All Blogs

This is the first in a series of case studies, using our recently-published Evaluation Framework for Digital ID. It looks at the use of digital identity programmes for the purpose of verification, often using the process of deduplication.

As governments across the globe implement new and foundational digital identification systems (Digital ID), or modernize existing ID programs, there is an urgent need for more research and discussion about appropriate uses of Digital ID systems. This significant momentum for creating Digital ID has been accompanied with concerns about privacy, surveillance and exclusion harms of state-issued Digital IDs in several parts of the world, resulting in campaigns and litigations in countries, such as UK, India, Kenya, and Jamaica. Given the sweeping range of considerations required to evaluate Digital ID projects, it is necessary to formulate evaluation frameworks that can be used for this purpose.

This work began with the question of what the appropriate uses of Digital ID can be, but through the research process, it became clear that the question of use cannot be divorced from the fundamental attributes of Digital ID systems and their governance structures. This framework provides tests, which can be used to evaluate the governance of Digital ID across jurisdictions, as well as determine whether a particular use of Digital ID is legitimate. Through three kinds of checks — Rule of Law tests, Rights based tests, and Risks based tests — this scheme is a ready guide for evaluation of Digital ID.

View the framework or download as PDF.

Our note on the comparison of the Personal Data Protection Bill with the General Data Protection Regulation an the California Consumer Protection Act can be downloaded as a PDF here

The European Union’s General Data Protection Regulation (GDPR), replacing the 1995 EU Data Protection Directive came into effect in May 2018. It harmonises the data protection regulations across the European Union. In 2018, California passed the Consumer Protection Act (CCPA), to enhance the privacy protection of residents of California. The CCPA came into effect from January 1, 2020, however, the California Attorney General has not begun enforcing the law as yet. The Attorney General will be allowed to take action six months after the rules are finalised, or on July 1, 2020, whichever is earlier 

While the PDP Bill incorporates several concepts of the CCPA and the GDPR, there are also significant areas of divergence. We have prepared the following charts to compare the PDP Bill with the GDPR and the CCPA on the following points: (i) Jurisdiction and scope (ii) Rights of the Data Principal; (iii) Obligations of the Data Fiduciaries; (iv) Exemptions; (v) Data Protection Authority; and (vi) Breach of Personal Data. It is not a comprehensive list of all requirements under the three regulations.

The charts are based on the comparative charts prepared by the Future of Privacy Forum.

Our note on the divergence between the General Data Protection Regulation and the Personal Data Protection Bill can be downloaded as a PDF here.

The European Union’s General Data Protection Regulation (GDPR), replacing the 1995 EU Data Protection Directive came into effect in May 2018. It harmonises the data protection regulations across the European Union. In India, the Ministry of Electronics and Information Technology had constituted a Committee of Experts (chaired by Justice Srikrishna) to frame recommendations for a data protection framework in India. The Committee submitted its report and a draft Personal Data Protection Bill in July 2018 (2018 Bill). Public comments were sought on the bill till October 2018. The Central Government revised the Bill and introduced the revised version of the Personal Data Protection Bill (PDP Bill) on December 11, 2019 in the Lok Sabha.

The PDP Bill has incorporated certain aspects of the GDPR, such as requirements for notice to be given to the data principal, consent for processing of data, establishment of a data protection authority, etc. However, there are some differences and in this note we have highlighted the areas of divergence between the two. It only includes provisions which are common to the GDPR and the PDP Bill. It does not include the provisions on (i) Appellate Tribunal, (ii) Finance, Account and Audit; and (iii) Non- Personal Data. 

This article by Gurshabad Grover appeared on ETVBharat on February 10, 2020. The author would like to thank Kanav Khanna for his research assistance. The article was edited by Arindrajit Basu and translated into various languages by the ETVBharat team. You can also read it in Gujarati, Hindi, Kannada, Odia, and Urdu.

On 4 August 2019, the Central Government ordered the suspension of telecommunication and internet services in Jammu and Kashmir. Suddenly, roughly a crore citizens found themselves unable to exercise their basic freedoms of expression and association online. According to the Software Freedom Law Centre’s Internet Shutdown Tracker, Jammu and Kashmir endured 180 partial or complete internet shutdowns in the last seven years. These astonishing numbers indicate that communication blockades in the state are a common occurrence, but perhaps even Kashmiris did not anticipate that they are entering the longest internet shutdown ever imposed by a democratic country.

It is no secret that the internet has become an essential tool for democratic participation. The loss of the network infrastructure also causes both social and economic harm: students are denied access to critical educational resources, hospitals and emergency services face an administrative catastrophe, and local business can crumble. As recent work by the scholar Jan Rydzak demonstrates, shutting down the internet may not even be ensuring public order and peace, as the government would readily claim. Rydzak argues that access to the internet allows wide coordination that is necessary to demonstrate a peaceful protest, and that internet shutdowns may thus be fueling violent protests rather than curbing them.

When the internet shutdown, among other state action, was challenged by Kashmiri Times editor Anuradha Bhasin, the Supreme Court (SC) did have an opportunity to consider these factors when deciding on the legality of the shutdown. The concerns of civil society were made severe in this particular situation because the Government failed, in a total disregard for the rule of law, failed to publish the internet shutdown orders or present them before the court. In its final order on 10 January this year, the SC did affirm basic constitutional principles and sets progressive precedent for future cases.

First and foremost, the Court affirms that the Constitution, through Article 19, protects the “freedom of speech and expression and the freedom to practice any profession or carry on any [...] occupation over the medium of internet.” Second, the Court recognised that internet shutdowns cannot be imposed indefinitely, must be reviewed by the executive every week and that the orders are subject to judicial review. In that regard, the SC may pave for strengthened challenges to internet shutdowns in the future. However, as several scholars have noted, besides ordering the restoration of some essential services, the Court does fall short of providing relief to Kashmiri citizens in the case. Soon after the SC delivered this judgment, the government of Jammu and Kashmir issued orders to internet service providers to restore 2G internet services but only permit access to 301 websites. Besides the fact that the list arbitrarily includes and excludes services, major communication services were notably from the list. Most importantly, this piece of ‘internet regulation’ makes little sense when you consider either the internet or the regulations governing it.

In the technical sense, the regulations completely misunderstand how the modern web functions. When one connects to a website, the websites in turn often make the system download critical resources from other servers. If internet service providers permit only specific websites, the content from other unwhite listed sources still remains inaccessible. A recent experiment by Rohini Lakshané and Prateek Waghre confirms this empirically: out of the 301 websites in the list, only 126 were usable in some form. While the order seems like a necessary consequence of the SC order, there is also little legislative basis for the order. The order cites the Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules issued in 2017 under the colonial-era Indian Telegraph Act. These regulations do permit the Government to shut down telecom and internet services but do not allow the government to issue orders that allow ‘whitelists’ such as this one. The Information Technology (IT) Act, namely through Section 69A, allows the Central Government and courts to order the blocking of certain websites. Even the license agreements issued by the government to internet service providers only allow the Government to order the blocking certain online resources on the grounds of national security. Therefore, the order of a ‘whitelist’ of websites has no basis in law because it turns the logic of only blocking websites on its head.

After Kashmiris found a way to circumvent the ‘whitelist’ by using virtual private networks (VPNs), reports emerged that security forces were forcing Kashmiris to uninstall these applications. All this, of course, despite the fact that there is no law preventing the use of VPNs or the circumvention of internet censorship in general.

It has now been around seven months since internet and telecom services were suspended in Kashmir. This long-standing deprivation of basic rights to Kashmiris is wrong that perhaps even the future cannot correct. After months of a complete shutdown, the Government can make better amends than restoring only limited and partial access. As we march onto the next decade, the world is watching. History will not judge kindly those who occluded civil liberties through a facile ritual incantation of ‘public order’ and ‘national security’.