Delhi HC has expanded the scope of injunction orders in Internet jurisdiction: Geo-blocking to Global-blocking in IT law

This post has borrowed extensively from an earlier blog-publication by Aryan Babele on Tech Law Forum @ NALSAR.

On 23rd October 2019, the Delhi HC has delivered an impactful judgment authorizing Indian courts to issue “global takedown” orders to Internet intermediary platforms like Facebook, Google and Twitter against illegal content as uploaded, published and shared by their users. The Delhi HC delivered the judgment on the plea filed by Baba Ramdev and Patanjali Ayurved Ltd. requesting the global takedown of certain videos which are defamatory in nature.

The Court passed the order in the context of its observation that there is a ‘hare and tortoise race’ between technology and law such that the ‘technology gallops, the law tries to keep pace’. Such observation reflects that the Court’s intention is to interpret IT law in the manner which will ensure the effective implementation of the judicial orders throughout the internet jurisdiction and mitigate the circumvention of such orders by use of the advanced technology.

However, the Court’s order is attracting criticism globally from several internet-freedom activists. It seems that the Court has made a hasty attempt to win the ‘hare and tortoise race’ and has missed on considering the far-reaching implications of it on the IT law jurisprudence and conflict of law provisions. This article aims to analyze and indicate the significant points in the Delhi HC’s judgment, which the Court lacked in considering while relying on the unsettled jurisprudence of global injunction orders.

Background- The case of Swami Ramdev v. Facebook

In Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC], Swami Ramdev (a prominent yoga guru and public figure) filed a case before the Court against Facebook, Google, YouTube and Twitter, inter-alia, praying for the global take down of defamatory contents (videos) as uploaded, published and shared by users of these intermediary platforms.

The given case stems out of the publication of videos on defendants’ platforms, which are based on those particular offending portions of the book titled “Godman to Tycoon: The Untold Story of Baba Ramdev’ by Priyanka Pathak Narain, which are already undergoing an ad-interim injunction as granted by the Court in Swami Ramdev v. Juggernaut Books [CM (M) 556/2018] in May 2018.

Subsequently, in January 2019, the Court passed an interim injunction against the defendants’ platforms to disable access to the offending URLs and weblinks for the Indian domain as per Section 79 of the Information Technology Act, 2000, [hereinafter referred as IT Act 2000] i.e. ordered geo-blocking.

However, the plaintiff argued that the geo-blocking is an ineffective solution as the objectionable content is widely available on the global internet and internet users in India can still access such content using VPNs and other such mechanisms. Therefore, the only effective remedy, according to the submission of plaintiff, is to issue a global blocking order.

Internet intermediaries have contended against such a global take down mechanism as it poses a number of technical and legal difficulties for them. Firstly, cross-jurisdictional laws vary in standards for determining defamation, and hence disabling access globally will breach the principles of international comity. Secondly, in order to globally disable access to the content, the intermediary platforms have to monitor every upload on their platforms which is technically difficult and legally wrong.

The Delhi HC’s Judgment

The Court agreeing with the plaintiffs’ submission went on to held that the online intermediary platforms can be ordered to take down content globally by a competent court in India, as the content is published on their global services. It observed that the complete removal is needed because there are easy –to-use technology applications available widely that helps local users in circumventing the geo-blocking and render the take-down order useless. Therefore, an absolute removal globally is an absolute remedy, as per the Court’s observations.[1]

Further, the following directions, hereby in brief, have been put forth by the Court to support its order:

  • The Court broadened the interpretation of Shreya Singhal v. Union of India: As per the Court, Section 79 of the IT Act 2000 provides that in order to avail the safe-harbor immunity, “intermediaries have to take down and disable access to the offending material residing in or connected to a computer resource in India”. It interpreted the definition of ‘Computer Resource’ as given in the IT Act, such that the “Computer Resource” as per the judgment “encompasses within itself a computer network, which would include a maze or a network of computers. Such a computer network could be a global computer network”.[2]
  • Global take downs are technologically possible: The Court held that whenever any content violates the community standards of the internet intermediary platforms, such content is taken down globally by the platform on its own. Therefore, it observed that it is technologically possible for the platforms to take down content globally on the orders of the competent courts as well.
  • Application of IT Act in extra-territorial jurisdiction: In order to justify the global take down, the Court explained that, “a perusal of Section 75 of the Act shows that the IT Act does have extra territorial application to offences or contraventions committed outside India, so long as the computer system or network is located in India”.[3] Therefore, the Court held that as long as the content has been uploaded from the Computer Resource located in India, Indian courts will be competent to pass the global injunction/ take down orders.
  • Allowing the direct ‘Notice-and-Takedown’ mechanism for the future uploads of the objectionable content: The Court has held that the plaintiffs can approach the intermediaries directly if it finds the publication of the questionable content again on their online platforms in future. However, the Court has provided an option of the counter-notice system for intermediaries, by opting which the intermediaries can refute claims of illegality and shift the onus of proof back on plaintiffs, such that after which the plaintiffs will have to approach the Courts for an appropriate remedy.

Observations: the Loopholes, Unsettled Jurisprudence and the Comment

The Loopholes

It is completely understandable that the Court is favouring the global take-down order to make its injunction orders against global services more effective. Unfortunately, in its broad evaluation of legal feasibility of the global injunction order and technological capabilities of intermediaries to obey the same, the Court missed on considering certain very significant arguments[4]:

  • Use of VPNs another way around: The Court agreed to the plaintiffs’ argument that due to the wide availability of the easy-to-use applications like VPN, the geo-blocking is circumvented. However, it didn’t consider the circumvention in the case other way around, in which the user can upload the content using VPN and other web proxy services, and can further easily fake the IP address to make it look like as if the content is being uploaded from outside India, negating the Court’s jurisdiction. Therefore, global takedown order, even at prima facie, doesn’t seem to be the appropriate remedy.
  • In denial of the principle of international comity and right to information: The cross-jurisdictional defamation laws vary on a large scale. If global takedown was mandated, the platforms will be wary of falling foul of the law in other countries. For eg., if Indian courts mandate the global takedown of the content which is not at all questionable as per the laws of certain countries, the takedown order will be in contravention of the right to information of citizens of that country. Not respecting the laws of other country amounts to the breach of the principle of international comity and conflict of laws.[5]
  • Without due consideration to the rights to free speech and privacy: The Court failed to understand the technicalities that involved in the operation of global take down orders, the intermediary platforms have to start monitoring each and every content that is being uploaded in order to stop the dissemination globally. This will further impose the risk of private censorship on the Internet and affect the right to free speech and privacy of users. The constant and close monitoring has been held as not warranted by law as per various precedents of Indian courts.[6]
  • Shifting away from the law established by the Manila Principles on Intermediary Liability and Shreya Singhal case: The Court has allowed plaintiffs to directly approach the intermediary platforms in case of re-uploading of the objectionable content in future. This is a great shift away from the existing process under Section 79 of the IT Act, 2000 as established by the Supreme Court’s landmark judgment in the Shreya Singhal case, which requires intermediaries to take down or disable the access to the content only in cases of receiving an order from either the government or the Court to do so. The same is considered global best practice according to the Manila Principles on Intermediary Liability.
  • The question of extraterritorial application of the IT Act in the present case: As per the Section 75 of the IT Act 2000, it is clear that the Act applies extra-territorially to certain offences or contraventions committed outside of India if the same is committed using “a computer, computer system or computer network located in India, the contraventions as contemplated under the Act are provided for in Sections 43, 43A, 66A, 66B, 66 66E and Section 66F.” Defamation is not covered in any of these provisions.[7]

Heavy reliance on the unsettled jurisprudence

The Court has heavily relied on certain foreign judgments while reaching the conclusion in its own judgment. The issue with the same is that the jurisprudence around geo-blocking and global injunctions is unsettled and still developing; with the Delhi HC’s order adding more confusion to the same.

The Court has relied on the case of Google Inc. v. Equustek Solutions Inc., which is the living proof of the unsettled jurisprudence.[8] The Supreme Court of Canada ordered Google to de-index listings from its search results in order to provide protection to trade secrets of a subject from Google globally. While, the Supreme Court of Canada upheld a global injunction against Google, the US Court sided with Google ruling that the Canadian order “threatens free speech on the global internet”.

The Court also relied on the case of Eva Glawischnig-Piesczek v. Facebook Ireland Limitedin which the CJEU ordered Facebook and other platforms to remove questionable content, copies of the same and block the access to the same, globally. While emphasizing on the case, the Delhi HC didn’t consider at all the CJEU decision in the case of Google v. CNIL[9], in which it was held that the Google is not required to de-reference listings from its global service, just because the content has been declared to be illegal by an EU member state.

Comment

It is clear that the Delhi HC left a lot to consider before delivering the judgment such that from the complexities of territorial jurisdiction to the difference in nature of cross-jurisdictional laws. In the present case, the Court mainly failed to understand the varying nature of defamation laws across jurisdictions— such that in the UK, the burden of proof is on the defendants to prove that the content is not defamatory, while in the US, a heavy onus of proof is placed on the plaintiff.

The Court also failed to consider certain very important foreign judgments which have specifically highlighted the issue of difference in the nature of law. In Google v. CNIL, CJEU held that the ‘right to be forgotten’ (which was the main issue in the case) has differences in standards for its application and interpretation around the world. Therefore, it agreed that it is enough for Google to block access to the questionable content from the EU domain only. Further, in Bachchan v. India Abroad Publications Inc.[10], the Supreme Court of New York County refused to enforce a defamation judgment awarded by the High Court of Justice in London, England, ruling that it will be a threat to the free speech protections as offered by the First Amendment to the US Constitution.

Unarguably, internet jurisdictions have always been a challenge for the courts and governments. Courts have always been behind the technology in the race and unable to assert absolute jurisdiction. This makes the internet risks become a proverbial ‘wild west’ with no single comprehensive applicable law. The fact that injunction against an intermediary, on a global scale, doesn’t make it necessarily invalid and aggressive. After all, the limited denial of access in the local domain is not protecting the underlying rights at stake; global takedown seems the right method to ensure effectiveness. But all of this is required to be done while mediating the conflicting interests as well as recognizing the protection to certain forms of speech.

As Gautam Bhatia said in the context of Swami Ramdev v. Juggernaut Books last year, “Indian courts seem to increasingly view freedom of speech as a mere annoyance to be brushed aside when confronted with competing claims”. If global take-down orders will become mainstream, the regressive laws on freedom of speech and expression online will become a norm. The Courts and governments, in order to win this ‘hare and tortoise race’, shall not ignore the countervailing arguments in relation to freedom of speech and right to privacy. These rights shall not be considered under-weighed against the values like national integrity, security interests, etc., rather an effort shall be made to strike the balance between both the sides.

The judgment is under challenge now by Facebook before a Division Bench, and the matter is listed for final hearing on January 31, 2020. The Court must set a precedent in the unsettled jurisprudence that will consider the free speech and privacy rights in the world of internet at the intersection of technology and laws such as defamation law.

References:

[1] Para. 87, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[2] Para. 78, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[3] Para. 86, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[4] Apoorva Mandhani, Why Baba Ramdev’s win against Facebook, Google in Delhi HC only adds to judicial confusion, The Print, https://theprint.in/india/governance/judiciary/why-baba-ramdevs-win-against-facebook-google-in-delhi-hc-only-adds-to-judicial-confusion/312403/.

[5] Balu Nair, Delhi HC Gives Expansive Interpretation to Section 79 of IT Act: Issues Global Blocking Order Against Intermediaries, SpicyIP, https://spicyip.com/2019/11/delhi-hc-gives-expansive-interpretation-to-section-79-of-it-act-issues-global-blocking-order.html.

[6] Delhi High Court Approves Take Down of Content Globally, SFLC, https://sflc.in/del-hc-orders-global-take-down-content.

[7] Para 16, Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC]

[8] Google Inc. v. Equustek Solutions Inc., Cambridge Core, https://www.cambridge.org/core/journals/american-journal-of-international-law/article/google-inc-v-equustek-solutions-inc/E667668ED944EBE52233E17320478448/core-reader.

[9] Google v. CNIL, CJEU Case C-507/17.

[10] Bachchan v. India Abroad Publications Inc., 154 Misc 2d. 228, 585 N.Y.S.2d 661.

S-E Asia gearing up for Data Protection: Sri Lankan Framework on Data Protection Legislation

The Sri Lankan Ministry of Digital Infrastructure and Information Technology introduced the framework for the proposed Personal Data Protection Bill on June 12, 2019. ‘Data Protection Legislation’ is an important public policy consideration for the Sri Lankan government in the context of “digital transformation taking place in Sri Lanka with government agencies, Banks, Telco’s, ISPs and private sector collecting personal data via the Internet,” according to the official press release. It is also important as “the Right to Information Act (2016) is currently being implemented in Sri Lanka, pursuant to Article 14A of the Constitution, where the right to privacy is an exception”.

To draft the legislation, the Drafting Committee looked at international best practices, such as the EU General Data Protection Regulation as well as the laws enacted in other jurisdictions, “such as Australia, Singapore and the Indian Draft Legislation”.

The Framework has been introduced for the stakeholder comments and will now be subjected to an Independent Review Committee.

The objective of the Framework

As per the Preamble, the Framework aims to:

  1. Protect the personal information while ensuring the rights of natural persons with regard to the processing of such information
  2. Improve consumer confidence and ensure the growth of digital democracy and innovation and promote both the protection of personal data and its use in Sri Lanka while respecting domestic laws and regulations and international standards
  3. Enable the Government to regulate the processing of personal data and to ensure confidence in the privacy and security of online transactions and information networks and actively participate in an information-driven global economy
  4. Improve interoperability among privacy frameworks as well as strengthen cross-border co-operation among enforcement authorities and provide clear guidance and direction to entities located or operational in Sri Lanka on generic data protection issues and their impact.

What is ‘Personal Data’?

‘Personal Data’ means any information whether true or not, relating to an identified or identifiable natural person, that is, data subject.

‘Personal Data Breach’ means any act or omission that consequently results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data of the data subject.

What are ‘Special Categories of Data’?

Any personal data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, financial data, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning natural person’s sex life or sexual orientation, personal data relating to offence, criminal proceedings and convictions, personal data relating to a child” and any other personal data that the Minister may determine upon the recommendation of the Data Protection Authority (DPA) as established  from time to time by Regulation in accordance with the proposed Framework.

What is the ‘Data Protection Authority’ (DPA)?

Part VII of the Framework provides for the establishment of the Data Protection Authority (the “Authority”)  of Sri Lanka. It will be the apex body for all matters related to data protection and for implementation of the proposed Act. It will be responsible for maintaining the Register of controllers, and giving directions, issuing guidelines and undertaking training for controllers.

Following are certain significant powers vested with the Authority, inter alia:

  1. To enforce its orders or determinations made under this Act against a controller
    or processor through prosecution;
  2. Data Protection Authority has power and has a duty to prosecute for the offences
    under this Act;
  3. The Authority may carry out periodic audits in relation to any processing activity carried out by a controller or processor to ensure compliance with this Act.

“For the purpose of investigating into a complaint received by the Authority,

holding an inquiry in relation to an appeal or making an order under section 38:

  1. require any person to appear before it;

  2. examine such person under oath or affirmation and require such person where necessary to produce any information related to processing

  3. to inspect any information strictly related to the processing in question that is held or controlled by a controller or processor by an officer authorized on that behalf by the Authority. In any event, such officer shall be a senior staff member of the Authority having relevant expertise to conduct such inspection.

  4. make a determination in accordance with the provisions of this act with due consideration of the information available to it.”

Application of the proposed legislation

Part I says that the proposed legislation applies to the processing of data that will take place:

  1. wholly or partly within Sri Lanka; or
  2. by a controller or processor which is resident, incorporated or subjected under Sri Lankan law, or a controller or processor which is offering “goods/services to data subjects in Sri Lanka”, or “who monitors the behaviour of data subjects in Sri Lanka including profiling in so far as such behaviour takes place in Sri Lanka”.

However, the provisions will not apply to the processing of data that is for “purely personal or household purposes” or when the data is anonymised. Also, it will not apply to the processing of data which is done by any government department, provincial council or any other regulatory body for lawful purposes.

Data Protection Principles

Part II of the proposed legislation provides that processing and controlling of data will be lawful only when it is done in accordance with the following principles:

  1. Personal data shall be processed lawfully, fairly and in a transparent manner;
  2. Personal data shall be collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with the said purposes;
  3. Processing shall be adequate, relevant, necessary, proportionate to the purposes for which the personal data is processed;
  4. The controller shall ensure that personal data that is processed is accurate and, where necessary, kept up to date with every reasonable step being taken to ensure that any inaccurate personal data are rectified or erased without delay;
  5. Personal data may be kept in a form which permits the identification of data subjects for such period as may be necessary for the purposes for which the personal data is processed; and
  6. Personal data shall be processed in a manner that ensures appropriate security of personal data using appropriate technical or organisational measures.

Rights of Data Subjects

Part III lays out the following rights of Data Subject, inter alia:

  1. Data Subject shall have the right to withdraw its consent for the processing of its personal data. Data Subject can request the controller for the withdrawal of consent in writing.
  2. The Framework entitles Data Subjects to obtain access to their personal data and information at any time they request. Data subjects shall also have the right to request for rectification of any inaccurate personal data that has been processed.
  3. The Data Subject can also request from the controller for erasure/deletion of the personal data which has been unlawfully processed, or processed pursuant to a legal obligation, or processed when such processing is no longer necessary or processed when such processing is no longer legitimate.
  4. The Framework enables Data Subjects to claim their aforementioned rights by way of directly approaching controller of the personal data and in cases in which controller restricts the request of Data Subject, through the appeal to the Authority.

Scope of Controllers and Processors of the Data

Registration requirements

Part IV of the Framework obligates controllers and processors to register themselves with the Authority. They have to apply for registration in the prescribed form, which will require complete details related to the processing of the personal data and safeguards adopted by them to protect such personal data, within the prescribed time period.  The Authority shall keep and maintain a Register of the registered controllers in such form and manner as may be prescribed.

The Framework also requires the controller and processor to designate a Data Protection Officer. A holding company may appoint a single data protection officer for all its subsidiaries. The Officer will advise on applicable data processing requirements and data protection impact assessment, ensure the compliance with the applicable law, and cooperate with the Authority for controllers and processors.

Duties and obligations

The Framework imposes certain duties and obligations on the controller such that, inter alia:

  1. The controller shall implement appropriate technical and organisational measures such as encryption, pseudonymisation, anonymisation, data minimisation techniques, privacy-by-design techniques, adopt privacy enhancing technologies as applicable, to ensure and to be able to demonstrate that processing is done in accordance with the provisions of this Act;
  2. Conduct privacy impact assessments when required by this Act and in accordance with the provisions of this Act;
  3. Implement internal oversight mechanisms and integrate such mechanisms into its governance structure;

“Where processing is to be carried out by a processor on behalf of a controller:

  1. the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Act and ensure the protection of the rights of the data subject as guaranteed by this Act;
  2. Any processing by a processor on behalf of the controller shall be governed by a contract or any other written law that is binding on the processor that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”

The Framework further provides the duties and obligations of processor such that it can only process the personal data in accordance with the documented instructions from the controller.

The Framework obligates the processor, inter alia:

  1. to ensure that its personnel are bound by contractual obligations on confidentiality and secrecy (personnel means any employee, consultant, agent, affiliate or any person who is contracted by the processor to process personal data);
  2. assists the controller by appropriate technical and organisational measures for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in this Act;
  3. assists the controller in ensuring compliance with the obligations under this Act.
  4. allow for and contribute to audits, including inspections upon the controller’s request.

The processor shall remain liable to the controller for the performance at all times even when the processor appoints the ‘sub-processor’.

Data breach notifications

The controller shall without undue delay and in any event of a personal data breach within the prescribed time and in such manner and form as prescribed by the Authority inform the Authority of becoming aware of a personal data breach.

Data protection impact assessments

The Framework makes it mandatory for the controller to carry out a privacy impact assessment whenever a type of processing is likely to result in a high risk to the rights of the Data Subject. The controller shall seek the advice of the data protection officer, where designated when carrying out a data protection impact assessment. Such an impact assessment is mandatory in cases where there is:

  1. a systematic and extensive evaluation of personal data such as profiling;
  2. processing on a large scale of special categories of data;
  3. monitoring of publicly accessible areas or telecommunication networks or any other processing activity as prescribed under the proposed Act.

The Authority will provide the guidelines through official gazette regarding the form and manner in which the privacy impact assessments are to be carried out by the controller.

Certain exceptions

Part V provides certain exceptions to the protection of personal data as provided by law for “the protection of national security, defence, public safety, economic and financial wellbeing [sic] of Sri Lanka, the impartiality and independence of the judiciary or the prevention, investigation and prosecution of criminal offences and the execution of criminal penalties, and other essential objectives of general public interest”, and for the protection of “rights and fundamental freedom” of Data Subject and others, “notably freedom of expression and right to information”.

Cross-border flow of personal data

Part VI lays out the rules for the cross-border flow of personal data:

  1. A controller and processor can only process the data at a location outside Sri Lanka if the location has been prescribed by the Minister as a place which ensures an adequate level of protection for personal data in accordance with the provisions of this proposed Act.
  2. Otherwise, the controller and processor have to provide safeguards and ensure the effective remedies for Data Subjects in order to process the data at a location outside Sri Lanka.
  3. DPA will by rules prescribe the conditions under which a controller or processor has to take the prior authorization of the Authority in order to process data outside Sri Lanka.

Use of personal data for direct marketing

Part VIII defines how personal data may be used for direct marketing.

 

‘Direct marketing communications’ means any form of advertising, directly or indirectly, whether written or oral, sent to one or more identified or identifiable end-users via electronic or digital communication or telecommunication services or any other means including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, etc.

 

Any natural or legal person who wants to use electronic or digital communication and any other services for sending direct marketing communications to end-users of such services has to ensure “unambiguous consent” of such end-users. However, with each such direct communication, end-user will be provided with the right to object. If an end-user claims the right to object then the natural or legal person has to ensure that they comply with such request.

 

Imposition of penalty

In Part IX, the Framework prescribes the penalty that will be imposed upon a person who fails to comply with the proposed Act while considering the nature and gravity of relevant non-compliance.

It provides the penalty that will not exceed 2% of its total worldwide turnover or rupees 25 million, whichever is higher. If a person doesn’t conform to the provisions of the proposed Act even after getting penalized once, then he/she will “be liable to the payment of an additional penalty in a sum consisting of double the amount imposed as a penalty on the first occasion”.

Such imposition of penalty will not preclude a supervisory authority from taking any regulatory or disciplinary measures (cancellation of license, suspension, etc.) against such a controller or processor.