Hopes and Doubts related to Telemedicine Guidelines in the context of Data Protection

The author is Vineet Gupta, Volunteer Researcher, LawforIT. He is actively involved in research on the privacy policies of different leading online medical consultation platforms. The policy paper will soon be available on the blog.

Background

The Medical Council of India, jointly with the NITI Aayog, notified the Telemedicine guidelines in the midst of the Coronavirus pandemic. These guidelines can be seen as a first attempt at providing some relief with regard to the legal gaps and anxieties around the practice of medicine by doctors via communication devices.

Although telemedicine has historically (with the advent of technology) been widely practised in India, for a long time there was no legal mechanism for it. From the introduction of the communication channel by ISRO in 2001, linking Chennai’s Apollo Hospital with the Apollo Rural Hospital at Aragonda village in the Chittoor district of Andhra Pradesh[i], to the hundreds of apps providing online consultation today, we have come a long way. With technological upgrades and the boom in the telecommunication sector, it became quite common for patients to seek recommendations from their family doctors over calls, WhatsApp messages, and even video conferencing. As the potential and reach of telemedicine were realized, the internet was flooded with startups acting as intermediaries that provided a channel between patients and doctors for online medical consultation.

On one side telemedicine was gaining popularity, and on the other there was a certain amount of anxiety, backlash, and confusion around its practice. With no proper guidelines on the practice of telemedicine, doctors were hesitant to provide online/telephonic consultations. They were also pressured by the medical associations (some of which even declared telecommunication unethical and said that practising it could lead to cancellation of license)[ii]. Patients were hesitant to use telemedicine and a little reluctant to provide their sensitive information online to unknown doctors. They were scared because for a long time there was no telemedicine or data protection law in place. Most importantly, many people, especially the rural population, were and are unaware of the potential of telemedicine and its application in this technological era. The introductory part of the guidelines states that:

“In India, till now there was no legislation or guidelines on the practice of telemedicine, through video, phone, Internet-based platforms (web/chat/apps, etc). The existing provisions under the Indian Medical Council Act, 1956, the Indian Medical Council (Professional Conduct, Etiquette and Ethics Regulation 2002), Drugs & Cosmetics Act, 1940 and Rules 1945, Clinical Establishment (Registration and Regulation) Act, 2010, the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 primarily govern the practice of medicine and information technology. Gaps in legislation and the uncertainty of rules pose a risk for both the doctors and their patients.”[iii]

In Deep Sanjeev Pawaskar and Anr. v. The State of Maharashtra[iv], decided by the High Court of Bombay, a doctor provided advice online to an ailing patient because the routine doctor was unavailable and, unfortunately, the patient died. The High Court held the doctor negligent for using telemedicine to treat the emergency. This case led to widespread criticism, as the patient would have died regardless and telemedicine had no role to play. The case triggered the need for new legislation, and the need for remote doctors during the coronavirus pandemic led to the expeditious introduction of these much-awaited guidelines. These guidelines have opened a door to the future of telemedicine in India. While a lot has been discussed about the salient features of this act, I will strictly adhere to examining the guidelines with respect to personal data protection concerns.

Locating privacy under Telemedicine Guidelines

In the course of doctor-patient interaction, a significant amount of data is shared by the patient, and the guidelines also make it compulsory for the Registered Medical Practitioner (RMP) to store and keep a record of all these electronic health records[v]. An RMP is free to choose the mode of communication for providing telemedicine[vi]. The guidelines list various types of health-related information which the patient needs to provide to the RMP over telemedicine[vii]. Further, the guidelines provide for the maintenance of privacy as well as medical ethics in accordance with the Indian Medical Council Act and rules[viii]. The guidelines also state that the RMP has to follow and abide by the data protection laws, such as the Information Technology Act and other data protection laws and rules (present as well as notified in future), which provide for the protection of patients’ data[ix]. The guidelines also highlight that a breach of confidentiality by a doctor would be declared misconduct and penalized under the IMC Act, ethics, and other laws[x]. Doctors are exempted from charges in cases where there is reasonable evidence to believe that the breach is due to some technological error with no involvement of the RMP[xi].

Reading Telemedicine Guidelines with data privacy laws

Personal information and Data protection Rules 2011

It is quite clear that the telemedicine guidelines have to be read in conjunction with the data protection laws of the country to protect the privacy of patients. After the judgment in K.S. Puttaswamy v. Union of India[xii], privacy is well recognized as part of the fundamental rights of citizens. The data protection laws in India are governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 under the IT Act. The Puttaswamy judgment led to the Personal Data Protection Bill, 2019, which is in the process of being passed by Parliament any time soon, this year or the coming year[xiii]. The IT Rules of 2011, as well as the new Personal Data Protection Bill, treat ‘Health Records’ as ‘sensitive personal data or information (SPDI)’. Under the IT Act’s data protection rules, when a body corporate deals with SPDI (collection, storage, transfer, or processing of SPDI), the data protection rules are activated. The data protection rules consider consent an important requirement, so a doctor or institution is required by law to obtain the consent of the patient in writing for the use of any of his data[xiv]. There is also a restriction on sharing SPDI with a third party without the consent of the patient[xv]. The institution collecting such SPDI also has to put a policy in place and state it clearly on its website[xvi]. A standard procedure for storing data has to be maintained, and there should be a provision to modify[xvii] or opt out[xviii] of the SPDI if the need arises.

Role of Intermediaries

There are many e-health apps which just act as a facilitator between the patient and the doctor and are not directly involved in the transaction[xix]. In these cases, such apps or companies act as an intermediary and are subject to the guidelines of the IT Act specifically meant for intermediaries. Such intermediaries have to carry out certain due diligence, such as including terms of use, appointing a grievance officer, and removing offending/unlawful content within 36 hrs of request.

Telemedicine Guidelines: gaps still need to be filled to protect mass sensitive data

With the advent of the coronavirus pandemic, many state governments are also actively involved in providing their own guidelines[xx] and telemedicine facilities[xxi] through their empaneled state government doctors or through public-private partnership apps and facilities. Although telemedicine has opened a whole new legal world, there are still various legal inadequacies in the telemedicine sector which the present telemedicine guidelines, IT Act, and rules do not properly address.

Firstly, the telemedicine guidelines make no distinction between a ‘data fiduciary’ (a person who stores, collects and processes a massive volume of important data) and a ‘social media intermediary’, nor do they address the case where both are the same entity. For instance, many corporate hospitals (e.g. Apollo)[xxii] which have a wide range of medical businesses are also providing telemedicine. Some pharmaceutical companies (e.g. Lybrate)[xxiii] are also in the business of telemedicine.

E-pharmaceutical companies are already facing uncertainty with regard to the online sale of drugs, with the central government coming out with Draft Rules 2018 to regulate e-pharma, amending the earlier Drugs and Cosmetics Rules of 1945[xxiv]. These rules will also throw light on protecting the data of patients seeking medicines online. But how the draft rules and telemedicine guidelines will regulate e-pharma companies that also provide telemedicine is an area the government needs to focus on, since these companies hold a huge amount of sensitive patient data that is prone to misuse. Many of these apps even provide their own internal channels of communication for doctors and patients. When services are taken from these sites, a huge amount of electronic medical records is transmitted to these companies. Since the doctors belong to the same company, or use a communication channel of the company that is acting as a social media intermediary, believing that data is not shared between them is very optimistic.

Access to such a huge amount of ‘sensitive personal data’ in the hands of corporates without any supervision is troubling. This data might be used to create algorithms for targeted advertising, shared with third parties, or moved outside the country in bulk. In such a scenario, who would be liable if there is a data breach? This is a question on which the guidelines are silent. And as the data protection law stands today, there is not much to offer.

So, we have to go through the pending data protection bill[xxv] to find some answers. In the Data Protection Bill, two types of entities have a huge due diligence obligation when dealing with personal data, namely the ‘significant data fiduciary’ and the ‘social media intermediary’. Under the bill, the obligations associated with the significant data fiduciary (a person holding a huge amount of important data, to be notified by the government) are extended to the social media intermediary (‘an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services[xxvi]’). These significant data fiduciaries and social media intermediaries will be notified by the government.

In addition to the provisions for significant data fiduciaries, such as maintenance of records[xxvii], data protection impact assessments[xxviii], an audit of policies[xxix], and appointment of a data protection officer[xxx], social media intermediaries are obligated to offer users (registering from India or using the services in India) an option for voluntary verification of their accounts. The provisions for the ‘significant data fiduciary’ and the ‘social media intermediary’ seem promising for companies dealing with electronic medical health records, but whether the hospitals providing telemedicine would be notified as ‘significant data fiduciaries’, or the e-health apps storing huge amounts of data as ‘social media intermediaries’, is a question of time as the bill is still pending.

Parting note

The telemedicine guidelines are a huge breakthrough in the field of medical sciences. The guidelines have tried to address a huge amount of anxiety and uncertainty about the practice of telemedicine, but in the context of data protection they sadly do not have much to offer. The guidelines have to be read along with the data protection laws of the country, and as those laws currently stand there is not enough impact to ensure the protection of sensitive patient data in the hands of big hospitals doing telemedicine themselves and e-health apps acting as intermediaries for telemedicine. The new Data Protection Bill, 2019, if passed as it is, would address a lot of these gaps, provided the government notifies these hospitals and e-health apps as significant data fiduciaries and social media intermediaries respectively. Another pending bill is the Digital Information Security in Healthcare Act (DISHA), a regulatory platform for sharing digital records among hospitals, which will be based on setting up digital health records in the country[xxxi]. DISHA, clubbed with the Personal Data Protection Bill and the telemedicine guidelines, would be something to look forward to.


[i] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6618173/

[ii] https://medicaldialogues.in/indian-medical-association-seeks-clear-cut-guidelines-on-telemedication-from-medical-council-of-india

[iii] https://www.mohfw.gov.in/pdf/Telemedicine.pdf

[iv] Criminal Anticipatory Bail Application No. 513 OF 2018

[v] Telemedicine guidelines 2020, section 3.7.2

[vi] Telemedicine guidelines 2020, section 1.4.1

[vii] Telemedicine guidelines 2020, section 3.5

[viii] Telemedicine guidelines 2020, section 3.7.1

[ix] Id

[x] Id

[xi] Id

[xii] 2017 10 SCC 1

[xiii] https://prsindia.org/billtrack/personal-data-protection-bill-2019

[xiv] Rule 5(1) of the Data Protection Rules

[xv] Rule 7 of the Data Protection Rules

[xvi] Rule 4(1) of the Data Protection Rules

[xvii] Rule 5(7) of the Data Protection Rules

[xviii] Id

[xix] https://www.dr-hempel-network.com/digital-health-startups/doctor-patient-platforms-in-india-success/

[xx] See Maharashtra: https://www.maharashtramedicalcouncil.in/Files/Notifications_26032020_MCI%20Notification%20Regarding%20TELEMEDICINE.pdf, See Karnataka: https://www.mondaq.com/india/healthcare/905172/karnataka-government-notificationregulations-on-covid-19

[xxi] See Kerala: https://economictimes.indiatimes.com/industry/healthcare/biotech/healthcare/kerala-govt to-use-telemedicine-service-e-sanjeevani-for-non-covid-patient-care/articleshow/76370573.cms?from=mdr, See West Bengal: https://www.newindianexpress.com/nation/2020/jun/30/west-bengal-sets-up-covid-warrior-club-to-help-contain-pandemic-2163150.html, See Tamil Nadu: https://tsitn.org/telemedicine-facilities-in-tamil-nadu/, See Karnataka: https://economictimes.indiatimes.com/news/politics-and-nation/karnataka-govt-launches-apthamitra-helpline-and-app-to-fight-covid 19/articleshow/75293952.cms?from=mdr, See Delhi: https://www.newindianexpress.com/cities/delhi/2020/jul/04/aap-launches-district-surveillance-telemedicine-hub-to-help-with-covid-19-requirements-2165260.html, See Rajasthan: https://timesofindia.indiatimes.com/city/jaipur/rajasthan-government-starts-free-medical-tele-consultation-service/articleshow/75540116.cms

[xxii] Id

[xxiii] Id

[xxiv] https://www.mondaq.com/india/food-and-drugs-law/865476/regulations-for-online-sale-of-medicines and-drugs-in india#:~:text=India%3A%20Regulations%20For%20Online%20Sale%20Of%20Medicines%20And%20Drugs%20In%20India&text=The%20draft%20rules%20prescribe%20that,registered%20with%20the%20applicable%20authority.

[xxv] Supra

[xxvi] Section 26 (4) Private Data protection bill, 2019

[xxvii] Section 28 Private Data protection bill, 2019

[xxviii] Section 27 Private Data protection bill, 2019

[xxix] Section 29 Private Data protection bill, 2019

[xxx] Section 30 Private Data protection bill, 2019

[xxxi] https://pib.gov.in/Pressreleaseshare.aspx?PRID=1578929

A key takeaway from SBI’s call for applications for ‘Data Protection Officer’

State Bank of India, to my knowledge, is one of the first Indian bankers to announce positions for the “Data Protection Officer”.

I am considering this a good sign that the Bank has recognized the need for an exclusive officer. But with the Personal Data Protection Bill still under consideration, the call for applications for the positions might be driven more by the international demand from their foreign branches, which should have received notices from some supervisory authorities of foreign jurisdictions, but it could also be a slight realization that data protection is a necessity of business.

The educational qualifications required for the post are as follows:

  • Graduation or its equivalent
  • Preferred Professional Certification:
      • Certified EU GDPR Foundation,
      • CIPP (Certified Information Privacy Professional),
      • CIPT (Certified Information Privacy Technologist),
      • CIPM (Certified Information Privacy Manager) etc

The post-qualification work experience required is:

  • Minimum 15 years’ post qualification work experience (as on 01.04.2020) as Executive/Supervisor in Corporate Sector, out of which at least 10 years’ experience should be in BFSI Sector.
  • Preferred: Experience in Data Privacy Laws & Regulations and other Data Security areas with associated IT skills.
  • The age restriction is 55 years and the appointment is contractual for 2 years.

The following special skills have been specified as requirements:

  • High level specialist knowledge in the General Data Privacy Regulation underpinned by theory and experience
  • Evidence of continuing professional and/or personal self-development.
  • Expert knowledge of data privacy laws and practices.
  • Exposure to Data Privacy laws & regulations such as General Data Protection Regulation (“GDPR”), UK Data Protection Act 1998 etc.
  • Knowledge of Information life-cycle, risk management & data security areas.
  • Extensive knowledge of Information Governance disciplines.
  • Skill of interpretation of national guidance and legislation and subsequent local implementation.
  • Flair for managing staff and implementing budgets. Training Delivery.
  • Capacity to work with cross functional teams, attention to detail, organizational skills and multitasking.
  • Strong management, motivational & leadership skills with ability to drive large change management programs within organizations.
  • Ability to maintain confidentiality and deal with situations in a sensitive manner.
  • Ability to communicate across all organizational boundaries in an appropriate manner.

Key Takeaway

The job description and specified qualifications do not mention at all any knowledge of Indian data protection law, either on the basis of the Information Technology Act 2000 or (Amendment) 2008 or on the basis of the proposed Data Protection Bill.

The usage of “etc” at various places may include the knowledge of such laws and may be taken into consideration when candidates are screened.

Overall, such an announcement indicates that other banks will also start considering these positions shortly and start opening opportunities for “Data Protection Professionals”.

Public health surveillance in India: concerns of an individual’s liberty and privacy amid a pandemic

(This article borrows extensively from another article that the authors wrote for, and first published on, the Leaflet)

The world is grappling with the kind of situation that it has never seen before. The rapid pace of COVID-19 spread made it necessary for the governments around the world to use extreme means and measures that would otherwise be considered Orwellian. These emergency measures by the governments are attempts to effectively enforce a lockdown and strictly prohibit movement of the citizens in a bid to break the chain of infection.

As governments attempt to contain the contagious virus, the use of technology for monitoring people undergoing quarantine has doubled in order to combat the spread of the virus. Ordinarily, under such a developing Orwellian state of affairs, civil liberty activists and privacy advocates stir commotion; considering the scale of the crisis, they seem to tacitly embrace these measures. It is obvious that this pandemic is reshaping our relationship with surveillance technology, albeit with the fear among some that such surveillance could become the norm.

World under surveillance

Across the globe, countries are expansively deploying tech-enabled surveillance infrastructure of Face Recognition Technology (FRT) based CCTVs, drones and cell phone tracking devices for contact tracing and enforcing quarantine. A growing number of countries, such as Israel and South Korea, are ‘contact tracing’ using mobile applications or cell phone records. Contact tracing is a process of mapping the travel history of an infected person by analyzing the location records of their cell phone. It is followed by pinpointing, for quarantine, the other people who might have come in contact with that person. Meanwhile, Taiwan has gone a step further in quarantining the traced contacts by deploying an ‘electronic-fence’. If a mobile user’s SIM card is tracked beyond the reach of a network station or found to be switched off, law enforcement authorities quickly approach the suspect.

In India, law enforcement authorities across the nation are increasingly using technology to monitor and restrict the spread of the virus. In several states, such as Rajasthan, Punjab and Delhi, local authorities have published lists of personal details of those suspected of or infected with COVID-19 in online media and newspapers. The Karnataka government has taken this to an inordinate level by mandating all quarantined persons to send a selfie with geo-tags through an official app named ‘CoronaWatch’ every hour, except during sleeping time between 10 PM and 7 AM. Now, the Ministry of Electronics and Information Technology (MeitY) has also launched an app, ‘Aarogya Setu’, which uses Bluetooth and GPS to alert an individual if they come within six feet of a COVID-19 infected person.

The case of “Public Health Surveillance”

Law enforcement agencies of different countries are carrying out tech-enabled surveillance on their citizens to ensure compliance with the rules of social distancing and lockdown. In normal times, such measures are targeted against terrorists or criminals, and are also scrutinized for privacy and civil liberty concerns.

However, even the World Health Organisation (WHO) has sought to play down privacy concerns in these unprecedented times, by terming the measure as “public health surveillance”. The WHO has simply legitimized the governments’ argument that the extraordinary situation of COVID-19 pandemic necessitates the use of an extraordinary measure of mass surveillance. The public health emergency of such magnitude is being touted as a valid justification for deploying tech-enabled mass surveillance and subversion of individual rights.

Is surveillance a matter of concern for India?

There are certain unique reasons why the implementation of these emergency measures in India is worrisome.

No clarity on the legal basis for surveillance measures

Firstly, in India, neither the central government nor the state governments have provided any legal basis for directing such tech-enabled surveillance measures. For instance, neither the official press release of the Aarogya Setu app nor Karnataka’s ‘mandatory selfie’ direction mentions any legal grounds for such directions, nor has either provided any privacy policy with it. The absolute abandonment of civil liberties and privacy in the interest of public health, without the bare minimum legal foundation, portends negative consequences.

The government has invoked the Epidemic Diseases Act, 1897 and the Disaster Management Act (DMA), 2005 to deal with the COVID-19 outbreak. Neither the colonial-era Epidemic Diseases Act nor the NDMA covers surveillance in its scope. There is, however, an argument that the basic residuary power under these laws to take ‘necessary’ steps to curb the spread of the virus accords the government legitimate authority for surveillance.

It is unclear why the government has not availed these very basic residuary powers to also notify standing rules on privacy or on the lawful manner of deploying tech-enabled surveillance measures. As a natural consequence, government directives infringing an individual’s right to privacy cannot be tested for their legality, arbitrariness or lack of accountability in the absence of any standing rules. This is particularly dangerous in a country like India where a data protection statute does not exist.

The use of unregulated novel technologies for surveillance provides no legal checks and oversight

Secondly, the details regarding the technological capabilities of the government for surveillance are largely a secret. It is the sudden outbreak of the pandemic that has forced the government to openly introduce a deluge of unregulated, contemporary and emerging technologies for mass surveillance. There is a growing concern among certain privacy advocates that tech-enabled surveillance could persist beyond the pandemic once it gets accepted and normalized in the present emergency. History is witness that most of the world’s dictatorships and authoritarian regimes emerge amid crises.

There is no information available about the extent and scope of the government’s capabilities and techniques. The secrecy about the techniques of surveillance impedes legislative checks and institutional audits. If the public is unaware of how a technology works (due to non-disclosure by the Executive), that manner of surveillance cannot even be challenged in a court of law. Therefore, such secrecy is nullifying the system of checks and balances in favor of ever-augmenting executive power.

Several surveillance techniques are disproportionate and unnecessary

Thirdly, because technologies of varying levels of invasiveness are being used, there are doubts regarding the necessity and proportionality of such measures in relation to the right to privacy and individual liberty.

The Puttaswamy (I) judgment explicitly recognized, in reference to public health, that to legitimately restrict fundamental rights such as privacy and liberty, a measure should be proportionate in nature. In the case, the SC held that a government measure is proportionate if it satisfies the following four criteria: 1) the measure should pursue a legitimate purpose; 2) the measure should be rationally connected to the purpose; 3) there should be no less intrusive alternative measure available; 4) the measure should accrue a public benefit greater than the extent of infringement of a constitutional right.

More than half of the population of the country doesn’t have access to internet services. In such a scenario, how is surveillance through a mobile application a necessary measure? Further, several state governments are taking extreme measures of disclosing the home addresses and other personal details of infected and suspected persons, which grossly fall afoul of three prongs of the constitutional test upheld in the Puttaswamy I judgment. An obviously less intrusive measure, such as informing at a locality level about the presence of infected cases in the area, could have sufficed. The Allahabad HC also held such practices of the UP government, namely publishing personal details of anti-CAA protestors in public, to be an “arbitrary invasion of privacy”.

Karnataka has rolled out a mobile application which comprehensively discloses the location history and home addresses of persons infected and quarantined. Some of the states are also publicly listing such details widely on social media channels. Such invariable disclosure of the private information of infected and suspected persons has prompted concerns about the possibility of social intimidation.

There have already been reports from across the nation of infected and suspected patients facing stigmatisation and various forms of discrimination, which are further resulting in a negative social impact. For instance, in Maharashtra, public listing of coronavirus suspects on social media led to several cases of forceful eviction of quarantined people by their landlords.

Such events call into question the proportionality and necessity of the measure, as it would have been satisfactory had the government instead chosen a less intrusive measure.

Ways to resolve the concerns

There is no denying that certain limitations can be imposed on civil liberties given the urgency of the COVID-19 crisis. However, in a democratic set up like India it is expected from the government that its actions should be transparent and provide a window to the public to assess the government’s accountability. All the worrisome aspects related to public health surveillance measures can be subdued by making concerted efforts to introduce legal backing for its actions, to establish institutional oversight and to use the least intrusive means.

To provide the legal basis, the government can issue standing rules that lay down the legal and accountability measures for the responsible local authorities undertaking public health surveillance. The governments should avail the residual powers under the NDMA and the Epidemic Diseases Act to also issue ad-hoc rules and guidelines in addition to the emergency surveillance measures. These rules and guidelines will provide the mechanism under which surveillance can be carried out without causing detriment to an individual’s privacy and liberty.

The government can presently provide such ad-hoc rules for privacy protection based on principles similar to those delineated in the Personal Data Protection Bill 2019 (“PDPB 2019”) for data collection during health emergencies. Clause 12 of the PDPB 2019 exempts data fiduciaries from taking consent under urgencies like a pandemic, but strictly imposes requirements of data minimization or purpose limitation, lawful processing, transparency and accountability. Introduction of such principles will ensure that the information collected through surveillance is handled under constitutional checks to maintain privacy as much as possible.

Such ad-hoc rules will obligate the government, as a data fiduciary, to follow the principle of purpose limitation, such that the authorities should only collect the minimum possible data which is sufficient for tracing contacts, enforcing quarantine and any other lawful and specific purpose. The government shall use anonymised data only and adopt all security measures to prevent leaks and maintain the confidentiality of the personal data of data subjects. The rules will also mandate the government to delete the collected data at the earliest after it has been used for the specified purpose. This will automatically dispel the emerging concern that the effects of surveillance could persist beyond the pandemic. Further, it will inhibit the misuse of personal data and the abuse of surveillance measures.

The surveillance measures aim to keep people in quarantine and check the spread of infection for their benefit; it is therefore suggested that the government should hold no secrets about its surveillance techniques and methods. It should adopt a “Public Notice” system such that the local district administration has to notify the public of the model of surveillance before conducting surveillance.

At the very least, this notice should disclose the legal rules governing the tech-enabled surveillance measure, and its purpose. It should be clear on the authorization required for the retention, access, and use of information collected through the use of such novel technology. Such a notice would provide the transparency in the process of imposition of surveillance and allow the legislature and public to exercise meaningful control and oversight over the manner of deployment of unregulated technologies for surveillance.

Parting note

Unarguably, the present situation calls for governments to take substantial measures to protect the lives and health of the public at large, but this should not happen in utter disregard of the constitutionally recognized rights to privacy and individual liberty. The policies and techniques of government should be legitimate and proportionate in order to maintain the democratic principles of public trust and transparency. There is no hard choice between public health and the individual’s right to privacy and liberty. Both can mutually co-exist under a legal framework that guarantees the challenge to unnecessary expansion of the surveillance regime.

As pointed out by Deborah Brown, senior digital-rights researcher at Human Rights Watch, “surveillance measures should come with a legal basis, be narrowly tailored to meet a legitimate public health goal, and contain safeguards against abuse”.

Therefore, the government should definitely focus on the situation of urgency for many instead of investing focused efforts in ensuring rights for a few, but it should not absolutely ignore its accountability towards any section of the community. These fundamental rights are the lungs of the edifice of our entire constitutional system. The government should make efforts to prevent any injury to them as much as possible.

COVID-19 crisis is changing Tech related Law and Policy: Surveillance, Fake news, Telemedicine, and Internet

As I view things and events around the world from the comfort of my home, this blog is my take on how regulations related to technology will get impacted due to the COVID-19 pandemic. As they say, sudden and unexpected events often lead to systematic and permanent changes. Work from home is a mandate now; as the fear of personal contact and surface contact is prevalent, everyone is uncertain about the impact of infection. There are even doubts about globalization, given that the infection is spreading from one corner of the world to another.

Given the fact that COVID-19 is a pandemic, the authorities have commanded us to practice ‘social distancing’ (trending buzz word on social media) under the twenty-one days lockdown. Hence, there is an unwillingness to engage socially among masses now. As there are shifts in perceiving the world now, there is a shift in the understanding of technology as well. Governments around the world are now valuing its role more than ever and understanding the need for the well-drafted technology policy, as they rush to contain the spread of COVID-19.

Following are the potential changes that we can see in the technology policy of India during and after the COVID-19 crisis.

Increase in the adoption of internet services

With the reach of the internet increasing up to 500 million users and over 660 million broadband subscriptions, internet penetration in India is evident. However, the present situation is proof that it has been a boon for us that Jio entered the market and made the internet more accessible than ever. The internet is an essential service and something that has kept the masses engaged and sane in their homes during the nationwide lockdown. India has the cheapest internet access in the world, but still, as the crisis gets over, the government will definitely consider more options for making internet services more accessible to the poor of the country, who are largely suffering in this crisis. In the present lockdown state, it is important to mention the situation that exists in Kashmir, where only 2G internet is available, at a speed which is good for nothing.

India has the cheapest mobile data in the world with 1GB costing just Rs 18.5 (USD 0.26) as compared to the global average of about Rs 600, research by price comparison site Cable.co.uk showed. Average Wireless Data Usage per wireless data subscriber per month is 10.37 GB.

Work from Home

Zoom, a video-meeting app, has seen a significant rise in its downloads over the last week. With employees unable to attend offices, video conferencing services that work over the internet have become significant. Again, such applications make access to the internet an essential service for operating a business online (a fundamental right). As employment laws are being discussed these days to understand the place of Work from Home in the law, policymakers will definitely deliberate on this after the crisis and provide a permanent solution for it.

Certain important points for the reference of readers from the advisory issued by the government in relation to employment laws:

The Ministry of Labour & Employment, Government of India advised on March 20, 2020, that all public and private organizations are to refrain from terminating the services of their employees or reducing their wages.

The Ministry of Labour & Employment has extended the deadline for filing the Unified Annual Return for 2019 under eight laws that were filed on the Shram Suvidha Portal to April 30, 2020 (the previous deadline was February 1, 2020). The notification further states that authorities are not to take action against any entity that did not meet the earlier deadline.

The Employees’ State Insurance Corporation (ESIC), through its communication dated March 16, 2020, has extended the dates for filing of ESI contribution and payment. Accordingly, all contributions for the months of February 2020 and March 2020 can be filed and paid up to April 15, 2020 and May 15, 2020, instead of March 15, 2020 and April 15, 2020, respectively.

The Government of India will contribute the employer contribution (on behalf of companies) and employee contribution (on behalf of employees of those companies) towards the Employee Provident Fund Organization (EPFO) for the next three months for establishments with up to 100 employees meeting certain base salary thresholds.

All EPFO members (employees) will now be able to withdraw up to 75 percent of their total EPFO fund or an amount equivalent to three months of their salary, whichever is lower. The amount withdrawn from EPFO shall be non-refundable, and the employees do not need to return the same to their EPFO account.

Streaming services and regulations

In the process of home quarantine, the dependence on streaming services is so great that internet service providers have asked streaming platforms like Netflix and Amazon Prime to reduce the bit rate in order to lower the stress on networks. The streaming platforms have duly conceded to this demand considering the continuous requirement of providing services to consumers. Consumers are realizing the benefits of streaming platforms and hence there is going to be a potential increase in subscriptions going forward, converting to paying users. In terms of policy-making, if streaming services have the potential to displace traditional entertainment services, the Indian government will look to regulate the content more than ever. The government is already in consultation with the stakeholders regarding options of self-regulation or government regulation.

Increase in demand for spectrum to meet the consumer demand

The percentage of connections that are based on a wireless medium is a staggering 96% approx. The increased adoption of the internet for continuous entertainment and work at home has therefore led to increased stress on telecom operators. With the 20% sudden increase in demand, telecom operators have sought more spectrum allotment from the government.

A new perspective for e-commerce

The government has rightly considered E-commerce as the provider of essential services during the present situation. Their adequate performance under the lockdown can provide them with a deep sigh of relief, as for the past few months, their food and grocery delivery services have been under the strict supervision of the government. There are several lobbies representing the brick and mortar retailers of groceries and food that have targeted e-commerce market and posed it as a threat to the business of offline retailers across the country. The opportunity for them to legitimize the need for online service during the lockdown has done what demonetisation did for digital payments.

Offline print becomes the victim

Online media channels are also opportunists that are gaining certain traction in terms of consumers. The newspaper industry seems to have been hurt by the contact-to-contact spreading nature of COVID-19. Various online posts and WhatsApp threads claiming that newspapers are potential vectors of COVID-19 are circulating in online media. In one of the cases, the Times Group has sent a legal notice to The Print for an article which suggested that COVID-19 can potentially spread through newspapers as well. Therefore, there could be a rise in online media usage, and this could lead to a rift between offline and online media.

A struggle to contain fake news or misinformation

The sensational way in which the COVID-19 crisis has led to the nationwide lockdown owes much to the sensationalized content related to COVID-19, which is spreading through social media across the country faster than the virus itself. The amount of misinformation spreading about COVID-19 is large in scale, and platforms are struggling to deal with it, especially given the lack of continuous moderation by social media platforms which are not warranted legally. This has dealt several blows to the effectiveness of the lockdown, given that people believed certain misinformation, such as that cow urine is the cure for COVID-19 or that religious congregation will protect from the disease, which led people to not take the lockdown seriously. Understanding the struggles with automatic moderation of content on the internet, the government may, sooner than before, enforce a strict moderation policy which undermines the right to free speech.

The twenty-one-day lockdown recently faltered when an exodus of a large number of migrant workers from urban cities like Delhi and Jaipur came to light. The Supreme Court’s division bench, in a hearing on Tuesday, while reviewing the steps that the central government has taken to provide relief to the poor migrant workers during the lockdown, expressed serious concern over the spread of fake news or misinformation regarding the lockdown’s duration on social, electronic and print media, causing the mass exodus of migrant workers from cities to their homes in villages. Read the SC’s order here. The Centre, in this light, has sought a direction from the SC that no media stakeholders should publish COVID-19 news without ascertaining facts with the government. However, constant and close monitoring has been held as not warranted by law as per various precedents of Indian courts.

Privacy, necessity and proportionality

While the right to free speech could be threatened in the future due to the present crisis, the right to privacy has already been dealt several blows. Considering the situation of emergency and the lack of any comprehensive law protecting privacy, the privacy of a number of citizens has been compromised. The health status of quarantined or infected persons is open to all, as their homes are being marked and personal details are being made public on social media. Governments are openly surveilling quarantined people to ensure the enforcement of quarantine and inviting bids from technology companies to procure technology that can make continuous surveillance more effective. In India, several governments are already tracking citizens by keeping a tab on their phones or utilizing geofencing. The crisis has legitimized the government’s long-standing plans to create an infrastructure which can assist in surveilling its citizens whenever the need arises. Given the opportunity, the Department of Science and Technology has invited proposals and has set up a task force for building surveillance, AI and IoT tools.

Several privacy activists have opinions against the government’s plan to keep track of infected persons. If litigation arises, the question is whether the present circumstances will meet the necessity and proportionality test in order to justify the violations of privacy.

Drones as part of law enforcement

Drones, in some cities, are being used for surveillance to ensure that the current curfew is not violated. Drones allow the police to surveil and document in a low-risk manner. In cities like Chennai, they are being used to disinfect areas. If all goes well in these difficult times of crisis, then expect that police will place more orders for drones going forward, and many tasks will be automated.

Telemedicine guidelines

One of the prime examples of the proposition that the experience of the COVID-19 crisis will speed up policy-making with respect to regulating technology is the rollout of a set of guidelines for telemedicine, or remote delivery of medical services. Telemedicine practice means that doctors will now be allowed to use information and communication technologies, as per the guidelines, for the exchange of valid information with patients for diagnosis and treatment of ailments. In order to assure steady and quick medical services during the nationwide lockdown, the Ministry of Health and Family Welfare finally sanctioned the guidelines that had been proposed ten years ago. Globally, telemedicine has emerged as a front-line weapon against the COVID-19 pandemic. The situation under the present crisis motivated the government to bring the concept of telemedicine to the masses, explaining that the unnecessary exposure of people involved in the delivery of healthcare can be avoided using telemedicine, as patients can be screened remotely.

Simplifying FinTech and FinTech Laws: Key Takeaways for Indian FinTech Industry

The significant advancements in Fintech are directly impacting the traditional financial sector. The regulators have to be cautious not to miss the train and should jump on the wagon of promoting financial innovation and stiff competition in the sector. The newcomers in the sector should be provided certain leniency in the form of exemptions from a number of strict compliances which are used to curb the malpractices of the big corporations, for the sake of promoting competition in the market. This post deals with key takeaways from reports of different regulators’ committees in India. This is the last post in the series of ‘Simplifying FinTech and FinTech Laws’.

Fintech charged firms and businesses must work in tandem with the regulated entities, e.g. banks and regulated finance providers. The businesses that a bank can undertake are provided under Section 6 of the Banking Regulation Act, 1949 and there is no business outside Section 6 that can operate as the bank. Such provisions, therefore, incentivize banking companies to make fintech innovations in a narrower scope relevant to their operations. The archaic laws make it difficult for banks to undertake fintech innovations that can be of significant utility but are beyond the scope of financial regulation.

The Watal Committee Report noted this:

“The current law does not impose any obligation on authorised payment systems to provide open access to all PSPs. This has led to a situation where access to payment systems by new non-bank payments service providers, including FinTech firms, is restricted. Most of them can access payment systems only through the banks, which are also their competitors in the payments service industry. This, according to the Committee, has restricted the fast-paced expansion of digital payments in India by hindering competition from technology firms.”

Forming a comprehensive and non-discriminatory regulatory approach

Regulators and legislators are required to realign their legal approach to Fintech services. There is a requirement to develop a deeper understanding of various Fintech services and their interaction in a financial environment with other fintech services. For the fintech space to work to its utmost potential, it needs a level playing field in relation to the traditional banking and non-banking players. The practice of restricting the access of non-bank institutions to payment infrastructure, such as AEPS, has to be reevaluated and proper steps have to be taken. The Government and regulatory bodies are required to adopt necessary measures in order to provide accessibility to national payment infrastructure and facilities to all fintech firms without any discrimination.

Providing Standards for Data Protection and Privacy

All the fintech companies are required to invest significantly in self-regulating policies to prevent privacy risks. Fintech companies should be provided with the standards of data protection as soon as possible by government and regulators. It is evident that the provisions of the Personal Data Protection Bill, 2019 can significantly affect the growth of Fintech companies. Therefore, the standards adopted for fintech companies by regulators should be reviewed with respect to data protection and privacy concerns. The government and regulators specific to finance of the country should start focusing on the valuation of data that is processed by banking companies and recommend practices to safeguard consumer interests.

Open Data principles should govern the financial sector in order to enhance Competition

The regulators should pay heed to the open data policy among participants of a fintech sector. The regulators should begin with the mandatory norms directing financial service companies to encourage banking institutions to enable participants to access the databases of their rejected credit applications on a specific platform on a consensual basis. The practice of the UK with respect to Open Data Regulations in Banking can be adopted, where banking institutions on the basis of consent framework allow data to be available to banking partners in order to foster competition. Even the RBI Steering Committee on Fintech recommended:

“It also recommends that all financial sector regulators study the potential of open data access among their respective regulated entities, for enhancing competition in the provision of financial services.”

The KYC process should be reformed with respect to the Supreme Court’s Judgment on Aadhaar’s validity

Fintech businesses are the entities most affected by the striking down of Section 57 of the Aadhaar Act, as it invalidated the online KYC process. The online KYC and authentication provided the required efficiency and convenience to fintech firms with respect to their endeavours of on-boarding as many consumers as possible on their digital platforms. It is recommended that alternatives to the mandatory linking to Aadhaar should be adopted in the form of possible video-based KYC, such that the documents as verified must be protected and processed with the prior consent of the consumer.

Other key recommendations

1. It is recommended that the adequate cybersecurity, anti-money laundering and fraud control measures should be adopted by investing in technologies and guidelines that can prevent fraud.

2. Technical innovations should be monitored with respect to the potential risk that innovation carries in operation under the contemporaneous legal landscape of the country.

3. A self-regulatory body to facilitate the needs of fintech is much needed as for the RBI it is still turning out to be difficult to replace the existing regulatory structure. A regulatory mechanism allowing the broader participative consultation approach should be adopted.

4. Regulators should invest in Reg-Tech (“Reg Tech is a sub-set of FinTech that focuses on technologies that facilitate the delivery of regulatory requirements more efficiently and effectively than existing capabilities. In July 2015 the FCA issued a call for input entitled ‘Supporting the development and adoption of Reg Tech’.”)

5. The majority of economies have adopted the practice of setting up of the regulatory sandboxes catalyzing the fintech innovations. It is recommended that RBI should continue with the introduction of the mechanisms, like regulatory sandboxes, enabling the adaptation of regulatory initiatives which will play a key role in maintaining India’s competitive edge.

Delhi HC has expanded the scope of injunction orders in Internet jurisdiction: Geo-blocking to Global-blocking in IT law

This post has borrowed extensively from an earlier blog-publication by Aryan Babele on Tech Law Forum @ NALSAR.

On 23rd October 2019, the Delhi HC delivered an impactful judgment authorizing Indian courts to issue “global takedown” orders to Internet intermediary platforms like Facebook, Google and Twitter against illegal content uploaded, published and shared by their users. The Delhi HC delivered the judgment on the plea filed by Baba Ramdev and Patanjali Ayurved Ltd. requesting the global takedown of certain videos which are defamatory in nature.

The Court passed the order in the context of its observation that there is a ‘hare and tortoise race’ between technology and law such that the ‘technology gallops, the law tries to keep pace’. Such observation reflects that the Court’s intention is to interpret IT law in the manner which will ensure the effective implementation of the judicial orders throughout the internet jurisdiction and mitigate the circumvention of such orders by use of the advanced technology.

However, the Court’s order is attracting criticism globally from several internet-freedom activists. It seems that the Court has made a hasty attempt to win the ‘hare and tortoise race’ and has missed on considering the far-reaching implications of it on the IT law jurisprudence and conflict of law provisions. This article aims to analyze and indicate the significant points in the Delhi HC’s judgment, which the Court lacked in considering while relying on the unsettled jurisprudence of global injunction orders.

Background- The case of Swami Ramdev v. Facebook

In Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC], Swami Ramdev (a prominent yoga guru and public figure) filed a case before the Court against Facebook, Google, YouTube and Twitter, inter-alia, praying for the global take down of defamatory contents (videos) as uploaded, published and shared by users of these intermediary platforms.

The given case stems from the publication of videos on the defendants’ platforms, which are based on those particular offending portions of the book titled “Godman to Tycoon: The Untold Story of Baba Ramdev” by Priyanka Pathak Narain, which are already subject to an ad-interim injunction granted by the Court in Swami Ramdev v. Juggernaut Books [CM (M) 556/2018] in May 2018.

Subsequently, in January 2019, the Court passed an interim injunction against the defendants’ platforms to disable access to the offending URLs and weblinks for the Indian domain as per Section 79 of the Information Technology Act, 2000, [hereinafter referred as IT Act 2000] i.e. ordered geo-blocking.

However, the plaintiff argued that the geo-blocking is an ineffective solution as the objectionable content is widely available on the global internet and internet users in India can still access such content using VPNs and other such mechanisms. Therefore, the only effective remedy, according to the submission of plaintiff, is to issue a global blocking order.

Internet intermediaries have contended against such a global take down mechanism as it poses a number of technical and legal difficulties for them. Firstly, cross-jurisdictional laws vary in standards for determining defamation, and hence disabling access globally will breach the principles of international comity. Secondly, in order to globally disable access to the content, the intermediary platforms have to monitor every upload on their platforms which is technically difficult and legally wrong.

The Delhi HC’s Judgment

The Court, agreeing with the plaintiffs’ submission, went on to hold that the online intermediary platforms can be ordered to take down content globally by a competent court in India, as the content is published on their global services. It observed that complete removal is needed because there are easy-to-use technology applications widely available that help local users circumvent the geo-blocking and render the take-down order useless. Therefore, an absolute removal globally is an absolute remedy, as per the Court’s observations.[1]

Further, the following directions, hereby in brief, have been put forth by the Court to support its order:

  • The Court broadened the interpretation of Shreya Singhal v. Union of India: As per the Court, Section 79 of the IT Act 2000 provides that in order to avail the safe-harbor immunity, “intermediaries have to take down and disable access to the offending material residing in or connected to a computer resource in India”. It interpreted the definition of ‘Computer Resource’ as given in the IT Act, such that the “Computer Resource” as per the judgment “encompasses within itself a computer network, which would include a maze or a network of computers. Such a computer network could be a global computer network”.[2]
  • Global take downs are technologically possible: The Court held that whenever any content violates the community standards of the internet intermediary platforms, such content is taken down globally by the platform on its own. Therefore, it observed that it is technologically possible for the platforms to take down content globally on the orders of the competent courts as well.
  • Application of IT Act in extra-territorial jurisdiction: In order to justify the global take down, the Court explained that, “a perusal of Section 75 of the Act shows that the IT Act does have extra territorial application to offences or contraventions committed outside India, so long as the computer system or network is located in India”.[3] Therefore, the Court held that as long as the content has been uploaded from the Computer Resource located in India, Indian courts will be competent to pass the global injunction/ take down orders.
  • Allowing the direct ‘Notice-and-Takedown’ mechanism for the future uploads of the objectionable content: The Court has held that the plaintiffs can approach the intermediaries directly if it finds the publication of the questionable content again on their online platforms in future. However, the Court has provided an option of the counter-notice system for intermediaries, by opting which the intermediaries can refute claims of illegality and shift the onus of proof back on plaintiffs, such that after which the plaintiffs will have to approach the Courts for an appropriate remedy.

Observations: the Loopholes, Unsettled Jurisprudence and the Comment

The Loopholes

It is completely understandable that the Court is favouring the global take-down order to make its injunction orders against global services more effective. Unfortunately, in its broad evaluation of legal feasibility of the global injunction order and technological capabilities of intermediaries to obey the same, the Court missed on considering certain very significant arguments[4]:

  • Use of VPNs the other way around: The Court agreed with the plaintiffs’ argument that, due to the wide availability of easy-to-use applications like VPNs, geo-blocking is circumvented. However, it didn’t consider the circumvention the other way around, in which the user can upload the content using a VPN and other web proxy services, and can further easily fake the IP address to make it look as if the content is being uploaded from outside India, negating the Court’s jurisdiction. Therefore, a global takedown order, even prima facie, doesn’t seem to be the appropriate remedy.
  • In denial of the principle of international comity and right to information: The cross-jurisdictional defamation laws vary on a large scale. If global takedown were mandated, the platforms would be wary of falling foul of the law in other countries. For example, if Indian courts mandate the global takedown of content which is not at all questionable as per the laws of certain countries, the takedown order will be in contravention of the right to information of citizens of that country. Not respecting the laws of another country amounts to a breach of the principle of international comity and conflict of laws.[5]
  • Without due consideration to the rights to free speech and privacy: The Court failed to understand the technicalities involved in the operation of global take down orders: the intermediary platforms have to start monitoring each and every piece of content that is being uploaded in order to stop the dissemination globally. This will further impose the risk of private censorship on the Internet and affect the right to free speech and privacy of users. The constant and close monitoring has been held as not warranted by law as per various precedents of Indian courts.[6]
  • Shifting away from the law established by the Manila Principles on Intermediary Liability and Shreya Singhal case: The Court has allowed plaintiffs to directly approach the intermediary platforms in case of re-uploading of the objectionable content in future. This is a great shift away from the existing process under Section 79 of the IT Act, 2000 as established by the Supreme Court’s landmark judgment in the Shreya Singhal case, which requires intermediaries to take down or disable the access to the content only in cases of receiving an order from either the government or the Court to do so. The same is considered global best practice according to the Manila Principles on Intermediary Liability.
  • The question of extraterritorial application of the IT Act in the present case: As per the Section 75 of the IT Act 2000, it is clear that the Act applies extra-territorially to certain offences or contraventions committed outside of India if the same is committed using “a computer, computer system or computer network located in India, the contraventions as contemplated under the Act are provided for in Sections 43, 43A, 66A, 66B, 66 66E and Section 66F.” Defamation is not covered in any of these provisions.[7]

Heavy reliance on the unsettled jurisprudence

The Court has heavily relied on certain foreign judgments while reaching the conclusion in its own judgment. The issue with the same is that the jurisprudence around geo-blocking and global injunctions is unsettled and still developing; with the Delhi HC’s order adding more confusion to the same.

The Court has relied on the case of Google Inc. v. Equustek Solutions Inc., which is the living proof of the unsettled jurisprudence.[8] The Supreme Court of Canada ordered Google to de-index listings from its search results in order to provide protection to trade secrets of a subject from Google globally. While the Supreme Court of Canada upheld a global injunction against Google, the US Court sided with Google, ruling that the Canadian order “threatens free speech on the global internet”.

The Court also relied on the case of Eva Glawischnig-Piesczek v. Facebook Ireland Limited, in which the CJEU ordered Facebook and other platforms to remove questionable content and copies of the same, and to block access to the same, globally. While emphasizing the case, the Delhi HC didn’t consider at all the CJEU decision in the case of Google v. CNIL[9], in which it was held that Google is not required to de-reference listings from its global service just because the content has been declared to be illegal by an EU member state.

Comment

It is clear that the Delhi HC left a lot to consider before delivering the judgment, from the complexities of territorial jurisdiction to the difference in nature of cross-jurisdictional laws. In the present case, the Court mainly failed to understand the varying nature of defamation laws across jurisdictions: in the UK, the burden of proof is on the defendants to prove that the content is not defamatory, while in the US, a heavy onus of proof is placed on the plaintiff.

The Court also failed to consider certain very important foreign judgments which have specifically highlighted the issue of difference in the nature of law. In Google v. CNIL, CJEU held that the ‘right to be forgotten’ (which was the main issue in the case) has differences in standards for its application and interpretation around the world. Therefore, it agreed that it is enough for Google to block access to the questionable content from the EU domain only. Further, in Bachchan v. India Abroad Publications Inc.[10], the Supreme Court of New York County refused to enforce a defamation judgment awarded by the High Court of Justice in London, England, ruling that it will be a threat to the free speech protections as offered by the First Amendment to the US Constitution.

Unarguably, internet jurisdiction has always been a challenge for the courts and governments. Courts have always been behind technology in the race and unable to assert absolute jurisdiction. This makes the internet a proverbial ‘wild west’ with no single comprehensive applicable law. The fact that an injunction against an intermediary operates on a global scale doesn’t necessarily make it invalid and aggressive. After all, a limited denial of access in the local domain does not protect the underlying rights at stake; global takedown seems the right method to ensure effectiveness. But all of this is required to be done while mediating the conflicting interests as well as recognizing the protection of certain forms of speech.

As Gautam Bhatia said in the context of Swami Ramdev v. Juggernaut Books last year, “Indian courts seem to increasingly view freedom of speech as a mere annoyance to be brushed aside when confronted with competing claims”. If global take-down orders become mainstream, regressive laws on freedom of speech and expression online will become the norm. The Courts and governments, in order to win this ‘hare and tortoise race’, shall not ignore the countervailing arguments in relation to freedom of speech and the right to privacy. These rights shall not be treated as outweighed by values like national integrity, security interests, etc.; rather, an effort shall be made to strike a balance between both sides.

The judgment is under challenge now by Facebook before a Division Bench, and the matter is listed for final hearing on January 31, 2020. The Court must set a precedent in the unsettled jurisprudence that will consider the free speech and privacy rights in the world of internet at the intersection of technology and laws such as defamation law.

References:

[1] Para. 87, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[2] Para. 78, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[3] Para. 86, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[4] Apoorva Mandhani, Why Baba Ramdev’s win against Facebook, Google in Delhi HC only adds to judicial confusion, The Print, https://theprint.in/india/governance/judiciary/why-baba-ramdevs-win-against-facebook-google-in-delhi-hc-only-adds-to-judicial-confusion/312403/.

[5] Balu Nair, Delhi HC Gives Expansive Interpretation to Section 79 of IT Act: Issues Global Blocking Order Against Intermediaries, SpicyIP, https://spicyip.com/2019/11/delhi-hc-gives-expansive-interpretation-to-section-79-of-it-act-issues-global-blocking-order.html.

[6] Delhi High Court Approves Take Down of Content Globally, SFLC, https://sflc.in/del-hc-orders-global-take-down-content.

[7] Para 16, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[8] Google Inc. v. Equustek Solutions Inc., Cambridge Core, https://www.cambridge.org/core/journals/american-journal-of-international-law/article/google-inc-v-equustek-solutions-inc/E667668ED944EBE52233E17320478448/core-reader.

[9] Google v. CNIL, CJEU Case C-507/17.

[10] Bachchan v. India Abroad Publications Inc., 154 Misc 2d. 228, 585 N.Y.S.2d 661.

Simplifying FinTech and FinTech Laws: Trends and Regulatory Challenges related to FinTech in India

In the second quarter of 2019, Indian mobile payment leader PayTM surpassed China in the number of deals. Such a feat has been achieved while India is still an evolving fintech market in comparison to a developed fintech market like China. Red-tapism and the immense number of laws are the reasons for the slowdown of the FinTech market in India, but strict regulations are inevitable when it comes to a financial or technological company. The Steering Committee on FinTech related issues, constituted by the Ministry of Finance, Department of Economic Affairs, submitted its report in September 2019 indicating various trends and challenges related to FinTech in India. This post discusses the same in brief. This post is the second one in the series of ‘Simplifying FinTech and FinTech Laws’.

Suggestions by the Steering Committee on Issues related to FinTech. Source: Economic Times

Trends related to Fintech in India

The FinTech sector in India is thriving and growing expansively, enabled by a large consumer base, innovatively boosted startups and balanced regulatory policies in the form of the ‘Digital India’ programme. The Indian Fintech industry has grown by 282% in the last decade and reached a valuation of USD 450 million in 2015. Currently, there are more than 400 fintech companies working in India, and the investments are to be fuelled by 170% by 2020. The Indian fintech market is expected to grow by USD 2.4 million by 2020 from the present USD 1.2 billion, as per a NASSCOM report. The transactional value of the Indian fintech sector was estimated at approximately USD 33 billion in 2016 and is forecast to reach USD 73 billion by 2020.

Figures based on banks people per bank
Source: Bloomberg

FinTech facilities in India

The primary facilities offered by companies operating in the space of fintech are:

Pre-paid Payment Instruments

Also known as PPIs, these instruments enable the user to purchase products, including products relating to financial services. To be able to purchase the products, a value is entered into the e-wallet of the PPI, and purchases are made against that value. There are 3 types of PPIs: closed, semi-closed and open systems. Depending on the type, one may also have the facility to withdraw cash from the PPI. Other than the banks, they can only be issued by institutions authorized to function in the arena of e-wallets or pre-paid card services.

UPI Payments

Managed by the National Payments Corporation of India, the UPI (Unified Payment Interface) provides a platform for quicker real-time transactions, making it easy for smartphone users to enter into multiple transactions at a lower cost than the traditional method demands. Constituting a major part of consumer behaviour in the market, UPI gives users universality in the transactions they wish to enter into and lets them transact with a greater number of traders.

Digital Transactions

In the traditional financial market, it was only the banks that could lend money. However, with the convergence of technology and the financial market, loans nowadays are even disbursed by non-banking financial companies, also known as NBFCs. The NBFCs, with their interactive and user-friendly applications, have attracted a wide user base in the digital arena for credit purchases and loans after verification.

Lending Platforms

These lending platforms are peer-to-peer based. Such platforms bring together willing lenders and borrowers to enter into regulated transactions. As per the guidelines issued by the RBI in this regard, the lending platforms can only be offered by registered non-banking companies in India.

Online Sale and Purchase

Online sale and purchase is another of the recent trends. To facilitate it, there needs to be a system whereby an entity collects payments from the purchasers and sends them across to the sellers. The entities involved in this function are known as payment aggregators or intermediaries. These entities electronically consolidate the payments made and transfer the same to the sellers.

Banking Services

Begun as a measure to take the banking system to the grassroots level of society and provide ease to customers, digital banking services have now become a feature of the payment banks. The RBI has allowed payment banks to offer online the basic services involved in smooth banking for customers. This includes facilities such as accepting deposits (though the RBI has placed a limit on it), viewing transactions, transferring funds, etc. However, this arena remains strictly regulated, and not all facilities, such as issuing credit cards, are digitally available.

FinTech Investments by US Banks
Source: Bloomberg

Regulatory Challenges to Fin-Tech in India

While in India, digital finance firms are thriving as the government is continuing to issue pro-startup regulations and policies, the central regulatory body for Fintech i.e. the Reserve Bank of India, still suffers due to a traditionally rooted and established infrastructure which cannot be easily replaced with the updated regulatory framework that matches the advancements of technology.
The Indian market is already recognized as a conservative and restrictive market, which makes it difficult for Fintech firms to instil confidence in adopting Fintech services in the absence of any concrete regulatory framework.
Commendable steps have been taken by the Indian government and regulatory institutions in a prompt manner; however, policies and regulations have to match the pace at which technological advancements in the finance sector are taking place. This is much needed to ensure secure and transparent growth of Fintech in India.

Regulatory Uncertainty in the Fintech Sector

The foremost challenge that the regulator for the fintech sector has to deal with is the lack of regulations. Moreover, where there are regulations, consolidating them is another major challenge. There is a requirement “to support the formulation of policies that foster the benefits of fintech and mitigate potential risks”. Hence, a regulator or policy-maker has to work in the direction of “the modification and adaptation of regulatory frameworks to contain risks of arbitrage, while recognizing that regulation should remain proportionate to the risks.”

Digital On-boarding and Financial Inclusion

The two significant challenges that one can see as the huge mountainous tasks in the Indian context are: firstly, making the fintech platforms accessible to every Indian and secondly, analyzing the risks that are potentially present in trying out a scheme to provide digital onboarding. The Supreme Court recently decided upon the constitutionality of the Aadhaar, the ambitious government project to provide a unified identity. Aadhaar has been held constitutional but Section 57 of the Aadhaar Act was struck off. Section 57 provided the mandatory verification and linking procedure for consumers to avail a company’s service. The judgment is having serious implications on the government’s efforts to provide frictionless onboarding of consumers.

“The judgement impacted the delivery of financial services across verticals including bank account opening, loans, mutual funds and insurance. Though the judgement allows voluntary use of Aadhaar by consumers, there are multiple interpretations of it and the Unique Identification Authority of India (UIDAI) has resorted to safer approaches to avoid any more legal battles and stopped services to private entities altogether.”

Low Credit for Startups

Investors in the market are now hesitant to invest in fintech startups. The investors are baulking as there have been quite a number of bad loan incidents. The big setback to the fintech industry as well as the financial sector came in the form of the IL&FS breakdown. The company defaulted on inter-corporate deposits and commercial papers or borrowings. The incident has affected the whole fintech industry, as the crisis included lending businesses that were key to a number of NBFCs as a funding source.

e-NACH crisis

The Apex Court’s judgment also brought to a halt another popular mode of financing, which is also the foremost mode of debit for lenders, MFs and insurance, that is, pulling money from the customer’s account. This is yet another judgment that has slowed down the advancement and has promoted the traditional manner of physical registrations.

Data Protection

Both the traditional banking system and the fintech services gather a large number of data records from their clients, which contain a profile of behavioural and financial information. Though the utility of such data is positive when it is used for the specific purpose of improving the services, it also gives way to a heap of privacy issues, especially when the financial service provider engages a third party’s technology services.

The judiciary recognized the risk of data privacy to the banking sector’s consumer in the case of Punjab National Bank v Rupa Mahajan Pahwa, “in which Punjab National Bank had issued a duplicate passbook of a joint savings bank account, held between the petitioner and her husband, to an unauthorized person”.

Other Challenges to the Fintech system in India

In terms of regulatory standards, India lacks a comprehensive cybersecurity framework to reduce cyber-crime issues. Competition law has also, at some stages, failed to control the dominance of certain advanced fintech NBFCs.


S-E Asia gearing up for Data Protection: Sri Lankan Framework on Data Protection Legislation

The Sri Lankan Ministry of Digital Infrastructure and Information Technology introduced the framework for the proposed Personal Data Protection Bill on June 12, 2019. ‘Data Protection Legislation’ is an important public policy consideration for the Sri Lankan government in the context of “digital transformation taking place in Sri Lanka with government agencies, Banks, Telco’s, ISPs and private sector collecting personal data via the Internet,” according to the official press release. It is also important as “the Right to Information Act (2016) is currently being implemented in Sri Lanka, pursuant to Article 14A of the Constitution, where the right to privacy is an exception”.

To draft the legislation, the Drafting Committee looked at international best practices, such as the EU General Data Protection Regulation as well as the laws enacted in other jurisdictions, “such as Australia, Singapore and the Indian Draft Legislation”.

The Framework has been introduced for the stakeholder comments and will now be subjected to an Independent Review Committee.

The objective of the Framework

As per the Preamble, the Framework aims to:

  1. Protect the personal information while ensuring the rights of natural persons with regard to the processing of such information
  2. Improve consumer confidence and ensure the growth of digital democracy and innovation and promote both the protection of personal data and its use in Sri Lanka while respecting domestic laws and regulations and international standards
  3. Enable the Government to regulate the processing of personal data and to ensure confidence in the privacy and security of online transactions and information networks and actively participate in an information-driven global economy
  4. Improve interoperability among privacy frameworks as well as strengthen cross-border co-operation among enforcement authorities and provide clear guidance and direction to entities located or operational in Sri Lanka on generic data protection issues and their impact.

What is ‘Personal Data’?

‘Personal Data’ means any information whether true or not, relating to an identified or identifiable natural person, that is, data subject.

‘Personal Data Breach’ means any act or omission that consequently results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data of the data subject.

What are ‘Special Categories of Data’?

Any personal data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, financial data, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning natural person’s sex life or sexual orientation, personal data relating to offence, criminal proceedings and convictions, personal data relating to a child” and any other personal data that the Minister may determine upon the recommendation of the Data Protection Authority (DPA) as established from time to time by Regulation in accordance with the proposed Framework.

What is the ‘Data Protection Authority’ (DPA)?

Part VII of the Framework provides for the establishment of the Data Protection Authority (the “Authority”) of Sri Lanka. It will be the apex body for all matters related to data protection and for implementation of the proposed Act. It will be responsible for maintaining the Register of controllers, and giving directions, issuing guidelines and undertaking training for controllers.

Following are certain significant powers vested with the Authority, inter alia:

  1. To enforce its orders or determinations made under this Act against a controller or processor through prosecution;
  2. Data Protection Authority has power and has a duty to prosecute for the offences under this Act;
  3. The Authority may carry out periodic audits in relation to any processing activity carried out by a controller or processor to ensure compliance with this Act.

“For the purpose of investigating into a complaint received by the Authority, holding an inquiry in relation to an appeal or making an order under section 38:

  1. require any person to appear before it;

  2. examine such person under oath or affirmation and require such person where necessary to produce any information related to processing

  3. to inspect any information strictly related to the processing in question that is held or controlled by a controller or processor by an officer authorized on that behalf by the Authority. In any event, such officer shall be a senior staff member of the Authority having relevant expertise to conduct such inspection.

  4. make a determination in accordance with the provisions of this act with due consideration of the information available to it.”

Application of the proposed legislation

Part I says that the proposed legislation applies to the processing of data that will take place:

  1. wholly or partly within Sri Lanka; or
  2. by a controller or processor which is resident, incorporated or subjected under Sri Lankan law, or a controller or processor which is offering “goods/services to data subjects in Sri Lanka”, or “who monitors the behaviour of data subjects in Sri Lanka including profiling in so far as such behaviour takes place in Sri Lanka”.

However, the provisions will not apply to the processing of data that is for “purely personal or household purposes” or when the data is anonymised. Also, it will not apply to the processing of data which is done by any government department, provincial council or any other regulatory body for lawful purposes.

Data Protection Principles

Part II of the proposed legislation provides that processing and controlling of data will be lawful only when it is done in accordance with the following principles:

  1. Personal data shall be processed lawfully, fairly and in a transparent manner;
  2. Personal data shall be collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with the said purposes;
  3. Processing shall be adequate, relevant, necessary, proportionate to the purposes for which the personal data is processed;
  4. The controller shall ensure that personal data that is processed is accurate and, where necessary, kept up to date with every reasonable step being taken to ensure that any inaccurate personal data are rectified or erased without delay;
  5. Personal data may be kept in a form which permits the identification of data subjects for such period as may be necessary for the purposes for which the personal data is processed; and
  6. Personal data shall be processed in a manner that ensures appropriate security of personal data using appropriate technical or organisational measures.

Rights of Data Subjects

Part III lays out the following rights of Data Subject, inter alia:

  1. Data Subject shall have the right to withdraw its consent for the processing of its personal data. Data Subject can request the controller for the withdrawal of consent in writing.
  2. The Framework entitles Data Subjects to obtain access to their personal data and information at any time they request. Data subjects shall also have the right to request for rectification of any inaccurate personal data that has been processed.
  3. The Data Subject can also request from the controller for erasure/deletion of the personal data which has been unlawfully processed, or processed pursuant to a legal obligation, or processed when such processing is no longer necessary or processed when such processing is no longer legitimate.
  4. The Framework enables Data Subjects to claim their aforementioned rights by directly approaching the controller of the personal data and, in cases in which the controller restricts the request of the Data Subject, through an appeal to the Authority.

Scope of Controllers and Processors of the Data

Registration requirements

Part IV of the Framework obligates controllers and processors to register themselves with the Authority. They have to apply for registration in the prescribed form, which will require complete details related to the processing of the personal data and safeguards adopted by them to protect such personal data, within the prescribed time period. The Authority shall keep and maintain a Register of the registered controllers in such form and manner as may be prescribed.

The Framework also requires the controller and processor to designate a Data Protection Officer. A holding company may appoint a single data protection officer for all its subsidiaries. The Officer will advise on applicable data processing requirements and data protection impact assessment, ensure the compliance with the applicable law, and cooperate with the Authority for controllers and processors.

Duties and obligations

The Framework imposes certain duties and obligations on the controller such that, inter alia:

  1. The controller shall implement appropriate technical and organisational measures such as encryption, pseudonymisation, anonymisation, data minimisation techniques, privacy-by-design techniques, adopt privacy enhancing technologies as applicable, to ensure and to be able to demonstrate that processing is done in accordance with the provisions of this Act;
  2. Conduct privacy impact assessments when required by this Act and in accordance with the provisions of this Act;
  3. Implement internal oversight mechanisms and integrate such mechanisms into its governance structure;

“Where processing is to be carried out by a processor on behalf of a controller:

  1. the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Act and ensure the protection of the rights of the data subject as guaranteed by this Act;
  2. Any processing by a processor on behalf of the controller shall be governed by a contract or any other written law that is binding on the processor that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”

The Framework further provides the duties and obligations of processor such that it can only process the personal data in accordance with the documented instructions from the controller.

The Framework obligates the processor, inter alia:

  1. to ensure that its personnel are bound by contractual obligations on confidentiality and secrecy (personnel means any employee, consultant, agent, affiliate or any person who is contracted by the processor to process personal data);
  2. to assist the controller by appropriate technical and organisational measures for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in this Act;
  3. to assist the controller in ensuring compliance with the obligations under this Act;
  4. to allow for and contribute to audits, including inspections upon the controller’s request.

The processor shall remain liable to the controller for the performance at all times even when the processor appoints the ‘sub-processor’.

Data breach notifications

On becoming aware of a personal data breach, the controller shall inform the Authority without undue delay, and in any event within the prescribed time, in such manner and form as prescribed by the Authority.

Data protection impact assessments

The Framework makes it mandatory for the controller to carry out a privacy impact assessment whenever a type of processing is likely to result in a high risk to the rights of the Data Subject. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment. Such an impact assessment is mandatory in cases where there is:

  1. a systematic and extensive evaluation of personal data such as profiling;
  2. processing on a large scale of special categories of data;
  3. monitoring of publicly accessible areas or telecommunication networks or any other processing activity as prescribed under the proposed Act.

The Authority will provide the guidelines through official gazette regarding the form and manner in which the privacy impact assessments are to be carried out by the controller.

Certain exceptions

Part V provides certain exceptions to the protection of personal data as provided by law for “the protection of national security, defence, public safety, economic and financial wellbeing [sic] of Sri Lanka, the impartiality and independence of the judiciary or the prevention, investigation and prosecution of criminal offences and the execution of criminal penalties, and other essential objectives of general public interest”, and for the protection of “rights and fundamental freedom” of Data Subject and others, “notably freedom of expression and right to information”.

Cross-border flow of personal data

Part VI lays out the rules for the cross-border flow of personal data:

  1. A controller and processor can only process the data at a location outside Sri Lanka if the location has been prescribed by the Minister as a place which ensures an adequate level of protection for personal data in accordance with the provisions of this proposed Act.
  2. Otherwise, the controller and processor have to provide safeguards and ensure the effective remedies for Data Subjects in order to process the data at a location outside Sri Lanka.
  3. DPA will by rules prescribe the conditions under which a controller or processor has to take the prior authorization of the Authority in order to process data outside Sri Lanka.

Use of personal data for direct marketing

Part VIII defines how personal data may be used for direct marketing.

‘Direct marketing communications’ means any form of advertising, directly or indirectly, whether written or oral, sent to one or more identified or identifiable end-users via electronic or digital communication or telecommunication services or any other means including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, etc.

Any natural or legal person who wants to use electronic or digital communication and any other services for sending direct marketing communications to end-users of such services has to ensure the “unambiguous consent” of such end-users. However, with each such direct communication, the end-user will be provided with the right to object. If an end-user claims the right to object, then the natural or legal person has to ensure that they comply with such request.

Imposition of penalty

In Part IX, the Framework prescribes the penalty that will be imposed upon a person who fails to comply with the proposed Act while considering the nature and gravity of relevant non-compliance.

The penalty will not exceed 2% of the person’s total worldwide turnover or rupees 25 million, whichever is higher. If a person doesn’t conform to the provisions of the proposed Act even after being penalized once, then he/she will “be liable to the payment of an additional penalty in a sum consisting of double the amount imposed as a penalty on the first occasion”.

Such imposition of penalty will not preclude a supervisory authority from taking any regulatory or disciplinary measures (cancellation of license, suspension, etc.) against such a controller or processor.