Comments on the NITI Aayog’s draft ‘Guiding Principles’ for the ‘Regulation of Online Fantasy Sports Platforms in India’

On 5th December 2020, NITI Aayog released a draft for discussion titled ‘Guiding Principles for the Uniform National-Level Regulation of Online Fantasy Sports Platforms in India’ (“Draft Report”), seeking comments from different stakeholders of fantasy sports industry. The Draft report hits two birds with one stone; firstly, it proposes to establish a single Self-Regulatory Organization (SRO) for Online Fantasy Sports Platforms (OFSP) so as to enable ‘light touch’ regulatory framework, secondly, these guidelines also act as a ‘regulatory sandbox’ for OFSP.  

A brief summary of our submission to NITI Aayog with comments, concerns and recommendations in relation to the Draft Report are as follows: 

Recognition for all categories of “pay-to-play” online games

Apart from online fantasy sports, there are many other pay-to-play format of online games like rummy, cricket simulation etc. that are offered using the same digital interface through which they offer online fantasy sports contests. For instance, Paytm First Games and Mobile Premier League, to name a few. We have raised the concern that governing only OFSP could result in complex situation for online gaming industry in general and such all-in-one online gaming platforms in particular. We recommend that by virtue of these guidelines all “pay-to-play” formats of online games should be recognised.

Specify definition and extent of the term ‘fantasy sports’

The Draft Report neither defines the term neither ‘fantasy sports’ nor enlists activities that might constitute the same under the proposed framework. The framework proposes that “all formats” of fantasy sports offered by OFSP must be skill-predominant. There is no clarity whether ‘free to play’ formats, which doesn’t involve any stake of players and are risk-free, are also required to be game of skill. In our comments, we have formulated an element-wise definition of ‘fantasy sports’ wherein we have specifically pleaded that the definition should exclude free to play format specifically from the definition of fantasy sports.

The proposed framework requires a platform to take approval from SRO if offering a fantasy format different from judicially determined game of skill. There are three HCs which have analysed the Dream 11’s format as game of skill and no definitive criteria have been laid down by any of them for determining whether a fantasy format is game of skill or not. Therefore, we believe that ‘judicially determined’ format of fantasy sports is subjective and the framework should itself provide objective test in the Draft Report itself.   

Uniform and diverse representation in the SRO

The Draft Report prescribes that only a fantasy sports industry body, which have as members OFSPs with registered user base, in aggregate, equivalent to at least 66 percent of registered users of online fantasy sports in India, could be recognised as SRO by the Government. This is an absurd eligibility criterion as the concentration of users is not uniform across OFSPs. In such a scenario, there is a risk of disadvantage to the interests of OFSPs with small user base.

The proposed model of membership of SRO leaves aside many other participants of the fantasy sports industry like advertisers, payment service providers, consumer bodies etc. We recommend that the eligibility criterion for recognition of an industry body as SRO must be based on diversity and number of members rather than the strength of user base of its members. This will lead to a holistic and pervasive regulatory framework.

Requirement of minimum safeguards in the organizational framework of SRO

Three internal bodies have been envisaged within the proposed SRO: an independent oversight board, a grievance redressal mechanism and an evaluation committee. We recommend that a governing body, in addition to the internal bodies, must be constituted. Further, basic principles and minimum safeguards must be incorporated in the framework to ensure independence of oversight board, transparency in working of grievance redressal body and evaluation committee, etc.

Clarity on how safe-harbour exemption will be implemented

The guiding principles proposed in the Draft Report grant safe-harbour exemption or a criminal immunity to all the member-OFSPs of the SRO. As “gambling and betting” is a subject of the state list, it is recommended that a clarificatory note be released by the NITI that fantasy sports be construed as a class apart from gambling rather than exception. In short, fantasy sports should be governed by the Union using its residuary powers under Entry 97 of List I.

(Authored by Eukti Garg, Volunteer-Researcher at LawforIT, with inputs from Aryan Babele)

Let us talk about E-Contracts (I): Electronic agents and conclusion of online contracts

The advancements in the internet as means of facilitating contract formation does not, at first read, present a situation different from that applicable to a facsimile or telex. An e-contract can be created either via the exchange of e-mails or by the completion of a document as a website which is submitted to another party electronically. While it is true that to the great extent that e-contracts are modernised methods of contract formation but they don’t require any particular changes to the law. Still, there are some particular issues arising from their electronic form. This post will discuss the international instruments that provide legal recognition to e-contracts and very advanced facets of it.

A contract is concluded if the parties intend to be legally bound, and they reach a sufficient agreement. Conclusion of contract with offer and acceptance. A contract can be concluded by the acceptance of an offer.

There are various ways to conclude e-contracts. The significant and interesting ones are as follows:

Forming contracts via electronic communications (such as e-mails)

The simplest e-contract is concluded by the exchange of text documents via electronic communications, such as e-mail. Offers and acceptances can be exchanged totally by e-mails, or can be combined with paper documents, faxes, telephonic discussions, etc.

Acceptance of orders placed on online marketplaces

The vendor/ supplier can offer goods or services (such as air tickets, software, etc.) through his website. The vendee, in such cases, places an order by completing and transmitting the order form provided on the website. The merchandise may be physically delivered later (e.g., in case of outfits, CDS, books, etc) or be immediately delivered electronically (e.g., in case of e-tickets, software, etc).

Online agreements

In some cases, users are required to accept an online agreement in order to be able to avail the services e.g. clicking on ‘I agree’ while installing software or clicking on ‘I agree’ while signing up for an e-mail account.

The electronic data interchange (EDI)

It is the inter-process of communication of business information in a standardised electronic form. That is, they are contracts used in trade transactions which enable the transfer of data from one computer to another in such a way that each transaction in the trading cycle (for example, commencing from the receipt of an order from an overseas buyer, through the preparation and lodgment of export and other official documents, leading eventually to the shipment of the goods) can be processed with virtually no paperwork. In this case, the data is formatted by means of standard protocols, so that it can be implemented directly by the receiving computer. EDI is, frequently, used to transmit standard purchase orders, acceptances, invoices, and other records, and thus, reduces paperwork and the potential for human errors. In this type of contracts, in contrast to the above methods, there is an exchange of information and completion of contracts between two computers and not an individual and a computer.

Through electronic agents/ bots

It is possible for computer users to instruct the computer to carry out transactions robotically. For instance, in today’s supermarket, the computer updates its inventory as items are scanned for sale. When the stock of an item falls to a predetermined level, the computer is programmed, without human involvement, to contact the computer of the supplier and place an order for replacement stock. The supplier’s computer, exclusive of human intervention, accepts the order and the next morning automatically prints out worksheets and delivery sheets for the supply and transport staff.

These electronic agents are programmed by and with the authority of the purchaser and supplier. The legal status of electronic agents has not been clarified by the courts, but the most common view is that like any other piece of equipment under the control of the owner, the owner accepts responsibility. A computer is a tool programmed by or with a person’s authority to put into operation their intention to make or accept contractual offers.

According to Russell and Norving, ‘An agent is anything that can be viewed as perceiving its environment through sensors and acting upon that environment through effectors. A human agent has eyes, ears, and other organs for sensors, and hands, legs, mouth, and other body parts for effectors. A robotic agent substitutes cameras and infrared range finders for the sensors and various motors for the effectors. A software agent has encoded bit strings as its percepts and actions.’

Such electronic agents and devices have features which facilitate humans in their normal interaction and functions, such as, intelligence, autonomy and pro-activeness. The idea of having intelligent systems—to assist human beings with routine tasks, to shift through an enormous amount of information available to a user and select only that which is relevant—is not novel and a lot of work and results have already been achieved in the field of artificial intelligence (‘AI’).

Legal recognition of electronic agents

The E-COMMERCE DIRECTIVE 2000/31/EC of The European Parliament and of the Council of 8 June 2000 does not take in hand the issue of automated transaction made through electronic agents. The explanatory notes of the proposal of the Ecommerce Directive state that the Member States should refrain from preventing the use of certain electronic systems such as intelligent electronic agents for making a contract. But, the final version makes no reference to electronic agents in the main text or in the recital. The deletion of the proposed text furnishes a sign of the EU’s failure to respond to the tremendous growth of e-commerce. It is also not in consonance with the preamble to the Directive, which states that the purpose of the Directive is to stimulate economic growth, competitiveness and investment by removing many legal obstacles to the internal market in online provision of electronic commerce services. However, the exclusion of the provision giving legal recognition to electronic agents is a step backwards and a failure to recognise the role of electronic agents in fostering the development of e-commerce such as lower transaction costs, facilitate technology and adherence to international conventions.

The United Nations Convention on the Use of Electronic Communications in International Contracts 2005 (hereinafter referred to as the ‘UNCUECIC’) contains provisions dealing with issues such as determining a party’s location in an electronic environment; the time and place of dispatch and receipt of electronic communications and the use of automated message systems for contract formation. Art.12 of the UNCUECIC, which deals with the use of automated message systems for contract formation, states, ‘A contract formed by the interaction of an automated message system and a natural person, or by the interaction of automated message systems, shall not be denied validity or enforceability on the sole ground that no natural person reviewed or intervened in each of the individual actions carried out by the automated message systems or the resulting contract.’ The objective behind the adoption of the uniform rules was to remove obstacles to the use of electronic communications in international contracts, including obstacles that might result from the operation of existing international trade law instruments, and to enhance legal certainty and commercial predictability for international contracts and help States gain access to modern trade routes.

In the USA, the Uniform Electronic Transactions Act, 1999 (UETA) expressly recognises that an electronic agent may operate autonomously, and contemplates contracts formed through the interaction of electronic agents and those formed by the interaction of electronic agents and individuals.

Section 14 of the UETA reads as follows:

In an automated transaction, the following rules apply:

(1) A contract may be formed by the interaction of electronic agents of the parties, even if no individual was aware of or reviewed the electronic agents’ actions or the resulting terms and agreements.

(2) A contract may be formed by the interaction of an electronic agent and an individual, acting on the individual’s own behalf or for another person, including by an interaction in which the individual performs actions that the individual is free to refuse to perform and which the individual knows or has reason to know will cause the electronic agent to complete the transaction or performance.

(3) The terms of the contract are determined by the substantive law applicable to it.

Section 14 of the UETA, which is based upon Article 11 of the UNICTRAL Model Law on Electronic Commerce, deals with ‘automated transaction’. This Section states that contracts can be formed by machines functioning as ‘electronic agents’ for parties to a transaction. It wipes out any claim that lack of human intent, at the time of contract formation, prevents contract formation. When machines are involved, the requirement of intention flows from the programming and use of the machine. It is quite evident that the main purpose of this provision of the UETA is to remove barriers to electronic transactions while leaving the substantive law, e.g., law of mistake, law of contract formation, unaffected to the greatest extent possible. Also, the Uniform Computer Information Transaction Act (UCITA) also has provisions supporting the ability of electronic agents to make binding contracts.

Recommended Readings

  • Wooldridge & Jennings, ‘Intelligent Agents: Theory and Practice’, Knowledge Engineering Review, (June 1995) Vol. 10 No. 2, Cambridge University Press (1995).
  • Alan Davidson, The Law of Electronic Commerce, Cambridge University Press, (2009).
  • R K Singh, Law Relating To Electronic Contracts (2017)

Simplifying FinTech and FinTech Laws: Key Takeaways for Indian FinTech Industry

The significant advancements in Fintech are directly impacting on the traditional financial sector. The regulators had to be cautious in order to not miss the train and should jump on the wagon of promoting financial innovation and stiff competition in the sector. The newcomers in the sector should be provided certain leniency in form of exemptions from a number of strict compliances which are used to curb the malpractices of the big corporations, for the sake of promoting competition in the market. This post is dealing with key takeaways from reports of different regulators’ committees in India. This is the last post in the series of ‘Simplifying FinTech and FinTech Laws’.

Fintech charged firms and businesses must work in tandem with the regulated entities, e.g. banks and regulated finance providers. The businesses that a bank can undertake are provided under Section 6 of the Banking Regulation Act, 1949 and there is no business outside Section 6 that can operate as the bank. Such provisions, therefore, incentivize banking companies to make fintech innovations in a narrower scope relevant to their operations. The archaic laws make it difficult for banks to undertake fintech innovations that can be of significant utility but are beyond the scope of financial regulation.

The Watal Committee Report noted this, that:

“The current law does not impose any obligation on authorised payment systems to provide open access to all PSPs. This has led to a situation where access to payment systems by new non-bank payments service providers, including FinTech firms, is restricted. Most of them can access payment systems only through the banks, which are also their competitors in the payments service industry. This, according to the Committee, has restricted the fast-paced expansion of digital payments in India by hindering competition from technology firms.”

Forming a comprehensive and non-discriminatory regulatory approach

Regulators and legislators are required to realign their legal approach to the Fintech services. There is a requirement of developing a deeper understanding of various Fintech services and their interaction in a financial environment with other fintech services. To provide the fintech space to work utmost to its potential, it is needed that it gets a level playing field in relation to the traditional banking and non-banking players. The practise of restricting the access of non-bank institutions to payment infrastructure, such as AEPS, has to be reevaluated and the proper steps to be taken. It is required from the end of Government and Regulatory bodies that they should adopt necessary measures in order to provide accessibility to national payment infrastructure and facilities to all fintech firms without any discrimination.

Providing Standards for Data Protection and Privacy

All the fintech companies are required to invest significantly in self-regulating policies to prevent privacy risks. Fintech companies should be provided with the standards of data protection as soon as possible by government and regulators. It is evident that the provisions of the Personal Data Protection Bill, 2019 can significantly affect the growth of Fintech companies. Therefore, the standards adopted for fintech companies by regulators should be reviewed with respect to data protection and privacy concerns. The government and regulators specific to finance of the country should start focusing on the valuation of data that is processed by banking companies and recommend practices to safeguard consumer interests.

Open Data principles should govern the financial sector in order to enhance Competition

The regulators should pay heed to the open data policy among participants of a fintech sector. The regulators should begin with the mandatory norms directing financial service companies to encourage banking institutions to enable participants to access the databases of their rejected credit applications on a specific platform on a consensual basis. The practice of the UK with respect to Open Data Regulations in Banking can be adopted, where banking institutions on the basis of consent framework allow data to be available to banking partners in order to foster competition. Even the RBI Steering Committee on Fintech recommended:

“It also recommends that all financial sector regulators study the potential of open data access among their respective regulated entities, for enhancing competition in the provision of financial services.”

The KYC process should be reformed with respect to the Supreme Court’s Judgment on Aadhaar’s validity

Fintech businesses are the most affected entities due to the striking down of Section 57 of the Aadhaar Act as it invalidated the online KYC process. The online KYC and authentication provided the required efficiency and convenience to fintech firms with respect to their endeavours of on-boarding as many as consumers on their digital platform. It is recommended that alternatives to the mandatory linking to Aadhaar should be adopted in the form of possible video-based KYC, such that the documents as verified must be protected and processed with the prior consent of the consumer.

Other key recommendations

1. It is recommended that the adequate cybersecurity, anti-money laundering and fraud control measures should be adopted by investing in technologies and guidelines that can prevent fraud.

2. Technical innovations should be monitored with respect to the potential risk that innovation carries in operation under the contemporaneous legal landscape of the country.

3. A self-regulatory body to facilitate the needs of fintech is much needed as for the RBI it is still turning out to be difficult to replace the existing regulatory structure. A regulatory mechanism allowing the broader participative consultation approach should be adopted.

4. Regulators should invest in Reg-Tech (“Reg Tech is a sub-set of FinTech that focuses on technologies that facilitate the delivery of regulatory requirements more efficiently and effectively than existing capabilities. In July 2015 the FCA issued a call for input entitled ‘Supporting the development and adoption of Reg Tech’.”)

5. The majority of economies have adopted the practice of setting up of the regulatory sandboxes catalyzing the fintech innovations. It is recommended that RBI should continue with the introduction of the mechanisms, like regulatory sandboxes, enabling the adaptation of regulatory initiatives which will play a key role in maintaining India’s competitive edge.

Delhi HC has expanded the scope of injunction orders in Internet jurisdiction: Geo-blocking to Global-blocking in IT law

This post has borrowed extensively from an earlier blog-publication by Aryan Babele on Tech Law Forum @ NALSAR.

On 23rd October 2019, the Delhi HC has delivered an impactful judgment authorizing Indian courts to issue “global takedown” orders to Internet intermediary platforms like Facebook, Google and Twitter against illegal content as uploaded, published and shared by their users. The Delhi HC delivered the judgment on the plea filed by Baba Ramdev and Patanjali Ayurved Ltd. requesting the global takedown of certain videos which are defamatory in nature.

The Court passed the order in the context of its observation that there is a ‘hare and tortoise race’ between technology and law such that the ‘technology gallops, the law tries to keep pace’. Such observation reflects that the Court’s intention is to interpret IT law in the manner which will ensure the effective implementation of the judicial orders throughout the internet jurisdiction and mitigate the circumvention of such orders by use of the advanced technology.

However, the Court’s order is attracting criticism globally from several internet-freedom activists. It seems that the Court has made a hasty attempt to win the ‘hare and tortoise race’ and has missed on considering the far-reaching implications of it on the IT law jurisprudence and conflict of law provisions. This article aims to analyze and indicate the significant points in the Delhi HC’s judgment, which the Court lacked in considering while relying on the unsettled jurisprudence of global injunction orders.

Background- The case of Swami Ramdev v. Facebook

In Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC], Swami Ramdev (a prominent yoga guru and public figure) filed a case before the Court against Facebook, Google, YouTube and Twitter, inter-alia, praying for the global take down of defamatory contents (videos) as uploaded, published and shared by users of these intermediary platforms.

The given case stems out of the publication of videos on defendants’ platforms, which are based on those particular offending portions of the book titled “Godman to Tycoon: The Untold Story of Baba Ramdev’ by Priyanka Pathak Narain, which are already undergoing an ad-interim injunction as granted by the Court in Swami Ramdev v. Juggernaut Books [CM (M) 556/2018] in May 2018.

Subsequently, in January 2019, the Court passed an interim injunction against the defendants’ platforms to disable access to the offending URLs and weblinks for the Indian domain as per Section 79 of the Information Technology Act, 2000, [hereinafter referred as IT Act 2000] i.e. ordered geo-blocking.

However, the plaintiff argued that the geo-blocking is an ineffective solution as the objectionable content is widely available on the global internet and internet users in India can still access such content using VPNs and other such mechanisms. Therefore, the only effective remedy, according to the submission of plaintiff, is to issue a global blocking order.

Internet intermediaries have contended against such a global take down mechanism as it poses a number of technical and legal difficulties for them. Firstly, cross-jurisdictional laws vary in standards for determining defamation, and hence disabling access globally will breach the principles of international comity. Secondly, in order to globally disable access to the content, the intermediary platforms have to monitor every upload on their platforms which is technically difficult and legally wrong.

The Delhi HC’s Judgment

The Court agreeing with the plaintiffs’ submission went on to held that the online intermediary platforms can be ordered to take down content globally by a competent court in India, as the content is published on their global services. It observed that the complete removal is needed because there are easy –to-use technology applications available widely that helps local users in circumventing the geo-blocking and render the take-down order useless. Therefore, an absolute removal globally is an absolute remedy, as per the Court’s observations.[1]

Further, the following directions, hereby in brief, have been put forth by the Court to support its order:

  • The Court broadened the interpretation of Shreya Singhal v. Union of India: As per the Court, Section 79 of the IT Act 2000 provides that in order to avail the safe-harbor immunity, “intermediaries have to take down and disable access to the offending material residing in or connected to a computer resource in India”. It interpreted the definition of ‘Computer Resource’ as given in the IT Act, such that the “Computer Resource” as per the judgment “encompasses within itself a computer network, which would include a maze or a network of computers. Such a computer network could be a global computer network”.[2]
  • Global take downs are technologically possible: The Court held that whenever any content violates the community standards of the internet intermediary platforms, such content is taken down globally by the platform on its own. Therefore, it observed that it is technologically possible for the platforms to take down content globally on the orders of the competent courts as well.
  • Application of IT Act in extra-territorial jurisdiction: In order to justify the global take down, the Court explained that, “a perusal of Section 75 of the Act shows that the IT Act does have extra territorial application to offences or contraventions committed outside India, so long as the computer system or network is located in India”.[3] Therefore, the Court held that as long as the content has been uploaded from the Computer Resource located in India, Indian courts will be competent to pass the global injunction/ take down orders.
  • Allowing the direct ‘Notice-and-Takedown’ mechanism for the future uploads of the objectionable content: The Court has held that the plaintiffs can approach the intermediaries directly if it finds the publication of the questionable content again on their online platforms in future. However, the Court has provided an option of the counter-notice system for intermediaries, by opting which the intermediaries can refute claims of illegality and shift the onus of proof back on plaintiffs, such that after which the plaintiffs will have to approach the Courts for an appropriate remedy.

Observations: the Loopholes, Unsettled Jurisprudence and the Comment

The Loopholes

It is completely understandable that the Court is favouring the global take-down order to make its injunction orders against global services more effective. Unfortunately, in its broad evaluation of legal feasibility of the global injunction order and technological capabilities of intermediaries to obey the same, the Court missed on considering certain very significant arguments[4]:

  • Use of VPNs another way around: The Court agreed to the plaintiffs’ argument that due to the wide availability of the easy-to-use applications like VPN, the geo-blocking is circumvented. However, it didn’t consider the circumvention in the case other way around, in which the user can upload the content using VPN and other web proxy services, and can further easily fake the IP address to make it look like as if the content is being uploaded from outside India, negating the Court’s jurisdiction. Therefore, global takedown order, even at prima facie, doesn’t seem to be the appropriate remedy.
  • In denial of the principle of international comity and right to information: The cross-jurisdictional defamation laws vary on a large scale. If global takedown was mandated, the platforms will be wary of falling foul of the law in other countries. For eg., if Indian courts mandate the global takedown of the content which is not at all questionable as per the laws of certain countries, the takedown order will be in contravention of the right to information of citizens of that country. Not respecting the laws of other country amounts to the breach of the principle of international comity and conflict of laws.[5]
  • Without due consideration to the rights to free speech and privacy: The Court failed to understand the technicalities that involved in the operation of global take down orders, the intermediary platforms have to start monitoring each and every content that is being uploaded in order to stop the dissemination globally. This will further impose the risk of private censorship on the Internet and affect the right to free speech and privacy of users. The constant and close monitoring has been held as not warranted by law as per various precedents of Indian courts.[6]
  • Shifting away from the law established by the Manila Principles on Intermediary Liability and Shreya Singhal case: The Court has allowed plaintiffs to directly approach the intermediary platforms in case of re-uploading of the objectionable content in future. This is a great shift away from the existing process under Section 79 of the IT Act, 2000 as established by the Supreme Court’s landmark judgment in the Shreya Singhal case, which requires intermediaries to take down or disable the access to the content only in cases of receiving an order from either the government or the Court to do so. The same is considered global best practice according to the Manila Principles on Intermediary Liability.
  • The question of extraterritorial application of the IT Act in the present case: As per the Section 75 of the IT Act 2000, it is clear that the Act applies extra-territorially to certain offences or contraventions committed outside of India if the same is committed using “a computer, computer system or computer network located in India, the contraventions as contemplated under the Act are provided for in Sections 43, 43A, 66A, 66B, 66 66E and Section 66F.” Defamation is not covered in any of these provisions.[7]

Heavy reliance on the unsettled jurisprudence

The Court has heavily relied on certain foreign judgments while reaching the conclusion in its own judgment. The issue with the same is that the jurisprudence around geo-blocking and global injunctions is unsettled and still developing; with the Delhi HC’s order adding more confusion to the same.

The Court has relied on the case of Google Inc. v. Equustek Solutions Inc., which is the living proof of the unsettled jurisprudence.[8] The Supreme Court of Canada ordered Google to de-index listings from its search results in order to provide protection to trade secrets of a subject from Google globally. While, the Supreme Court of Canada upheld a global injunction against Google, the US Court sided with Google ruling that the Canadian order “threatens free speech on the global internet”.

The Court also relied on the case of Eva Glawischnig-Piesczek v. Facebook Ireland Limitedin which the CJEU ordered Facebook and other platforms to remove questionable content, copies of the same and block the access to the same, globally. While emphasizing on the case, the Delhi HC didn’t consider at all the CJEU decision in the case of Google v. CNIL[9], in which it was held that the Google is not required to de-reference listings from its global service, just because the content has been declared to be illegal by an EU member state.

Comment

It is clear that the Delhi HC left a lot to consider before delivering the judgment such that from the complexities of territorial jurisdiction to the difference in nature of cross-jurisdictional laws. In the present case, the Court mainly failed to understand the varying nature of defamation laws across jurisdictions— such that in the UK, the burden of proof is on the defendants to prove that the content is not defamatory, while in the US, a heavy onus of proof is placed on the plaintiff.

The Court also failed to consider certain very important foreign judgments which have specifically highlighted the issue of difference in the nature of law. In Google v. CNIL, CJEU held that the ‘right to be forgotten’ (which was the main issue in the case) has differences in standards for its application and interpretation around the world. Therefore, it agreed that it is enough for Google to block access to the questionable content from the EU domain only. Further, in Bachchan v. India Abroad Publications Inc.[10], the Supreme Court of New York County refused to enforce a defamation judgment awarded by the High Court of Justice in London, England, ruling that it will be a threat to the free speech protections as offered by the First Amendment to the US Constitution.

Unarguably, internet jurisdictions have always been a challenge for the courts and governments. Courts have always been behind the technology in the race and unable to assert absolute jurisdiction. This makes the internet risks become a proverbial ‘wild west’ with no single comprehensive applicable law. The fact that injunction against an intermediary, on a global scale, doesn’t make it necessarily invalid and aggressive. After all, the limited denial of access in the local domain is not protecting the underlying rights at stake; global takedown seems the right method to ensure effectiveness. But all of this is required to be done while mediating the conflicting interests as well as recognizing the protection to certain forms of speech.

As Gautam Bhatia said in the context of Swami Ramdev v. Juggernaut Books last year, “Indian courts seem to increasingly view freedom of speech as a mere annoyance to be brushed aside when confronted with competing claims”. If global take-down orders will become mainstream, the regressive laws on freedom of speech and expression online will become a norm. The Courts and governments, in order to win this ‘hare and tortoise race’, shall not ignore the countervailing arguments in relation to freedom of speech and right to privacy. These rights shall not be considered under-weighed against the values like national integrity, security interests, etc., rather an effort shall be made to strike the balance between both the sides.

The judgment is under challenge now by Facebook before a Division Bench, and the matter is listed for final hearing on January 31, 2020. The Court must set a precedent in the unsettled jurisprudence that will consider the free speech and privacy rights in the world of internet at the intersection of technology and laws such as defamation law.

References:

[1] Para. 87, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[2] Para. 78, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[3] Para. 86, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[4] Apoorva Mandhani, Why Baba Ramdev’s win against Facebook, Google in Delhi HC only adds to judicial confusion, The Print, https://theprint.in/india/governance/judiciary/why-baba-ramdevs-win-against-facebook-google-in-delhi-hc-only-adds-to-judicial-confusion/312403/.

[5] Balu Nair, Delhi HC Gives Expansive Interpretation to Section 79 of IT Act: Issues Global Blocking Order Against Intermediaries, SpicyIP, https://spicyip.com/2019/11/delhi-hc-gives-expansive-interpretation-to-section-79-of-it-act-issues-global-blocking-order.html.

[6] Delhi High Court Approves Take Down of Content Globally, SFLC, https://sflc.in/del-hc-orders-global-take-down-content.

[7] Para 16, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[8] Google Inc. v. Equustek Solutions Inc., Cambridge Core, https://www.cambridge.org/core/journals/american-journal-of-international-law/article/google-inc-v-equustek-solutions-inc/E667668ED944EBE52233E17320478448/core-reader.

[9] Google v. CNIL, CJEU Case C-507/17.

[10] Bachchan v. India Abroad Publications Inc., 154 Misc 2d. 228, 585 N.Y.S.2d 661.

S-E Asia gearing up for Data Protection: Sri Lankan Framework on Data Protection Legislation

The Sri Lankan Ministry of Digital Infrastructure and Information Technology introduced the framework for the proposed Personal Data Protection Bill on June 12, 2019. ‘Data Protection Legislation’ is an important public policy consideration for the Sri Lankan government in the context of “digital transformation taking place in Sri Lanka with government agencies, Banks, Telco’s, ISPs and private sector collecting personal data via the Internet,” according to the official press release. It is also important as “the Right to Information Act (2016) is currently being implemented in Sri Lanka, pursuant to Article 14A of the Constitution, where the right to privacy is an exception”.

To draft the legislation, the Drafting Committee looked at international best practices, such as the EU General Data Protection Regulation as well as the laws enacted in other jurisdictions, “such as Australia, Singapore and the Indian Draft Legislation”.

The Framework has been introduced for the stakeholder comments and will now be subjected to an Independent Review Committee.

The objective of the Framework

As per the Preamble, the Framework aims to:

  1. Protect the personal information while ensuring the rights of natural persons with regard to the processing of such information
  2. Improve consumer confidence and ensure the growth of digital democracy and innovation and promote both the protection of personal data and its use in Sri Lanka while respecting domestic laws and regulations and international standards
  3. Enable the Government to regulate the processing of personal data and to ensure confidence in the privacy and security of online transactions and information networks and actively participate in an information-driven global economy
  4. Improve interoperability among privacy frameworks as well as strengthen cross-border co-operation among enforcement authorities and provide clear guidance and direction to entities located or operational in Sri Lanka on generic data protection issues and their impact.

What is ‘Personal Data’?

‘Personal Data’ means any information whether true or not, relating to an identified or identifiable natural person, that is, data subject.

‘Personal Data Breach’ means any act or omission that consequently results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data of the data subject.

What are ‘Special Categories of Data’?

Any personal data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, financial data, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning natural person’s sex life or sexual orientation, personal data relating to offence, criminal proceedings and convictions, personal data relating to a child” and any other personal data that the Minister may determine upon the recommendation of the Data Protection Authority (DPA) as established  from time to time by Regulation in accordance with the proposed Framework.

What is the ‘Data Protection Authority’ (DPA)?

Part VII of the Framework provides for the establishment of the Data Protection Authority (the “Authority”)  of Sri Lanka. It will be the apex body for all matters related to data protection and for implementation of the proposed Act. It will be responsible for maintaining the Register of controllers, and giving directions, issuing guidelines and undertaking training for controllers.

Following are certain significant powers vested with the Authority, inter alia:

  1. To enforce its orders or determinations made under this Act against a controller
    or processor through prosecution;
  2. Data Protection Authority has power and has a duty to prosecute for the offences
    under this Act;
  3. The Authority may carry out periodic audits in relation to any processing activity carried out by a controller or processor to ensure compliance with this Act.

“For the purpose of investigating into a complaint received by the Authority,

holding an inquiry in relation to an appeal or making an order under section 38:

  1. require any person to appear before it;

  2. examine such person under oath or affirmation and require such person where necessary to produce any information related to processing

  3. to inspect any information strictly related to the processing in question that is held or controlled by a controller or processor by an officer authorized on that behalf by the Authority. In any event, such officer shall be a senior staff member of the Authority having relevant expertise to conduct such inspection.

  4. make a determination in accordance with the provisions of this act with due consideration of the information available to it.”

Application of the proposed legislation

Part I says that the proposed legislation applies to the processing of data that will take place:

  1. wholly or partly within Sri Lanka; or
  2. by a controller or processor which is resident, incorporated or subjected under Sri Lankan law, or a controller or processor which is offering “goods/services to data subjects in Sri Lanka”, or “who monitors the behaviour of data subjects in Sri Lanka including profiling in so far as such behaviour takes place in Sri Lanka”.

However, the provisions will not apply to the processing of data that is for “purely personal or household purposes” or when the data is anonymised. Also, it will not apply to the processing of data which is done by any government department, provincial council or any other regulatory body for lawful purposes.

Data Protection Principles

Part II of the proposed legislation provides that processing and controlling of data will be lawful only when it is done in accordance with the following principles:

  1. Personal data shall be processed lawfully, fairly and in a transparent manner;
  2. Personal data shall be collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with the said purposes;
  3. Processing shall be adequate, relevant, necessary, proportionate to the purposes for which the personal data is processed;
  4. The controller shall ensure that personal data that is processed is accurate and, where necessary, kept up to date with every reasonable step being taken to ensure that any inaccurate personal data are rectified or erased without delay;
  5. Personal data may be kept in a form which permits the identification of data subjects for such period as may be necessary for the purposes for which the personal data is processed; and
  6. Personal data shall be processed in a manner that ensures appropriate security of personal data using appropriate technical or organisational measures.

Rights of Data Subjects

Part III lays out the following rights of Data Subject, inter alia:

  1. Data Subject shall have the right to withdraw its consent for the processing of its personal data. Data Subject can request the controller for the withdrawal of consent in writing.
  2. The Framework entitles Data Subjects to obtain access to their personal data and information at any time they request. Data subjects shall also have the right to request for rectification of any inaccurate personal data that has been processed.
  3. The Data Subject can also request from the controller for erasure/deletion of the personal data which has been unlawfully processed, or processed pursuant to a legal obligation, or processed when such processing is no longer necessary or processed when such processing is no longer legitimate.
  4. The Framework enables Data Subjects to claim their aforementioned rights by way of directly approaching controller of the personal data and in cases in which controller restricts the request of Data Subject, through the appeal to the Authority.

Scope of Controllers and Processors of the Data

Registration requirements

Part IV of the Framework obligates controllers and processors to register themselves with the Authority. They have to apply for registration in the prescribed form, which will require complete details related to the processing of the personal data and safeguards adopted by them to protect such personal data, within the prescribed time period.  The Authority shall keep and maintain a Register of the registered controllers in such form and manner as may be prescribed.

The Framework also requires the controller and processor to designate a Data Protection Officer. A holding company may appoint a single data protection officer for all its subsidiaries. The Officer will advise on applicable data processing requirements and data protection impact assessment, ensure the compliance with the applicable law, and cooperate with the Authority for controllers and processors.

Duties and obligations

The Framework imposes certain duties and obligations on the controller such that, inter alia:

  1. The controller shall implement appropriate technical and organisational measures such as encryption, pseudonymisation, anonymisation, data minimisation techniques, privacy-by-design techniques, adopt privacy enhancing technologies as applicable, to ensure and to be able to demonstrate that processing is done in accordance with the provisions of this Act;
  2. Conduct privacy impact assessments when required by this Act and in accordance with the provisions of this Act;
  3. Implement internal oversight mechanisms and integrate such mechanisms into its governance structure;

“Where processing is to be carried out by a processor on behalf of a controller:

  1. the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Act and ensure the protection of the rights of the data subject as guaranteed by this Act;
  2. Any processing by a processor on behalf of the controller shall be governed by a contract or any other written law that is binding on the processor that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”

The Framework further provides the duties and obligations of processor such that it can only process the personal data in accordance with the documented instructions from the controller.

The Framework obligates the processor, inter alia:

  1. to ensure that its personnel are bound by contractual obligations on confidentiality and secrecy (personnel means any employee, consultant, agent, affiliate or any person who is contracted by the processor to process personal data);
  2. assists the controller by appropriate technical and organisational measures for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in this Act;
  3. assists the controller in ensuring compliance with the obligations under this Act.
  4. allow for and contribute to audits, including inspections upon the controller’s request.

The processor shall remain liable to the controller for the performance at all times even when the processor appoints the ‘sub-processor’.

Data breach notifications

The controller shall without undue delay and in any event of a personal data breach within the prescribed time and in such manner and form as prescribed by the Authority inform the Authority of becoming aware of a personal data breach.

Data protection impact assessments

The Framework makes it mandatory for the controller to carry out a privacy impact assessment whenever a type of processing is likely to result in a high risk to the rights of the Data Subject. The controller shall seek the advice of the data protection officer, where designated when carrying out a data protection impact assessment. Such an impact assessment is mandatory in cases where there is:

  1. a systematic and extensive evaluation of personal data such as profiling;
  2. processing on a large scale of special categories of data;
  3. monitoring of publicly accessible areas or telecommunication networks or any other processing activity as prescribed under the proposed Act.

The Authority will provide the guidelines through official gazette regarding the form and manner in which the privacy impact assessments are to be carried out by the controller.

Certain exceptions

Part V provides certain exceptions to the protection of personal data as provided by law for “the protection of national security, defence, public safety, economic and financial wellbeing [sic] of Sri Lanka, the impartiality and independence of the judiciary or the prevention, investigation and prosecution of criminal offences and the execution of criminal penalties, and other essential objectives of general public interest”, and for the protection of “rights and fundamental freedom” of Data Subject and others, “notably freedom of expression and right to information”.

Cross-border flow of personal data

Part VI lays out the rules for the cross-border flow of personal data:

  1. A controller and processor can only process the data at a location outside Sri Lanka if the location has been prescribed by the Minister as a place which ensures an adequate level of protection for personal data in accordance with the provisions of this proposed Act.
  2. Otherwise, the controller and processor have to provide safeguards and ensure the effective remedies for Data Subjects in order to process the data at a location outside Sri Lanka.
  3. DPA will by rules prescribe the conditions under which a controller or processor has to take the prior authorization of the Authority in order to process data outside Sri Lanka.

Use of personal data for direct marketing

Part VIII defines how personal data may be used for direct marketing.

 

‘Direct marketing communications’ means any form of advertising, directly or indirectly, whether written or oral, sent to one or more identified or identifiable end-users via electronic or digital communication or telecommunication services or any other means including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, etc.

 

Any natural or legal person who wants to use electronic or digital communication and any other services for sending direct marketing communications to end-users of such services has to ensure “unambiguous consent” of such end-users. However, with each such direct communication, end-user will be provided with the right to object. If an end-user claims the right to object then the natural or legal person has to ensure that they comply with such request.

 

Imposition of penalty

In Part IX, the Framework prescribes the penalty that will be imposed upon a person who fails to comply with the proposed Act while considering the nature and gravity of relevant non-compliance.

It provides the penalty that will not exceed 2% of its total worldwide turnover or rupees 25 million, whichever is higher. If a person doesn’t conform to the provisions of the proposed Act even after getting penalized once, then he/she will “be liable to the payment of an additional penalty in a sum consisting of double the amount imposed as a penalty on the first occasion”.

Such imposition of penalty will not preclude a supervisory authority from taking any regulatory or disciplinary measures (cancellation of license, suspension, etc.) against such a controller or processor.

Facebook’s Clampdown on the business of generating fake likes and followers: ‘Inauthentic Behavior’ on Instagram

Facebook has announced in a blog release titled “Preventing Inauthentic Behavior on Instagram” that Facebook and Instagram have sued a company and three individuals based in New Zealand for making a business of selling fake likes, views and followers on Instagram. It has filed a lawsuit in US federal court alleging that “the company and individuals used different companies and websites to sell fake engagement services to Instagram users”.

It said it issued warnings to the company and suspended company’s associated accounts for violating Facebook’s Terms of Use, but the activities persisted. By filing the lawsuit Facebook wants to send a message that fraudulent activity is not tolerated and it will protect the integrity of its platform.

The lawsuit

The lawsuit asks the Court to prevent the defendant company from “engaging and profiting in the sale of fake likes, views and followers on Instagram”. It also seeks to prevent a “violation of its Terms of Use and Community Guidelines”. Further, it aims to prevent a “violation of the Computer Fraud and Abuse Act and other California laws for distributing fake likes on Instagram in spite of Facebook suspending their accounts and revoking access”.

The Lawsuit details that company called Social Media Series has various websites and services to generate fake likes and followers for Instagram users who wanted to inflate their followers. Customers paid ranging $10 to $99 per week depending on the number of likes they want to purchase for their accounts which then generate almost within seconds of posting a new photo.

The lawsuit says that “through their business, Defendants [Social Media Series Limited and its directors] interfered and continue to interfere with Instagram’s service, create an inauthentic experience for Instagram users, and attempt to fraudulently influence Instagram users for their own enrichment”.

As the lawsuit further claim, the company and its directors has “unjustly enriched themselves at the expense of Facebook and Instagram in the amount of approximately $9,430,000”, since July 2018.

Inauthentic experience

Facebook said in the blogpost that “Inauthentic activity has no place on our platform”. It claims that the social media giant “devote significant resources” to detect and stop the inauthentic behavior. This includes “blocking the creation and use of fake accounts, and using machine learning technology to proactively find and remove inauthentic activity from Instagram”.

It further said that, “today’s lawsuit is one more step in our ongoing efforts to protect people and prevent inauthentic behavior on Facebook and Instagram”. Facebook expects to be paid unspecified damages for manipulating Instagram’s platform.

Clamping down on “Inauthentic Behavior”

Facebook now has multiple lawsuits in the works relating to individuals or companies that sell fake engagement on its social media platforms. Facebook recently removed or unpublished over 1,000 Facebook pages and Instagram accounts from India and Pakistan for ‘inauthentic behavior’. It filed a lawsuit in March 2019  against several companies and individuals based in China claiming that they are engaged in selling of fake accounts, likes, and followers on Facebook and Instagram. In November 2018, Instagram warned users to avoid inauthentic follows and likes generated by third-party apps and services, as reported by Cult of Mac.

Multiple Petitions over ‘PUBG Ban’: Another facet of Technology v. Law

PlayerUnknown’s Battlegrounds (PUBG) is one of the most popular online multiplayer games in the world. It has almost 400 million players base to play the game worldwide. The game is a standalone game in which up to hundred players parachute onto an island and collect weapons and equipments to kill others. The players have to avoid getting killed themselves. The available safe area of the game’s map decreases in size with time, pushing surviving players to tighter areas to force encounters. The last player or team surviving wins the round.

On 11th April 2019, the Gujarat High Court dismissed a Public Interest Litigation (PIL) petition filed by the Internet Freedom Foundation (IFF) which challenged the ban imposed on playing of PlayerUnknown’s Battlegrounds (PUBG), by at least six Gujarat Police departments.

Hearing the IFF’s petition, the HC bench comprising of the Chief Justice Anant S Dave and Justice Biren Vaishnav observed that they “are not satisfied that the scope of the present writ petition falls under the ambit of Public Interest Litigation”.

Public Interest Litigation means litigation introduced for the protection of the public interest. It is litigation introduced in a court of law, not by the aggrieved party but by the court itself or by any other private party. It is not required, for the exercise of the court’s jurisdiction., that the person necessarily should be the victim of the violation of rights. However, the person filing the petition must prove to the satisfaction of the court that the petition is being filed for a public interest and not just as a frivolous litigation.

Whereas in a separate PIL petition seeking ban against the PUBG, The Bombay High Court has issued a direction to the Ministry of Electronics and Information Technology (MEIT) to assess and review online game PUBG and take an action if any “objectionable content” is found.

The Gujarat HC’s order

During March, following a letter from the home department, notably several police departments of Gujarat issued notifications of banning PUBG on the orders of Commissioners under Section 144 of the Code of Criminal Procedure. The orders were issued on the ground that it results in violent behaviour among youngsters and affects their studies. According to several reports, teenagers who were found playing this online game were arrested under Section 188 of the Indian Penal Code.

Section 144 of the Code of Criminal Procedure gives State Governments the power to

It is the case of the IFF’s petition that the ban is arbitrary and unreasonable as it is violating Articles 14, 19 and 21 of the Constitution of India.

The impugned order banning PUBG has been contended by the IFF’s petition as a violation of the fundamental right to liberty under Article 21. According to IFF’s petition, the ban is a disproportionate invasion of privacy due to the following grounds:

  • The ban does not serve any of the legitimate purposes mentioned in Section 144 CrPC, because persons arrested for playing the game are not engaging in any violent or aggressive behaviour.
  • The ban, which carries the threat of arrests and criminal prosecution, is “patently unsuitable method of promoting psychological, social and educational well-being of adolescents and young adults”.
  • “Further, there is no evidence to suggest that the negative effects of PUBG are severe enough to endanger human life or health”.

The petition further challenges the ban as infringing several freedoms guaranteed under Article 19 on following grounds:

  • PUBG provides in-game text and voice chat feature which are used by players to form “meaningful bonds through team play and recreation. Therefore, the ban on game violates players the right to freedom of speech and expression guaranteed by Article 19(1)(a).
  •  PUBG is a team game and players assemble in public places to play PUBG in teams. The petition contends that such ban denies players the right to peacefully assemble in public spaces guaranteed by Article 19(1)(b).
  • There are “professional PUBG competitions” that are held at world stage and “award large cash prizes” and hence is “a source of livelihood for individuals”.  The ban violates the right to practice any profession or occupation under Article 19(1)(g).

The petition further contends that the order of the police is in excess of its powers and is arbitrary under Section 144 of CrPC. The ban is arbitrary as it “cannot be invoked merely based on the remote possibility of a threat”. The banning order is a form of “moral panic” based on unverified data showing ill effects of PUBG.

The Section 144 of CrPC resides as the sole occupant under the chapter of ‘temporary measures to maintain public tranquillity’ and gives State Governments the power to issue orders for immediate remedy in urgent cases of nuisance or apprehended danger.  

From a bare reading, the relevant portion of Section 144 can be carved out into three basic elements:

  • The authority to issue orders: lies with the District Magistrate, a sub divisional magistrate or any other Executive magistrate specially empowered by the State Government in this behalf.
  • The grounds on which S. 144 can be invoked: The reasons include: a)sufficient ground, b) requirement for immediate prevention, and c)speedy remedy to prevent a likely obstruction, annoyance or injury to any person lawfully employed, or danger to human life, health or safety, or a disturbance of the public tranquility, or a riot, or an affray.
  • The intended recipient: After determining sufficient ground and through a written order, the authorized can direct any person to abstain from a certain act or to take certain order with respect to certain property in his possession or under his management.

The IFF previously before the filing of this petition, on 14th March 2019, has also issued an appeal in public for revoking the Section 144 orders and cease criminal prosecutions following the ban.

During the hearing, the Hon’ble Gujarat HC did not agree with the submission of the IFF and rejected the PIL. However, the HC has mentioned that the individuals who have been arrested for playing PUBG may approach the High Court themselves. According to IFF, they have anticipated such a concern in their petition and has noted that “young college students who have been arrested may not have the resources and support to withstand protracted litigation against the Police department”.

The Bombay HC’s order

Hearing a PIL, that seeks a ban on PUBG in schools, Bombay HC’s bench comprising of Chief Justice Pradeep Nandrajog and Justice NM Jamdar has directed the Secretary of the IT Ministry to review and assess the game and take action against the service providers if any objectionable content is found.

The PIL filed by 11-year old Ahad Nizam, represented by his father, contends that the popular online multiplayer game promotes immoral conduct such as “violence, murder, aggression, looting, gaming addiction and cyberbullying”, thus should be banned.

The PIL seeks directions to be issued to the State Education Department to ban PUBG in schools forthwith. It also sought directions to be issued to the Ministry of Electronics and IT, Government of India to form an Online Ethics Review Committee to monitor such content from time to time.

The Court has adjourned the case and posted it for hearing after vacations.

In light of the above two judgments, the blog will explore the tussle between regulations and eSports. Keep checking the posts to know more.

Key Points from Mark Zuckerberg’s call for regulation of the Internet: harmful content, data portability, election interference, privacy

This article authored by Aryan Babele has been first uploaded in MediaNama.

In his article in the Washington Post, Facebook founder Mark Zuckerberg suggested the need for new rules from lawmakers to balance the interests and responsibilities of all the different stakeholders’ i.e. people, companies and governments. He called for regulation on four areas require an active role of governments and regulators: harmful content, election integrity, privacy and data portability.”

Key Legal Improvements that Mark Zuckerberg suggested (Read)

1. Harmful Content

  • Content takedowns subject to appeals: In the absence of any legal standards, most of the social media platforms adopt self-regulation, but struggle because of a large base. Zuckerberg says that people should understand the difficulty that internet companies face in “deciding what counts as terrorist propaganda, hate speech and more”, that Facebook realises that they have “too much power over speech” and therefore to reduce it, the decisions regarding any speech should be subjected to an appeal before independent bodies. This seems to be how Facebook is looking to limit the move away from self-regulation.
  • Define standards for harmful content: There is a need for defining standards by third-party bodies on harmful content against which the distribution of harmful content will be governed and measured. “Internet companies should be accountable for enforcing standards on harmful content”. Zuckerberg proposes that “regulation could set baselines for what’s prohibited and require companies to build systems for keeping harmful content to a bare minimum”.
  • Quarterly compliance reports: He also suggested an idea of mandating the publication of transparency reports in every quarter of the year by every major Internet service company, which Facebook already publishes. He says that this “is just as important as financial reporting.”

Indian scenario on harmful content:

  • The government released a draft of The Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018 on 24th December 2018, which are intended to curb the misuse of social media and stop the spreading of ‘unlawful content’. Although no clarity on the definition of “unlawful” content has been provided, leaving it open to abuse.
  • As there is no standard has been adopted to filter the “unlawful” content in the draft, it forces companies to take judgment calls regarding content on the basis of “take down first, think later”. However, the draft promotes the deployment of “automated tools to filter content”.

2. In terms of Election Interference: It is important to highlight the importance that Zuckerberg has given to the legislation for creating common standards in terms of regulations that govern political information campaigns and verification of political actors. “Facebook has already made significant changes around political ads: Advertisers in many countries must verify their identities before purchasing political ads”, he says, while adding that “deciding whether an ad is political isn’t always straightforward”.

  • Updating online political advertising laws: “Online political advertising laws primarily focus on candidates and elections, rather than divisive political issues where we’ve seen more attempted interference.” Laws related to elections are temporal even when political campaigns are non-stop and may include controversial use of data and targeting. Therefore, he said that “legislation should be updated to reflect the reality of the threats and set standards for the whole industry”.

Indian scenario on online Election Interference:

  • Election laws in India are very ill-equipped when it comes to dealing with online political advertisements. The Election Commission, which is the constitutional authority that regulates state and national elections, is itself relying on online platforms to self-regulate and prevent ‘illegal’ content. In absence of any comprehensive legislation that can provide Election Commission with the authority to make rules and standards for monitoring the online political advertisements, these online platforms are open to censor or amplify certain information without transparency.
  • In January, the committee led by senior deputy election commissioner Umesh Sinha submitted its report to the commission that recommended modifying the provisions of Section 126 (prohibits displaying any election matter by means, inter alia, of television or similar apparatus, during the period of 48 hours before the hour fixed for conclusion of poll in a constituency) and certain other provisions of the Representation of the People Act, 1951, including provisions of the Model Code of Conduct to bring Social Media platforms under its purview.
  • Chief election commissioner Sunil Arora said all major social media platforms — Facebook, Twitter, Google, WhatsApp and Share Chat — are taking measures such as verification of political advertisers’ credentials, sharing expenditure on it with the Election Commission (EC) through public databases and adhering to the “silence period” that comes into effect 48 hours before the polls.

3. In terms of Data Protection and Privacy:

  • Adopting GDPR as a globally harmonized framework: Reiterating the common demand of entrepreneurs for a globally harmonized framework of regulations on data protection, Zuckerberg agrees that there is a need to develop privacy regulations in line with the European Union’s General Data Protection Regulation (‘GDPR”). He further insists that “New privacy regulation in the United States and around the world should build on the protections GDPR provides”. GDPR approach to privacy regulation serves as the best example for the common global framework as it provides certain standard protections – protects the right to choose how the information should be used and does away from the process of data localisation as it subjects the data to unwarranted access. Such protections together will establish a framework under which companies like Facebook can be held accountable when it makes mistakes.
  • The Data Protection framework must not be ambiguous: Lawmakers should adopt new privacy regulations which must be clear on the points that even GDPR failed to clarify. “We need clear rules on when information can be used to serve the public interest and how it should apply to new technologies such as artificial intelligence”.

Indian Scenario on Privacy Regulations:

  • Till now the only legal protection provided to personal information in India is through section 43A of the Information Technology Act and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 developed under the section. This provision mandates that a body corporate which ‘receives, possesses, stores, deals, or handles’ any ‘sensitive personal data’ to implement and maintain ‘reasonable security practices’, are held liable to compensate those affected when they failed to implement such practices. Given the maturity of privacy jurisprudence in the most countries around the world, these rules are just a half-hearted approach cutting a sorry figure.
  • In its landmark judgment in the Justice KS Puttaswamy case in August 2017, the Apex Court ruled the privacy as the fundamental right under Article 21 of the Constitution of India, though not in its absolute sense. Since then the government has taken significant steps to modify the privacy regulations in the line of GDPR of EU.
  • As the Personal Data Protection Bill, 2018 as recommended by the Justice Srikrishna Committee is all set to be introduced in next session of the Parliament. It covers basic protections and even recommends the data localisation which has raised concerns among various Internet services.

4. Data Portability: “Regulation should guarantee the principle of data portability. If you share data with one service, you should be able to move it to another”. The data portability will provide the choice to people to select between competing for internet services. This can actually serve in balancing the interests of people and innovators. However, the application of data portability requires clear rules of about the liabilities of protecting information when data is transferred from one service to the other. According to Zuckerberg, “this also needs common standards” and the open source Data Transfer Project is a suggested standard data transfer format.

Indian Scenario on Data Portability

Data portability may also be considered an upgraded version of the right to access and the right to erasure of personal data, both of which are present in the current Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.