Hiring a ‘ghost-writer’ in India: the question of copyright?

Ghost-writing can be described in any of the following four ways: (i) failing to list as an author someone qualified for authorship; (ii) failing to acknowledge writing support; (iii) dishonesty/plagiarism; and (iv) practices such as undisclosed authorship or undisclosed funding for writing support.[1] Alternatively, ghost-writing is a contractual arrangement under which a writer is hired and “paid to produce written work” with the understanding that “the buyer will claim and use it as his own”.[2]

Relevant Law

Copyright subsists in “original literary works” such as the content of a book.[3] Authors of such works enjoy certain economic or exclusive rights.[4] The Copyright Act also provides for joint authorship where a work is produced by two or more authors in collaboration.[5] The Copyright Act, 1957 (“the Act of 1957”) makes the author or creator of the work, here the ghost-writer, the first owner of copyright, and vests in the author the exclusive right to reproduce, publish, perform, display, or create “derivative works” from the primary work.[6] Further, under Section 57 of the Act, the author has the moral right to be identified as the author of his work even after the copyright has been assigned, wholly or partially.[7] Lastly, Section 18 permits assignment of copyright in a future work by a prospective owner, i.e., a person who is not the first owner under Section 17, through a written agreement.[8] However, as per the proviso, although the parties may agree to assign the copyright in a future work, the assignment itself takes effect only once “the work” comes into existence, not before.[9]

Observation

An author may create a work on his own behalf or at the instance of another person for valuable consideration; ghost-writers fall in the latter category. Presenting such a work under another’s name is, in form, a kind of plagiarism, but because the actual author (the ghost-writer) consents to it, it is accepted as the work of the ostensible author who commissioned it. Under Indian law the legal position on such ghost-writing arrangements is less clear than in jurisdictions such as the United States, whose statute expressly defines works made for hire (commissioned works).[10]

Section 17 of the Copyright Act, 1957 makes the author the first owner of copyright unless an agreement provides otherwise; its exceptions, under which the person at whose instance the work is made becomes first owner, are confined to specific cases (a photograph, painting, portrait, engraving or cinematograph film made for valuable consideration at another’s instance, and a work made in the course of employment under a contract of service) and do not extend to a literary work commissioned from an independent writer. Since there is no copyright in ideas, however original, the originator of an idea is not the owner of copyright in the work that gives the idea concrete form.[11] Therefore, where a person supplies material to another for writing a book and the latter (the ghost-writer) writes the book on the basis of that material, the ghost-writer becomes the owner of the copyright in the book.[12] To be an author of a work a person must do more than contribute ideas; it is not enough that he passed on his reminiscences to a ghost-writer.[13]

Section 18 therefore provides that for the hirer, who is not the owner of copyright within the meaning of the Act, to obtain exclusive rights in the ghost-writer’s future work, a written contract of assignment must exist.[14] Absent such an assignment, the hirer could claim copyright only if the engagement amounted to a contract of service, i.e. employment, under Section 17(c); a freelance ghost-writer engaged under a contract for service falls outside that exception and retains the copyright.[15] Further, Section 57 of the Copyright Act, 1957 recognizes the author’s moral rights, so that even after the copyright has been assigned, wholly or partially, the author retains the right to claim authorship of the work. Although the jurisprudence on waiver of moral rights is somewhat unsettled, courts have in several cases upheld such contractual arrangements, holding “contracting out” permissible “provided it is voluntary and does not deal with a matter of public policy”.[16]

Therefore, in the present case, a collaboration agreement between the hirer and the ghost-writer is the crux of copyright ownership. Absent a formal written agreement, ownership of the written work will be governed by the default provisions of the Copyright Act and not necessarily by the parties’ wishes. In that situation, by virtue of Sections 17 and 57, the ghost-writer is the author and first owner of the work and is consequently entitled, exclusively, to both the economic and the moral rights in it.

How a hirer can secure full ownership of the written work:

To avoid this, the parties should execute a contract of assignment beforehand, under which the ghost-writer prospectively assigns the rights in the future work to the hirer. The following steps help a hirer retain full ownership of a commissioned written work:

  • The hirer should ensure there is a written agreement with the ghost-writer who will actually author the written work and any allied works.[17]
  • The written contract must specifically provide that the ghost-writer assigns his copyright to the hirer; this serves as a fallback in case the engagement fails to qualify as a contract of service under the Copyright Act.
  • The agreement should set out the extent of the rights assigned (including territory), deadlines, budgets, compensation, author credit, decision-making, liability, death and disability, and, if properly drafted, a joint exit strategy.[18]
  • If the work does not qualify as one made under a contract of service, fall back, where possible, on “joint authorship” to avoid losing “all” rights in the work. For this the hirer should record in the collaboration agreement that he too is contributing the “expression of ideas”, not merely ideas, to the written work.

(Views are personal only. The content of this blog should not be construed as legal advice in any case)


References

[1] Lisa Tora et al., Ghostwriting in biomedicine: a review of the published literature, Current Medical Research and Opinion, Vol 35(9) (2019), https://www.tandfonline.com/doi/full/10.1080/03007995.2019.1608101.

[2] Nandita Saikia, Ghost-writing, Plagiarism and Copyright, IN Content Law, https://copyright.lawmatters.in/2010/09/ghost-writing-plagiarism-and-copyright.html.

[3] S. 13, The Copyright Act, 1957.

[4] S. 14, The Copyright Act, 1957.

[5] S. 2(z) and S. 13, The Copyright Act, 1957.

[6] S. 17, The Copyright Act, 1957; Eastern Book Company v. D.B. Modak, (2008) 1 SCC 1.

[7] S.57, The Copyright Act, 1957

[8] S. 18, The Copyright Act, 1957.

[9] Indian Performing Right Society Ltd. v. Eastern Indian Motion Pictures Association, (1977) 2 SCC 820.

[10] Title 17 U.S.C. § 101, the Copyright Act.   

[11] R.G. Anand v. Delux Films, AIR 1978 SC 1613; Sreenivasulu N.S., Law relating to Intellectual Property, Penguin-Partridge Publications, Bloomington, Indiana, USA, First Edition, 2013, p. 485.

[12] R D Ryder and Sreenivasulu N. S., Copyright and Third Sector, 7 RMLNLUJ (2015) 39.

[13] Evans v. E Hulton & Co. Ltd., [1923-8] Macg Cop Cas 51.

[14] Diljeet Titus Advocate & Others v. Alfred A. Adebare & Others, 2006 (32) PTC 609 (Del).

[15] Gee Pee Film Pvt. Ltd. v. Pratik Chowdhury & Others, 2002 (24) PTC 392.

[16] Centrotrade Minerals and Metal Inc. v. Hindustan Copper Limited, (2006) 11 SCC 245; Sartaj Singh Pannu v. Gurbani Media Pvt. Ltd. & Anr., 2015 (63) PTC 590 (Del); Ameet Datta, Moral rights: can authors waive their special rights?, Lexology, https://www.lexology.com/library/detail.aspx?g=0e35276b-9737-47dd-9c1a-94ef6d25036d.

[17] Kaplan v. Vincent, 937 F. Supp. 307 (SDNY 1996) (If the parties had a well-drafted collaboration agreement – as opposed to oral understanding — legal entanglements would have been avoided).

[18] Dorling Kindersley (India) Pvt. Ltd. v. Sanguine Technical Publishers & Others 2013 (56) PTC 40 (Del) at p. 62. (The territorial extent should be specified)

The case of Content Aggregator Platforms: PVR Ltd. v. Just Dial Ltd.

Content aggregation platforms like JustDial are sites that collate, index and distribute hyperlinks to third-party content and display it on a single webpage for their users’ reference.[1] Aggregators list businesses by associating the latter’s websites with their own platform through tools such as deep-links, framing and meta-tags.

Deep-links are hyperlinks, in the form of an image or text, that take the user directly to a specific page or item of content within the source website rather than to its home page.[2]

Framing is the technique by which one or more pages of another website are displayed inside windows (frames) embedded in a single page of the aggregator’s own platform, so that the third-party content appears within the aggregator’s layout and under its URL.[3]

Meta-tags are words and phrases placed in the HTML code of a web page (typically its <meta> keywords and description elements) that describe its content; search engines index them, so the page surfaces in the results when a user searches for the embedded terms.[4]
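Two of these tools can be observed, and one of them resisted, at the HTML and HTTP layer. The following Python script is an added example, not code from the original post or from either party in the case discussed below: it reads the named <meta> tags out of a page the way a search engine or aggregator does and flags any listed marks that appear in the keywords or description tags, and it classifies a site’s response headers to show whether the site forbids being framed at all (the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive, which browsers enforce regardless of the legal position). The sample HTML, the header sets and the mark “ExampleCinema” are constructed for illustration.

```python
"""Added example (not from the original post or either party in the case):
how an aggregator or search engine reads a page's <meta> tags, and how a
listed site's response headers reveal whether it can be framed at all.
Sample HTML, header sets and the mark 'ExampleCinema' are constructed."""
from html.parser import HTMLParser


class _MetaParser(HTMLParser):
    """Collects name/content (or property/content) pairs from <meta> tags."""

    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":            # HTMLParser lowercases tag names
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name") or a.get("property")
        if name:
            self.found[name.lower()] = a.get("content", "")


def extract_meta_tags(html):
    """Return {meta-name: content} for every named <meta> tag in the page."""
    parser = _MetaParser()
    parser.feed(html)
    return parser.found


def find_marks_in_meta(html, marks):
    """Return the marks (matched case-insensitively) that appear in the page's
    keywords or description meta tags; this is the meta-tag concern at issue."""
    meta = extract_meta_tags(html)
    text = " ".join(meta.get(k, "") for k in ("keywords", "description")).lower()
    return sorted(m for m in marks if m.lower() in text)


def framing_policy(headers):
    """Classify a site's anti-framing headers as a browser would apply them.

    'denied'      X-Frame-Options: DENY, or CSP frame-ancestors 'none'
    'same-origin' X-Frame-Options: SAMEORIGIN, or CSP frame-ancestors 'self'
    'restricted'  CSP frame-ancestors naming specific origins
    'unprotected' no anti-framing header at all (any site may frame it)
    A CSP frame-ancestors directive overrides X-Frame-Options, as in browsers.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if sources == ["'none'"]:
                return "denied"
            if sources == ["'self'"]:
                return "same-origin"
            return "restricted"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "unprotected"


# Constructed sample: an aggregator page that carries a cinema chain's mark
# in its own meta tags, and two header sets for the cinema's own site.
AGGREGATOR_HTML = """<html><head>
<meta name="keywords" content="ExampleCinema, movie tickets, showtimes">
<meta name="description" content="Book ExampleCinema tickets and see schedules">
<meta property="og:title" content="Cinemas near you">
</head><body></body></html>"""

UNPROTECTED_HEADERS = {"Content-Type": "text/html"}
PROTECTED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    print(find_marks_in_meta(AGGREGATOR_HTML, ["ExampleCinema", "OtherChain"]))
    print(framing_policy(UNPROTECTED_HEADERS), framing_policy(PROTECTED_HEADERS))
```

The point for a listed business is the last function: a site that returns neither header is technically frameable by anyone, whatever its contractual position, whereas a `frame-ancestors 'none'` policy stops the framing in the browser before any question of consent or infringement arises.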

The case of copyright, trademark and/or other proprietary rights of entities listed on its platform

A content aggregator’s ability to publish or post content obtained from third-party sources is limited by Indian copyright and trademark law and by the terms of any agreement with the content provider or listed entity.[5]

Observation: The aggregator lists business entities on its platform in exchange for a fee. Where an entity willingly lists itself after paying the fee and agrees to the aggregator’s terms of use, which permit the aggregator to use the entity’s information, links and meta-tags, there is no violation of the copyright, trademark or other proprietary rights of the listed entity.[6] However, if JustDial publishes information about an entity without any prior agreement or consent to the use of deep-links to, or frames of, the entity’s website, such links may infringe the copyrights or trademarks of the entity’s website, since they bypass or duplicate the information contained in the linked page.[7] Further, the aggregator’s use of such an entity’s meta-tags is liable to create the misapprehension among the aggregator’s users that it is authorized by or associated with that entity.[8]

Relevant Law: Copyright subsists in “original literary works” such as the content of a website.[9] The Copyright Act, 1957 (“the Act of 1957”) vests in the first owner, i.e. the listed entity, the exclusive right to reproduce, publish, perform, display, or create “derivative works” from its website content (the primary work).[10] Copyright is therefore “deemed to be infringed” when any of these exclusive rights (the listed entity’s right to publish, or to create “derivative works”, which deep-linking and framing respectively engage) is exercised by another without the owner’s permission.[11] Further, the Trade Marks Act, 1999 (“the Act of 1999”) defines “mark” inclusively, and courts have read it to cover a trademark used in a website’s meta-tags.[12] Under the Act of 1999, unauthorized use of a registered trademark as a meta-tag constitutes infringement.[13] Deep-links, frames and meta-tags may, however, be used subject to the fair dealing (“fair use”) and “nominative use” exceptions.[14]

In PVR Ltd. v. Just Dial Ltd.,[15] the Delhi High Court held, at the prima facie stage, that JustDial’s unauthorised listing of information available on PVR.com (ticket-booking details, movie schedules, and the addresses and pictures of PVR cinemas) through deep-links and frames to, and meta-tags of, PVR.com gave the public the impression of a nexus between the two. This exploitation of PVR’s goodwill by JustDial amounted to copyright and trademark infringement and passing off. It is regarded as the first Indian case to deal with the legality of content-aggregation tools collectively.

The legality of deep-links, frames and meta-tags has also been tested repeatedly in major jurisdictions such as the USA, the UK and Canada.[16] Courts there have largely held that the unauthorised use of a primary website’s deep-links, frames and meta-tags is deceptive to the public, and have granted injunctions against content-aggregation platforms.

What liabilities can the aggregator’s platform incur on account of user reviews, and what measures can it put in place to mitigate them?

Observation: The aggregator’s platform is also a user-review platform, giving users the ability to review and rate the businesses listed in its directories. Evaluation platforms give users an opportunity to post comments on businesses in addition to reviewing and ranking them.[17] Such reviews and ratings are usually couched as opinion but can at times be extremely negative, false or defamatory. Because they are users’ own opinions and user-generated content, the consumer review site is generally not held liable for them, subject to the take-down obligations discussed below.[18]

Relevant Laws: A user-review platform is an ‘intermediary’ under Section 2(w) of the Information Technology Act, 2000 (“IT Act”).[19] Intermediaries like JustDial enjoy immunity under Section 79 of the IT Act from liability for user-generated content of whose unlawful nature they had no knowledge.[20] The Information Technology (Intermediary Guidelines) Rules, 2011 (“Intermediary Guidelines”) set out the due diligence an intermediary must observe to avail of this safe-harbour protection.[21] However, on receiving actual knowledge, or on being notified by the Government or its agency, of unlawful content on the platform, the intermediary must take it down or disable access to it.[22]

Indian Jurisprudence: In Procentris India (Pvt.) Ltd. v. Mouthshut.com (Pvt.) Ltd.,[23] the Bombay High Court ordered Mouthshut (a popular consumer review site) to delete reviews critical of Procentris. Mouthshut.com subsequently filed a writ petition in the Supreme Court seeking to quash the IT Rules, 2011 as violative of Articles 14, 19 and 21 of the Constitution of India. The petition was clubbed with the landmark case of Shreya Singhal v. Union of India, which read down Section 79(3)(b) so that an intermediary’s take-down obligation is triggered only by a court order or a government notification, not by a private complaint.[24]

International Jurisprudence: India has little reported litigation on the liability of consumer review sites for user reviews. There are, however, significant precedents from the USA, the UK and the European Court of Human Rights holding that intermediaries such as user-review sites incur no liability (beyond the obligation to take down on notice) for false, incorrect or defamatory user ratings and reviews uploaded to their platforms.[25]

Recommended Measures:

To limit its exposure for user reviews, an aggregator platform should build certain safeguards into its Terms and Conditions (“T&Cs”), in line with international precedents, such as:

  • Mandatory Community Guidelines that specifically prohibit user reviews which are false, unlawful, misleading, defamatory, harassing or otherwise objectionable.[26]
  • A clause in the T&Cs preventing users from posting reviews or ratings anonymously.[27]
  • A clause in the Community Guidelines requiring reviews to be unbiased and objective, to prevent conflicts of interest.[28]
  • A prohibition on users posting copyrighted or trademarked content they do not own in their reviews.
  • A clause under which users indemnify the platform against liability arising from their content, including reviews.
  • Technology-based automated tools or other appropriate mechanisms, with appropriate controls, to proactively identify and remove or disable access to unlawful content, as the draft 2018 amendment to the Intermediary Guidelines would require.[29]

(Views are personal only. The content of this blog should not be construed as legal advice in any case.)

References

[1] Jaani Riordan, The Liability of Internet Intermediaries, 28 (1st ed., 2016).

[2]Linking, Framing, Meta Tags and Caching, Berkman Klein Center for Internet & Society at Harvard University, Berkman Klein Center, available at https://cyber.harvard.edu/property00/metatags/main.html, last seen on 14/02/2020.

[3] Futuredontics Inc. v. Applied Anagramic Inc., 45 U.S.P.Q. 2d 2005 (1998, C.D. Cal.).

[4] World Wrestling Entertainment, Inc. v. Savio Fernandes, 2015 (62) PTC 573.

[5] Posting Third Party Content and Linking, American Bar Association, American Bar Association, available at https://www.americanbar.org/groups/business_law/migrated/safeselling/content/, last seen on 13/02/2020.

[6] Rajiv Kr. Choudhry, Data Extraction: Intersection of Copyright and IT laws in India, SpicyIP, available at https://spicyip.com/2013/10/data-extraction-intersection-of-copyright-and-information-technology-laws-in-india.html, last seen on 08/02/2020.

[7] TATA Sons Limited v. Hoop Anin and Ors., 2012 (188) D.L.T. 327; Washington Post v. Total News Inc., No. 97 Civ. 1190 (PKL) (1997, S.D.N.Y.).

[8] Mattel Inc. & Ors. v. Jayant Agarwalla & Ors., 2008 (153) D.L.T. 548.

[9] S. 13, The Copyright Act, 1957.

[10] S. 17, The Copyright Act, 1957; Eastern Book Company v. D.B. Modak, (2008) 1 SCC 1.

[11] S. 51, The Copyright Act, 1957.

[12] Ss. 2(m) & 2(zb), The Trade Marks Act, 1999; People Interactive (I) Pvt. Ltd. v. Gaurav Jerry & Ors., NMS (L) NO. 1504 of 2014.

[13] S. 29, the Trade Marks Act, 1999; Christian Louboutin Sas v. Nakul Bajaj, 2018 (76) PTC 508 (Del).

[14] S. 52, The Copyright Act, 1957; S. 30(2)(d), the Trade Marks Act, 1999.

[15] PVR Ltd. v. Just Dial Ltd., 2019 SCC OnLine Del 8181.

[16] Ticketmaster Corp. v. Microsoft Corp., No. 97-3055 DDP (1997, C.D. Cal.); Shetland Times Ltd. v. Jonathan Wills and Zetnews Ltd., S.C. 316 (1997, Court of Session); Imax Corp. v. Showmax Inc., (2000) 5 C.P.R. (4th) 81 (FCTD).

[17] A.S. Cheung & W. Schulz, Reputation Protection on Online Rating Sites, 21 Stanford Technology Law Review 310, 318 (2018).

[18] Braverman v. Yelp Inc., No. 158299/2013, 2014 WL 712618, at *3 (N.Y. Sup. Ct. 2014).

[19] S. 2(w), The Information Technology Act, 2000.

[20] S. 79, The Information Technology Act, 2000. (“Safe-harbor” provisions)

[21] The Information Technology (Intermediary Guidelines) Rules, 2011.

[22] S. 79(3)(b), The Information Technology Act, 2000.

[23] NMSL 968-13 in SL 364-13-954.

[24] Shreya Singhal v. Union of India, AIR 2015 S.C. 1523.

[25] McGrath v. Dawkins, [2012] EWHC B3 (QB) (U.K. High Court) (This case concerned reviews and comments posted on the claimant’s book product page at Amazon.co.uk. The Court dismissed the claims of defamation against Amazon); Hassell v. Bird, 5 Cal. 5th 522 (2018, Cal. S.C.) (A US law firm sued its former client for defamation for posting a false negative review on Yelp, a consumer review site. The Supreme Court of California held that Yelp clearly falls under Communications Decency Act, 47 U.S.C. § 230 immunity); Magyar Tartalomszolgaltatok Egyesulete v. Hungary, [2016] E.C.H.R. 135 (ECtHR) (The Hungarian courts held a news portal liable for reputational harm to a business caused by “false and offensive” user comments. The European Court of Human Rights disagreed with the national courts).

[26] Delfi A.S. v. Estonia, (2016) 62 E.H.R.R. 6. (The case concerned threats and anti-Semitic slurs in the user comments section of online newspaper portal, Estonian courts held, and the ECHR in 2015 affirmed, that the platform could be liable for those comments).

[27] Yelp Inc. v. Hadeed Carpet Cleaning, 752 S.E.2d 554, 568-69 (2014, Va. Ct. App.) (The Court held that litigants may also target intermediaries with subpoenas seeking the identities of anonymous users for claims other than copyright, such as defamation).

[28] Moving & Storage, Inc. v. Panayotov, No. 12-12262-GA. (2014, U.S.D.C. D. Mass.) (when a moving-company review site owned by a particular moving company selectively deleted user-reviews that were beneficial to its competitors, the intermediary lost the “good faith” protection).

[29] Rule 9, The Information Technology [Draft Intermediaries Guidelines (Amendment) Rules] 2018.

Hopes and Doubts related to Telemedicine Guidelines in the context of Data Protection

The author is Vineet Gupta, Volunteer Researcher, LawforIT. He is actively involved in research on the privacy policies of leading online medical consultation platforms. The policy paper will soon be available on the blog.

Background

The Medical Council of India, jointly with the NITI Aayog, notified the Telemedicine Guidelines in the midst of the coronavirus pandemic. The guidelines can be seen as a first attempt to provide some relief from the legal gaps and anxieties surrounding the practice of medicine by doctors over communication devices.

Although telemedicine has historically been widely practised in India as technology allowed, for a long time there was no legal mechanism governing it. From the communication channel set up by ISRO in 2001, linking Chennai’s Apollo Hospital with the Apollo Rural Hospital at Aragonda village in the Chittoor district of Andhra Pradesh,[i] to the hundreds of apps offering online consultation today, we have come a long way. With technological upgrades and the boom in the telecommunication sector, it became common for patients to seek advice from their family doctors over phone calls, WhatsApp messages and even video conferencing. Recognising the potential and reach of telemedicine, many startups flooded the internet as intermediaries providing a channel between patients and doctors for online medical consultation.

While telemedicine was gaining popularity, there was also a degree of anxiety, backlash and confusion around its practice. With no proper guidelines, doctors were hesitant to provide online or telephonic consultations. They were also under pressure from medical associations, some of which declared consultation over telecommunication channels unethical and warned that practising it could lead to cancellation of a licence.[ii] Patients were hesitant to use telemedicine and reluctant to share sensitive information online with unknown doctors, since for a long time neither a telemedicine law nor a data protection law was in place. Most importantly, many people, especially the rural population, were and still are unaware of the potential of telemedicine and its application in this technological era. The introductory part of the guidelines states:

“In India, till now there was no legislation or guidelines on the practice of telemedicine, through video, phone, Internet-based platforms (web/chat/apps, etc). The existing provisions under the Indian Medical Council Act, 1956, the Indian Medical Council (Professional Conduct, Etiquette and Ethics Regulation 2002), Drugs & Cosmetics Act, 1940 and Rules 1945, Clinical Establishment (Registration and Regulation) Act, 2010, the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 primarily govern the practice of medicine and information technology. Gaps in legislation and the uncertainty of rules pose a risk for both the doctors and their patients.”[iii]

https://www.mohfw.gov.in/pdf/Telemedicine.pdf

In Deep Sanjeev Pawaskar and Anr. v. The State of Maharashtra,[iv] decided by the Bombay High Court, a doctor advised an ailing patient remotely because the regular doctor was unavailable, and the patient unfortunately died. The High Court held the doctor negligent for using telemedicine to treat an emergency. The decision drew widespread criticism on the ground that the patient would have died regardless and that telemedicine had no role to play in the outcome. The case highlighted the need for new rules, and the need for remote doctors during the coronavirus pandemic led to the expeditious introduction of these much-awaited guidelines, which have opened a door to the future of telemedicine in India. Much has been written about the salient features of the guidelines; this post confines itself to examining them from a personal data protection perspective.

Locating privacy under Telemedicine Guidelines

In the course of a doctor-patient interaction a significant amount of data passes from the patient, and the guidelines make it compulsory for the Registered Medical Practitioner (RMP) to store and maintain a record of it as part of the electronic health record.[v] An RMP is free to choose the mode of communication for providing telemedicine.[vi] The guidelines specify the kinds of health-related information the patient needs to provide to the RMP over telemedicine.[vii] They further provide for the maintenance of privacy and medical ethics in line with the Indian Medical Council Act and rules.[viii] The guidelines also state that the RMP must abide by the Information Technology Act and other data protection laws and rules, present or notified in future, that protect patients’ data.[ix] They further provide that a breach of confidentiality by a doctor is misconduct, penalised under the IMC Act, the ethics regulations and other laws.[x] Doctors are exempted where there is reasonable evidence to believe that the breach resulted from a technological failure with no involvement of the RMP.[xi]

Reading Telemedicine Guidelines with data privacy laws

Personal information and the Data Protection Rules, 2011

It is clear that the telemedicine guidelines must be read in conjunction with the country’s data protection laws to protect patients’ privacy. After the judgment in K.S. Puttaswamy v. Union of India,[xii] privacy is recognised as part of citizens’ fundamental rights. Data protection in India is currently governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the IT Act. The Puttaswamy judgment paved the way for the Personal Data Protection Bill, 2019, which is expected to be taken up by Parliament this year or the next.[xiii] Both the IT Rules of 2011 and the new Bill treat ‘health records’ as ‘sensitive personal data or information’ (SPDI). Under the IT Act’s data protection rules, the obligations apply as soon as a body corporate deals with SPDI (collection, storage, transfer or processing). The Rules treat consent as a key requirement, so a doctor or institution is required by law to obtain the patient’s consent in writing before using any of his data.[xiv] SPDI may not be shared with a third party without the patient’s consent.[xv] An institution collecting SPDI must also have a privacy policy in place and publish it clearly on its website.[xvi] It must follow a defined procedure for storing the data, and must allow patients to correct[xvii] or withdraw[xviii] their SPDI should the need arise.

Role of Intermediaries

Many e-health apps merely facilitate contact between patient and doctor and are not directly involved in the transaction.[xix] In such cases the app or company acts as an intermediary and is subject to the IT Act’s provisions specific to intermediaries. Such intermediaries must carry out certain due diligence, including publishing terms of use, appointing a grievance officer, and removing offending or unlawful content within 36 hours of a request.

Telemedicine Guidelines: gaps still to be filled to protect sensitive data at scale

With the coronavirus pandemic, many state governments are also issuing their own guidelines[xx] and providing telemedicine facilities[xxi] through empanelled state-government doctors or through public-private-partnership apps and facilities. Although telemedicine has opened up a whole new legal domain, there remain legal inadequacies in the sector that the present telemedicine guidelines, the IT Act and its rules do not properly address.

First, the telemedicine guidelines draw no distinction between a ‘data fiduciary’ (a person who collects, stores and processes a large volume of important data) and a ‘social media intermediary’, nor do they address the case where one entity is both. For instance, many corporate hospitals (e.g. Apollo)[xxii] with a wide range of medical businesses also provide telemedicine, and some e-pharmacy companies (e.g. Lybrate)[xxiii] are in the telemedicine business as well.

E-pharmacy companies already face uncertainty over the online sale of drugs, with the central government’s Draft Rules of 2018 proposing to regulate e-pharmacies by amending the Drugs and Cosmetics Rules, 1945.[xxiv] Those rules would also bear on the protection of data of patients buying medicines online. How the draft rules and the telemedicine guidelines together will regulate e-pharmacy companies that also provide telemedicine is an area the government needs to focus on, since such companies hold huge amounts of sensitive patient data that is prone to misuse. Many of these apps even provide their own internal communication channels for doctors and patients, so using their services means transmitting large volumes of electronic medical records to the company. When the doctors belong to the same company, or use the communication channel of the company that acts as the social media intermediary, believing that data is not shared between them is very optimistic.

Leaving such a volume of ‘sensitive personal data’ in corporate hands without supervision is troubling. The data could be used to build targeted-advertising algorithms, shared with third parties, or moved in bulk outside the country. Who would be liable if a data breach occurred in such a scenario is a question on which the guidelines are silent, and as the data protection law stands today it has little to offer.

So we must turn to the pending data protection bill[xxv] for answers. The Bill imposes heavy due diligence obligations on two types of entity dealing with personal data, the ‘significant data fiduciary’ and the ‘social media intermediary’. Under the Bill, the obligations of a significant data fiduciary (a data fiduciary processing large volumes of important data, as notified by the government) are extended to a social media intermediary (‘an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services’[xxvi]). Both categories are to be notified by the government.

In addition to the provisions that apply to significant data fiduciaries, such as maintenance of records,[xxvii] data protection impact assessments,[xxviii] audit of policies[xxix] and appointment of a data protection officer,[xxx] social media intermediaries are obliged to offer users (those registering from India or using the services in India) an option to voluntarily verify their accounts. The provisions for ‘significant data fiduciary’ and ‘social media intermediary’ seem promising for companies dealing with electronic health records, but whether hospitals providing telemedicine would be notified as ‘significant data fiduciaries’, or e-health apps storing huge amounts of data as ‘social media intermediaries’, is a question of time, as the bill is still pending.

Parting note

The telemedicine guidelines are a huge breakthrough in the field of medical sciences. They have tried to address a great many anxieties and uncertainties about the practice of telemedicine, but in the context of data protection they sadly have little to offer. The guidelines have to be read along with the country's data protection laws, and as those laws currently stand they lack the force to protect sensitive patient data from the hands of big hospitals practising telemedicine themselves and e-health apps acting as telemedicine intermediaries. The new data protection bill, 2019, if passed as it is, would address many of these gaps, provided the government notifies these hospitals and e-health apps as significant data fiduciaries and social media intermediaries respectively. Another pending bill, the Digital Information Security in Healthcare Act (DISHA), proposes a regulatory platform for sharing digital records among hospitals and is intended to lay the foundation for digital health records in the country.[xxxi] DISHA, read together with the Personal Data Protection Bill and the telemedicine guidelines, would be something to look forward to.


[i] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6618173/

[ii] https://medicaldialogues.in/indian-medical-association-seeks-clear-cut-guidelines-on-telemedication-from-medical-council-of-india

[iii] https://www.mohfw.gov.in/pdf/Telemedicine.pdf

[iv] Criminal Anticipatory Bail Application No. 513 of 2018

[v] Telemedicine guidelines 2020, section 3.7.2

[vi] Telemedicine guidelines 2020, section 1.4.1

[vii] Telemedicine guidelines 2020, section 3.5

[viii] Telemedicine guidelines 2020, section 3.7.1

[ix] Id.

[x] Id.

[xi] Id.

[xii] (2017) 10 SCC 1

[xiii] https://prsindia.org/billtrack/personal-data-protection-bill-2019

[xiv] Rule 5(1) of the Data Protection Rules

[xv] Rule 7 of the Data Protection Rules

[xvi] Rule 4(1) of the Data Protection Rules

[xvii] Rule 5(7) of the Data Protection Rules

[xviii] Id

[xix] https://www.dr-hempel-network.com/digital-health-startups/doctor-patient-platforms-in-india-success/

[xx] See Maharashtra: https://www.maharashtramedicalcouncil.in/Files/Notifications_26032020_MCI%20Notification%20Regarding%20TELEMEDICINE.pdf; see Karnataka: https://www.mondaq.com/india/healthcare/905172/karnataka-government-notificationregulations-on-covid-19

[xxi] See Kerala: https://economictimes.indiatimes.com/industry/healthcare/biotech/healthcare/kerala-govt to-use-telemedicine-service-e-sanjeevani-for-non-covid-patient-care/articleshow/76370573.cms?from=mdr;

see West Bengal: https://www.newindianexpress.com/nation/2020/jun/30/west-bengal-sets-up-covid-warrior-club-to-help-contain-pandemic-2163150.html; see Tamil Nadu: https://tsitn.org/telemedicine-facilities-in-tamil-nadu/; see Karnataka: https://economictimes.indiatimes.com/news/politics-and-nation/karnataka-govt-launches-apthamitra-helpline-and-app-to-fight-covid 19/articleshow/75293952.cms?from=mdr; see Delhi: https://www.newindianexpress.com/cities/delhi/2020/jul/04/aap-launches-district-surveillance-telemedicine-hub-to-help-with-covid-19-requirements-2165260.html; see Rajasthan: https://timesofindia.indiatimes.com/city/jaipur/rajasthan-government-starts-free-medical-tele-consultation-service/articleshow/75540116.cms

[xxii] Id.

[xxiii] Id.

[xxiv] https://www.mondaq.com/india/food-and-drugs-law/865476/regulations-for-online-sale-of-medicines and-drugs-in india#:~:text=India%3A%20Regulations%20For%20Online%20Sale%20Of%20Medicines%20And%20Drugs%20In%20India&text=The%20draft%20rules%20prescribe%20that,registered%20with%20the%20applicable%20authority.

[xxv] Supra

[xxvi] Section 26(4), Personal Data Protection Bill, 2019

[xxvii] Section 28, Personal Data Protection Bill, 2019

[xxviii] Section 27, Personal Data Protection Bill, 2019

[xxix] Section 29, Personal Data Protection Bill, 2019

[xxx] Section 30, Personal Data Protection Bill, 2019

[xxxi] https://pib.gov.in/Pressreleaseshare.aspx?PRID=1578929

COVID-19 crisis is changing Tech related Law and Policy: Surveillance, Fake news, Telemedicine, and Internet

As I view things and events around the world from the comfort of my home, this blog is my take on how regulations related to technology will be affected by the COVID-19 pandemic. As they say, sudden and unexpected events often lead to systematic and permanent changes. Work from home is now a mandate; with fear of personal contact and surface contact prevalent, everyone is uncertain about the impact of the infection. There are even doubts about globalization, given that the infection has spread from one corner of the world to another.

Given that COVID-19 is a pandemic, the authorities have directed us to practise ‘social distancing’ (the trending buzzword on social media) under the twenty-one-day lockdown. Hence there is now an unwillingness among the masses to engage socially. As perceptions of the world shift, the understanding of technology shifts as well. Governments around the world now value its role more than ever and recognise the need for well-drafted technology policy as they rush to contain the spread of COVID-19.

The following are the potential changes we may see in India's technology policy during and after the COVID-19 crisis.

Increase in the adoption of internet services

With the internet reaching up to 500 million users and over 660 million broadband subscriptions, internet penetration in India is evident. The present situation is proof that Jio's entry into the market, which made the internet more accessible than ever, has been a boon for us. The internet is an essential service and is what has kept the masses engaged and sane in their homes during the nationwide lockdown. India has the cheapest internet access in the world, but still, once the crisis is over, the government will certainly consider more options for making internet services accessible to the poor of the country, who are suffering most in this crisis. In the present lockdown it is important to mention the situation in Kashmir, where only 2G internet is available, at a speed that is good for nothing.

India has the cheapest mobile data in the world, with 1GB costing just Rs 18.5 (USD 0.26) compared with a global average of about Rs 600, according to research by the price comparison site Cable.co.uk. Average wireless data usage per wireless data subscriber per month is 10.37 GB.

Work from Home

Zoom, a video-meeting app, has seen a significant rise in downloads over the last week. With employees unable to attend offices, video conferencing services that work over the internet have become significant. Again, such applications make internet access an essential service for operating a business online (a fundamental right). As employment laws are being discussed these days to understand the place of work from home in the law, policymakers will certainly deliberate on this after the crisis and provide a permanent solution.

Certain important points, for the reference of readers, from the advisory issued by the government in relation to employment laws:

The Ministry of Labour & Employment, Government of India advised on March 20, 2020, that all public and private organizations are to refrain from terminating the services of their employees or reducing their wages.

The Ministry of Labour & Employment has extended the deadline for filing the Unified Annual Return for 2019 under eight laws that were filed on the Shram Suvidha Portal to April 30, 2020 (the previous deadline was February 1, 2020). The notification further states that authorities are not to take action against any entity that did not meet the earlier deadline.

The Employees’ State Insurance Corporation (ESIC), through its communication dated March 16, 2020, has extended the dates for filing of ESI contribution and payment. Accordingly, all contributions for the months of February 2020 and March 2020 can be filed and paid up to April 15, 2020 and May 15, 2020, instead of March 15, 2020 and April 15, 2020, respectively.

The Government of India will contribute the employer contribution (on behalf of companies) and employee contribution (on behalf of employees of those companies) towards the Employee Provident Fund Organization (EPFO) for the next three months for establishments with up to 100 employees meeting certain base salary thresholds.

All EPFO members (employees) will now be able to withdraw up to 75 percent of their total EPFO fund or an amount equivalent to three months of their salary, whichever is lower. The amount withdrawn from EPFO shall be non-refundable, and the employees do not need to return the same to their EPFO account.

Streaming services and regulations

During home quarantine, dependence on streaming services is so great that internet service providers have asked streaming platforms like Netflix and Amazon Prime to reduce their bit rates in order to lower the stress on networks. The platforms have duly agreed, given their continuing obligation to provide services to consumers. Consumers are realising the benefits of streaming platforms, so subscriptions are likely to rise going forward, converting them to paying users. In terms of policy-making, if streaming services have the potential to displace traditional entertainment services, the Indian government will look to regulate their content more than ever. The government is already in consultation with stakeholders on the options of self-regulation or government regulation.

Increase in demand for spectrum to meet the consumer demand

The percentage of connections based on a wireless medium is a staggering 96% approx. The increased adoption of the internet for continuous entertainment and work at home has therefore put increased stress on telecom operators, and with the sudden 20% increase in demand they have sought more spectrum allotment from the government.

A new perspective for e-commerce

The government has rightly treated e-commerce as a provider of essential services in the present situation. Adequate performance under the lockdown can give these companies a deep sigh of relief, as for the past few months their food and grocery delivery services have been under strict government supervision. Several lobbies representing brick-and-mortar retailers of groceries and food have targeted the e-commerce market and cast it as a threat to the business of offline retailers across the country. The opportunity to legitimise the need for online services during the lockdown has done for e-commerce what demonetisation did for digital payments.

Offline print becomes the victim

Online media channels are also opportunists gaining traction in terms of consumers. The newspaper industry seems to have been hurt by the contact-to-contact spread of COVID-19. Various online posts and WhatsApp threads circulating in online media claim that newspapers are potential vectors of COVID-19. In one case, the Times Group sent a legal notice to The Print over an article suggesting that COVID-19 could potentially spread through newspapers as well. There could therefore be a rise in online media usage, which could lead to a rift between offline and online media.

A struggle to contain fake news or misinformation

The sensational way in which the COVID-19 crisis has led to the nationwide lockdown owes much to the sensationalised COVID-19 content spreading through social media across the country faster than the virus itself. Misinformation about COVID-19 is spreading on a large scale, and platforms are struggling to deal with it, especially as continuous moderation by social media platforms is not legally warranted. This has dealt several blows to the effectiveness of the lockdown, since people believed misinformation such as that cow urine cures COVID-19 or that religious congregation will protect them from the disease, which led people not to take the lockdown seriously. Understanding the struggles with automatic moderation of content on the internet, the government may, sooner than before, enforce a strict moderation policy that undermines the right to free speech.

The twenty-one-day lockdown recently faltered when an exodus of large numbers of migrant workers from cities like Delhi and Jaipur came to light. The Supreme Court's division bench, in a hearing on Tuesday reviewing the steps the central government has taken to provide relief to poor migrant workers during the lockdown, expressed serious concern over the spread of fake news or misinformation regarding the lockdown's duration on social, electronic and print media, which caused the mass exodus of migrant workers from cities to their homes in villages. In this light, the Centre has sought a direction from the SC that no media stakeholder should publish COVID-19 news without ascertaining the facts with the government. However, constant and close monitoring has been held not warranted by law in various precedents of Indian courts.

Privacy, necessity and proportionality

While the right to free speech could be threatened in future as a result of the present crisis, the right to privacy has already suffered several blows. Given the emergency and the lack of any comprehensive law protecting privacy, the privacy of a number of citizens has been compromised. The health status of quarantined or infected persons is open to all, as their homes are being marked and their personal details made public on social media. Governments are openly surveilling quarantined people to enforce quarantine and inviting bids from technology companies to procure technology that can make continuous surveillance more effective. In India, several governments are already tracking citizens by keeping a tab on their phones or using geofencing. The crisis has legitimised long-cherished plans of the government to create an infrastructure that can assist in surveilling its citizens whenever the need arises. Given the opportunity, the Department of Science and Technology has invited proposals and set up a task force for building surveillance, AI and IoT tools.

Several privacy activists have spoken out against the government's plan to keep track of infected persons. If litigation arises, the question is whether the present circumstances will meet the necessity and proportionality test so as to justify the intrusions into privacy.

Drones as part of law enforcement

Drones, in some cities, are being used for surveillance to ensure that the current curfew is not violated. Drones allow the police to surveil and document in a low-risk manner. In cities like Chennai, they are being used to disinfect areas. If all goes well in these difficult times, expect the police to place more orders for drones going forward, and many tasks to be automated.

Telemedicine guidelines

One of the prime examples of the proposition that the experience of the COVID-19 crisis will speed up policy-making on regulating technology is the rollout of a set of guidelines for telemedicine, the remote delivery of medical services. Telemedicine practice means that doctors will now be allowed to use information and communication technologies, as per the guidelines, to exchange valid information with patients for the diagnosis and treatment of ailments. In order to ensure steady and quick medical services during the nationwide lockdown, the Ministry of Health and Family Welfare finally sanctioned guidelines that had been proposed ten years ago. Globally, telemedicine has emerged as a front-line weapon against the COVID-19 pandemic. The present crisis motivated the government to promote the concept of telemedicine among the masses, explaining that unnecessary exposure of people involved in the delivery of healthcare can be avoided, as patients can be screened remotely.

COVID-19 Lockdown Guidelines [updated with Addendum]: E-commerce for essential services, key takeaways & punishment under section 188 of IPC

The Ministry of Home Affairs has issued guidelines on the measures to be taken by government authorities for containment of the COVID-19 epidemic, which exempt delivery of all essential goods through e-commerce from the 21-day lockdown that came into effect from midnight today. E-commerce will operate without restrictions in order to deliver food, pharmaceuticals and medical equipment.

MeITY issues advisory to State Governments

On the same lines, the Ministry of Electronics and Information Technology (MeITY) has, through an advisory, directed all state governments to permit IT/ITeS industries to carry out essential functions, which include delivery, warehouse operations, shipping and logistics. Cases and videos have been reported from several parts of the country of police officials halting and beating delivery executives in order to enforce the lockdown. The MeITY advisory will therefore help ensure that delivery executives and other associated employees can carry out these functions. The Ministry advised the state governments to treat a “copy of orders, waybills, invoices” as evidence.

Reuters had reported that e-commerce and online grocery delivery services were being disrupted across the country as multiple states locked down to contain the COVID-19 pandemic. Section 144 has also been imposed in multiple parts of the country, making it harder for delivery personnel to operate and for warehouse employees to get to work. Flipkart and Amazon temporarily suspended logistics services for sellers across regions, according to an Economic Times report. The problem e-commerce companies face right now is that different states have come out with different guidelines on their operations during the pandemic. For instance, the Tamil Nadu government banned home delivery services such as Zomato and Swiggy as the state went into lockdown, but the Maharashtra government exempted food delivery as the delivery of an “essential good”.

The MeITY advisory will therefore assist in providing a uniform direction to all state governments to allow the operation of e-commerce deliveries of essential services across the country.

Other important things to know

Further, for the general information of the reader, as per the guidelines:

Closed: Commercial and private establishments (such as shopping malls, private outlets etc.) will be closed.

Exceptions:
  • Shops, including ration shops (under PDS), dealing with food, groceries, fruits and vegetables, dairy and milk booths, meat and fish, and animal fodder. District authorities may encourage and facilitate home delivery to minimise the movement of individuals outside their homes.
  • Banks, insurance offices and ATMs.
  • Print and electronic media.
  • Telecommunications, internet services, broadcasting and cable services.
  • Delivery of all essential goods, including food, pharmaceuticals and medical equipment, through e-commerce.

Closed: Offices of the Government of India, its Autonomous/Subordinate Offices and Public Corporations shall remain closed.

Exceptions:
  • Police, home guards, civil defence, fire and emergency services, disaster management, and prisons.
  • District administration, electricity department, water and sanitation.
  • Municipal bodies (only staff required for essential services like sanitation, personnel related to water supply etc.).
  • Hospitals and all related medical establishments, including their manufacturing and distribution units, in both the public and private sector, such as dispensaries, chemist and medical equipment shops, laboratories, clinics, nursing homes, ambulances etc., will continue to remain functional.
  • Transportation services for medical purposes will be permitted.

The Ministry of Home Affairs issued an addendum to the guidelines to include more services/activities exempted from the 21-day nationwide lockdown. The following additional services have been exempted: [The post was updated on 26.03.2020]

  • The Government “Treasury” has already been exempted vide the guidelines issued yesterday. It is now clarified that the term “Treasury” would include Pay & Accounts Officers, Financial Advisors, field offices of the Controller General of Accounts;
  • Further, it has been added that the RBI, RBI Regulated financial markets, entities such as NPCI and CCIL, payment system operators and standalone primary dealers would also stand exempted;
  • IT Vendor for banking operations, Banking Correspondent and ATM operation and cash management agencies;
  • Shops for seeds and pesticides;
  • Data and call centres for Government activities only;
  • Operation of Railways, Airports and Seaports for cargo movement, relief and evacuation and their related operational organisations;
  • Inter-state movement of goods/cargo for inland and exports;
  • Cross land border movement of essential goods including petroleum products and LPG, food products, medical supplies; and
  • Veterinary hospitals, pharmacies (including Jan Aushadhi Kendra), Pharmaceutical research labs stand exempted.

Punishment for violating the lockdown order

The guidelines strictly note that:

“Any person violating these containment measures will be liable to be proceeded against as per the provisions of Section 51-60 of the Disaster Management Act, 2005, besides legal action under Section 188 of the IPC.”

Section 188 of the Indian Penal Code provides two offences and their punishments as follows:

  • Disobedience to an order lawfully issued by a public servant, if such disobedience causes obstruction, annoyance or injury to persons lawfully employed. Punishment: simple imprisonment for 1 month, or a fine of Rs 200, or both.
  • If such disobedience causes danger to human life, health or safety, etc. Punishment: simple imprisonment for 6 months, or a fine of Rs 1000, or both.

Section 3 of the Epidemic Diseases Act provides that any person found disobeying any regulation or order made under the Act is deemed to have committed an offence under Section 188 of the IPC. Therefore, those violating the lockdown orders can face legal action under the Epidemic Diseases Act, 1897, which prescribes punishment as per Section 188 of the Indian Penal Code, 1860, for flouting such orders.

Note from the author: This blog began with the aim of simplifying and compiling the laws related to technology for everyone's understanding. The keyword that motivated the author to write on such topics is the uncertainty behind the laws that regulate technology. This post, however, has been different and has dealt with the simplification of certain other issues as well. It is again the uncertainty of the present times that has motivated the author to write this piece. The uncertainty about the magnitude of the damage from the corona outbreak may result in more such unprecedented laws and guidelines from the government. The author will continue to simplify them for everyone's understanding. A very small contribution to society in these difficult times. Let us fight this together. Stay home, stay healthy.

Simplifying FinTech and FinTech Laws: All the laws that govern digital payments and transactions in India

Over the years, the financial services industry has become increasingly regulated in terms of its adoption of technologies for the facilitation and disintermediation of transactions. The extensively fragmented laws and regulations certainly make it difficult for any person or entity to objectively find the mandatory requirements that the law imposes upon them. This post gives a brief overview of fintech laws and the various ways in which they govern our digital transactions. It is the third post in the series ‘Simplifying FinTech and FinTech Laws’.

The legal topography regulating fintech services in India is largely distributed, and there is no single comprehensive regulation or legislation governing the fintech industry in the country. The lack of a complete and comprehensive single set of guidelines or regulations makes it hard to identify the actual authorities that are supposed to govern fintech in India. The framework, legislative or regulatory, primarily comprises the following:

The Payment and Settlement Systems Act, 2007

The sources of law that actually govern payments in the Indian jurisdiction are the Payment and Settlement Systems Act, 2007 (PSS Act) and the Payment and Settlement Systems Regulations, 2008, together with the rules issued thereunder. Basically, these are the statutes from which India's central bank, the Reserve Bank of India, derives its power to regulate payment and settlement systems in India. Under the PSS Act, the RBI has wide discretionary powers to issue orders, directions and rules to financial systems established in India. There are several pending recommendations to amend the PSS Act and form a new regulatory board, the Payments Regulatory Board (PRB), but the necessary amendments to the PSS Act are still awaited.

Under the PSS Act, any person, including a non-banking financial company (NBFC), that wants to operate a payment system may do so upon obtaining authorisation from the RBI. The Act provides several eligibility criteria that must be fulfilled by a person or company wishing to operate a payment system. Technology facilitators between merchants and the banking institutions that process and settle transactions, known as ‘Gateway Service Providers’, do not have to obtain any authorisation from the RBI. Common gateway service providers include BillDesk, RazorPay and InstaMojo.

The PSS Act is the primary legislation governing the regulation of payments in India. The PSS Act defines a “payment system” as:

“a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service of all of them, but does not include a stock exchange”.

Master Direction on Issuance and Operation of Prepaid Payment Instruments

Prepaid Payment Instruments (PPIs) are pre-loaded stores of value (basically your PayTM or Freecharge wallets); in some cases that value can be used only for a specified purpose (basically Ola Money). PPIs hold value in a specified form that facilitates payment for goods and services and, in certain cases, person-to-person remittance of money, e.g. sending money to your friends or family members. As defined in Rule 2.3 of the Master Directions:

“PPIs are payment instruments that facilitate purchase of goods and services, including financial services, remittance facilities, etc., against the value stored on such instruments. PPIs that can be issued in the country are classified under three types viz. (i) Closed System PPIs, (ii) Semi-closed System PPIs, and (iii) Open System PPIs.”

The Master Directions were issued by the RBI on October 11, 2017, and are amended from time to time. They provide the eligibility criteria to be followed by PPI issuers, the thresholds for debits and credits that can be made using PPIs, and the other operational obligations a PPI issuer must fulfil when issuing such instruments to its customers in India. PPIs fall within the ambit of the term ‘payment system’ under the PSS Act and hence have to comply with both the PSS Act and the Master Directions. PPIs include brand-specific gift cards, e-wallets like the PayTM wallet, Freecharge and Mobikwik, shopping or travel cards issued by banks themselves, etc.

NPCI Guidelines governing the UPI Payments

UPI payments are governed by the Procedural Guidelines related to UPI and the Operating and Settlement Guidelines related to UPI, as issued by the NPCI. Under the current governing framework, only banks may provide UPI payment services to consumers. Banks are authorised to integrate the UPI platform into their payment systems. They operate over the UPI platform by engaging the services of a technology provider, and in such circumstances the Guidelines subject both the technology providers and the banks to strict compliance with the norms prescribed by the NPCI.

“The Unified Payment Interface enables architecture and a set of standard Application Programming Interface (API) specifications to facilitate digital payments using a mobile phone.”

Regulations related to Non-Banking Financial Companies (NBFCs)

The primary legislation governing NBFCs is the Reserve Bank of India Act, 1934, supplemented by secondary master directions, rules, guidelines and circulars that regulate the licensing and operation of such companies in India. The RBI has set thresholds that determine whether a business entity is to be classified as a “financial services company”, which also requires a licence. The majority of lenders that operate digitally fall within the ambit of the term ‘NBFC’. The most important regulations that holistically govern NBFCs are the Master Direction – Non-Banking Financial Company – Systemically Important Non-Deposit taking Company and Deposit taking Company (Reserve Bank) Directions, 2016; the Master Direction – Non-Banking Financial Company – Non-Systemically Important Non-Deposit taking Company (Reserve Bank) Directions, 2016; and the Master Direction – NBFC – Acceptance of Public Deposits (Reserve Bank) Directions, 2016.

Master Directions related to P2P lending platforms

The Master Directions – NBFC – Peer to Peer Lending Platform Directions, 2017 incentivised a whole range of activities for P2P platforms. They permit a P2P platform to act as an intermediary, provided it complies with certain strict legal requirements and conducts proper due diligence on participants using the platform to lend or borrow. The Master Directions make it mandatory for P2P portals to check creditworthiness through an assessment, perform risk profiling of the borrower's business or project, and actively share the disclosures with potential investors or lenders. Further, RBI regulations bar P2P platforms from lending, raising deposits or cross-selling any product over the portal. They are not required to facilitate any credit guarantee or secured loans. Cross-jurisdictional flows of funds are barred under the Master Directions. In toto, therefore, the Directions prescribe the norms governing lender exposure and aggregate borrowing thresholds in the context of the workings of P2P lending platforms in the country.

Guidelines to govern Payment Aggregators/Intermediaries

The RBI’s circular of November 24, 2009 on “Directions on opening and operation of Accounts and Settlement of Payments for Electronic Payment Transactions involving Intermediaries” (the “Payment Intermediary Circular”) lays down the legal framework that applies to the operation of payment gateways and intermediaries in India. Such intermediaries are strictly required to comply with the guidelines on the operation of intermediary systems in India provided under the Payment Intermediary Circular.
According to the RBI’s recent discussion papers, payment gateways and aggregators form a critical link in the transaction flow, and hence their activities need to be regulated as falling within the ambit of the PSS Act, 2007. The RBI stated in its Monetary Policy Statement for 2018-19 that the existing guidelines governing payment intermediaries and gateway providers are to be reviewed.

RBI Guidelines on Payment Banks

The Guidelines on operation of Payment Banks and the Guidelines for Licensing of Payment Banks, issued under the RBI’s governing framework, set out the regulations and measures relating to the licensing and operation of payments banks in India. The guidelines, among other things, lay down the eligibility criteria for registration, the permissible operations, and further guidelines that govern the working of payment banks. The Reserve Bank of India states the purpose of setting up payments banks as follows:

“The objectives of setting up of payments banks will be to further financial inclusion by providing (i) small savings accounts and (ii) payments/remittance services to migrant labour workforce, low income households, small businesses, other unorganised sector entities and other users.”

Anti-Money Laundering (AML) Regulations and Know Your Customer (KYC) Regulations

Know Your Customer (“KYC”) is the term for the customer identification process. KYC norms include the prudential efforts made to ascertain the identity and beneficial ownership of accounts, the source of funds, the nature of the customer’s business, and the reasonableness of operations in the account in relation to the customer’s business, etc., which in turn help banking institutions manage their risks prudently. The purpose of the KYC guidelines is to prevent banks from being used by criminal elements for money laundering.

The Reserve Bank of India issued these guidelines to banks under Section 35A of the Banking Regulation Act 1949 and Rule 7 of the Prevention of Money-Laundering (Maintenance of Records of the Nature and Value of Transactions, the Procedure and Manner of Maintaining and Time for Furnishing Information and Verification and Maintenance of Records of the Identity of the Clients of the Banking Companies, Financial Institutions and Intermediaries) Rules, 2005.

The key regulatory guidelines that prescribe anti-money laundering (AML) norms for fintech services in India are the PMLA, the PML Rules and the KYC norms included in the Master Directions.

Data Protection Regulations and Rules

Fintech is a data-driven industry, and as a result it faces challenges and risks relating to data ownership and data security. Such risks can be mitigated only through legal and technical measures. Cybersecurity measures such as data labelling, optional information sharing and identified data shareholding can be the response to the various data-driven challenges the fintech space is facing.
Unauthorised access to customers’ data is a threat to data privacy, and in fact violates the fundamental right to privacy; it is therefore a significant challenge for fintech platforms, which gather and store many forms of financial and behavioural data. India, right now, does not have any comprehensive legislative or regulatory framework governing data protection. The Information Technology Act 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, currently set out the obligations of corporations and businesses to take reasonable measures to protect the personal data of consumers.

Further, the draft Personal Data Protection Bill, 2018, which is in the pipeline, can best be described as follows:

“The draft Personal Data Protection Bill (2018) contains provisions that go beyond just the requirements of the IT Rules. The Bill specifies a notice and consent framework with explicit consent in the case of sensitive personal data. Explicit consent is understood as consent that is informed, clear, and specific along with being free and capable of being withdrawn.”


Summary: Philippines Senator introduces the ‘Anti-False Content Act’ to fight fake news

The article has been authored by Aryan Babele and was first published on Medianama. Read https://www.medianama.com/2019/08/223-the-lowdown-the-anti-false-content-act-to-address-fake-news-that-was-introduced-in-the-philippines/

The Senate of the Philippines announced the introduction of the ‘Anti-False Content Act’ on 1st July 2019. The newly proposed anti-fake news bill, filed by Senate President Vicente Sotto III, aims to prohibit “the publication and proliferation of false content on the Philippine internet, providing measures to counteract its effects and prescribing penalties therefor.” The Senator, in the explanatory note to the Bill, said that

“In the Philippines, widespread are headlines that are mere click-baits; made up quotes attributed to prominent figures; and digitally altered photos. Filipinos have fallen prey to believing that most of them are credible news…. In this regard, this bill seeks to protect the public from the deleterious effects of false and deceiving content online.”

However, media groups are warning that the proposed Bill could lead to censorship. On 25th July 2019, the international group Human Rights Watch (HRW) opposed the proposed law in a news release, stating that the Bill is “sweepingly broad and threatens to stifle discussion on websites worldwide” and “would excessively restrict online freedom of speech”. Linda Lakhdir, Asia Legal Adviser at HRW, further said that:

“The proposed ‘false content’ law poses real risks for activists, journalists, academics, and ordinary people expressing their views on the internet”

Declaration of Policy

The proposed Act declares that the policy of the State is “to protect people from any misleading or false information that is being published and has become prevalent on the internet”. In this regard, the State shall commit to:

  1. Be proactive in preventing further exploitation of online media platforms for such purpose;
  2. Counteract its concomitant prejudicial effects on the public interest while remaining cognizant of the people’s fundamental rights to freedom of speech and freedom of the press.

What is ‘online intermediary’?

It refers to “a provider of service which displays an index of search results that leads the internet users to a specific online location”, giving them access to “contents originating from third parties”, and “allows them to upload and download content”. It includes, but is not limited to, social-networking sites, search engine services, internet-based messaging services, and video-sharing sites.

What constitutes ‘publication’?

It refers to the “act of uploading content on an online intermediary with an intent to circulate particular information to the public”.

What is ‘fictitious online account or website’?

It refers to those accounts and websites “that has an anonymous author or uses an assumed name in pursuing activities” in order to avoid punishment or the legal consequences of such activities.

Counter-active measures

According to Section 5 of the proposed Act, the Department of Justice (DOJ) Office of Cybercrime shall have the authority to issue a rectification order, a takedown order and/or a block access order to restrain the creation and/or publication of online content that contains false information or that tends to mislead the public.

Rectification order refers to an order directing the administrator of the online account or website to issue a notice indicating the necessary corrections to published content.

Takedown order refers to an order directing the owner or administrator of the online account or website to take down the published content.

Block Access order refers to an order directing the online intermediary to disable access by users to the published content.

These orders can be issued by the DOJ Office of Cybercrime in the following two cases:

  1. When a complaint filed with the DOJ Office of Cybercrime by an aggrieved party is valid and has sufficient basis;
  2. In matters affecting the public interest, where the same Office can issue the appropriate order on its own volition (motu proprio).

“Public interest shall refer to anything that affects national security, public health, public safety, public order, public confidence in the Government, and international relations of the Philippines.”

Appeal to cancel the order

According to Section 6 of the Bill, an online publisher or online intermediary that has been issued Orders under Section 5 of the Bill can appeal against such Orders to the Office of the Secretary of the DOJ.

Punishable Acts under the proposed law

According to Section 4 of the Bill, the following acts shall be punishable offences:

  1. Creating and/or publishing content on one’s personal online account or website knowing, or having reasonable belief, that the content contains false information or tends to mislead the public;
  2. Using a fictitious online account or website to create and/or publish content that contains false information or misleads the public;
  3. Offering or providing one’s services to create and publish content online with the intention of deceiving the public, regardless of whether it is done for profit;
  4. Financing an activity whose purpose is the creation and/or publication of content online containing false information or that would tend to mislead the public;
  5. Non-compliance with any of the government’s Takedown orders, Rectification orders or Block Access orders issued under Section 5 of the proposed law, whether deliberate or through negligence.

Penalties

Section 8 of the Bill proposes the following stringent penalties for the punishable offences listed above:

  1. If an individual is found guilty of creating and/or publishing false information online and misleading the public as provided under Section 4(a) of the proposed law, he/she will be punished with imprisonment of up to six years, or a fine of not more than PHP 300,000, or both.
  2. If an individual is found guilty of using a fictitious online account or website to create and/or publish false information online and mislead the public as provided under Section 4(b), he/she will be punished with imprisonment of up to six years, or a fine of not more than PHP 500,000, or both.
  3. If an individual is found guilty of offering or providing one’s services to create and/or publish false information online with the intent to deceive the public as provided under Section 4(c), he/she will be punished with imprisonment of up to six years, or a fine of not more than PHP 200,000, or both.
  4. If an individual is found guilty of financing an activity as provided under Section 4(d), he/she will be punished with imprisonment of up to twenty years, or a fine of not more than PHP 100,000, or both.
  5. If an individual is found guilty of not complying with government orders issued under Section 5 of the proposed law, he/she will be punished with imprisonment of up to twenty years, or a fine of not more than PHP 200,000, or both.

Jurisdiction of the regional trial courts

Section 9 provides that the regional trial courts will have jurisdiction over Philippine nationals who commit the acts punishable under the proposed law, whether or not they were in the Philippines when the offense was committed.

Law Enforcement Authorities

The Cybercrime Division of the Philippine National Police (PNP) and the National Bureau of Investigation (NBI) will be responsible for the enforcement of the provisions of the Act.

Facebook’s Clampdown on the business of generating fake likes and followers: ‘Inauthentic Behavior’ on Instagram

Facebook has announced in a blog post titled “Preventing Inauthentic Behavior on Instagram” that Facebook and Instagram have sued a company and three individuals based in New Zealand for running a business selling fake likes, views and followers on Instagram. It has filed a lawsuit in US federal court alleging that “the company and individuals used different companies and websites to sell fake engagement services to Instagram users”.

It said it had issued warnings to the company and suspended the company’s associated accounts for violating Facebook’s Terms of Use, but the activities persisted. By filing the lawsuit, Facebook wants to send a message that fraudulent activity is not tolerated and that it will protect the integrity of its platform.

The lawsuit

The lawsuit asks the Court to prevent the defendant company from “engaging and profiting in the sale of fake likes, views and followers on Instagram”. It also seeks to prevent a “violation of its Terms of Use and Community Guidelines”. Further, it aims to prevent a “violation of the Computer Fraud and Abuse Act and other California laws for distributing fake likes on Instagram in spite of Facebook suspending their accounts and revoking access”.

The lawsuit details that a company called Social Media Series operated various websites and services to generate fake likes and followers for Instagram users who wanted to inflate their follower counts. Customers paid from $10 to $99 per week, depending on the number of likes they wanted to purchase for their accounts, and the likes were then generated almost within seconds of a new photo being posted.

The lawsuit says that “through their business, Defendants [Social Media Series Limited and its directors] interfered and continue to interfere with Instagram’s service, create an inauthentic experience for Instagram users, and attempt to fraudulently influence Instagram users for their own enrichment”.

The lawsuit further claims that the company and its directors have “unjustly enriched themselves at the expense of Facebook and Instagram in the amount of approximately $9,430,000” since July 2018.

Inauthentic experience

Facebook said in the blog post that “Inauthentic activity has no place on our platform”. The social media giant says it will “devote significant resources” to detecting and stopping inauthentic behaviour. This includes “blocking the creation and use of fake accounts, and using machine learning technology to proactively find and remove inauthentic activity from Instagram”.

It further said that “today’s lawsuit is one more step in our ongoing efforts to protect people and prevent inauthentic behavior on Facebook and Instagram”. Facebook is seeking unspecified damages for the manipulation of Instagram’s platform.

Clamping down on “Inauthentic Behavior”

Facebook now has multiple lawsuits in the works against individuals or companies that sell fake engagement on its social media platforms. Facebook recently removed or unpublished over 1,000 Facebook pages and Instagram accounts from India and Pakistan for ‘inauthentic behavior’. In March 2019 it filed a lawsuit against several companies and individuals based in China, claiming that they were engaged in selling fake accounts, likes, and followers on Facebook and Instagram. In November 2018, Instagram warned users to avoid inauthentic follows and likes generated by third-party apps and services, as reported by Cult of Mac.

Multiple Petitions over ‘PUBG Ban’: Another facet of Technology v. Law

PlayerUnknown’s Battlegrounds (PUBG) is one of the most popular online multiplayer games in the world, with a player base of almost 400 million worldwide. It is a standalone game in which up to a hundred players parachute onto an island and collect weapons and equipment to kill the others, while avoiding getting killed themselves. The safe area of the game’s map shrinks over time, pushing surviving players into tighter areas to force encounters. The last player or team surviving wins the round.

On 11th April 2019, the Gujarat High Court dismissed a Public Interest Litigation (PIL) petition filed by the Internet Freedom Foundation (IFF) which challenged the ban imposed on playing of PlayerUnknown’s Battlegrounds (PUBG), by at least six Gujarat Police departments.

Hearing the IFF’s petition, the HC bench comprising Chief Justice Anant S Dave and Justice Biren Vaishnav observed that they “are not satisfied that the scope of the present writ petition falls under the ambit of Public Interest Litigation”.

Public Interest Litigation means litigation introduced for the protection of the public interest. It is litigation introduced in a court of law not by the aggrieved party but by the court itself or by any other private party. For the exercise of the court’s jurisdiction it is not required that the petitioner be the victim of the violation of rights. However, the person filing the petition must prove to the satisfaction of the court that the petition is being filed in the public interest and not merely as frivolous litigation.

In a separate PIL petition seeking a ban on PUBG, the Bombay High Court issued a direction to the Ministry of Electronics and Information Technology (MEIT) to assess and review the online game PUBG and take action if any “objectionable content” is found.

The Gujarat HC’s order

In March, following a letter from the home department, several police departments in Gujarat issued notifications banning PUBG on the orders of Commissioners under Section 144 of the Code of Criminal Procedure. The orders were issued on the ground that the game results in violent behaviour among youngsters and affects their studies. According to several reports, teenagers found playing the online game were arrested under Section 188 of the Indian Penal Code.

Section 144 of the Code of Criminal Procedure gives State Governments the power to

The IFF’s petition contends that the ban is arbitrary and unreasonable as it violates Articles 14, 19 and 21 of the Constitution of India.

The IFF’s petition contends that the impugned order banning PUBG violates the fundamental right to liberty under Article 21. According to the petition, the ban is a disproportionate invasion of privacy on the following grounds:

  • The ban does not serve any of the legitimate purposes mentioned in Section 144 CrPC, because persons arrested for playing the game are not engaging in any violent or aggressive behaviour.
  • The ban, which carries the threat of arrests and criminal prosecution, is a “patently unsuitable method of promoting psychological, social and educational well-being of adolescents and young adults”.
  • “Further, there is no evidence to suggest that the negative effects of PUBG are severe enough to endanger human life or health”.

The petition further challenges the ban as infringing several freedoms guaranteed under Article 19 on the following grounds:

  • PUBG provides in-game text and voice chat features which players use to form “meaningful bonds through team play and recreation”. The ban on the game therefore denies players the right to freedom of speech and expression guaranteed by Article 19(1)(a).
  • PUBG is a team game and players assemble in public places to play it in teams. The petition contends that the ban denies players the right to peacefully assemble in public spaces guaranteed by Article 19(1)(b).
  • There are “professional PUBG competitions” held on the world stage that “award large cash prizes”, and hence the game is “a source of livelihood for individuals”. The ban violates the right to practise any profession or occupation under Article 19(1)(g).

The petition further contends that the police order is in excess of their powers under Section 144 of the CrPC and is arbitrary. The ban is arbitrary because Section 144 “cannot be invoked merely based on the remote possibility of a threat”. The banning order is a form of “moral panic” based on unverified data about the ill effects of PUBG.

Section 144 of the CrPC is the sole provision in the chapter on ‘temporary measures to maintain public tranquillity’, and gives State Governments the power to issue orders for immediate remedy in urgent cases of nuisance or apprehended danger.

From a bare reading, the relevant portion of Section 144 can be carved out into three basic elements:

  • The authority to issue orders: this lies with the District Magistrate, a sub-divisional magistrate or any other Executive Magistrate specially empowered by the State Government in this behalf.
  • The grounds on which S. 144 can be invoked: a) sufficient ground, b) the requirement for immediate prevention, and c) speedy remedy to prevent a likely obstruction, annoyance or injury to any person lawfully employed, or danger to human life, health or safety, or a disturbance of the public tranquillity, or a riot, or an affray.
  • The intended recipient: after determining sufficient ground, and by a written order, the authorised magistrate can direct any person to abstain from a certain act or to take a certain order with respect to certain property in his possession or under his management.

Before filing this petition, on 14th March 2019, the IFF had also issued a public appeal to revoke the Section 144 orders and cease criminal prosecutions following the ban.

During the hearing, the Hon’ble Gujarat HC did not agree with the IFF’s submission and rejected the PIL. However, the HC noted that the individuals who have been arrested for playing PUBG may approach the High Court themselves. According to the IFF, it had anticipated such a concern in its petition and noted that “young college students who have been arrested may not have the resources and support to withstand protracted litigation against the Police department”.

The Bombay HC’s order

Hearing a PIL that seeks a ban on PUBG in schools, the Bombay HC bench comprising Chief Justice Pradeep Nandrajog and Justice NM Jamdar directed the Secretary of the IT Ministry to review and assess the game and take action against the service providers if any objectionable content is found.

The PIL, filed by 11-year-old Ahad Nizam and represented by his father, contends that the popular online multiplayer game promotes immoral conduct such as “violence, murder, aggression, looting, gaming addiction and cyberbullying” and should therefore be banned.

The PIL seeks directions to the State Education Department to ban PUBG in schools forthwith. It also seeks directions to the Ministry of Electronics and IT, Government of India, to form an Online Ethics Review Committee to monitor such content from time to time.

The Court has adjourned the case and posted it for hearing after vacations.

In light of the above two judgments, the blog will explore the tussle between regulations and eSports. Keep checking the posts to know more.

DECODING THE STANDARD CLAUSES OF GDPR- (1)

The General Data Protection Regulation (GDPR) has now been in effect for more than six months, yet many SMEs still treat it as something that is yet to be enforced at some point in the future. No doubt this is why GDPR is getting so much attention in the global market. It is the globalisation of the market and its integration with the internet that makes GDPR a big deal, despite its being a framework of standard regulations that apply in the European Union only. GDPR includes some very basic elements that could potentially become the standard data protection law across the globe. Therefore, before discussing its sector-wise impact, it is very important to know the obligations and rights under GDPR of the key stakeholders that deal with personal data.

In light of the debate about its being strict and harsh on SMEs, it is very important to understand that GDPR is prescriptive in nature. Being prescriptive means that it lays down the best practices that businesses in Europe need to follow when drafting their privacy policies. GDPR is prescriptive on the need for contracts governing the sharing of EU citizens’ personal data in the following three brackets:

  1. Data Sharing between Co-controllers;
  2. Processors appointed by Controllers;
  3. Sub-Processors appointed by Processors (data centres or any kind of support behind the vendor).

______________________________________________________________________

NOTE: Before describing the standard clauses under GDPR, it is important to understand the basic meanings of certain terms, which are used in this article in the following senses:

Data-Subject refers to an individual person or a natural person identified, directly or indirectly, through an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity. In other words, a data subject is an end user whose personal data can be collected.

Data-Controller, according to the GDPR, is defined as “a natural or legal person which, alone or jointly with others, determines the purposes and means of personal data processing” (for example, a business obtaining customer or employee details, or a school, college or university holding student records).

The role of a data controller is to determine who shall be responsible for compliance with data protection rules and how data subjects can exercise their rights. Put simply, the controller is the manager of the personal data and instructs the processor. The data controller decides the purpose for which personal data is required and what personal data is necessary to fulfil that purpose.

A data controller acts autonomously. A party that is constrained in how it can handle personal data is less likely to be a data controller, but could be a data processor.

GDPR defines a Data-Processor as:

a natural or legal person that processes personal data on behalf of the data controller.

A data processor would be a separate business entity (whether a company, partnership or a sole trader) serving the interests and carrying out the instructions of the data controller in its processing of the personal data.

The role of a data processor could include storing data, retrieving data, running the payroll for a business, carrying out marketing activities, or providing security for data.

 

PRACTICAL SCENARIO:

X Limited has entered into a contract with Y Limited, giving Y Ltd. clear instructions to send an email advertising X Ltd.’s new range of products.

X Ltd. provides Y Ltd. with an email template and a spreadsheet of personal email addresses (all obtained with valid GDPR consent).

X Ltd. stipulates that the spreadsheet is only to be used for the purpose of sending this advertising email.

Y Ltd. is bound by the instructions of X Ltd.

In this scenario, Y Ltd. is a data processor and X Ltd. is the data controller.

 ______________________________________________________________________

Knowing obligations and rights of Controllers

In practice, in the European Union, vendors, sellers and suppliers are pushing for standard contracts that comply with GDPR, as all commercial negotiations relating to data sharing are now governed by it and EU controllers are very concerned about managing risk. As the marketplace is still nascent, guidance and enforcement are much needed. It is therefore important to identify and categorise whom one can share data with and receive data from, determine the GDPR processor obligations, and ensure the stability of internal processes. Another point to understanding GDPR in its true essence is that contracts are just one part of wider GDPR compliance, and by no means the whole of it.

Article 5 of the GDPR presents the big picture explaining the core principles behind the standard provisions relating to the protection of personal data as follows:

  • Data must be processed lawfully and fairly in a transparent manner, and this should be the primary concern of the controller. This principle is a reminder of the significant matters that a stakeholder must set out clearly in its contracts in order to specify responsibilities, process and liabilities.
  • Data minimisation must be the essence of every privacy policy. Simply put, it means that personal data should be processed only to the minimum extent necessary.
  • Data must be accurate and must be kept up to date. This is one of the clauses that paves the way for the implementation of the right to be forgotten in terms of data collection, as the principle requires that out-of-date data be deleted or corrected as quickly as possible.
  • Storage limitation should be in place in order to limit the duration for which the data and its source remain identifiable, subject to certain restrictions.
  • Security and integrity of data: there is an obligation to prevent unauthorised access to or control of data by using effective ethical, technical and organisational methods. The phrase ‘integrity and confidentiality’ appears in multiple places in GDPR, and it is there to remind stakeholders what is expected of their data-protection policy.
  • The principle of accountability makes it clear that under GDPR a stakeholder is not merely supposed to comply with the regulations, but has to demonstrate that compliance. Therefore, accountability should be explicitly visible in every contract under the privacy policy.
  • There is another principle which is not present in the text of Article 5 but is provided under GDPR through Article 25: the concept of data privacy by design and by default. The theme behind it is that a stakeholder has to embed the concept of privacy in every word of its privacy policy that deals with the personal data of EU citizens, and hence the contract should highlight it as well.

With the principles set out, one can move on to understand the letter and spirit of the law that the GDPR enforces, as follows:

The GDPR has specific requirements for joint controllers and for controller-processor/sub-processor arrangements. According to Article 26 of the GDPR, a joint controller relationship is one in which two or more controllers jointly determine the purposes and means of processing data. Article 26 requires the joint controllers to identify their respective compliance responsibilities, and the GDPR requires that the data subject be made aware of these arrangements. Therefore, stakeholders have to incorporate these responsibilities clearly in contracts and policies. The rights and duties in the arrangement with respect to the data subject must clearly delineate who will be liable when the data subject exercises his or her rights.

Knowing obligations and rights of Processors

Controllers are further obliged to appoint only those Processors that provide sufficient guarantees to implement appropriate technical and organisational measures in order to meet the requirements of the GDPR. This means that the controller should undertake a proper due diligence process before appointing a Processor. Although the GDPR does not prescribe this as a mandatory explicit contractual requirement, it is always better to cover off the risks by documenting the position in writing, especially anything related to the Processor under Article 28 of the GDPR, in order to demonstrate accountability in commercial contracts. For Processors, the GDPR has highly specific requirements on what must be present in a contract, as follows:

  1. The subject-matter of the processing;
  2. The duration of the processing;
  3. The purpose of the processing;
  4. Type of personal data being processed;
  5. The categories of data subject;
  6. The obligations and rights of the controller.

Therefore, the data processing activities that are contracted out to the processor should be laid out in detail. Even that is not enough, as there are a number of obligations on the processor under Chapter 4 of the GDPR requiring it to process data according to the specific instructions of the Controller that are documented in the contract. Again, a point to note is that the GDPR does not mandate that a stakeholder cover all such instructions in the initial contract, but most policy drafters suggest that a stakeholder should include basic instructions, for example who is authorised to give them, to whom they need to be sent and how quickly they need to be acted on.

The GDPR singles out data transfers in particular as an issue on which a Data Processor must contractually agree to adhere to the instructions of the Controller. Appropriate confidentiality undertakings in respect of persons authorised to process personal data need to be included. The processor has to comply with the security obligations under Article 32 of the GDPR. The Processor also has to comply with deletion or return requests made by the Controller at the end of the contract. It is the first time in EU law that a Data Processor will have direct liability to Data Subjects in relation to certain GDPR data breaches. As a result, all the parties involved in the framework of data collection, processing and sharing have a greater interest in ensuring that contractual liability is dealt with in the way most advantageous to them.

Knowing obligations and rights of Sub-Processors

Finally, it is worth mentioning Sub-Processors as well, since the GDPR provides in detail for the authorisation of the appointment of sub-processors under Article 28(4). A Processor cannot appoint a sub-processor without prior specific or general written authorisation from the controller. Where the controller gives general written authorisation, the processor has to update the controller about any intended changes in the instructions delivered to the sub-processor and give the controller the opportunity to object. The contract needs to set out specifically how the notification and approval processes will work under a general authorisation. The Processor has to impose on the sub-processor the same obligations that apply to it under its contract with the Controller. Under the GDPR, it is the processor who remains liable to the Controller for data breaches, making the allocation of liability a vital requirement.

GDPR compliance is about more than just complying with the letter of the law; regulators are going to be looking at whether the stakeholder is complying with the spirit of the law.

In order to ensure compliance, the controller needs to ensure flow-down in contracts: where the controller has an obligation with which a processor or sub-processor will assist, the contract must delineate these obligations. The ICO draft guidelines provide a well-developed checklist to ensure the proper drafting of clauses relating to the controller’s obligations.

The next blog in the GDPR series will deal with the provisions of the GDPR that provide specific instructions related to the drafting of privacy policies and private contracts.

The following are suggested reading to understand, in an elaborate manner, the technicalities of the obligations and rights of data subjects, Controllers and Processors:

https://www.porterdodson.co.uk/blog/gdpr-who-is-the-data-controller-who-is-the-data-processor-and-what-is-the-lawful-basis

https://www.wsiworld.com/blog/responsibilities-of-a-controller-processor-and-data-protection-officer-according-to-gdpr/

https://www.dporganizer.com/gdpr-data-controller-vs-processor/

https://termsfeed.com/blog/gdpr-data-controller-vs-processor/
