We are anonymous, we are legion

Beyond the PDP Bill: Governance Choices for the DPA

Trishi Jindal and S.Vivek — 2021-11-10T07:32:33Z

This article examines the specific governance choices the Data Protection Authority (DPA) in India must deliberate on vis-à-vis its standard-setting function, which are distinct from those it will encounter as part of its enforcement and supervision functions.

The Personal Data Protection Bill, 2019, was introduced in the Lok Sabha on 11 December 2019. It lays down an overarching framework for personal data protection in India. Once revised and approved by Parliament, it is likely to establish the first comprehensive data protection framework for India. However, the provisions of the Bill are only one component of the forthcoming data protection framework It further proposes setting up the Data Protection Authority (DPA) to oversee the final enforcement, supervision, and standard-setting. The Bill consciously chooses to vest the responsibility of administering the framework with a regulator instead of a government department. As an independent agency, the DPA is expected to be autonomous from the legislature and the Central Government and capable of making expert-driven regulatory decisions in enforcing the framework.

Furthermore, the DPA is not merely an implementing authority; it is also expected to develop privacy regulations for India by setting standards. As such, it will set the day-to-day obligations of regulated entities under its supervision. Thus, the effectiveness with which it carries out its functions will be the primary determinant of the impact of this Bill (or a revised version thereof) and the data protection framework set out under it.

The final version for the PDP Bill may or may not provide the DPA with clear guidance regarding its functions. In this article, we emphasise the need to look beyond the Bill and instead examine the specific governance choices the DPA must deliberate on vis-à-vis its standard-setting function, which are distinct from those it will encounter as part of its enforcement and supervision functions.

A brief timeline of the genesis of a distinct privacy regulator for India

The vision of an independent regulator for data protection in India emerged over the course of several intervening processes that set out to revise India’s data protection laws. In fact, the need for a dedicated data protection regulation for India, with enforceable obligations and rights, was debated years before the Aadhaar, Cambridge Analytica, and Pegasusrevelations captured the public imagination and mainstreamed conversations on privacy.

The Right to Privacy Bill, 2011, which never took off, recognised the right to privacy in line with Article 21 of the Constitution of India, which pertains to the right to life and personal liberty. The Bill laid down express conditions for collecting and processing data and the rights of data subjects. It also proposed setting up a Data Protection Authority (DPA) to supervise and enforce the law and advise the government in policy matters. Upon review by the Cabinet, it was suggested that the Authority be revised to an Advisory Council, given its role under the Bill was limited.

Subsequently, in 2012, the AP Shah Committee Report recommended a principle-based data protection law, focusing on set standards while refraining from providing granular rules, to be enforced through a co-regulatory structure. This structure would consist of central and regional-level privacy commissioners, self-regulatory bodies, and data protection officers appointed by data controllers. There were also a few private members’ bills introduced between 2011 and 2019.

None of these efforts materialised, and the regulatory regime for data protection and privacy remained embedded within the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). Though the SPDI Rules require body corporates to secure personal data, their enforcement is limited to cases of negligence in abiding by these limited set of obligations pertaining to sensitive personal information only, and which have caused wrongful loss or gain – a high threshold to prove for aggrieved individuals. Otherwise, the Intermediary Guidelines, 2011 require all intermediaries to generally follow these Rules under Rule 3(8). The enforcement of these obligations is entrusted to adjudicating officers (AO) appointed by the central government, who are typically bureaucrats appointed as AOs in an ex-officio capacity.

By 2017, the Aadhaar litigations had provided additional traction to the calls for a dedicated and enforceable data protection framework in India. In its judgement, the Supreme Court recognised the right to privacy as a fundamental right in India and stressed the need for a dedicated data protection law. Around the same time, the Ministry of Electronics and Information Technology (MeitY) constituted a committee of experts under the chairmanship of Justice BN Srikrishna. The Srikrishna Committee undertook public consultations on a 2017 white paper, which culminated in the nearly comprehensive Personal Data Protection Bill, 2018, and an accompanying report. This 2018 Bill outlined a regulatory framework of personal data processing for India and defined data processing entities as fiduciaries, which owe a duty of care to individuals to whom personal data relates. The Bill provided for the setting up of an independent regulator that would, among other things, specify further standards for data protection and administer and enforce the provisions of the Bill.

MeitY invited public comments on this Bill and tabled a revised version, the Personal Data Protection Bill, 2019 (PDP Bill), in the Lok Sabha in December 2019. Following public pressure calling for detailed discussions on the Bill before its passing, it was referred to a Joint Parliamentary Committee (JPC) constituted for this purpose. It currently remains under review; the JPC is reportedly expected to table its report in the 2021 Winter Session of Parliament. Though the Bill is likely to undergo another round of revisions following the JPC’s review, this is the closest India has come to realising its aspirations of establishing a dedicated and enforceable data protection framework.

This Bill carries forward the choice of a distinct regulatory body, though questions remain on the degree of its independence, given the direct control granted to the central government in appointing its members and funding the DPA.

Conceptualising an Independent DPA

The Srikrishna Committee’s 2017 white paper and its 2018 report on the PDP Bill discuss the need for a regulator in the context of enforcement of its provisions. However, the DPA under the PDP Bill is tasked with extensive powers to frame detailed regulations and codes of conduct to inform the day-to-day obligations of data fiduciaries and processors. To be clear, the standard-setting function for a regulator entails laying down the standards based on which regulated entities (i.e. the data fiduciaries) will be held accountable, and the manner in which they may conduct themselves while undertaking the regulated activity (i.e. personal data processing). This is in addition to its administrative and enforcement, and quasi-judicial functions, as outlined below:

Functions of the DPA under the PDP Bill 2019

At this stage, it is important to note that the choice of regulation via a regulator is distinct from the administration of the Bill by the central or state governments. Creating a distinct regulatory body allows government procedures to be replaced with expert-driven decision-making to ensure sound economic regulation of the sector. At the same time, the independence of the regulatory authority insulates it from political processes. The third advantage of independent regulatory authorities is the scope for ‘operational flexibility’, which is embodied in the relative autonomy of its employees and its decision-making from government scrutiny.

This is also the rationale provided by the Srikrishna Committee in stating their choice to entrust the administration of the data protection law to an independent DPA. The 2017 white paper that preceded the 2018 Srikrishna Committee Report proposed a distinct regulator to provide expert-driven enforcement of laws for the highly specialised data protection sphere. Secondly, the regulator would serve as a single point of contact for entities seeking guidance and will ensure consistency by issuing rules, standards, and guidelines. The Srikrishna Committee Report concretised this idea and proposed a sector-agnostic regulator that is expected to undertake expertise-driven standard-setting, enforcement, and adjudication under the Bill. The PDP Bill carries forward this conception of a DPA, which is distinct from the central government.

Conceptualised as such, the DPA has a completely new set of questions to contend with. Specifically, regulatory bodies require additional safeguards to overcome the legitimacy and accountability questions that arise when law-making is carried out not by elected members of the legislature, but via the unelected executive. The DPA would need to incorporate democratic decision-making processes to overcome the deficit of public participation in an expert-driven body. Thus, the meta-objective of ensuring autonomous, expertise-driven, and legitimate regulation of personal data processing necessitates that the regulator has sufficient independence from political interference, is populated with subject matter experts and competent decision-makers, and further has democratic decision-making procedures.

Further, the standard-setting role of the regulator does not receive sufficient attention in terms of providing distinct procedural or substantive safeguards either in the legislation or public policy guidance.

Reconnaissance under the PDP Bill: How well does it guide the DPA?

At this time, the PDP Bill is the primary guidance document that defines the DPA and its overall structure. India also lacks an overarching statute or binding framework that lays down granular guidance on regulation-making by regulatory agencies.

The PDP Bill, in its current iteration, sets out skeletal provisions to guide the DPA in achieving its objectives. Specifically, the Bill provides guidance limited to the following:

Parliamentary scrutiny of regulations: The DPA must table all its regulations before the Parliament. This is meant to accord legislative scrutiny to binding legal standards promulgated by unelected officials.
Consistency with the Act: All regulations should be consistent with the Act and the rules framed under it. This integrates a standard of administrative law to a limited extent within the regulation-making process.

However, India’s past track record indicates that regulations, once tabled before the Parliament, are rarely questioned or scrutinised. Judicial review is typically based on ‘thin’ procedural considerations such as whether the regulation is unconstitutional, arbitrary, ultra vires, or goes beyond the statutory obligations or jurisdiction of the regulator. In any event, judicial review is possible only when an instrument is challenged by a litigant, and, therefore, it may not always be a robust ex-ante check on the exercise of this power. A third challenge arises where instruments other than regulations are issued by the regulator. These could be circulars, directions, guidelines, and even FAQs, which are rarely bound by even the minimal procedural mandate of being tabled before the Parliament. To be sure, older regulators including the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI) also face similar issues, which they have attempted to address through various methods including voluntary public consultations, stakeholder meetings, and publication of minutes of meetings. These are useful tools for the DPA to consider as well.

Apart from these, specific guidance is provided with respect to issuing and approving codes of practice and issuing directions as follows:

Codes of practice: The DPA is required to (i) ensure transparency,^{^[1]} (ii) consult with other sectoral regulators and stakeholders, and (iii) follow a procedure to be prescribed by the central government prior to the notification of codes of practice under the Bill.^{^[2]}
Directions: The DPA may issue directions to individual, regulated entities or their classes from time to time, provided these entities have been given the opportunity to be heard by the DPA before such directions are issued.^{^[3]}

However, the meaning of transparency and the process for engaging with sectoral regulators remains unspecified under the Bill. Furthermore, the central government has been provided vast discretion to formulate these procedures, as the Bill does not specify the principles or outcomes sought to be achieved via these procedures. The Bill also does not specify instances where such directions may be issued and in which form.

Thus, as per its last publicly available iteration, the Bill remains silent on the following:

The principles that may guide the DPA in its functioning.
The procedure to be followed for issuing regulations and other subordinate legislation under the Bill.
The relevant regulatory instruments, other than regulations and codes of practice – such as circulars, guidelines, FAQs, etc. – that may be issued by the DPA.
The specifics regarding the members and employees within the DPA who are empowered to make these regulations.

It is unclear whether the JPC will revise the DPA’s structure or recommend statutory guidance for the DPA in executing any of its functions. This is unlikely, given that parent statutes for other regulators typically omit such guidance. As a result, the DPA may be required to make intentional and proactive choices on these matters, much like their regulatory counterparts in India. These are discussed in the section below.

Envisaging a Proactive Role for the DPA

As the primary regulatory body in charge of the enforcement of the forthcoming data protection framework, what should be the role of the DPA in setting standards for data protection?

The complexity of the subject matter, and the DPA’s role as the frontline body to define day-to-day operational standards for data protection for the entire digital economy, necessitates that it develop transparent guiding principles and procedures. Furthermore, given that the DPA’s autonomy and capacity are currently unclear, the DPA will need to make deliberate choices regarding how it conducts itself. In this regard, the skeletal nature of the PDP Bill also allows the DPA to determine its own procedures to carry out its tasks effectively.

This is not uncommon in India: various regulators have devised frameworks to create benchmarks for themselves. The Airports Economic Regulatory Authority (AERA) is obligated to follow a dedicated consultation process as per an explicit transparency mandate under the parent statute. However, the Insolvency and Bankruptcy Board of India (IBBI) has, on its own initiative, formulated regulations to guide its regulation-making functions. In other cases, consultation processes have been integrated into the respective framework through judicial intervention: the Telecom Regulatory Authority of India (TRAI) has been mandated to undertake consultations through judicial interpretation of the requirement for transparency under the Telecom Regulatory Authority of India Act, 1997 (TRAI Act).

In this regard, we develop a list of considerations that the DPA should look to address while carrying out its standard-setting functions. We also draw on best practices by Indian regulators and abroad, which can help identify feasible solutions for an effective DPA for India.

The choice of regulatory instruments

The DPA is empowered to issue regulations, codes of practice, and directions under the Bill. At the same time, regulators in India routinely issue other regulatory instruments to assign obligations and clarify them. Some commonly used regulatory instruments are outlined below. The terms used for instruments are not standard across regulators, and the list and description set out below outline the main concepts and not fixed labels for the instruments.

Overview of regulatory instruments

	Circulars and Master Circulars	Guidelines	FAQs	Directions
Content	Circulars are used to prescribe detailed obligations and prohibitions for regulated entities and can mimic regulations. Master circulars consolidate circulars on a particular topic periodically.	These may be administrative or substantive, depending on the practice of the regulator in question.	Issued in public interest by regulators to clarify the regulatory framework administered by them. They cannot prescribe new standards or create obligations.	Issued to provide focused instructions to individual entities or class of entities in response to an adjudicatory action or in lieu of a current challenge.
Binding character	They are generally binding in the same manner as regulations and rules. However, if they go beyond the parent Act or existing rules and regulations, they may be struck down following a judicial review.	They may or may not be binding depending upon the language employed or the regulator’s practice.	Unclear whether these are binding and to what extent. However, crucial clarifications on important concepts sometimes emerge from FAQs.	Binding in respect of the class of regulated entities to whom this is issued.
Parliamentary scrutiny	Unlike regulations, these do not have to be laid before the Parliament.

Thus, all these instruments, to varying degrees, have been used to create binding obligations for regulated entities. The choice of regulatory instrument is not made systematically. Indeed, even a hierarchy of instruments and their functions are not clearly set out by most regulators. The rationale for deciding why a circular is issued as against a regulation is also unclear. A study on regulatory performance in India by Burman and Zaveri (2018) has highlighted an over-reliance on instruments such as circulars. As per their study, between 2014 and 2016, RBI and SEBI issued 1,016 and 122 circulars, as against 48 and 51 regulations, respectively. These circulars are not bound by the same pre-consultative mandate nor are they mandated to be laid before the Parliament. While circulars may have been intended for routine to routinely used to lay down administrative or procedural requirements, the study narrows its frame of reference to circulars which lay down substantive regulatory requirements. In this instance, it is unclear why parliamentary scrutiny is mandated for regulations alone, and not for instruments like circulars and directions, even though they lay down similarly substantive requirements. Furthermore, there have also been instances where certain instruments like FAQs have gone beyond their advisory scope to provide new directions or definitions that were not previously shared under binding instruments like regulations or circulars.

The DPA has been provided specific powers to issue regulations, codes of practice, and directions. However, the rationale for issuing one instead of the other has been absent from the PDP Bill so far. In such a scenario, it is important that the DPA transparently outlines the types of instruments it wishes to use, whether they are binding or advisory, and the procedure to be followed for issuing each.

Pre-legislative consultative rule-making

Participatory and consultative processes have emerged as core components of democratic rule-making by regulators. Transparent consultative mechanisms could also ameliorate capacity challenges in a new regulator (particularly for technical matters) and help enhance public confidence in the regulator.

In India, several regulators have adopted consultation mechanisms even when there is no specific statutory requirement. SEBI and IBBI routinely issue discussion papers and consultation papers. The RBI also issues draft instruments soliciting comments. As discussed previously, TRAI and AERA have distinct transparency mandates under which they carry out consultations before issuing regulations. However, these processes are not mandated all forms of subordinate legislation. Taking cognizance of this, the Financial Sector Legislative Reform Committee (FSLRC) has recommended transparency in the regulation-making process. This was carried forward by the Financial Stability and Development Council (FSDC), which recommended that consultation processes should be a prerequisite for all subordinate legislations, including circulars, guidelines, etc. A study on regulators’ adherence to these mandates, spanning TRAI, AERA, SEBI, and RBI, demonstrated that this pre-consultation mandate is followed inconsistently, if at all. Predictable consultation practices are therefore critical.

Furthermore, the study stated that it could not determine whether the consultation processes yielded meaningful participation, given that regulators are not obligated to disclose how public feedback was integrated into the rule-making process. Subordinate legislations issued in the form of circulars and guidelines also do not typically undergo the same rigorous consultation processes. Thus, an ideal consultation framework would comprise:

Publication of the draft subordinate legislation along with a detailed explanation of the policy objectives. Further, the regulator should publish the internal or external studies conducted to arrive at the proposed legislation to engender meaningful discussion.
Permitting sufficient time for the public and interested stakeholders to respond to the draft.
Publishing all feedback received for the public to assess, and allowing them to respond to the feedback.

However, beyond specifying the manner of conducting consultations, it will be important for the DPA to determine where they are mandatory and binding, and for which type of subordinate legislations. These are discussed in the next section.

Choice of consultation mandates for distinct regulatory instruments

While the Bill provides for consultation processes for issuing and approving codes of practice, no such mechanism has been set out for other instruments. Nevertheless, specifying consultation mandates for different regulatory instruments is important to ensure that decision-making is consistent and regulation-making remains bound by transparent and accountable processes. As discussed above, regulatory instruments such as circulars and FAQs are not necessarily bound by the same consultation mandates in India. This distinction has been clarified in more sophisticated administrative law frameworks abroad. For instance, under the Administrative Procedures Act in the United States (US), all substantive rules made by regulatory agencies are bound by a consultation process, which requires notice of the proposed rule-making and public feedback. This does not preclude the regulatory agency from issuing clarifications, guidelines, and supplemental information on the rules issued. These documents do not require the consultation process otherwise required for formal rules. However, they cannot be used to expand the scope of the rules, set new legal standards, or have the effect of amending the rules. Nevertheless, agencies are not precluded from choosing to seek public feedback on such documents.

Similarly, the Information Commissioner’s Office in the United Kingdom (UK) takes into consideration public consultations and surveys while issuing toolkits and guidance for regulated entities on how to comply with the data protection framework in the UK.

Here, the DPA may choose to subject strictly binding instruments like regulations and codes of practice to pre-legislative consultation mandates, while softer mechanisms like FAQs may be subject to the publication of a detailed outline of the policy objective or online surveys to invite non-binding, advisory feedback. For each of these, the DPA will nonetheless need to create specific criteria by which it classifies instruments as binding and advisory, and further outline specific pre-legislative mandates for each category.

Framework for issuing regulatory instruments and instructions

While the DPA is likely to issue several instruments, the system based on which these instruments will be issued is not yet clear. Without a clearly thought-out framework, different departments within the regulator typically issue a series of directions, circulars, regulations, and other instruments. This raises questions regarding the consistency between instruments. This also requires stakeholders to go through multiple instruments to find the position of law on a given issue. Older Indian regulators are now facing challenges in adapting their ad hoc system into a framework. For example, the RBI currently issues a series of circulars and guidelines that are periodically consolidated on a subject-matter basis as Master Circulars and Master Directions. These are then updated and published on their website. IBBI also publishes handbooks and information brochures that consolidate instruments in an accessible manner.

While these are useful improvements, these practices cannot keep pace with rapid changes in regulatory instructions and are not complete or user-friendly (for example, the subject-matter based consolidation does not allow for filtering regulatory instructions by entity). Other jurisdictions have developed different techniques such as formal codification processes to consolidate regulations issued by government agencies under one unified code, register, or handbook, websites that allow for searches based on different parameters (subject-matter, type of instrument, chronology, entity-based), and guides tailored to different types of entities. The DPA, as a new regulator, can learn from this experience and adopt a consistent framework right from the beginning.

Further, an ethos of responsive regulation also requires the DPA to evaluate and revise directions and regulations periodically, in response to market and technology trends. A commitment to periodic evaluation of subordinate legislations entrenched in the rules is critical to reducing the dependence on officials and leadership, which may change. For instance, the IBBI has set out a mandatory review of regulations issued by it every three years.

Dedicating capacity for drafting subordinate legislations

The DPA has been granted the discretion to appoint experts and staff its offices with the personnel it needs. A study of European data protection authorities shows that by the time the General Data Protection Regulation, 2016 became effective, most of the authorities increased the number of employees with some even reporting a 240% increase. The annual spending on the authorities also went up for most countries. While these authorities do not necessarily frame subordinate legislations, they nonetheless create guidance toolkits and codes of practice as part of their supervisory functions.

In this regard, the DPA will need to ensure it has dedicated capacity in-house to draft subordinate legislations. Since regulators are generally seen as enforcement authorities, there is inadequate investment in capacity-building for drafting legislations in India.

Moreover, considering the multiplicity of instruments and guidance documents the DPA is expected to issue, it may seek to create templates for these instruments, along with compulsory constituents of different types of instruments. For instance, the Office of the Australian Information Commissioner is required to include a mandatory set of components while issuing or approving binding industry codes of practice.

Conclusion

The Personal Data Protection Bill, 2019 (in the final form recommended by the JPC and accepted by the MeitY) will usher in a new chapter in India’s data protection timeline. While the Bill will finally effectuate a nearly comprehensive data protection framework for India, it will also establish a new regulatory framework that sets up a new regulator, the DPA, to oversee the new data protection law. This DPA will be empowered to regulate entities across sectors and is likely to determine the success of the data protection law in India.

Furthermore, the DPA must not only contend with the complexity of markets and the fast pace of technological change, but it must also address anticipated regulatory capacity deficits, low levels of user literacy, the number and diversity of enities within its regulatory ambit, and the need to secure individual privacy within and outside the digital realm.

Thus, looking ahead, we must account for the questions of governance that the forthcoming DPA is likely to face, as these will directly impact how entities and citizens engage with the DPA. In India, regulatory agencies adopt distinct choices to fulfil their functions. Regulators have also fared variably in ensuring transparent and accountable decision-making driven by demonstrable expertise. Even if the final form of the PDP Bill does not address these gaps, the DPA has the opportunity to integrate benchmarks and best practices as discussed above within its own governance framework from the get-go as it takes on its daunting responsibilities under the PDP Bill.

(The authors are Research Fellow, Law, Technology and Society Initiative and Project Lead, Regulatory Governance Project respectively at the National Law School of India University, Bangalore. Views are personal.)

This post was reviewed by Vipul Kharbanda and Shweta Mohandas

References

For a discussion on distinct regulatory choices, please see TV Somanathan, The Administrative and Regulatory State in Sujit Choudhary, Madhav Khosla, et al. (eds), Oxford Handbook of the Indian Constitution (2016).
On best practices for consultative law-making, see generally European Union Better Regulation Communication, Guidelines for Effective Regulatory Consultations (Canada), and OECD Best Practice Principles for Regulatory Policy: The Governance of Regulators, 2014.

^{^[1]} Personal Data Protection Bill 2019, § 50(3).

^{^[2]} Personal Data Protection Bill 2019, § 50(4).

^{^[3]} Personal Data Protection Bill 2019, § 51.

For more details visit https://cis-india.org/internet-governance/blog/trishi-jindal-and-s-vivek-beyond-the-pdp-bill

Big Tech’s privacy promise to consumers could be good news — and also bad news

Rajat Kathuria and Isha Suri — 2023-01-18T23:25:28Z

Rajat Kathuria, Isha Suri write: Its use as a tool for market development must balance consumer protection, innovation, and competition.

In February, Facebook, rebranded as Meta, stated that its revenue in 2022 is anticipated to reduce by $10 billion due to steps undertaken by Apple to enhance user privacy on its mobile operating system. More specifically, Meta attributed this loss to a new AppTrackingTransparency feature that requires apps to request permission from users before tracking them across other apps and websites or sharing their information with and from third parties. Through this change, Apple effectively shut the door on “permissionless” internet tracking and has given consumers more control over how their data is used. Meta alleged that this would hurt small businesses benefiting from access to targeted advertising services and charged Apple with abusing its market power by using its app store to disadvantage competitors under the garb of enhancing user privacy.

Access the full article published in the Indian Express on April 13, 2022

For more details visit https://cis-india.org/internet-governance/blog/indian-express-rajat-kathuria-isha-suri-big-tech-consumers-privacy-policy

UN Questionnaire on Digital Innovation, Technologies and Right to Health

Pahlavi and Shweta Mohandas — 2022-11-21T16:10:06Z

The Centre for Internet & Society (CIS) contributed to the questionnaire put out by the Office of the United Nations High Commissioner for Human Rights, on digital innovation, technologies and the right to health. The responses were authored by Pahlavi and Shweta Mohandas, and edited by Indumathi Manohar.

Questionnaire

1. What are benefits of increased use of digital technologies in the planning and delivery of health information, services and care? Consider the use of digital technologies for healthcare services, the collection and use of health-related data, the rise of social media and mobile phones, and the use of artificial intelligence specifically to plan and deliver healthcare. Please share examples of how such technologies benefited specific groups. How have digital technologies contributed to availability, accessibility, acceptability and quality of healthcare? Has the use of artificial intelligence improved access to health information, services and care? Please comment on existing or emerging biases in health information, services and care.

The use of digital technologies and forms of digital health interventions has seen an increase in interest from governments, industries, as well as individuals since the beginning of the pandemic. The lockdowns, and other social distancing measures created a push towards telemedicine and online consultations. Digital health services provide a number of people the opportunity to seek medical help without traveling, which particularly help people with accessibility needs, the elderly, and anyone else that has difficulty in movement.1 Telemedicine can also help meet the challenges of healthcare delivery to rural and remote areas, in addition to serving as a means of training and education.2

The pandemic brought about a push towards telehealth and telemedicine and the telemedicine market has been reported to touch $5.4 Bn by 2025,3 with a number of applications working to make it more accessible to people in India. With respect to AI there has been some adoption of AI in India to help the most vulnerable group of people. For example: Microsoft has teamed up with the Government of Telangana to use cloud-based analytics for the Rashtriya Bal Swasthya Karyakram program by adopting MINE (Microsoft Intelligent Network for Eyecare), an AI platform to reduce avoidable blindness in children.4 Similarly Philips Innovation Campus (PIC) in Bengaluru, Karnataka is harnessing technology to make solutions for TB detection from chest x-rays, and a software solution (Mobile Obstetrics Monitoring) to identify and manage high-risk pregnancies.5 More recently IWill by ePsyClinic, a mental-health platform in India, has received a grant from Microsoft's 'AI for Accessibility' program to accelerate the building of a Hindi-based AI Mental Health conversational program.6

However the use of digital technologies and online medical interventions has also widened the increasing gap between those who can afford a smart phone and internet and those who cannot. A digital-only health intervention also results in excluding a wide number of people who do not have a smartphone, for example the Indian contact-tracing app, Aarogya Setu, which was a mandatory download to access public places during the lockdown was initially only available via a smartphone. Additionally, the app initially was not compatible with screen readers.7 The disparities in digital access and infrastructure is not limited to individuals— a report by the Ministry of Electronics and Information Technology India highlighted that the government hospitals and dispensaries have very little ICT infrastructure with only some major public hospitals having computers and connectivity.8

As stated above, the adoption of digital health technologies is not uniform around the world, and the people who are not able to access these technologies missed being included in the data that is being collected by these systems, further excluding from the data set which might be used to train future interventions. In the same light, digital technologies such as AI based screening are based on historical data that have been proved to contain biases against

marginalised communities. Continuing to use these systems without addressing these biases and or including more diverse dataset results in the same people being marginalised and misdiagnosed further. For example, safety apps where data is provided by limited people could identify Dalit and Muslim areas as unsafe, reflecting the prejudices of the app’s middleand upper-class users.9 While this has not been revealed in healthcare apps, the growing use of CCTVs and subsequent use of facial recognition in only certain pockets of the city reveal the historical biases in the police system that lead to targeted surveillance.10

2. How has the rise of web platforms and social media increased access to health information and services, or conversely, increased risk of misdiagnosis or other harms? Please share examples of ways in which social media and web platforms facilitated innovation in access to evidence-based health information and services, or created new threats of discrimination, mental health harms, or online or offline violence.

Social media platforms have helped people immensely during the pandemic. For example, when people reached out to strangers for help for hospital beds and oxygen. However, the benefits of such were limited to people who were on social media and had the reach and networks to share such information.11Furthermore, social media and messaging apps such as Whatsapp also led to the spread of misinformation during the pandemic. For example a Whatsapp message claiming to be from the Ministry of Aayush which permitted homeopathy doctors to treat Covid19 spread significantly, leading to the official government channels clarifying that it is fake and cautioning people against it.12 It was also noted that at times when women shared requests for beds or oxygen during covid on social media, they were faced with fake calls, stalking and trolling on social media, making it harder for them to seek help.

3. How has the right to privacy been impacted by the use of digital technologies for health? Please share examples of ways in which data gathered from digital technologies have been used by States, commercial entities or other third parties to either benefit or harm groups regarding the right to health.

In 2006, the National e-Governance Plan (NeGP) was approved by the Indian State wherein a massive infrastructure was developed to reach the remotest corners and facilitate easy access of government services efficiently at affordable costs.13There has been a paradigm shift in the Indian state’s governance strategy, with severe implications for privacy and inclusion. However, this shift has been undertaken primarily through a series of administrative orders with no real legislative mandate and minimal judicial oversight. This digitisation began with services such as taxation, land record, passport details, but it soon extended its ambit, and it now covers most services for which the citizen is dependent upon the state— the latest being digital health.

In the Indian context, there have been a number of policies that have been published which dealt with digital health. The policies looked at creating a digital health ID, digitisation of health data, and the management of health data. However these policies are being introduced without the existence of a comprehensive data protection legislation. While there are certain safeguards mentioned in each policy, without privacy and data protection legislation it is impossible to ensure compliance and the rights of the data owners. This issue became a reality when during the vaccination for Covid, some vaccination centres created Health ID for people without their consent.14

4. What are current strengths or weaknesses of digital health governance at national, regional and global levels? Please provide examples of laws, regulations or other safeguards that has been put in place to protect and fulfill the rights to health, privacy, and confidentiality within the use of digital technologies for health? Do restrictive laws or law enforcement create any specific challenges for persons using digital technologies to access health information or services?

Digitisation of the healthcare system in India had started prior to the pandemic. However, the pandemic also saw a slew of digitisation policies being rolled out, the most notable being the National Digital Health Mission (re-designed as the Aayushman Bharat Digital Mission) which empowered and saw the government use the vaccination process to generate Health IDs for citizens, in several reported cases without their knowledge or consent.15 The entire digitisation process has been undertaken in the absence of any legislative mandate or judicial oversight. It has primarily been undertaken through issuance of executive notifications and resulting in absent or inadequate grievance redressal mechanisms.

The rollout of the NDHM also saw health IDs being generated for citizens. In several reported cases across states, this rollout happened during the Covid-19 vaccination process— without the informed consent of the concerned person. All of these developments took place in the absence of a data protection law and a law regulating the digital health sphere, raising critical concerns around citizens’ privacy and the governance and oversight mechanisms for digital health initiatives.

Valdez, R. S., Rogers, C. C., Claypool, H., Trieshmann, L., Frye, O., Wellbeloved-Stone, C., & Kushalnagar, P. (2021). Ensuring full participation of people with disabilities in an era of telehealth. Journal of the American Medical Informatics Association, 28(2), 389-392.
Paul, Hickok, Sinha, & Tiwari. (2018). Artificial Intelligence in the Healthcare Industry in India. Centre for Internet and Society India. Retrieved November 15, 2022, from https://cis-india.org/internet-governance/ai-and-healthcare-report/view
Dayalani, V., K., H., S., G., R., T., & M., L. (2021, February 15). 1mg Rises In Indian Telemedicine Space As Sector Set To Touch $5.4 Bn Market Size by 2025. Inc42 Media. Retrieved November 15, 2022, from https://inc42.com/datalab/telemedicine-a-post-covid-reality-in-india/
Government of Telangana adopts Microsoft Cloud and becomes the first state to use Artificial Intelligence for eye care screening for children - Microsoft Stories India. (2017, August 3). Microsoft Stories India. Retrieved November 15, 2022, from https://news.microsoft.com/en-in/governmenttelangana-adopts-microsoft-cloud-becomes-first-state-use-articial-intelligence-eye-care-screeningchildren/
D’Monte, L. (2017, February 15). How Philips is using AI to transform healthcare. Mint. Retrieved November 15, 2022, from https://www.livemint.com/Science/yxgekz1jJJ3smvvRLwmaAL/How-Philips-is-using-AI-to-transformhealthcare.html
PTI. (2022, November 11). Microsoft supports IWill with “AI for Accessibility” grant to develop AI CBT mental health program for 615 million Hindi users. Microsoft Supports IWill With “AI for Accessibility”Grant to Develop AI CBT Mental Health Program for 615 Million Hindi Users. Retrieved November 15,2022, from https://www.ptinews.com/pti/Microsoft-supports-IWill-with--AI-for-Accessibility--grant-todevelop-AI-CBT-mental-health-program-for-615-million-Hindi-users/58238.html
Nath. (2020, May 2). Coronavirus | Mandatory Aarogya Setu app not accessible to persons with disabilities.Coronavirus | Mandatory Aarogya Setu App Not Accessible to Persons With Disabilities - the Hindu. Retrieved November 15, 2022, from https://www.thehindu.com/news/national/coronavirus-mandatory-aarogya-setu-app-notaccessible-to-persons-with-disabilities/article31489933.ece
Sharma, N. C. (2018, July 16). Adoption of e-medical records facing infra hurdles: Report. Mint. Retrieved November 15, 2022, from https://www.livemint.com/Politics/CucBmKaoWLZuSf1Y9VaafM/Adoption-of-emedical-recordsfacing-infra-hurdles-Report.html
https://www.livemint.com/news/world/ai-algorithms-far-from-neutral-in-india-11613617957200.html
Vipra. (n.d.). The Use of Facial Recognition Technology for Policing in Delhi. Vidhi Centre for Legal Policy. Retrieved November 15, 2022, from https://vidhilegalpolicy.in/research/the-use-of-facial-recognition-technology-for-policingin-delhi/
Kalra, A., & Ghoshal, D. (2021, April 21). Twitter becomes a platform of hope amid the despair of India’s COVID crisis. Reuters. Retrieved November 15, 2022, from https://www.reuters.com/world/india/twitterbecomes- platform-hope-amid-despair-indias-covid-crisis-2021-04-21/
Times of India . (2020, April 29). WhatsApp message on Homeopathy and coronavirus treatment is fake- Times of India. The Times of India. Retrieved November 15, 2022, from https://timesondia.indiatimes.com/gadgets-news/whatsapp-message-on-homeopathy-and-coronavirustreatment-is-fake/articleshow/75425274.cms
Amber Sinha, Pallavi Bedi and Amber Sinha, “Techno-Solutinist Responses to Covid 19”, EPW, Vol LVI, No. 29, July 17, 2021 Retrieved from: https://www.epw.in/journal/2021/29/commentary/technosolutionist-responses-covid-19.html
Rana, C. (2021, October 1). COVID-19 vaccine beneficiaries were assigned unique health IDs without their consent.The Caravan. Retrieved November 15, 2022, from https://caravanmagazine.in/health/covid-19-vaccinebeneficiaries-were-assigned-unique-health-ids-without-their-consent

For more details visit https://cis-india.org/internet-governance/un-questionnaire-digital-innovation-technologies-right-to-health

The PDP Bill 2019 Through the Lens of Privacy by Design

2020-11-13T07:51:03Z

This paper evaluates the PDP Bill based on the Privacy by Design approach. It examines the implications of Bill in terms of the data ecosystem it may lead to, and the visual interface design in digital platforms. This paper focuses on the notice and consent communication suggested by the Bill, and the role and accountability of design in its interpretation.

Background

The Personal Data Protection (PDP) Bill, 2019 was introduced in the Lok Sabha on December 11, 2019 by the Minister of Electronics and Information Technology. The Bill aims to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same [1]. The PDP Bill, 2019 contains several clauses that have implications on the visual design of digital products. These include the specific requirements for communication of notice and consent at various stages of the product. The Bill also introduces the Privacy by Design policy. Privacy by Design (PbD), as a concept, was proposed by Ann Cavoukian in the 1990s, with the purpose of approaching privacy from a design-thinking perspective [2]. She describes this perspective to be holistic, interdisciplinary, integrative, and innovative. The approach suggests that privacy must be incorporated into networked data systems and technologies, by default [3]. It challenges the practice of enhancing privacy as an afterthought. It expects privacy to be a default setting, and a proactive (not reactive) measure that would be embedded into a design in its initial stage and throughout the life cycle of the product [4]. While PbD is a conceptual framework, it’s application can change the way digital platforms are created and the way in which people interact with them. From devising a business model, to making technological decisions, PbD principles can make privacy integral to the processes and standards of a digital platform.

The PDP Bill states that data fiduciaries are required to prepare a Privacy by Design policy and have it certified by the Data Protection Authority. According to the Bill, the policy would contain the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal [5]. It would mention if the technology used in the processing of personal data is in accordance with the certified standards. It would also comprise of the ways in which privacy is being protected throughout the stages of processing of personal data, and that the interest of the individual is accounted for in each of these stages. Once certified by the Data Protection Authority, the data fiduciaries are also required to publish this policy on their website [6]. This forces the data fiduciaries to envision privacy as a fundamental requirement and not an afterthought. Such a policy would have a huge impact in the way digital platforms are conceptualised, both from the technological and the design point of view. The adoption of this policy by digital platforms would enable people to know if their privacy is protected by the companies, and what are the various steps being taken for this purpose. Besides the explicit Privacy by Design policy, the PDP Bill, 2019, also recommends the regulations for data minimisation, establishment of the Data Protection Authority (DPA), and the development of a consent framework. These steps are also part of the Privacy by Design approach.

This paper evaluates the PDP Bill based on the Privacy by Design approach. The Bill’s scope includes both the conceptual and technological aspects of a digital platform, as well as the interface aspect that the individual using the platform faces. The paper will hence analyse how PbD approach is reflected in both these aspects. At the conceptual level, it will look at the data ecosystem that the Bill unwittingly creates, and at the interface level, it will critically analyse the Bill’s implication on the notice and consent communication in the digital products. This includes the several points of communication or touchpoints between a company and an individual using their service, as dictated by the Bill, and how they would translate into visual design. Visual design forms an integral part of digital platforms. It is the way in which the platforms interact with the individuals. The choices made by individuals are largely driven by the visual structuring and presentation of information on these platforms. Presently, the interface design in several platforms is being used to perpetuate unethical data practices in the form of dark patterns. Dark Patterns are deceptive user interface interactions, designed to mislead or trick users to make them do something they don’t want to do [7]. The design of the notice and consent touchpoints can significantly influence the enforcement of this Bill, and how it benefits individuals. Moreover, digital platforms may technically follow the regulations but can still be manipulative through their interface design. Thus, the role and accountability of design becomes crucial in the interpretation of the data protection regulations.

The full paper can be read here.

[1] https://prsindia.org/billtrack/personal-data-protection-bill-2019

[2] https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf

[3] https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf

[4] https://www.smashingmagazine.com/2019/04/privacy-ux-aware-design-framework/

[5] http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf

[6] https://sflc.in/key-changes-personal-data-protection-bill-2019-srikrishna-committee-draft

[7] https://uxdesign.cc/dark-patterns-in-ux-design-7009a83b233c

For more details visit https://cis-india.org/internet-governance/blog/the-pdp-bill-2019-through-the-lens-of-privacy-by-design

The Wolf in Sheep's Clothing: Demanding your Data

Rekha Jain — 2020-11-10T17:44:13Z

This piece was originally published in The Economic Times Telecom, on 8 September, 2020.

The increasing digitalization of the economy and ubiquity of the Internet, coupled with developments in Artificial Intelligence (AI) and Machine Learning (ML) has given rise to transformational business models across several sectors. These developments have changed the very structure of existing sectors, with a few dominant firms straddling across many sectors. The position of these firms is entrenched due to the large amounts of data they have, and usage of sophisticated algorithms that deliver very targeted service/content and their global nature.

Such data based network businesses are generally multi-sided platforms subject to network effects and winner takes all phenomena, often, making traditional competition regulation inappropriate. In addition, there has been concern that such companies hurt competition as they are owners of large amounts of data collected globally, the very basis on which new services are predicated. Also since users have an inertia to share their data on multiple platforms, new companies find it very challenging to emerge. Several of the large companies are of US origin. Several regions/countries such as EU, UK, India are concerned that while these companies benefit from the data of their citizens or their devices, SMEs and other companies in their own countries find it increasingly difficult to remain viable or achieve scale. With the objective of supporting enterprises, including SMEs in their own countries, Europe, UK India are in different stages of data regulation initiatives.

In India, the Personal Data Protection (PDP) Bill, 2019 deals with the framework for collecting, managing and transferring of Personal Data of Indian citizens, including mandating sharing of anonymized data of individuals and non-personal data for better targeting of services or policy making. In addition, the Report by the Committee of Experts (CoE) on Non Personal Data (NPD) came up with a Framework for Regulating NPD. Since the NPD Report is a more recent phenomenon, this articles analyzes some aspects of it.

According to CoE, non-personal data could be of two types. First, data or information which was never about an individual (e.g. weather data). Second, data or information that once was related to an individual (e.g. mobile number) but has now ceased to be identifiable due to the removal of certain identifiers through the process of ‘anonymisation’. However, it may be possible to recover the personal data from such anonymized data and therefore, the distinction between personal and non-personal is not clean. In any case, the PDP bill 2019 deals with personal data. If the CoE felt that some aspect of personal data (including anonymized data) were not adequately dealt with, it should work to strengthen it. The current approach of the CoE is bound to create confusion and overlapping jurisdiction. Since anonymized data is required to be shared, there are disincentives to anonymization, causing greater risk to individual privacy.

A new class of business based on a “horizontal classification cutting across different industry sectors” is defined. This refers to any business that derives “new or additional economic value from data, by collecting, storing, processing, and managing data” based on a certain threshold of data collected/processed that will be defined by the regulatory authority that is outlined in the report. The CoE also recommends that “Data Businesses will provide, within India, open access to meta-data and regulated access to the underlying data” without any remuneration. Further, “By looking at the meta-data, potential users may identify opportunities for combining data from multiple Data Businesses and/or governments to develop innovative solutions, products and services. Subsequently, data requests may be made for the detailed underlying data”.

With increasing digitalization, today almost every business is a data business. The problem in such categorization will be with the definition of thresholds. It is likely that even a small video sharing app or an AR/VR app would store/collect/process/transmit more data than say a mid-sized bank in terms of data volumes. Further, with increasing embedding of IoT in various aspects of our lives and businesses (smart manufacturing, logistics, banking etc), the amount of data that is captured by even small entities can be huge.

The private sector, driven by profitability, identifies innovative business models, risks capital and finds unique ways of capturing and melding different data sets. In order to sustain economic growth, such innovation is necessary. The private sector would also like legal protection over these aspects of its businesses, including the unique IPR that may be embedded in the processing of data or its business processes. But mandating such onerous requirements on sharing by the CoE is going to kill any private initiative. Any regulatory regime must balance between the need to provide a secure environment for protecting data of incumbents and making it available to SMEs/businesses.

Meta data provides insights to the company’s databases and processes. These are source of competitive advantage for any company. Meta data is not without a context. The basis of demanding such disclosure is mandated with the proposed NPD Regulator who would evaluate such a purpose. In practice, purposes are open to interpretation and the structure of appeal mechanism etc is going to stall any such sharing. Would such mandates of sharing not interfere with the existing Intellectual Property Rights? Or the freedom to contract? Any innovation could easily be made available to a competitor that front-ends itself with a start-up. To mandate making such data available would not be fair. Further, how would the NPD regulator even ensure that such data is used for the purpose (which the proposed regulator is supposed to evaluate) that it is sought for? In Europe, where such data sharing mandates are being considered, the focus is on public data. For private entities, the sharing is largely based on voluntary contributions. Compulsory sharing is mandated only under restricted situations where market failure situations are not addressed through Competition Act and provided legitimate interest of the data holder and existing legal provisions are taken into account.

Further, the compliance requirements for such Data Businesses is very onerous and makes a mockery of “minimum government” framework of the government. The CoE recommends that all Data Businesses, whether government NGO, or private “to disclose data elements collected, stored and processed, and data-based services offered”. As if this was not enough, the CoE further recommends that “Every Data Business must declare what they do and what data they collect, process and use, in which manner, and for what purposes (like disclosure of data elements collected, where data is stored, standards adopted to store and secure data, nature of data processing and data services provided). This is similar to disclosures required by pharma industry and in food products”. Such disclosures are necessary in these industries as the companies in this sector deal with critical aspects of human life. But are such requirements necessary for all activities and businesses? As long as organizations collect and process data, in a legal manner, within the sectoral regulation, why should such information have to be “reported”? Further, such bureaucratic processes and reporting requirements are only going to be a burden to existing legitimate businesses and give rise to a thriving regulatory license raj.

Further questions that arise are: How is any compliance agency going to make sure that all the underlying metadata is made available in a timely manner? As companies respond to a dynamic environment, their analysis and analytical tools change and so does the metadata. This inherent aspect of businesses raises the question: At what point in time should companies make their meta-data available? How will the compliance be monitored?

Conclusion: The CoE needs to create an enabling and facilitating an environment for data sharing. The incentives for different types of entities to participate and contribute must be recognized. Adequate provisions for risks and liabilities arising out data sharing need to be thought through. National initiatives on data sharing should not create an onerous reporting regime, as envisaged by the CoE, even if digital.

DISCLAIMER: The views expressed are solely of the author and ETTelecom.com does not necessarily subscribe to it. ETTelecom.com shall not be responsible for any damage caused to any person/organisation directly or indirectly.

For more details visit https://cis-india.org/internet-governance/blog/the-wolf-in-sheeps-clothing-demanding-your-data

Reclaiming AI Futures: Call for Contributions and Provocations

Divij Joshi — 2020-11-18T09:04:25Z

CIS is pleased to share this call for contributions by Mozilla Fellow Divij Joshi. CIS will be working with Divij to edit, collate, and finalise this publication. This publication will add to Divij’s work as part of the AI observatory. The work is entirely funded by Divij Joshi.

Please visit this link for the full call, and details on how to apply.

For more details visit https://cis-india.org/internet-governance/blog/reclaiming-ai-futures-call-for-contributions-and-provocations

Comments to National Digital Health Mission: Health Data Management Policy

Shweta Mohandas, Pallavi Bedi, Shweta Reddy, and Saumyaa Naidu — 2020-10-05T15:56:51Z

CIS has submitted comments to the National Health Data Management Policy. We welcome the opportunity provided to our comments on the Policy and we hope that the final Policy will consider the interests of all the stakeholders to ensure that it protects the privacy of the individual while encouraging a digital health ecosystem.

Read the full set of comments here.

For more details visit https://cis-india.org/internet-governance/blog/comments-to-national-digital-health-mission-health-data-management-policy

Mapping Web Censorship & Net Neutrality Violations

pranav — 2020-10-05T07:59:47Z

For over a year, researchers at the Centre for Internet and Society have been studying website blocking by internet service providers (ISPs) in India. We have learned that major ISPs don’t always block the same websites, and also use different blocking techniques. To take this study further, and map net neutrality violations by ISPs, we need your help. We have developed CensorWatch, a research tool to collect empirical evidence about what websites are blocked by Indian ISPs, and which blocking methods are being used to do so. Read more about this project (link), download CensorWatch (link), and help determine if ISPs are complying with India’s net neutrality regulations.

Learn more about website blocking in India, through our recent work on the issue —

Using information from court orders, user reports, and government orders, and running network tests from six ISPs, Kushagra Singh, Gurshabad Grover and Varun Bansal presented the largest study of web blocking in India. Through their work, they demonstrated that major ISPs in India use different techniques to block websites, and that they don’t block the same websites (link).
Gurshabad Grover and Kushagra Singh collaborated with Simone Basso of the Open Observatory of Network Interference (OONI) to study HTTPS traffic blocking in India by running experiments on the networks of three popular Indian ISPs: ACT Fibernet, Bharti Airtel, and Reliance Jio (link).
For The Leaflet, Torsha Sarkar and Gurshabad Grover wrote about the legal framework of blocking in India — Section 69A of the IT Act and its rules. They considered commentator opinions questioning the constitutionality of the regime, whether originators of content are entitled to a hearing, and whether Rule 16, which mandates confidentiality of content takedown requests received by intermediaries from the Government, continues to be operative (link).
In the Hindustan Times, Gurshabad Grover critically analysed the confidentiality requirement embedded within Section 69A of the IT Act and argued how this leads to internet users in India experiencing arbitrary censorship (link).
Torsha Sarkar, along with Sarvjeet Singh of the Centre for Communication Governance (CCG), spoke to Medianama delineating the procedural aspects of section 69A of the IT Act (link).
Arindrajit Basu spoke to the Times of India about the geopolitical and regulatory implications of the Indian government’s move to ban fifty-nine Chinese applications from India (link).

For more details visit https://cis-india.org/internet-governance/blog/mapping-web-censorship-net-neutrality-violations

Fundamental Right to Privacy — Three Years of the Puttaswamy Judgment

pranav — 2020-08-24T07:46:10Z

Today marks three years since the Supreme Court of India recognised the fundamental right to privacy, but the ideals laid down in the Puttaswamy Judgment are far from being completely realized. Through our research, we invite you to better understand the judgment and its implications, and take stock of recent issues pertaining to privacy.

Amber Sinha dissects the Puttaswamy Judgment through an analysis of the sources, scope and structure of the right, and its possible limitations. [link]

Through a visual guide to the fundamental right to privacy, Amber Sinha and Pooja Saxena trace how courts in India have viewed the right to privacy since Independence, explain how key legal questions were resolved in the Puttaswamy Judgement, and provide an account of the four dimensions of privacy — space, body, information and choice — recognized by the Supreme Court. [link]

Based on publicly available submissions, press statements, and other media reports, Arindrajit Basu and Amber Sinha track the political evolution of the data protection ecosystem in India, on EPW Engage. They discuss how this has, and will continue to impact legislative and policy developments. [link]

For the AI Policy Exchange, Arindrajit Basu and Siddharth Sonkar examine the Automated Facial Recognition Systems (AFRS), and define the key legal and policy questions related to privacy concerns around the adoption of AFRS by governments around the world. [link]

Over the past decade, reproductive health programmes in India have been digitising extensive data about pregnant women. In partnership with Privacy International, we studied the Mother and Child Tracking system (MCTS), and Ambika Tandon presents the impact on the privacy of mothers and children in the country. [link]

While the right to privacy can be used to protect oneself from state surveillance, Mira Swaminathan and Shubhika Saluja write about the equally crucial problem of lateral surveillance — surveillance that happens between individuals, and within neighbourhoods, and communities — with a focus on this issue during the COVID-19 crisis. [link]

Finally, take a dive into the archives of the Centre for Internet and Society to read our work, which was cited in the Puttaswamy judgment — essays by Ashna Ashesh, Vidushi Marda and Bhairav Acharya that displaced the notion that privacy is inherently a Western concept, by attempting to locate the constructs of privacy in Classical Hindu [link], and Islamic Laws [link]; and Acharya’s article in the Economic and Political Weekly, which highlighted the need for privacy jurisprudence to reflect theoretical clarity, and be sensitive to unique Indian contexts [link].

For more details visit https://cis-india.org/internet-governance/blog/fundamental-right-to-privacy-three-years-of-the-puttaswamy-judgment

Comments on NITI AAYOG Working Document: Towards Responsible #AIforAll

Shweta Mohandas, Arindrajit Basu and Ambika Tandon — 2020-08-18T06:25:18Z

The NITI Aayog Working Document on Responsible AI for All released on 21st July 2020 serves as a significant statement of intent from NITI Aayog, acknowledging the need to ensure that any conception of “Responsible AI” must fulfill constitutional responsibilities, incorporated through workable principles. However, as it is a draft document for discussion, it is important to highlight next steps for research and policy levers to build upon this report.

Read our comments in their entirety here.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-niti-aayog-working-document-towards-responsible-aiforall

Investigating TLS blocking in India

Simone Basso, Gurshabad Grover and Kushagra Singh — 2020-07-09T01:23:43Z

A study into Transport Layer Security (TLS)-based blocking by three popular Indian ISPs: ACT Fibernet, Bharti Airtel and Reliance Jio.

Gurshabad Grover and Kushgra Singh collaborated with Simone Basso (OONI) to investigate TLS-based blocking in India. The research report was published on OONI's blog. It was edited and reviewed by Maria Xynou and Arturo Filastò.

Summary

This report investigates Transport Layer Security (TLS)-based blocking in India. Previous research by the Centre for Internet & Society, India (CIS) has already exposed TLS blocking based on the value of the SNI field. OONI has also implemented and started testing SNI-based TLS blocking measurements.

Recently, the Magma Project documented cases where CIS India and OONI’s methodologies could be improved. They specifically found that blocking sometimes appears to depend not only on the value of the SNI field but also on the address of the web server being used. These findings were later confirmed by OONI measurements in Spain and Iran through the use of an extended measurement methodology.

We were therefore curious to see whether such an extended methodology would discover further cases of TLS blocking in India. To answer this research question we ran experiments on the networks of three popular Indian Internet Service Providers (ISPs) (ACT Fibernet, Bharti Airtel, and Reliance Jio) which account for over 70% of the internet subscribers in India.

We recorded SNI-based blocking on both Bharti Airtel and Reliance Jio. We also discovered that Reliance Jio blocks TLS traffic not just based on the SNI value, but also on the web server involved with the TLS handshake. Moreover, we noticed that ACT Fibernet’s DNS resolver directs users towards servers owned by ACT Fibernet itself. Such servers caused the TLS handshake to fail, but the root cause of censorship was the DNS.

We also document that one of the endpoints we tested, collegehumor.com:443, does not allow establishing TCP connection from several vantage points and control measurements. Yet, in Reliance Jio, we see cases where the connections to such endpoints complete successfully and a timeout occurs during the TLS handshake. We believe this is caused by some kind of proxy that terminates the TCP connection and performs the TLS handshake.

Read the full research report on OONI's blog.

For more details visit https://cis-india.org/internet-governance/blog/investigating-tls-blocking-in-india

Towards Algorithmic Transparency

Radhika Radhakrishnan, and Amber Sinha — 2020-07-15T13:16:44Z

This policy brief examines the issue of transparency as a key ethical component in the development, deployment, and use of Artificial Intelligence.

This brief proposes a framework that seeks to overcome the challenges in preserving transparency when dealing with machine learning algorithms, and suggests solutions such as the incorporation of audits, and ex ante approaches to building interpretable models right from the design stage. Read the full report here.

The Regulatory Practices Lab at CIS aims to produce regulatory policy suggestions focused on India, but with global application, in an agile and targeted manner and to promote transparency around practices affecting digital rights.
The Regulatory Practices Lab is supported by Google and Facebook.

For more details visit https://cis-india.org/internet-governance/blog/towards-algorithmic-transparency

After the Lockdown

Shyam Ponappa — 2020-04-09T10:05:49Z

This post was first published in the Business Standard, on April 2, 2020.

This is a time when, as the authorities deal with a lockdown, there needs to be an equal emphasis on providing for large numbers of people without the money for food and necessities, while the rest of us wait it out. Hard as it is, an MIT scholar writes that after the Spanish flu in 1918, cities that restricted public gatherings sooner and longer had fewer fatalities, and emerged with stronger economic growth.1 It is likely that costs and benefits vary with economic and social capacity, and we may have a harder time with it here. Going forward, government action to help provide relief, rehabilitate people and deal with loss needs to be well planned, including targeting aid to the urban and displaced poor.2

As important now as to ensure the lockdown continues is to plan on how to revive productive activity and the economy, and restore public confidence. A systematic approach will likely yield better results.

A major element of the recovery plan is steps such as liberal credit and amortisation terms, perhaps much more than the three-month extension the Reserve Bank of India (RBI) has announced. A primary purpose is the re-initiation of large-scale activities such as construction, of which there are reportedly about 200,000 large projects around the country. These have to be nursed back to being going concerns. The RBI may need to consider doing more, including lowering rates.

An ominous development that has grown as the economy slowed is financial stress that could swell non-performing assets (NPAs). At the half-year ending September 2019, about half of non-financial large corporations in India, excluding telecom, showed financial stress (see table).

Source: Krishna Kant: "Coronavirus shutdown puts Rs 15-trillion debt at risk, to impact finances", BS, March 30, 2020:

https://www.business-standard.com/article/markets/coronavirus-shutdown-puts-rs-15-trillion-debt-at-risk-to-impact-finances-120032901036_1.html

These include some of India’s largest companies, producing power, steel, and chemicals. The 201 companies have total debt of nearly Rs 15 trillion, more than half of all borrowings. There is also the debt overhang of the National Highways Authority of India, and of the telecom companies. Ironically, the telecom companies are our lifeline now, despite having nearly collapsed under debt because of ill-advised policies in the past, which have still not changed. Perhaps our obvious dependence telecom services now will spark well conceived, convergent policies for this sector, so that we can function effectively.

A start with immediate changes in administrative rules for 60GHz, 70-80GHz, and 500-700MHz wireless use, modelled on the US FCC regulations as was done for the 5GHz Wi-Fi in October 2018, could change the game. It will provide the opportunity in India for the innovation of devices, their production, and use, possibly unleashing this sector. This can help offset our reliance on imported technology and equipment. However, such changes in policies and purchasing support have eluded us thus far. Now, the only way our high-technology manufacturers can thrive is to succeed internationally, in order to be able to sell to the domestic market. Imagine how hard that might be, and you begin to get an inkling of why we have few domestic product champions, struggling against odds in areas such as optical switches, networking equipment, and wireless devices. For order-of-magnitude change, however, structural changes need to be worked out in consultation with operators in the organisation of services through shared infrastructure.

For the longer term, a fundamental reconsideration for allocating resources is needed through coherent, orchestrated policy planning and support. What the government can do as a primary responsibility, besides ensuring law and order and security, is to develop our inadequate and unreliable infrastructure, including facilities and services that enable efficient production clusters, their integrated functioning, and skilling. For instance, Apple’s recent decision against moving iPhone production from China to India was reportedly because similar large facilities (factories of 250,000) are not feasible here, and second, our logistics are inadequate. Such considerations should be factored into our planning, although Apple may well have to revisit the very sustainability of the concept of outsize facilities that require the sort of repressive conditions prevailing in China. However, we need not aim for building unsustainable mega-factories. Instead, a more practical approach may be to plan for building agglomerations of smaller, sustainable units, that can aggregate their activity and output effectively and efficiently. Such developments could form the basis of numerous viable clusters, and where possible, capitalise on existing incipient clusters of activities. Such infrastructure needs to be extended to the countryside for agriculture and allied activities as well, so that productivity increases with a change from rain-fed, extensive cultivation to intensive practices, with more controlled conditions.

The automotive industry, the largest employer in manufacturing, provides an example for other sectors. It was a success story like telecom until recently, but is now floundering, partly because of inappropriate policies, despite its systematic efforts at incorporating collaborative planning and working with the government. It has achieved the remarkable transformation of moving from BS-IV to BS-VI emission regulations in just three years, upgrading by two levels with an investment of Rs 70,000 crore, whereas European companies have taken five to six years to upgrade by one level. This has meant that there was no time for local sourcing, and therefore heavy reliance on global suppliers, including China. While the collaborative planning model adopted by the industry provides a model for other sectors, the question here is, what now. In a sense, it was not just the radical change in market demand with the advent of ridesharing and e-vehicles, but also the government’s approach to policies and taxation that aggravated its difficulties.

Going forward, policies that are more congruent in terms of societal goals, including employment that support the development of large manufacturing opportunities, need to be thought through from a perspective of aligning and integrating objectives (in this case, transportation). Areas such as automotive and other industries for the manufacture of road and rail transport vehicles need to be considered from the perspective of reconfiguring the purpose, flow, and value-added, to achieve both low-cost, accessible mass transport, and vehicles for private use that complement transportation objectives as also employment and welfare.

Systematic and convergent planning and implementation across sectors could help achieve a better revival.

Shyam (no space) Ponappa at gmail dot com

1: https://www.reuters.com/article/us-health-coronavirus-usa-reopen-analysi/the-u-s-weighs-the-grim-math-of-death-vs-the-economy-idUSKBN21H1B4

2: https://www.financialexpress.com/opinion/the-coronavirus-lockdown-and-indias-urban-vulnerables/1915316/

For more details visit https://cis-india.org/internet-governance/blog/after-the-lockdown

India’s ‘Self-Goal’ in Telecom

Shyam Ponappa — 2020-04-09T07:18:26Z

This post was first published in the Business Standard, on March 5, 2020.

The government apparently cannot resolve the problems in telecommunications. Why? Because the authorities are trying to balance the Supreme Court order on Adjusted Gross Revenue (AGR), with keeping the telecom sector healthy, while safeguarding consumer interest. These irreconcilable differences have arisen because both the United Progressive Alliance and the National Democratic Alliance governments prosecuted unreasonable claims for 15 years, despite adverse rulings! This imagined “impossible trinity” is an entirely self-created conflation.
If only the authorities focused on what they can do for India’s real needs instead of tilting at windmills, we’d fare better. Now, we are close to a collapse in communications that would impede many sectors, compound the problem of non-performing assets (NPAs), demoralise bankers, increase unemployment, and reduce investment, adding to our economic and social problems.
Is resolving the telecom crisis central to the public interest? Yes, because people need good infrastructure to use time, money, material, and mindshare effectively and efficiently, with minimal degradation of their environment, whether for productive purposes or for leisure. Systems that deliver water, sanitation, energy, transport and communications support all these activities. Nothing matches the transformation brought about by communications in India from 2004 to 2011 in our complex socio-economic terrain and demography. Its potential is still vast, limited only by our imagination and capacity for convergent action. Yet, the government’s dysfunctional approach to communications is in stark contrast to the constructive approach to make rail operations viable for private operators.
India’s interests are best served if people get the services they need for productivity and wellbeing with ease, at reasonable prices. This is why it is important for government and people to understand and work towards establishing good infrastructure.

What the Government Can Do

An absolute prerequisite is for all branches of government (legislative, executive, and judicial), the press and media, and society, to recognise that all of us must strive together to conceptualise and achieve good infrastructure. It is not “somebody else’s job”, and certainly not just the Department of Telecommunications’ (DoT’s). The latter cannot do it alone, or even take the lead, because the steps required far exceed its ambit.

Act Quickly

These actions are needed immediately:

First, annul the AGR demand using whatever legal means are available. For instance, the operators could file an appeal, and the government could settle out of court, renouncing the suit, accepting the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) ruling of 2015 on AGR.

Second, issue an appropriate ordinance that rescinds all extended claims. Follow up with the requisite legislation, working across political lines for consensus in the national interest.

Third, take action to organise and deliver communications services effectively and efficiently to as many people as possible. The following steps will help build and maintain more extensive networks with good services, reasonable prices, and more government revenues.

Enable Spectrum Usage on Feasible Terms

Wireless regulations

It is infeasible for fibre or cable to reach most people in India, compared with wireless alternatives. Realistically, the extension of connectivity beyond the nearest fibre termination point is through wireless middle-mile connections, and Wi-Fi for most last-mile links. The technology is available, and administrative decisions together with appropriate legislation can enable the use of spectrum immediately in 60GHz, 70-80GHz, and below 700MHz bands to be used by authorised operators for wireless connectivity. The first two bands are useful for high-capacity short and medium distance hops, while the third is for up to 10 km hops. The DoT can follow its own precedent set in October 2018 for 5GHz for Wi-Fi, i.e., use the US Federal Communications Commission regulations as a model.1 The one change needed is an adaptation to our circumstances that restricts their use to authorised operators for the middle-mile instead of open access, because of the spectrum payments made by operators. Policies in the public interest allowing spectrum use without auctions do not contravene Supreme Court orders.

Policies: Revenue sharing for spectrum

A second requirement is for all licensed spectrum to be paid for as a share of revenues based on usage as for licence fees, in lieu of auction payments. Legislation to this effect can ensure that spectrum for communications is either paid through revenue sharing for actual use, or is open access for all Wi-Fi bands. The restricted middle-mile use mentioned above can be charged at minimal administrative costs for management through geo-location databases to avoid interference. In the past, revenue-sharing has earned much more than up-front fees in India, and rejuvenated communications.2 There are two additional reasons for revenue sharing. One is the need to manufacture a significant proportion of equipment with Indian IPR or value-added, to not have to rely as much as we do on imports. This is critical for achieving a better balance-of-payments, and for strategic considerations. The second is to enable local talent to design and develop solutions for devices for local as well as global markets, which is denied because it is virtually impossible for them to access spectrum, no matter what the stated policies might claim.

Policies and Organisation for Infrastructure Sharing

Further, the government needs to actively facilitate shared infrastructure with policies and legislation. One way is through consortiums for network development and management, charging for usage by authorised operators. At least two consortiums that provide access for a fee, with government’s minority participation in both for security and the public interest, can ensure competition for quality and pricing. Authorised service providers could pay according to usage.
Press reports of a consortium approach to 5G where operators pay as before and the government “contributes” spectrum reflect seriously flawed thinking.3 Such extractive payments with no funds left for network development and service provision only support an illusion that genuine efforts are being made to the ill-informed, who simultaneously rejoice in the idea of free services while acclaiming high government charges (the two are obviously not compatible).
Instead of tilting at windmills that do not serve people’s needs while beggaring their prospects, commitment to our collective interests requires implementing what can be done with competence and integrity.

Shyam (no space) Ponappa at gmail dot com
1. https://dot.gov.in/sites/default/files/2018_10_29%20DCC.pdf
2. http://organizing-india.blogspot.in/2016/04/ breakthroughs- needed-for-digital-india.html
3. https://www.business-standard.com/article/economy-policy/govt-considering-spv-with-5g-sweetener-as-solution-to-telecom-crisis-120012300302_1.html

For more details visit https://cis-india.org/internet-governance/indias-self-goal-in-telecom

‘Future of Work’ in India’s IT/IT-es Sector

Aayush Rathi and Elonnai Hickok — 2020-04-28T09:52:59Z

The Centre for Internet and Society has recently undertaken research into the impact of Industry 4.0 on work in India. Industry 4.0, for the purposes of the research, is conceptualised as the technical integration of cyber physical systems (CPS) into production and logistics and the use of the ‘internet of things’ (connection between everyday objects) and services in (industrial) processes. By undertaking this research, CIS seeks to complement and contribute to the discourse and debates in India around the impact of Industry 4.0. In furtherance of the same, this report seeks to explore several key themes underpinning the impact of Industry 4.0 specifically in the IT/IT-es sector and broadly on the nature of work itself.

Read the complete case-study here: Download (PDF)

Introduction

Scholarship on 'Industry 4.0' that has emerged globally has sought to address the challenges of technological forecasting as it relates to work in varied forms. For instance, the Frey-Osborne methods examine characteristic tasks of each occupation and suggest that almost half of all jobs in the United States and other advanced countries are at risk of being substituted by computers or algorithms within the next 10 to 20 years. [1] On the other hand, scholars such as Autor and Handel as well as research produced by OECD on this subject argue that occupations as a whole are unlikely to be automated as there is great variability in the tasks within each occupation. [2] Existing literature on the impact on jobs in the IT sector in India too have arrived at mixed conclusions. Reports have raised concerns about job loss in the sector as a result of automation [3] whilst it has also been reported that employment from the IT sector reached 3.86 million in 2016-17 and an addition of around 105,000 was witnessed in FY18 itself. [4]

In this context, it is crucial to start by developing an understanding of which technologies are at the forefront of bringing in Industry 4.0. Such an understanding will further help understand which jobs, and more specifically, job functions are at the greatest risk of being replaced by automation technologies. To further contextualise the impact, it is imperative to develop a comprehensive understanding of how job functions are organised within the sector itself. This becomes especially relevant with the emphasis Industry 4.0 places on the horizontal and vertical integration of the various technologies constituting Industry 4.0. [5]

It is anticipated that to stay ahead of the curve of ‘technological unemployment’ there will be significant skilling and re-skilling challenges to enable new talent addition around emerging job roles. [6] The skilling challenge gains enhanced importance in the broader context of nurturing an inclusive digital economy. [7] This is particularly relevant in the context of female labour force participation, since it has been predicted that job creation will be concentrated in sectors where females are underrepresented and difficult to retain, while sectors with higher female participation, such as secretarial work, will undergo job loss. [8]

However, it is not clear how these trends will play out in the future, particularly because other structural changes are taking place simultaneously (such as globalisation and protectionism, demographic change, policy making, technological adoption etc.).

Objective and Scope

This research seeks to contribute to existing studies and dialogue on the impact and effect of industry 4.0 on work in the Information Technology services (IT) sector in India. Though the research focuses on the impact of technologies that comprise Industry 4.0, such technologies are frequently interchanged with the words ‘automation’ and ‘digitisation’. Thus, the desk research also examines the impact of ‘automation’ and ‘digitisation’ on the IT sector in India. The case study looks atthe IT sector broadly and where applicable, calls out information specific to sub-sectors such as IT enabled services (IT-eS) or Business Process Management (IT-BPM). The IT sector in India is uniquely placed; it is producing the technologies that are disrupting work in other industries as well as implementing them internally. This report focuses on the latter, but brings into context the former when relevant to work in the sector.

By drawing out trends and providing an analysis of contextual, quantitative and qualitative data on changes to work and labour markets in India as a result of technological uptake, it is anticipated that comparative research can be enabled by creating a framework that can be replicated in other, particularly developing, contexts.

References

[1] Carl Benedikt Frey and Michael A. Osborne, 2013. The future of employment: How susceptible are jobs to computerisation?, Oxford Martin School, September.

[2] See David H. Autor & Michael J. Handel, 2013. “Putting Tasks to the Test: Human Capital, Job Tasks, and Wages,” Journal of Labor Economics, University of Chicago Press, Vol. 31(S1), pages S59 -S96. See also: Future of Work and Skills, The Organisation for Economic Co-operation and Development, February 2017.

[3] Business Today, AI, automation will cost 7 lakh IT jobs by 2022, says report. (November 7, 2017) Retrieved https://www.businesstoday.in/sectors/it/ai-and-automation-to-cost-7-lakh-it-jobs-by-2022-says-report/story/259880.html

[4] Advantage India, India Brand Equity Foundation. Retrieved https://www.ibef.org/download/IT-ITeS-Report-Apr-2018.pdf

[5] Embracing Industry 4.0 -and Rediscovering Growth, Boston Consulting Group. Retrieved https://www.bcg.com/capabilities/operations/embracing-industry-4.0-rediscovering-growth.aspx

[6] India’s Readiness for Industry 4.0 -A Focus on Automotive Sector, Grant Thorton and Confederation of Indian Industry. Retrieved http://www.nasscom.in/sites/default/files/NASSCOM_Annual_Guidance_Final_22062017.pdf

[7] G20 Insights, Bridging the digital divide: Skills for the new age., Retrieved http://www.g20-insights.org/policy_briefs/bridging-digital-divide-skills-new-age/

[8] World Economic Forum, The Future of Jobs -Employment, Skills and Workforce Strategy for the Fourth Industrial Revolution, (January 2016).

For more details visit https://cis-india.org/internet-governance/blog/future-of-work-in-india-it-it-es-sector