Let us talk about E-Contracts (I): Electronic agents and conclusion of online contracts

The advancements in the internet as means of facilitating contract formation does not, at first read, present a situation different from that applicable to a facsimile or telex. An e-contract can be created either via the exchange of e-mails or by the completion of a document as a website which is submitted to another party electronically. While it is true that to the great extent that e-contracts are modernised methods of contract formation but they don’t require any particular changes to the law. Still, there are some particular issues arising from their electronic form. This post will discuss the international instruments that provide legal recognition to e-contracts and very advanced facets of it.

A contract is concluded if the parties intend to be legally bound, and they reach a sufficient agreement. Conclusion of contract with offer and acceptance. A contract can be concluded by the acceptance of an offer.

There are various ways to conclude e-contracts. The significant and interesting ones are as follows:

Forming contracts via electronic communications (such as e-mails)

The simplest e-contract is concluded by the exchange of text documents via electronic communications, such as e-mail. Offers and acceptances can be exchanged totally by e-mails, or can be combined with paper documents, faxes, telephonic discussions, etc.

Acceptance of orders placed on online marketplaces

The vendor/ supplier can offer goods or services (such as air tickets, software, etc.) through his website. The vendee, in such cases, places an order by completing and transmitting the order form provided on the website. The merchandise may be physically delivered later (e.g., in case of outfits, CDS, books, etc) or be immediately delivered electronically (e.g., in case of e-tickets, software, etc).

Online agreements

In some cases, users are required to accept an online agreement in order to be able to avail the services e.g. clicking on ‘I agree’ while installing software or clicking on ‘I agree’ while signing up for an e-mail account.

The electronic data interchange (EDI)

It is the inter-process of communication of business information in a standardised electronic form. That is, they are contracts used in trade transactions which enable the transfer of data from one computer to another in such a way that each transaction in the trading cycle (for example, commencing from the receipt of an order from an overseas buyer, through the preparation and lodgment of export and other official documents, leading eventually to the shipment of the goods) can be processed with virtually no paperwork. In this case, the data is formatted by means of standard protocols, so that it can be implemented directly by the receiving computer. EDI is, frequently, used to transmit standard purchase orders, acceptances, invoices, and other records, and thus, reduces paperwork and the potential for human errors. In this type of contracts, in contrast to the above methods, there is an exchange of information and completion of contracts between two computers and not an individual and a computer.

Through electronic agents/ bots

It is possible for computer users to instruct the computer to carry out transactions robotically. For instance, in today’s supermarket, the computer updates its inventory as items are scanned for sale. When the stock of an item falls to a predetermined level, the computer is programmed, without human involvement, to contact the computer of the supplier and place an order for replacement stock. The supplier’s computer, exclusive of human intervention, accepts the order and the next morning automatically prints out worksheets and delivery sheets for the supply and transport staff.

These electronic agents are programmed by and with the authority of the purchaser and supplier. The legal status of electronic agents has not been clarified by the courts, but the most common view is that like any other piece of equipment under the control of the owner, the owner accepts responsibility. A computer is a tool programmed by or with a person’s authority to put into operation their intention to make or accept contractual offers.

According to Russell and Norving, ‘An agent is anything that can be viewed as perceiving its environment through sensors and acting upon that environment through effectors. A human agent has eyes, ears, and other organs for sensors, and hands, legs, mouth, and other body parts for effectors. A robotic agent substitutes cameras and infrared range finders for the sensors and various motors for the effectors. A software agent has encoded bit strings as its percepts and actions.’

Such electronic agents and devices have features which facilitate humans in their normal interaction and functions, such as, intelligence, autonomy and pro-activeness. The idea of having intelligent systems—to assist human beings with routine tasks, to shift through an enormous amount of information available to a user and select only that which is relevant—is not novel and a lot of work and results have already been achieved in the field of artificial intelligence (‘AI’).

Legal recognition of electronic agents

The E-COMMERCE DIRECTIVE 2000/31/EC of The European Parliament and of the Council of 8 June 2000 does not take in hand the issue of automated transaction made through electronic agents. The explanatory notes of the proposal of the Ecommerce Directive state that the Member States should refrain from preventing the use of certain electronic systems such as intelligent electronic agents for making a contract. But, the final version makes no reference to electronic agents in the main text or in the recital. The deletion of the proposed text furnishes a sign of the EU’s failure to respond to the tremendous growth of e-commerce. It is also not in consonance with the preamble to the Directive, which states that the purpose of the Directive is to stimulate economic growth, competitiveness and investment by removing many legal obstacles to the internal market in online provision of electronic commerce services. However, the exclusion of the provision giving legal recognition to electronic agents is a step backwards and a failure to recognise the role of electronic agents in fostering the development of e-commerce such as lower transaction costs, facilitate technology and adherence to international conventions.

The United Nations Convention on the Use of Electronic Communications in International Contracts 2005 (hereinafter referred to as the ‘UNCUECIC’) contains provisions dealing with issues such as determining a party’s location in an electronic environment; the time and place of dispatch and receipt of electronic communications and the use of automated message systems for contract formation. Art.12 of the UNCUECIC, which deals with the use of automated message systems for contract formation, states, ‘A contract formed by the interaction of an automated message system and a natural person, or by the interaction of automated message systems, shall not be denied validity or enforceability on the sole ground that no natural person reviewed or intervened in each of the individual actions carried out by the automated message systems or the resulting contract.’ The objective behind the adoption of the uniform rules was to remove obstacles to the use of electronic communications in international contracts, including obstacles that might result from the operation of existing international trade law instruments, and to enhance legal certainty and commercial predictability for international contracts and help States gain access to modern trade routes.

In the USA, the Uniform Electronic Transactions Act, 1999 (UETA) expressly recognises that an electronic agent may operate autonomously, and contemplates contracts formed through the interaction of electronic agents and those formed by the interaction of electronic agents and individuals.

Section 14 of the UETA reads as follows:

In an automated transaction, the following rules apply:

(1) A contract may be formed by the interaction of electronic agents of the parties, even if no individual was aware of or reviewed the electronic agents’ actions or the resulting terms and agreements.

(2) A contract may be formed by the interaction of an electronic agent and an individual, acting on the individual’s own behalf or for another person, including by an interaction in which the individual performs actions that the individual is free to refuse to perform and which the individual knows or has reason to know will cause the electronic agent to complete the transaction or performance.

(3) The terms of the contract are determined by the substantive law applicable to it.

Section 14 of the UETA, which is based upon Article 11 of the UNICTRAL Model Law on Electronic Commerce, deals with ‘automated transaction’. This Section states that contracts can be formed by machines functioning as ‘electronic agents’ for parties to a transaction. It wipes out any claim that lack of human intent, at the time of contract formation, prevents contract formation. When machines are involved, the requirement of intention flows from the programming and use of the machine. It is quite evident that the main purpose of this provision of the UETA is to remove barriers to electronic transactions while leaving the substantive law, e.g., law of mistake, law of contract formation, unaffected to the greatest extent possible. Also, the Uniform Computer Information Transaction Act (UCITA) also has provisions supporting the ability of electronic agents to make binding contracts.

Recommended Readings

  • Wooldridge & Jennings, ‘Intelligent Agents: Theory and Practice’, Knowledge Engineering Review, (June 1995) Vol. 10 No. 2, Cambridge University Press (1995).
  • Alan Davidson, The Law of Electronic Commerce, Cambridge University Press, (2009).
  • R K Singh, Law Relating To Electronic Contracts (2017)

Public health surveillance in India: concerns of an individual’s liberty and privacy amid a pandemic

(This article extensively borrows from another article that authors wrote for and first published on the Leaflet)

The world is grappling with the kind of situation that it has never seen before. The rapid pace of COVID-19 spread made it necessary for the governments around the world to use extreme means and measures that would otherwise be considered Orwellian. These emergency measures by the governments are attempts to effectively enforce a lockdown and strictly prohibit movement of the citizens in a bid to break the chain of infection.

As Governments are attempting to contain the contagious virus, the use of technology for monitoring people undergoing quarantine has doubled in order to combat the spread of the virus. Ordinarily, under such developing Orwellian state of affairs, civil liberty activists and privacy advocates stir commotion; considering the scale of the crisis, they seem to tacitly embrace these measures. It is obvious that this pandemic is reshaping our relationship with surveillance technology, albeit to the fear of some the surveillance that could become a norm.

World under surveillance

Across the globe, countries are expansively deploying tech-enabled surveillance infrastructure of Face Recognition Technology (FRT) based CCTVs, drones and cell phone tracking devices for contact tracing and enforcing quarantine. Growing number of countries such as Israel and South Korea are ‘contact tracing’ using mobile applications or cell phone records. It is a process of mapping travel history of an infected person by analyzing location records of the cell phones. It is followed by pinpointing the other contacts for quarantine that might have come in contact with such a person. Meanwhile, Taiwan has gone a step further in quarantining the traced contacts by deploying an ‘electronic-fence’. If a mobile user’s SIM card is tracked beyond the reach of a network station or found to be switched off, law enforcement authorities quickly approach the suspect.

In India, law enforcement authorities across the nation are increasingly using technology to monitor and restrict the spread of the virus. In several states such as Rajasthan, Punjab and Delhi, local authorities have published a list of personal details, in online media and newspaper, of those suspected or infected of COVID-19. The Karnataka government has taken this to an inordinate level by mandating all quarantined persons to send a selfie with geo-tags through an official app named ‘CoronaWatch’ every hour, except between sleeping time 10 PM to 7 AM. Now, the Ministry of Electronics and Information Technology (MeitY) has also launched an app- ‘Aarogya Setu’, which uses Bluetooth and GPS to alert an individual if they come within six feet of a Covid-19 infected person.

The case of “Public Health Surveillance”

Law enforcement agencies of different countries are carrying out tech-enabled surveillance on their citizens to ensure compliance with the rules of social distancing and lockdown. In normal times, such measures are targeted against terrorists or criminals; while also scrutinized vide privacy and civil liberty concerns.

However, even the World Health Organisation (WHO) has sought to play down privacy concerns in these unprecedented times, by terming the measure as “public health surveillance”. The WHO has simply legitimized the governments’ argument that the extraordinary situation of COVID-19 pandemic necessitates the use of an extraordinary measure of mass surveillance. The public health emergency of such magnitude is being touted as a valid justification for deploying tech-enabled mass surveillance and subversion of individual rights.

Is surveillance a matter of concern for India?

There are certain unique reasons due to which implementation of these emergency measures, in India, are worrisome.

No clarity on the legal basis for surveillance measures

Firstly, in India, neither the central government nor the state governments have provided any legal basis for directing such tech-enabled surveillance measures. For instance, neither of the official press release of the Aarogya Setu app and Karnataka’s ‘mandatory selfie direction mention any legal grounds for such directions nor have they provided any privacy policy with it. The absolute abandonment of civil liberties and privacy in the interest of public health, without the bare minimum legal foundation, portends negative consequences

The government has invoked the Epidemics Diseases Act, 1897 and Disaster Management Act (DMA), 2005 to deal with the COVID-19 outbreak. Both, the colonial era Epidemics Diseases Act and NDMA, do not cover surveillance in their scope. Although, there is an argument that basic residuary power to take ‘necessary’ steps to curb the spread of virus, under the mentioned laws accord a legitimate authority to government for surveillance.

It is unclear why the government has not availed these very basic residuary powers to also notify the standing rules on privacy or lawful manner of deployment of tech-enabled surveillance measures. As a natural consequence, government directives infringing an individual’s right to privacy cannot be tested for their legality without any standing rules for arbitrariness and lack of accountability. This is particularly dangerous in a country like India where a data protection statute does not exist.

The use of unregulated novel technologies for surveillance provides no legal checks and oversight

Secondly, the details regarding the technological capabilities of the government for surveillance are largely a secret. It is the sudden outbreak of pandemic that has forced the government to openly introduce a deluge of unregulated, contemporary and emerging technologies for mass surveillance. There is a growing concern among certain privacy advocates that the tech-enabled surveillance could persist beyond the pandemic once it gets accepted and normalized in the present emergency times. History is witness that world’s most dictatorships and authoritarian regimes emerge amid the crises.

There is no information available about the extent and scope of the government’s capability and techniques. The secrecy about the techniques of surveillance impedes the legislative checks or institutional audits. If the public is unaware of how a technology works (due to non-disclosure by the Executive), the said manner of surveillance then cannot be even challenged in a court of law. Therefore, such secrecy is nullifying the system of checks and balances in favor of the ever-augmenting executive power.

Several surveillance techniques are disproportionate and unnecessary

Thirdly, due to the use of technologies of varying level of invasiveness, there are doubts regarding the necessity and proportionality of such measures in relation to the right to privacy and individual liberty.

The Puttaswamy (I) judgment upheld, explicitly recognized in reference to public health, that to legitimately restrict fundamental rights such as privacy and liberty for implementing a measure, such measure should be proportionate in nature. In the case, the SC held that a government measure is proportionate if it satisfies following four criteria: 1) that the measure should pursue legitimate purpose; 2) that the measure should be rationally connected to the purpose; 3) that there should no less intrusive alternative measure available; 4) that the measure should accrue public benefit greater than the extent of infringement of a constitutional right.

More than half of the population of the country doesn’t have access to the internet services. In the context of such a scenario, how is surveillance through mobile application is a necessary measure? Further, several state governments are taking extreme measures of disclosing the home addresses and other personal details of infected and suspected persons, which grossly fall afoul of three prongs of the constitutional test upheld in the Puttaswamy I judgment. An obviously lesser intrusive measure such as informing at a locality level about the presence of infected cases in areas could have sufficed. Allahabad HC also held such practices, publishing personal details of anti-CAA protestors in public, of the UP government as “arbitrary invasion of privacy”.

Karnataka has rolled out a mobile application which comprehensively discloses the location history and home addresses of persons infected and quarantined. Also, some of the states are publicly listing such details wide in social media channels. Such invariable disclosure of private information of infected and suspected persons has prompted concerns and possibilities of social intimidation.

There have already been reports from across the nation of infected and suspected patients facing the stigmatisation, and various forms of discrimination which are further resulting in a negative social impact. For instance, in Maharashtra, public listing of coronavirus suspects on social media led to several cases of forceful eviction of quarantined people by their landlords.

Such events question the proportionality and necessity of the measure as it would have been a satisfactory measure if the government has alternatively chosen a lesser intrusive measure.

Ways to resolve the concerns

There is no denying that certain limitations can be imposed on civil liberties given the urgency of the COVID-19 crisis. However, in a democratic set up like India it is expected from the government that its actions should be transparent and provide a window to the public to assess the government’s accountability. All the worrisome aspects related to public health surveillance measures can be subdued by making concerted efforts to introduce legal backing for its actions, to establish institutional oversight and to use the least intrusive means.

For providing the legal basis, the government can issue the standing rules that would lay down the legal and accountability measures for the responsible local authorities undertaking public health surveillance. The governments should avail the residual powers under the NDMA and the Epidemic Diseases Act to also issue the ad-hoc rules and guidelines in addition to the emergency surveillance measures. These rules and guidelines will provide the mechanism under which surveillance can be carried out without causing deterrence to an individual’s privacy and liberty.

The government can presently provide such ad-hoc rules for privacy protection based on similar principles as delineated in the Personal Data Protection Bill 2019 (“PDPB 2019”) for the data collection during health emergencies. Clause 12 of the PDPB 2019 exempts the data fiduciaries from taking consent under urgencies like pandemic, but strictly imposes requirements of data minimization or purposes limitation, lawful processing, transparency and accountability. Introduction of such principles will ensure that the information collected surveillance is being handled under the constitutional checks to maintain privacy as much as possible

Such ad-hoc rules will obligate the government as a data fiduciary to follow principle of purpose limitation such that the authorities should only collect the minimum possible data which is sufficient for tracing contact, enforcing quarantine and any other lawful and specific purpose. The government shall use the anonymised data only and adopt all security measures to prevent leaks and maintain confidentiality of personal data of data subject. The rules will also mandate the government to delete the collected data at the earliest after it has been used for the specified purpose. This will automatically shun away the emerging concern that the surveillance’s effect could persist beyond pandemic. Further, it will inhibit the misuse of personal data and abuse of surveillance measures.

The surveillance measures aim to keep people in quarantine and check the spread of infection for their benefit, therefore it is suggested that the government should hold no secrets about its surveillance techniques and manners. It should adopt a method of “Public Notice” system such that the local district administration has to notify the model of surveillance to the public before conducting surveillance.

At the very least, this notice should disclose the legal rules governing the tech-enabled surveillance measure, and its purpose. It should be clear on the authorization required for the retention, access, and use of information collected through the use of such novel technology. Such a notice would provide the transparency in the process of imposition of surveillance and allow the legislature and public to exercise meaningful control and oversight over the manner of deployment of unregulated technologies for surveillance.

Parting note

Unarguably, the present situation calls for the governments to take substantial measures to protect the lives and health of public at large, but this should not happen in the utter disregard of constitutionally recognized rights to privacy and individual liberty. The policies and techniques of government should be legitimate and proportionate in order to maintain the democratic principles of public trust and transparency. There is no hard choice between public health and individual’ right to privacy and liberty. Both can mutually co-exist under the legal framework that guarantees the challenge to unnecessary expansion of the surveillance regime.

As pointed out by Deborah Brown, senior digital-rights researcher at Human Rights Watch, “surveillance measures should come with a legal basis, be narrowly tailored to meet a legitimate public health goal, and contain safeguards against abuse”.

Therefore, the government should definitely focus on the situation of urgency for many, instead of investing focused efforts in ensuring rights for few but should not absolutely ignore its accountability towards any section of the community. These fundamental rights are lung to the edifice of our entire constitutional system. The government should make efforts to prevent any injuries to it as much as possible.

Simplifying FinTech and FinTech Laws: Key Takeaways for Indian FinTech Industry

The significant advancements in Fintech are directly impacting on the traditional financial sector. The regulators had to be cautious in order to not miss the train and should jump on the wagon of promoting financial innovation and stiff competition in the sector. The newcomers in the sector should be provided certain leniency in form of exemptions from a number of strict compliances which are used to curb the malpractices of the big corporations, for the sake of promoting competition in the market. This post is dealing with key takeaways from reports of different regulators’ committees in India. This is the last post in the series of ‘Simplifying FinTech and FinTech Laws’.

Fintech charged firms and businesses must work in tandem with the regulated entities, e.g. banks and regulated finance providers. The businesses that a bank can undertake are provided under Section 6 of the Banking Regulation Act, 1949 and there is no business outside Section 6 that can operate as the bank. Such provisions, therefore, incentivize banking companies to make fintech innovations in a narrower scope relevant to their operations. The archaic laws make it difficult for banks to undertake fintech innovations that can be of significant utility but are beyond the scope of financial regulation.

The Watal Committee Report noted this, that:

“The current law does not impose any obligation on authorised payment systems to provide open access to all PSPs. This has led to a situation where access to payment systems by new non-bank payments service providers, including FinTech firms, is restricted. Most of them can access payment systems only through the banks, which are also their competitors in the payments service industry. This, according to the Committee, has restricted the fast-paced expansion of digital payments in India by hindering competition from technology firms.”

Forming a comprehensive and non-discriminatory regulatory approach

Regulators and legislators are required to realign their legal approach to the Fintech services. There is a requirement of developing a deeper understanding of various Fintech services and their interaction in a financial environment with other fintech services. To provide the fintech space to work utmost to its potential, it is needed that it gets a level playing field in relation to the traditional banking and non-banking players. The practise of restricting the access of non-bank institutions to payment infrastructure, such as AEPS, has to be reevaluated and the proper steps to be taken. It is required from the end of Government and Regulatory bodies that they should adopt necessary measures in order to provide accessibility to national payment infrastructure and facilities to all fintech firms without any discrimination.

Providing Standards for Data Protection and Privacy

All the fintech companies are required to invest significantly in self-regulating policies to prevent privacy risks. Fintech companies should be provided with the standards of data protection as soon as possible by government and regulators. It is evident that the provisions of the Personal Data Protection Bill, 2019 can significantly affect the growth of Fintech companies. Therefore, the standards adopted for fintech companies by regulators should be reviewed with respect to data protection and privacy concerns. The government and regulators specific to finance of the country should start focusing on the valuation of data that is processed by banking companies and recommend practices to safeguard consumer interests.

Open Data principles should govern the financial sector in order to enhance Competition

The regulators should pay heed to the open data policy among participants of a fintech sector. The regulators should begin with the mandatory norms directing financial service companies to encourage banking institutions to enable participants to access the databases of their rejected credit applications on a specific platform on a consensual basis. The practice of the UK with respect to Open Data Regulations in Banking can be adopted, where banking institutions on the basis of consent framework allow data to be available to banking partners in order to foster competition. Even the RBI Steering Committee on Fintech recommended:

“It also recommends that all financial sector regulators study the potential of open data access among their respective regulated entities, for enhancing competition in the provision of financial services.”

The KYC process should be reformed with respect to the Supreme Court’s Judgment on Aadhaar’s validity

Fintech businesses are the most affected entities due to the striking down of Section 57 of the Aadhaar Act as it invalidated the online KYC process. The online KYC and authentication provided the required efficiency and convenience to fintech firms with respect to their endeavours of on-boarding as many as consumers on their digital platform. It is recommended that alternatives to the mandatory linking to Aadhaar should be adopted in the form of possible video-based KYC, such that the documents as verified must be protected and processed with the prior consent of the consumer.

Other key recommendations

1. It is recommended that the adequate cybersecurity, anti-money laundering and fraud control measures should be adopted by investing in technologies and guidelines that can prevent fraud.

2. Technical innovations should be monitored with respect to the potential risk that innovation carries in operation under the contemporaneous legal landscape of the country.

3. A self-regulatory body to facilitate the needs of fintech is much needed as for the RBI it is still turning out to be difficult to replace the existing regulatory structure. A regulatory mechanism allowing the broader participative consultation approach should be adopted.

4. Regulators should invest in Reg-Tech (“Reg Tech is a sub-set of FinTech that focuses on technologies that facilitate the delivery of regulatory requirements more efficiently and effectively than existing capabilities. In July 2015 the FCA issued a call for input entitled ‘Supporting the development and adoption of Reg Tech’.”)

5. The majority of economies have adopted the practice of setting up of the regulatory sandboxes catalyzing the fintech innovations. It is recommended that RBI should continue with the introduction of the mechanisms, like regulatory sandboxes, enabling the adaptation of regulatory initiatives which will play a key role in maintaining India’s competitive edge.

Delhi HC has expanded the scope of injunction orders in Internet jurisdiction: Geo-blocking to Global-blocking in IT law

This post has borrowed extensively from an earlier blog-publication by Aryan Babele on Tech Law Forum @ NALSAR.

On 23rd October 2019, the Delhi HC has delivered an impactful judgment authorizing Indian courts to issue “global takedown” orders to Internet intermediary platforms like Facebook, Google and Twitter against illegal content as uploaded, published and shared by their users. The Delhi HC delivered the judgment on the plea filed by Baba Ramdev and Patanjali Ayurved Ltd. requesting the global takedown of certain videos which are defamatory in nature.

The Court passed the order in the context of its observation that there is a ‘hare and tortoise race’ between technology and law such that the ‘technology gallops, the law tries to keep pace’. Such observation reflects that the Court’s intention is to interpret IT law in the manner which will ensure the effective implementation of the judicial orders throughout the internet jurisdiction and mitigate the circumvention of such orders by use of the advanced technology.

However, the Court’s order is attracting criticism globally from several internet-freedom activists. It seems that the Court has made a hasty attempt to win the ‘hare and tortoise race’ and has missed on considering the far-reaching implications of it on the IT law jurisprudence and conflict of law provisions. This article aims to analyze and indicate the significant points in the Delhi HC’s judgment, which the Court lacked in considering while relying on the unsettled jurisprudence of global injunction orders.

Background- The case of Swami Ramdev v. Facebook

In Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC], Swami Ramdev (a prominent yoga guru and public figure) filed a case before the Court against Facebook, Google, YouTube and Twitter, inter-alia, praying for the global take down of defamatory contents (videos) as uploaded, published and shared by users of these intermediary platforms.

The given case stems out of the publication of videos on defendants’ platforms, which are based on those particular offending portions of the book titled “Godman to Tycoon: The Untold Story of Baba Ramdev’ by Priyanka Pathak Narain, which are already undergoing an ad-interim injunction as granted by the Court in Swami Ramdev v. Juggernaut Books [CM (M) 556/2018] in May 2018.

Subsequently, in January 2019, the Court passed an interim injunction against the defendants’ platforms to disable access to the offending URLs and weblinks for the Indian domain as per Section 79 of the Information Technology Act, 2000, [hereinafter referred as IT Act 2000] i.e. ordered geo-blocking.

However, the plaintiff argued that the geo-blocking is an ineffective solution as the objectionable content is widely available on the global internet and internet users in India can still access such content using VPNs and other such mechanisms. Therefore, the only effective remedy, according to the submission of plaintiff, is to issue a global blocking order.

Internet intermediaries have contended against such a global take down mechanism as it poses a number of technical and legal difficulties for them. Firstly, cross-jurisdictional laws vary in standards for determining defamation, and hence disabling access globally will breach the principles of international comity. Secondly, in order to globally disable access to the content, the intermediary platforms have to monitor every upload on their platforms which is technically difficult and legally wrong.

The Delhi HC’s Judgment

The Court agreeing with the plaintiffs’ submission went on to held that the online intermediary platforms can be ordered to take down content globally by a competent court in India, as the content is published on their global services. It observed that the complete removal is needed because there are easy –to-use technology applications available widely that helps local users in circumventing the geo-blocking and render the take-down order useless. Therefore, an absolute removal globally is an absolute remedy, as per the Court’s observations.[1]

Further, the following directions, hereby in brief, have been put forth by the Court to support its order:

  • The Court broadened the interpretation of Shreya Singhal v. Union of India: As per the Court, Section 79 of the IT Act 2000 provides that in order to avail the safe-harbor immunity, “intermediaries have to take down and disable access to the offending material residing in or connected to a computer resource in India”. It interpreted the definition of ‘Computer Resource’ as given in the IT Act, such that the “Computer Resource” as per the judgment “encompasses within itself a computer network, which would include a maze or a network of computers. Such a computer network could be a global computer network”.[2]
  • Global take downs are technologically possible: The Court held that whenever any content violates the community standards of the internet intermediary platforms, such content is taken down globally by the platform on its own. Therefore, it observed that it is technologically possible for the platforms to take down content globally on the orders of the competent courts as well.
  • Application of IT Act in extra-territorial jurisdiction: In order to justify the global take down, the Court explained that, “a perusal of Section 75 of the Act shows that the IT Act does have extra territorial application to offences or contraventions committed outside India, so long as the computer system or network is located in India”.[3] Therefore, the Court held that as long as the content has been uploaded from the Computer Resource located in India, Indian courts will be competent to pass the global injunction/ take down orders.
  • Allowing the direct ‘Notice-and-Takedown’ mechanism for the future uploads of the objectionable content: The Court has held that the plaintiffs can approach the intermediaries directly if it finds the publication of the questionable content again on their online platforms in future. However, the Court has provided an option of the counter-notice system for intermediaries, by opting which the intermediaries can refute claims of illegality and shift the onus of proof back on plaintiffs, such that after which the plaintiffs will have to approach the Courts for an appropriate remedy.

Observations: the Loopholes, Unsettled Jurisprudence and the Comment

The Loopholes

It is completely understandable that the Court is favouring the global take-down order to make its injunction orders against global services more effective. Unfortunately, in its broad evaluation of legal feasibility of the global injunction order and technological capabilities of intermediaries to obey the same, the Court missed on considering certain very significant arguments[4]:

  • Use of VPNs another way around: The Court agreed to the plaintiffs’ argument that due to the wide availability of the easy-to-use applications like VPN, the geo-blocking is circumvented. However, it didn’t consider the circumvention in the case other way around, in which the user can upload the content using VPN and other web proxy services, and can further easily fake the IP address to make it look like as if the content is being uploaded from outside India, negating the Court’s jurisdiction. Therefore, global takedown order, even at prima facie, doesn’t seem to be the appropriate remedy.
  • In denial of the principle of international comity and right to information: The cross-jurisdictional defamation laws vary on a large scale. If global takedown was mandated, the platforms will be wary of falling foul of the law in other countries. For eg., if Indian courts mandate the global takedown of the content which is not at all questionable as per the laws of certain countries, the takedown order will be in contravention of the right to information of citizens of that country. Not respecting the laws of other country amounts to the breach of the principle of international comity and conflict of laws.[5]
  • Without due consideration to the rights to free speech and privacy: The Court failed to understand the technicalities that involved in the operation of global take down orders, the intermediary platforms have to start monitoring each and every content that is being uploaded in order to stop the dissemination globally. This will further impose the risk of private censorship on the Internet and affect the right to free speech and privacy of users. The constant and close monitoring has been held as not warranted by law as per various precedents of Indian courts.[6]
  • Shifting away from the law established by the Manila Principles on Intermediary Liability and Shreya Singhal case: The Court has allowed plaintiffs to directly approach the intermediary platforms in case of re-uploading of the objectionable content in future. This is a great shift away from the existing process under Section 79 of the IT Act, 2000 as established by the Supreme Court’s landmark judgment in the Shreya Singhal case, which requires intermediaries to take down or disable the access to the content only in cases of receiving an order from either the government or the Court to do so. The same is considered global best practice according to the Manila Principles on Intermediary Liability.
  • The question of extraterritorial application of the IT Act in the present case: As per the Section 75 of the IT Act 2000, it is clear that the Act applies extra-territorially to certain offences or contraventions committed outside of India if the same is committed using “a computer, computer system or computer network located in India, the contraventions as contemplated under the Act are provided for in Sections 43, 43A, 66A, 66B, 66 66E and Section 66F.” Defamation is not covered in any of these provisions.[7]

Heavy reliance on the unsettled jurisprudence

The Court has heavily relied on certain foreign judgments while reaching the conclusion in its own judgment. The issue with the same is that the jurisprudence around geo-blocking and global injunctions is unsettled and still developing; with the Delhi HC’s order adding more confusion to the same.

The Court has relied on the case of Google Inc. v. Equustek Solutions Inc., which is the living proof of the unsettled jurisprudence.[8] The Supreme Court of Canada ordered Google to de-index listings from its search results in order to provide protection to trade secrets of a subject from Google globally. While, the Supreme Court of Canada upheld a global injunction against Google, the US Court sided with Google ruling that the Canadian order “threatens free speech on the global internet”.

The Court also relied on the case of Eva Glawischnig-Piesczek v. Facebook Ireland Limitedin which the CJEU ordered Facebook and other platforms to remove questionable content, copies of the same and block the access to the same, globally. While emphasizing on the case, the Delhi HC didn’t consider at all the CJEU decision in the case of Google v. CNIL[9], in which it was held that the Google is not required to de-reference listings from its global service, just because the content has been declared to be illegal by an EU member state.

Comment

It is clear that the Delhi HC left a lot to consider before delivering the judgment such that from the complexities of territorial jurisdiction to the difference in nature of cross-jurisdictional laws. In the present case, the Court mainly failed to understand the varying nature of defamation laws across jurisdictions— such that in the UK, the burden of proof is on the defendants to prove that the content is not defamatory, while in the US, a heavy onus of proof is placed on the plaintiff.

The Court also failed to consider certain very important foreign judgments which have specifically highlighted the issue of difference in the nature of law. In Google v. CNIL, CJEU held that the ‘right to be forgotten’ (which was the main issue in the case) has differences in standards for its application and interpretation around the world. Therefore, it agreed that it is enough for Google to block access to the questionable content from the EU domain only. Further, in Bachchan v. India Abroad Publications Inc.[10], the Supreme Court of New York County refused to enforce a defamation judgment awarded by the High Court of Justice in London, England, ruling that it will be a threat to the free speech protections as offered by the First Amendment to the US Constitution.

Unarguably, internet jurisdictions have always been a challenge for the courts and governments. Courts have always been behind the technology in the race and unable to assert absolute jurisdiction. This makes the internet risks become a proverbial ‘wild west’ with no single comprehensive applicable law. The fact that injunction against an intermediary, on a global scale, doesn’t make it necessarily invalid and aggressive. After all, the limited denial of access in the local domain is not protecting the underlying rights at stake; global takedown seems the right method to ensure effectiveness. But all of this is required to be done while mediating the conflicting interests as well as recognizing the protection to certain forms of speech.

As Gautam Bhatia said in the context of Swami Ramdev v. Juggernaut Books last year, “Indian courts seem to increasingly view freedom of speech as a mere annoyance to be brushed aside when confronted with competing claims”. If global take-down orders will become mainstream, the regressive laws on freedom of speech and expression online will become a norm. The Courts and governments, in order to win this ‘hare and tortoise race’, shall not ignore the countervailing arguments in relation to freedom of speech and right to privacy. These rights shall not be considered under-weighed against the values like national integrity, security interests, etc., rather an effort shall be made to strike the balance between both the sides.

The judgment is under challenge now by Facebook before a Division Bench, and the matter is listed for final hearing on January 31, 2020. The Court must set a precedent in the unsettled jurisprudence that will consider the free speech and privacy rights in the world of internet at the intersection of technology and laws such as defamation law.

References:

[1] Para. 87, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[2] Para. 78, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[3] Para. 86, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[4] Apoorva Mandhani, Why Baba Ramdev’s win against Facebook, Google in Delhi HC only adds to judicial confusion, The Print, https://theprint.in/india/governance/judiciary/why-baba-ramdevs-win-against-facebook-google-in-delhi-hc-only-adds-to-judicial-confusion/312403/.

[5] Balu Nair, Delhi HC Gives Expansive Interpretation to Section 79 of IT Act: Issues Global Blocking Order Against Intermediaries, SpicyIP, https://spicyip.com/2019/11/delhi-hc-gives-expansive-interpretation-to-section-79-of-it-act-issues-global-blocking-order.html.

[6] Delhi High Court Approves Take Down of Content Globally, SFLC, https://sflc.in/del-hc-orders-global-take-down-content.

[7] Para 16, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[8] Google Inc. v. Equustek Solutions Inc., Cambridge Core, https://www.cambridge.org/core/journals/american-journal-of-international-law/article/google-inc-v-equustek-solutions-inc/E667668ED944EBE52233E17320478448/core-reader.

[9] Google v. CNIL, CJEU Case C-507/17.

[10] Bachchan v. India Abroad Publications Inc., 154 Misc 2d. 228, 585 N.Y.S.2d 661.

Simplifying FinTech and FinTech Laws: Understanding the ‘Financial Technology’

Note from Author: This post is the first one in the series of ‘Simplifying FinTech and FinTech Laws’. The evolution of finance started almost a century decades ago when the world saw the establishment of Fedwire in the US in 1918. The actual FinTech application was the first mobile payment in 1997 to buy a Coca-Cola from the vending machine. In India, as well, the FinTech has completed almost one and a half-decade, but still, there seems to be little awareness about what the term ‘FinTech’ actually means and what law governs it. The fact that people are not aware of what ‘FinTech’ is and what daily financing applications constitute it is the inspiration of the series of posts. The author is hopeful that these posts will help in simplifying the understanding of FinTech and related laws.

An individual can realize that something has changed when, in the current scenario, he sees that everyone around him is transacting amounts with a click on their mobile phones. Since the time civilization has seen the increasing use of the mobile payment apps like PaytTM, Google Pay etc., financial technology (hereinafter referred to as “fin-tech”) companies, the financial services industry has been turned on its head. Whether you are doing online shopping or just buying groceries from your local grocers, fintech is surrounding us from all sides in 2019.

Financial technology, basically, means the technology that seeks to assist, improve and automate the facilitation, processing and delivery of transactional and financial services. At the core, fintech is being utilized to facilitate corporations, businessmen and customers process their financial operations by operating through curated software and algorithms as used on computers and significantly on computers, eliminating the manual intermediation in the financial industry. Broadly, as stated, the ‘fin-tech’ term can be applied to the number of technological innovations in the processes of transaction business, such as the invention of digital money to double-entry bookkeeping.

Since the digital boom and the incoming of the recent smartphone generation, financial technology has grown exponentially and expansively, in both the manner. Therefore, the fintechs are attracting the attention of various sectors especially customers of banking facilities and investment funds, which have the impression of fintech as the future of the financial services industry. The offline retailers and telcos are also considerably looking fintech as a better alternative to traditional financial services, as financial technology provides them with the speedier and decentralized mode of handling transactions. The extensively large number of activities are raising a flurry of questions regarding the emerging financial topography.

Some several major fin-tech products and services are currently being utilized in the market, some of them are Peer to Peer lending platforms, crowdfunding platforms, distributed ledger technology, Big Data, Mobile Banking Services etc. These fintech options are in operation to facilitate the services of international finance, bringing together the large lenders and borrowers, “seekers and providers” of data and information, providing the centralized or decentralized mode of transactions.

Traditional financing institutions have understood the need to upgrade their services. In pursuance of this, financial institutions are modifying the services by adding the technological innovation, by the way of both retaining the services technology companies or by themselves investing in technological research and development (“R&D”). However, there still exist wide disparities in the practices of traditional banking facilities in India.

Definition of FinTech

As per the Report of the RBI’s Working Group on FinTech and Digital Banking, ‘FinTech’ is an umbrella term which is defined as “technological innovation having a bearing on financial services”.

Further, according to the Financial Stability Board (FSB), of the BIS, “FinTech is technologically enabled financial innovation that could result in new business models, applications, processes, or products with an associated material effect on financial markets and institutions and the provision of financial services”.

These definitions focus on encompassing the broader categories of innovations in the financial sector as facilitated by technologies, irrespective of the kind, business scale and regulatory status of the technologically innovative firm. The width of the FSB’s definition can be gauged while “assessing and anticipating” the expansive development of the financial system, and “the associated risks and opportunities”. Therefore, the key take away from the definition is that FinTech refers to “the integration of technology into offerings by financial services companies in order to improve their use and delivery to consumers”.

FinTech developments or innovations have the potential to facilitate a range of beneficial services, specifically efficient processing and cost-minimizing. Technological advancements are also substantially transforming how people have access to financial services. The investments in the Fintech sector is largely increasing through venture capital funds. The same is estimated at around USD 20 billion.

FinTech products and services

There is no defined scope of FinTech innovations, products and services. The broad nature of the technological advancements in the area of financial services includes some of the most prominent fintech innovations that have produced quite a significant effect on financial markets. Mobile and web-based payments are being used in Payments, Clearing and Settlement as an advancement. Similarly, crowdfunding and peer to peer lending have made deposits, lending, and capital raising more advanced than before. E-trading has made Investment management better. It is worth noting that, Data Analytics and Risk Management in delivering financial services are flexible now as the automation of the process is being carried out by using Big Data and Artificial Intelligence.

Infographic: TrendsFintech2019
Thanks to Ionixxtech.com

Payments, Clearing and Settlement

Fintech products and services in this category are the innovations that focus on the expediency and efficiency of the ‘payments, clearing and settlement’. The innovation in terms of improving the speed of transaction, minimizing the cost and flexing the mode of financial transaction, will bring positive changes to the whole financial services system.

Internet-based payment apps

In general terms, payments services work such that there is a user who gets an account opened in a bank and receive “a payment instrument” (Credit Card, Debit Card, etc.), which is, in consequence, is” linked to the account from the issuing bank to pay merchants online or offline”. Bank merchants are intermediaries that request payment and are obliged to reciprocally share the information of payment with the bank i.e. the financial institution. Banks receive funds while facilitating the transactions for various other financial institutions. Today, all the series of aforementioned processes are being assisted by the Internet. In such transactions, the payments are directly made to the service provider through the fintech services and “integrated payment agency”.

There are two kinds of internet-based payment services, such that the services that are based on mobile applications which merely assist the existing payment infrastructure. For eg. Apple Pay, mPay, GPay etc. which operate over the “existing card payment infrastructure” providing the consumer of services with an ability to use their mobile as their credit cards or debit cards. Then there are other mobile applications or internet websites that provide payment facilities through the “new payment infrastructure”, for eg. “Mobile phone money services such as M-Pesa in Kenya and IMPS in India”.

Digital Currency

A digital form of currencies, basically “digital representations of value”, is “value stored electronically in a device such as a chip card or a hard drive in a personal computer”. Innovative technology in combination with the proliferation of AI and automation, internet availability, and upgrading consumer choices, has expanded the scope of the need for alternative forms of hard currencies or traditional instruments of payment. Digital currency can be defined, in a broad sense only, as something that represents value such that firstly it is an electronic or digital form of money or “government-issued flat currency”. Then subsequently it also covers the virtual currency- an electronic form of the currency that is not a legal tender. These currencies are the tokens or tenders which are developed, controlled and created by certain private developers, with the value being trusted and appreciated in a specific community.

Distributed ledger technology

Distributed ledger technology (“DLT”) is the innovation that provides a wholly secure and safe transaction record, which connects various users in a network duly updated and verified. Each and every transaction is accessible to all the users and hence allow users to have the track record of a transaction, eliminating the chances of fraud and centralization in the transaction. These transactions following the DLT are, in actual sense, peer-to-peer transactions, offering advantages of efficiency and security. As per the World Bank’s report,

“Distributed Ledger Technology refers to a novel and fast-evolving approach to recording and sharing data across multiple data stores (or ledgers). This technology allows for transactions and data to be recorded, shared, and synchronized across a distributed network of different network participants.”

Blockchain technology

Blockchain technology is a form of distributed ledger technology which is constituted of transactions (e.g. cryptographed tokens or securities) stored in units of blocks. Blockchain system works on the model of a distributed ledger to record time-stamped digital transactions that are irreversible and may not be unilaterally altered. The process of recording transactions over the ledger is called mining. A blockchain network has as many nodes as much there are participants in the network. The recorded transaction is broadcasted to all the participating nodes and requires consensus over the authenticity of the transaction from each and every node that is part of the distributed ledger. As per the report of the steering committee on fintech related issues:

“Blockchain is a type of DLT which enables a community of users to record transactions in a distributed (without a central repository) and a decentralized (without a central authority) manner. The transaction records are visible to all the participants of the blockchain network, while being immutable at the same time. Blockchains rely heavily on cryptographic primitives”

Deposits, lending and capital raising avenues

As the currency flow has transformed around us, other kinds of the transaction are also transforming to become expedient and flexible and disintermediating the financial transactions. Alternative finance is becoming a prominent mode of capital raising and financing. As the Medium and Small Scale Enterprises are mushrooming across India, the inability to access adequate finance still exists in our lives as one of the major reasons for the constraint to the growth of SMEs. There is lack of access to the adequate sums as the traditional banks don’t provide finance till the time they satisfy their creditworthiness requirements which require strong collaterals, good asset size and perfect credit history on part of the SMEs and businesses.

The new avenues of financing which exempt the lending from being vitiated by the financial intermediation, are data-driven and facilitated by technology. Popular alternative financing avenues are Crowdfunding and Peer to Peer lending.

Crowdfunding

Crowdfunding is an innovative technology portal which allows its users to connect such that forming the relationship constituting three parties: the entrepreneur or SME firm seeking funds, the contributors looking for investing the project or cause, and the moderator organization that facilitates the engagement between the contributors and initiators. The moderators make it flexible for the contributors to acquire data about the several initiatives at a platform that are seeking the funding opportunities for the development and production of their products and services. Foremost and prominent business models of crowdfunding are rewards-based crowdfunding, donation-based crowdfunding, and equity-based crowdfunding.

“Crowdsourced funding is a means of raising money for a creative project (for instance, music, film, book publication), a benevolent or public-interest cause (for instance, a community based social or co-operative initiative) or a business venture, through small financial contributions from persons who may number in the hundreds or thousands. Those contributions are sought through an online crowd-funding platform, while the offer may also be promoted through social media.”

Peer-to-Peer Lending

Peer-to-Peer (“P2P”) Lending platforms allow individual businesses and, especially, SMEs to finance and borrow amongst themselves. As the credit goes to the updated and developed IT infrastructure, P2P portals provide the options of interest rates lower than the traditional banking institutions. Further, the thin line of distinction between banks and P2P platform providers is that the P2P fintechs are basically “matchmakers”, as the P2P platforms facilitate the networking between lenders and borrowers and in exchange of such a function they charge a fee. As the P2P lenders provide services on a fee based mechanism, they basically doesn’t have to meet the mandatory “capital adequacy requirements”.

In the case of P2P platforms, one cannot expect investor protection through compensation against default as one expects under deposit guarantee schemes in traditional bank deposits. The rising trend of application of P2P platforms in order to secure finance can be gauged from the fact that most of the jurisdictions like Germany and Italy, have already classified P2P portals as banks (as they undertake the task of credit intermediation) and are being regulated as banks.

“P2P lending is a form of crowd-funding used to raise loans which are paid back with interest. It can be defined as the use of an online platform that matches lenders with borrowers in order to provide unsecured loans. The borrower can either be an individual or a legal person requiring a loan. The interest rate may be set by the platform or by mutual agreement between the borrower and the lender.”

All these aforementioned technological innovations potentially can bring many opportunities and challenges. Fintech has the capability to substantially improve the efficiency and diversity of the financial market. The load concentration in traditional banking for minor payments will get minimized and may lead to expedient delivery of services to consumers. As technology advances, it finds a way to make a service or product more user-friendly. Similarly, as Fintech advancing, it is providing an incentive for traditional financing institutions to be competitive and focused on their customers.

 

Recommended Readings:

  1. Anne Sraders, ‘What Is Fintech? Uses and Examples in 2019’, The Street, at https://www.thestreet.com/technology/what-is-fintech-14885154 (last accessed on 15/10/2019).
  2. Julia Kagan, ‘Financial Technology – Fintech’, Investopedia, at https://www.investopedia.com/terms/f/fintech.asp (last accessed on 15/10/2019).
  3. ‘Emerging technologies disrupting the financial sector’, PwC & ASSOCHAM, at https://www.pwc.in/assets/pdfs/consulting/financial-services/fintech/publications/emerging-technologies-disrupting-the-financial-sector.pdf. (last accessed on 12/10/2019).
  4. Report of the Working Group on FinTech and Digital Banking, Reserve Bank of India, at https://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/WGFR68AA1890D7334D8F8F72CC2399A27F4A.PDF (last accessed on 12/10/2019).
  5. Monitoring of Fintech, FSB, at https://www.fsb.org/work-of-the-fsb/policy-development/additional-policy-areas/monitoring-of-fintech/ . (last accessed on 12/10/2019).
  6. The Pulse of Fintech, KPMG, at https://assets.kpmg/content/dam/kpmg/pdf/2016/05/the-pulse-of-fintech.pdf.. (last accessed on 12/10/2019).
  7. Final Report- The Future of Financial Services, World Economic Forum, at http://www3.weforum.org/docs/WEF_The_future__of_financial_services.pdf. (last accessed on 12/10/2019)
  8. Jungho Kang, Mobile payment in Fintech environment: trends, security challenges and service, Human-centric Computing and Information Sciences 8:32, at https://link.springer.com/article/10.1186/s13673-018-0155-4 (last accessed on 12/10/2019)
  9. J W Biggs, Introduction to Digital Currency, Bookdown, at https://bookdown.org/Jack_Biggs/Cryptocurrency/ (last accessed on 12/10/2019).
  10. Fintech Note No.1: Distributed Ledger Technology (DLT) and Blockchain, World Bank Group, at http://documents.worldbank.org/curated/en/177911513714062215/pdf/122140-WP-PUBLIC-Distributed-Ledger-Technology-and-Blockchain-Fintech-Notes.pdf
  11.  Judd Bagley, What is Blockchain Technology? A Step-by-Step Guide For Beginners, BlockGeeks, available at http://atitech.unitbv.ro/documente/docs/Criptografie/04_-_Cryptocurrency_-_What_is_Blockchain_Technology.pdf. (2016).
  12. Discussion Paper, Crwod-sourced Equity Funding, Corporations and Markets Advisory Committee, Australian Government, at https://treasury.gov.au/sites/default/files/2019-03/C2014-054_CSEF-Discussion-Paper.pdf (last accessed on 12/10/2019).
  13. Consultation paper on Crowdfunding in India, SEBI, at https://www.sebi.gov.in/sebi_data/attachdocs/1403005615257.pdf (last accessed on 12/10/2019).
  14. K.S.Ashik & Akshay V, Crowdfunding in Indian Context, JCIL Vol.3 Iss. 8, at http://jcil.lsyndicate.com/wp-content/uploads/2017/08/K.S-Akshay.pdf (last accessed on 12/10/2019).
  15. Consultation paper on Crowdfunding in India, SEBI, at https://www.sebi.gov.in/sebi_data/attachdocs/1403005615257.pdf (last accessed on 12/10/2019).
  16. Eleanor Kirby & Shane Worner, Crowdfunding: An Infant Industry Growing Fast, IOSCO Research Department, at https://www.iosco.org/research/pdf/swp/Crowd-funding-An-Infant-Industry-Growing-Fast.pdf (last accessed on 12/10/2019).
  17. Consultation paper on Peer to Peer Lending, Reserve Bank of India, at https://rbidocs.rbi.org.in/rdocs/content/pdfs/CPERR280416.pdf (last accessed on 12/10/2019).

Summary: Philippines Senator introduces the ‘Anti-False Content Act’ to fight fake news

The article has been authored by Aryan Babele and first published on Medianama. Read https://www.medianama.com/2019/08/223-the-lowdown-the-anti-false-content-act-to-address-fake-news-that-was-introduced-in-the-philippines/

The Senate of the Philippines has announced the introduction of the Anti-False Content Act’ on 1st July 2019. The newly proposed anti-fake news bill, as filed by the Senator President Vicente Sotto III, aims to prohibit “the publication and proliferation of false content on the Philippine internet, providing measures to counteract its effects and prescribing penalties therefor.” The Senator, in the explanatory note to the Bill, said that

“In the Philippines, widespread are headlines that are mere click-baits; made up quotes attributed to prominent figures; and digitally altered photos. Philipinos have fallen prey to believing that most of them are credible news…. In this regard, this bill seeks to protect the public from the deleterious effects of false and deceiving content online.”

However, media groups are warning that the proposed Bill could lead to censorship. On 25th July 2019, the international group Human Rights Watch (HRW) opposed the proposed law citing that the Bill is “sweepingly broad and threatens to stifle discussion on websites worldwide” and “would excessively restrict online freedom of speech”, in a news release. Linda Lakhdir, Asia Legal Adviser at HRW, further said that:

“The proposed ‘false content’ law poses real risks for activists, journalists, academics, and ordinary people expressing their views on the internet”

Declaration of Policy

The proposed Act declares that the policy of the State is “to protect people from any misleading or false information that is being published and has become prevalent on the internet”. In this regard, the State shall commit to:

  1. Be proactive in preventing further exploitation of online media platforms for such purpose;
  2. Counteract its concomitant prejudicial effects to public interest while remaining cognizant of the people’s fundamental rights to freedom of speech and freedom of the press.

What is ‘online intermediary’?

It refers to “a provider of service which displays an index of search results that leads the internet users to a specific online location”, giving them access to “contents originating from third parties”, and “allows them to upload and download content”. It includes but not limited to social-networking sites, search engine services, internet-based messaging services, and video-sharing sites.

What constitutes ‘publication’?

It refers to the “act of uploading content on an online intermediary with an intent to circulate particular information to the public”.

What is ‘fictitious online account or website’?

It refers to those accounts and websites “that has an anonymous author or uses an assumed name in pursuing activities” in order to avoid punishment or legal consequences of such activities.

Counter-active measures

According to the Section 5 of the proposed Act, the Department of Justice (DOJ) Office of Cybercrime shall have the authority to issue a rectification order, a takedown order and/or a block access order to restrain the creation and/or publication of the content online that contains false information or that tend to mislead the public.

Rectification order refers to an order directing the administrator of the online account or website to issue a notice indicating the necessary corrections to published content.

Takedown order refers to an order directing the owner or administrator of the online account or website to take down the published content.

Block Access order refers to an order directing the online intermediary to disable access by users to the published content.

These orders can be issued by the DOJ Office of Cybercrime in two following cases:

  1. When there is a complaint filed to the DOJ Office of Cybercrime by an aggrieved party is valid and has sufficient basis;
  2. In matters affecting the public interest, the same Office can issue the appropriate order on its own volition (motu proporio).

“Public interest shall refer to anything that affects national security, public health, public safety, public order, public confidence in the Government, and international relations of the Philippines.”

Appeal to cancel the order

According to Section 6 of the Bill, the online publisher or online intermediary who has been issued with Orders under Section 5 of the Bill, can appeal against such Order to the Office of the Secretary of the DOJ.

Punishable Acts under the proposed law

According to Section 4 of the Bill, the following acts shall be punishable offences:

  1. Creating and/or publishing content on one’s personal online account or website knowing or having a reasonable belief that the content online that contains false information or tend to mislead the public;
  2. Use of fictitious online account or website for creating and/or publishing the content that contains false information or misleading the public;
  3. Offering or providing one’s service to create and publish content online intentionally to deceive the public, regardless whether it is done for profit or not;
  4. Financing an activity which has for its purpose the creation and/or publication of a content online containing false information or that would tend to mislead the public;
  5. Non-compliance with any of the government’s Takedown orders, Rectification orders or Block Access orders issued under Section 5 of the proposed law, whether deliberate or through negligence.

Penalties

Section 8 of the Bill proposes following stringent penalties for the afore-mentioned punishable offenses such that:

  1. If an individual found guilty of creating and/or publishing the false information online and mislead the public as provided under Section 4(a) of the proposed law, he/she will be punished with imprisonment of up to six years, or fine of not more than PHP 300,000, or both.
  2. If an individual found guilty of using fictitious online account or website to create and/or publish the false information online and mislead the public as provided under Section 4(b), he/she will be punished with imprisonment of up to six years, or fine of not more than PHP 500,000, or both.
  3. If an individual found guilty of offering or providing one’s services to create and/or publish the false information online with the intent to deceive the public as provided under Section 4(c), he/she will be punished with imprisonment of up to six years, or fine of not more than PHP 200,000, or both.
  4. If an individual found guilty of financing an activity as provided under Section 4(d), he/she will be punished with imprisonment of up to twenty years, or fine of not more than PHP 100,000, or both.
  5. If an individual found guilty of not complying with government’s orders as issued under Section 5 of the proposed law, he/she will be punished with imprisonment of up to twenty years, or fine of not more than PHP 200,000, or both.

Jurisdiction of the regional trial courts

Section 9 provides that the regional trial courts will have jurisdiction over Philippine nationals who commit the acts punishable under the proposed law, whether or not they were in the Philippines when the offense was committed.

Law Enforcement Authorities

The Cybercrime Division of the Philippine National Police (PNP) and the National Bureau of Investigation (NBI) will be responsible for the enforcement of the provisions of the Act.

“Cyber Security Bill” of Sri Lanka: S-E Asia moving for enhanced Cyber-Security Framework

The Sri Lankan government has drafted a new ‘Cyber Security Bill’ to protect vital information and essential services from cyber attacks.

The Cyber Security Bill vests into Government the powers to establish a ‘Cyber Security Agency’ and to empower the Sri Lanka Computer Emergency Readiness Team and National Cyber Security Operations Centre, which aim to protect “Critical Information Infrastructure”, which is necessary for the continuous delivery of essential services of the country.

The draft bill awaits the cabinet approval and will be presented thereafter to Parliament, according to the non-cabinet minister of Digital Infrastructure and Information Technology Ajith P. Perera. The minister said that the public opinion will be sought on the proposed Bill in a public consultation forum that would be held on June 6. He also informed that the draft of the comprehensive Data Protection is also completed and would be presented to the cabinet and will be legislated in three months.

Understanding the Sri Lanka’s new “Cyber Security Bill”

The objective of “Cyber Security Bill”

The Bill has been proposed with the objective to provide an essential component that will (i) ensure the effective implementation of the National Cyber Security Strategy in Sri Lanka; (ii) prevent, mitigate and respond to cyber security threats and incidents effectively and efficiently; (iii) establish the Cyber Security Agency to strengthen the institutional framework for cyber security and (iv) protect the Critical Information Infrastructure.

In November 2018, the Government of Sri Lanka introduced the Sri Lanka’s first Information and Cyber Security Strategy to be implemented over a period of five years from 2019 to 2023. It is an institutional framework which aims to create a trusted and resilient cyber security ecosystem enabling Sri Lankan citizens to have access to the safe digital benefits and facilitate a better future.

What is ‘Critical Information Infrastructure’?

“Critical Information Infrastructure” (CII) includes all computers or computer systems located wholly or partly Sri Lanka, those are necessary for the continuous delivery of essential services for the public health, public safety, privacy, economic stability, national security, international stability and for the sustainability and restoration of critical cyberspace. It also includes the computer system of which the disruption or destruction would have a serious impact on the functioning of the government.

Cyber Security Agency of Sri Lanka

  1. Establishing a new Cyber Security Agency

The Bill proposes to establish an agency which will be the “Apex and Executive body” for all matters relating to cyber security policy in Sri Lanka. It will be responsible for the implementation of the National Cyber Security Strategy “including preparation and execution of operational strategies, policies, action plans, programs and projects”.

  1. The Management and Administration of the Agency

The management and administration of the affairs of the agency shall vest in a Board of Directors consisting of Secretary to the Ministry of Defence, Secretary to the Ministry of Public Administration, a member nominated by the Board of Sri Lanka Computer Emergency Readiness Team (SL-CERT), Secretary to the Ministry which is responsible for implementation of the proposed Act and three expert members appointed by the responsible Minister.

  1. Powers and Functions of the Agency

One of its main functions is to identify and recommend the responsible Minister to designate a computer or computer system as CII and further develop strategies and plans for the protection of the CII.

It will act as the central point of contact to all government institutions and other relevant sectors of the country in respect of cyber security measures.

The Agency will ensure effective compliance by requesting the submission of compliance reports from designated CIIs and other government institutions which will include cyber security assessment and information relating to the steps taken to protect the CIIs.

The Agency or any other officer authorized by the Agency, on reasonable grounds, has the power of entry, inspection and search the premises of designated CIIs. It can examine any documents, records and person pertaining to such CIIs.

  1. Information Security Officer (“ISO”)

The Bill provides appointment of an “Information Security Officer” to each public institution or department. Every ISO will ensure the compliance of such institution or department with the prescribed standards relating to cyber security.

The institutional framework to assist the agency

The new Bill also proposes to empower the Sri Lanka Computer Emergency Readiness Team (SL-CERT) and National Cyber Security Operations Centre for the proper implementation of the National Cyber Security Strategy of Sri Lanka (NCSOC).

It provides that SL-CERT will be “the national point of contact for handling cyber security incidents in Sri Lanka” and will assist the Agency. It will do so by providing the national level cyber threat intelligence information and conducting reactive cyber security services to prevent and mitigate the damages of cyber security incidents.

Further, the responsible Minister with the concurrence of the Agency will designate the CERT or any institution as the new NCSOC. The NCSOC will monitor the designated CIIs, identify potential cyber security incidents, gather cyber threat intelligence information and provide such information to law enforcement authorities, CERT and to the Agency. It will assist the Agency to facilitate coordinated response to prevent, detect, and investigate cyber security incidents.

The owner of CII

The designated CII may be public institutions (as owned or operated by the government) or other institutions. The head of the organization responsible as the CII will be deemed as “owner” of the CII. It is responsibility of owner of the CII to take all necessary steps to protect CII as prescribed in the Bill. This includes conducting security assessments, implementation of the protection plan and notifying the Agency and CERT of the occurrence of any cyber security incident with respect to the CII. If the CII is constituted by multiple organization or multiple sectors, all the heads of such organizations or sectors shall become jointly and severally responsible for protection of the CII.

Offences and Penalties

Every CII owner, who fails to fulfil obligations as prescribed under the proposed Act, without any reasonable cause, and fails to report cyber security incidents to the Agency and CERT, will commit an offence and shall on conviction be liable to pay a fine not exceeding Rs 200,000 or to imprisonment for a term not exceeding two years or to both such fine and imprisonment.

ISO can be held as guilty of the offence if it fails to perform its duties and responsibilities relating to cyber security incidents under the proposed Act. Further, the Bill also provides that every person, who being a head of an institution, if fails to facilitate ISO, shall commit an offence. However, such ISO or person will not be guilty of the offence if it was committed without his knowledge or that he exercised all due diligence with respect to prevent the commission of such offence.

Prosecution under the proposed Act can only be instituted by the Agency or an officer authorized by the Agency.

Other powers of the Minister

“Minister”, as referred in the proposed Act, means “the Minister assigned the subjects and functions relating to cyber security”. The Minister has the power to give general or special directions to the Agency, from time to time, to ensure the effective compliance to the Government policy. He has the power to make regulations, with the concurrence of the Agency, in respect of the matters prescribed in the Act.