogations from the GDPR where freedom of expression and information is concerned, or in the context of employment law or the preservation of scientific or historical research.