We are anonymous, we are legion

Comments to the proposed amendments to The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

Divyansha Sehgal and Torsha Sarkar — 2023-02-07T15:21:47Z

This note presents comments by the Centre for Internet and Society (CIS), India, on the proposed amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“proposed amendments”). We thank Isha Suri for her review of this submission.

Preliminary

In these comments, we examine the constitutional validity of the proposed amendments, as well as whether the language of the amendments provide sufficient clarity for its intended recipients. This commentary is in-line with CIS’ previous engagement with other iterations of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

General Comments

Ultra vires the parent act

Section 79(1) of the Information Technology (IT) Act states that the intermediary will not be held liable for any third-party information if the intermediary complies with the conditions laid out in Section 79(2). One of these conditions is that the intermediary observe “due diligence while discharging his duties under this Act and also observe such other guidelines as the Central Government may prescribe in this behalf.” Further, Section 87(2)(zg) empowers the central government to prescribe “guidelines to be observed by the intermediaries under sub-section (2) of section 79.”

A combined reading of Section 79(2) read with Section 89(2)(zg) makes it clear that the power of the Central Government is limited to prescribing guidelines related to the due diligence to be observed by the intermediaries while discharging its duties under the IT Act. However, the proposed amendments extend the original scope of the provisions within the IT Act.

In particular, the IT Act does not prescribe for any classification of intermediaries. Section 2(1) (w) of the Act defines intermediaries as “with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes”. Intermediaries are treated and regarded as a single monolithic entity with the same responsibilities and obligations.

The proposed amendments have now established a new category of intermediaries, namely online gaming intermediary. This classification comes with additional obligations, codified within Rule 4A of the proposed amendments, including enabling the verification of user-identity and setting up grievance redressal mechanisms. The additional obligations placed on online gaming intermediaries find no basis in the IT Act, which does not specify or demarcate between different categories of intermediaries.

The 2021 Rules have been prescribed under Section 87(1) and Section 87(2)(z) and (zg) of the IT Act. These provisions do not empower the Central Government to make any amendment to Section 2(w) or create any classification of intermediaries. As has been held by the Supreme Court in State of Karnataka and Another v. Ganesh Kamath & Ors that: “It is a well settled principle of interpretation of statutes that conferment of rule making power by an Act does not enable the rule making authority to make a rule which travels beyond the scope of the enabling Act or which is inconsistent therewith or repugnant thereto.” In this light, we argue that the proposed amendment cannot go beyond the parent act or prescribe policies in the absence of any law/regulation authorising them to do so.

Recommendation

We recommend that a regulatory intervention seeking to classify intermediaries and prescribe regulations specific to the unique nature of specific intermediaries should happen through an amendment to the parent act. The amendment should prescribe additional responsibilities and obligations of online gaming intermediaries.

A note on the following sections

Since the legality of classifying intermediaries into further categories is under question, our subsequent discussions on the language of the provisions related to online gaming intermediary are recommended to be taken into account for formulating any new legislations relating to these entities.

Specific comments

Fact checking amendment

Amendment to Rule 3(1)(b)(v) states that intermediaries are obligated to ask their users to not host any content that is, inter alia, “identified as fake or false by the fact check unit at the Press Information Bureau of the Ministry of Information and Broadcasting or other agency authorised by the Central Government for fact checking”.

Read together with Rule 3(1)(c), which gives intermediaries the prerogative to terminate user access to their resources on non-compliance with their rules and regulations, Rule 3(1)(b)(v) essentially affirms the intermediary’s right to remove content that the Central government deems to be ‘fake’. However, in the larger context of the intermediary liability framework of India, where intermediaries found to be not complying with the legal framework of section 79 lose their immunity, provisions such as Rule 3(1)(b)(v) compel intermediaries to actively censor content, on the apprehension of legal sanctions.

In this light, we argue that Rule 3(1)(b)(v) is constitutionally invalid, inasmuch that Article 19(2), which prescribes grounds under which the government restrict the right to free speech, does not permit restricting speech on the ground that it is ostensibly “fake or false”. In addition, the net effect of this rule would be that the government would be the ultimate arbiter of what is considered ‘truth’, and every contradictions to this narrative would be deemed to be false. In a democratic system like India’s, this cannot be a tenable position, and would go against a rich jurisprudence of constitutional history on the need for plurality.

For instance, in Indian Express Newspapers v Union of India, the Supreme Court had held that ‘the freedom of the press rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public.’ Applying this interpretation to the present case, it could be said that the government’s monopoly on directing what constitutes “fake or false” in the online space would prevent citizens from accessing dissenting voices and counterpoints to government policies .

This is problematic when one considers that in the Indian context, freedom of speech and expression has always been valued for its instrumental role in ensuring a healthy democracy, and its power to influence public opinion. In the present case, the government, far from facilitating any such condition, is instead actively indulging in guardianship of the public mind (Sarkar et al, 2019).

Other provisions in the IT Act which permit for censorship of content, including section 69A, permit the government to only do so when content is relatable to grounds enumerated in Article 19(2) of the Constitution. In addition, in the case of Shreya Singhal vs Union of India, where, the constitutionality of section 69A was challenged, the Supreme Court upheld the provision because of the legal safeguards inherent in the provision, including offering a hearing to the originator of the impugned content and reasons for censoring content to be recorded in writing.

In contrast, a fact check by the Press Information Bureau or by another authorised agency provides no such safeguards, and does not relate to any constitutionally recognized ground for restricting speech.

Recommendation

The proposed amendment to Rule 3(1)(b)(v) is unconstitutional, and should be removed from the final draft of the law.

Clarifications are needed for online games rules definitions

The definitions of an "online game" and "online gaming intermediary" are currently extremely unclear and require further clarification.

As the proposed amendments stand, online games are characterised by the user's “deposit with the expectation of earning winnings”. Both deposit and winnings can be “cash” or “in kind", which does not adequately draw a boundary on the type of games this amendment seeks to cover. Can the time invested by the player in playing a game be answered under the “in kind” definition of deposit? If the game provides a virtual in-game currency that can be exchanged for internal power ups, even if there are no cash or gift cards used as payout, is that considered to be an “in kind” winnings? The rules, as currently drafted, are vague in their reference towards “in kind” deposits and payouts.

This definition of online games also does not differentiate between single or multiplayer games, and traditional games like chess which have found an audience online such as Candy Crush (single player), Minecraft (multiplayer collaborative) or chess (traditional). It is unclear whether these games were intended to fall within the purview of these amendments to the rules, and if they are all subjected to the same due diligence requirements as pay-to-play games. This, in conjunction with the proposed rule 6A which allows the Ministry to term any other game as an online game for the purposes of the rules, also provides them with broad, unpredictable powers . This ambiguity hinders clear comprehension of the expectations among the target stakeholders, thus affecting the consistency and predictability of the implementation of the rules.

Similarly, "online gaming intermediaries" are also defined very broadly as "intermediary that offers one or more than one online game". As defined, any intermediary that even hosts a link to a game is classified as an online gaming intermediary since the game is now "offered" through the intermediary. As drafted, there does not seem to be a material distinction between an "intermediary" as defined by the act and "online gaming intermediary" as specified by these rules.

Recommendation

We recommend further clarification on the definitions of these terms, especially for “in kind” and “offers” which are currently extremely vague terms that provide overbroad powers to the Ministry.

Intermediaries and Games

"Online gaming intermediaries" are defined very broadly as "intermediary that offers one or more than one online game". Intermediaries are defined in the Act as "any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message".

According to the media coverage (Barik, 2023) around these amendments, it seems that there is an effort to classify gaming companies as "online gaming intermediaries" but the language of the drafted amendments do not support this. An “intermediary” status is given to a company due to its functional role in primarily offering third party content. It is not a classification for different types of internet companies that exist and thus must not be used to make rules for entities that do not perform this function.

Not all gaming companies present a collection of games for their users to play. According to the drafted definition multiple platforms where games might be present like, an app stores where multiple game developers can publish their games for access by users, a website that lists links to online games, a social media platform that acts as an intermediary between two users exchanging links to games, as well as websites that host games for users to directly access may all be classified as an "online gaming intermediary" since they "offer" games to users. These are a rather broad range of companies and functions to be singularly classified an "online gaming intermediary".

Recommendation

We recommend a thoroughly researched legislative solution to regulating gaming companies that operate online rather than through amendments to intermediary rules. If some companies are indeed to be classified as “online gaming intermediaries”, there is a need for further reasoning on which type of gaming companies and their functions are intermediary functions for the purposes of these Rules.

Comments can be downloaded here

For more details visit https://cis-india.org/internet-governance/blog/comments-to-proposed-amendments-to-it-intermediary-guidelines-and-digital-media-ethics-code-rules

Comments to the Personal Data Protection Bill 2019

Amber Sinha, Elonnai Hickok, Pallavi Bedi, Shweta Mohandas, Tanaya Rajwade — 2020-02-21T10:13:35Z

The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha on December 11, 2019.

Please view our general comments below, or download as PDF here.

Our comments and recommendations can be downloaded as PDF here.

We have also prepared an annotated version of the Bill, where our detailed comments and recommendations can be viewed alongside the Bill, available as PDF here.

General Comments

1. Executive notification cannot abrogate fundamental rights

In 2017, the Supreme Court in K.S. Puttaswamy v Union of India [1] held the right to privacy to be a fundamental right. While this right is subject to reasonable restrictions, the restrictions have to meet a three fold requirement, namely (i) existence of a law; (ii) legitimate state aim; (iii) proportionality.Under the 2018 Bill, the exemption to government agencies for processing of personal data from the provisions of the Bill in the ‘interest of the security of the State’ [2] was subject to a law being passed by Parliament. However, under Clause 35 of the present Bill, the Central Government is merely required to pass a written order exempting the government agency from the provisions of the Bill.Any restriction on the right to privacy will have to comply with the conditions prescribed in Puttaswamy I. An executive order issued by the central government authorising any agency of the government to process personal data does not satisfy the first requirement laid down by the Supreme Court in Puttaswamy I — as it is not a law passed by Parliament. The Supreme Court while deciding upon the validity of Aadhar in K.S. Puttaswamy v Union of India [3] noted that “an executive notification does not satisfy the requirement of a valid law contemplated under Puttaswamy. A valid law in this case would mean a law passed by Parliament, which is just, fair and reasonable. Any encroachment upon the fundamental right cannot be sustained by an executive notification.”

2. Exemptions under Clause 35 do not comply with the legitimacy and proportionality test

The lead judgement in Puttaswamy I while formulating the three fold test held that the restraint on privacy emanate from the procedural and content based mandate of Article 21 [4]. The Supreme Court in Maneka Gandhi v Union India [5] had clearly established that “mere prescription of some kind of procedure cannot ever meet the mandate of Article 21. The procedure prescribed by law has to be fair, just and reasonable, not fanciful, oppressive and arbitrary” [6]. The existence of a law is the first requirement; the second requirement is that of ‘legitimate state aim’. As per the lead judgement this requirement ensures that “the nature and content of the law which imposes the restriction falls within the zone of reasonableness mandated by Article 14, which is a guarantee against arbitrary state action” [7]. It is established that for a provision which confers upon the executive or administrative authority discretionary powers to be regarded as non-arbitrary, the provision should lay down clear and specific guidelines for the executive to exercise the power [8]. The third test to be complied with is that the restriction should be ‘proportionate,’ i.e. the means that are adopted by the legislature are proportional to the object and needs sought to be fulfilled by the law. The Supreme Court in Modern Dental College & Research Centre v State of Madhya Pradesh [9] specified the components of proportionality standards —

A measure restricting a right must have a legitimate goal;
It must be a suitable means of furthering this goal;
There must not be any less restrictive, but equally effective alternative; and
The measure must not have any disproportionate impact on the right holder

Clause 35 provides extensive grounds for the Central Government to exempt any agency from the requirements of the bill but does not specify the procedure to be followed by the agency while processing personal data under this provision. It merely states that the ‘procedure, safeguards and oversight mechanism to be followed’ will be prescribed in the rules.The wide powers conferred on the central government without clearly specifying the procedure may be contrary to the three fold test laid down in Puttaswamy I, as it is difficult to ascertain whether a legitimate or proportionate objective is being fulfilled [10].

3. Limited powers of Data Protection Authority in comparison with the Central Government

In comparison with the last version of the Personal Data Protection Bill, 2018 prepared by the Committee of Experts led by Justice Srikrishna, we witness an abrogation of powers of the Data Protection Authority (Authority), to be created, in this Bill. The powers and functions that were originally intended to be performed by the Authority have now been allocated to the Central Government. For example:

In the 2018 Bill, the Authority had the power to notify further categories of sensitive personal data. Under the present Bill, the Central Government in consultation with the sectoral regulators has been conferred the power to do so.
Under the 2018 Bill, the Authority had the sole power to determine and notify significant data fiduciaries, however, under the present Bill, the Central Government has in consultation with the Authority been given the power to notify social media intermediaries as significant data fiduciaries.

In order to govern data protection effectively, there is a need for a responsive market regulator with a strong mandate and resources. The political nature of the personal data also requires that the governance of data, particularly the rule-making and adjudicatory functions performed by the Authority are independent of the Executive.

4. No clarity on data sandbox

The Bill contemplates a sandbox for “ innovation in artificial intelligence, machine-learning or any other emerging technology in public interest.” A Data Sandbox is a non-operational environment where the analyst can model and manipulate data inside the data management system. Data sandboxes have been envisioned as a secure area where only a copy of the company’s or participant companies’ data is located [11]. In essence, it refers to the scalable and creation platform which can be used to explore an enterprise’s information sets. On the other hand, regulatory sandboxes are controlled environments where firms can introduce innovations to a limited customer base within a relaxed regulatory framework, after which they may be allowed entry into the larger market after meeting certain conditions. This purportedly encourages innovation through the lowering of entry barriers by protecting newer entrants from unnecessary and burdensome regulation. Regulatory sandboxes can be interpreted as a form of responsive regulation by governments that seek to encourage innovation – they allow selected companies to experiment with solutions within an environment that is relatively free of most of the cumbersome regulations that they would ordinarily be subject to, while still subject to some appropriate safeguards and regulatory requirements. Sandboxes are regulatory tools which may be used to permit companies to innovate in the absence of heavy regulatory burdens. However, these ordinarily refer to burdens related to high barriers to entry (such as capital requirements for financial and banking companies), or regulatory costs. In this Bill, however, the relaxing of data protection provisions for data fiduciaries would lead to restrictions of the privacy of individuals. Limitations to a fundamental rights on grounds of ‘fostering innovation’ is not a constitutional tenable position, and contradict the primary objectives of a data protection law.

5. The primacy of ‘harm’ in the Bill ought to be reconsidered

While a harms based approach is necessary for data protection frameworks, such approaches should be restricted to the positive obligations, penal provisions and responsive regulation of the Authority. The Bill does not provide any guidance on either the interpretation of the term ‘harm,’ [12] or on the various activities covered within the definition of the term. Terms such as ‘loss of reputation or humiliation’ ‘any discriminatory treatment’ are a subjective standard and are open to varied interpretations. This ambiguity in the definition will make it difficult for the data principal to demonstrate harm and for the DPA to take necessary action as several provisions are based upon harm being caused or likely to be caused.Some of the significant provisions where ‘harm’ is a precondition for the provision to come into effect are —

Clause 25: Data Fiduciary is required to notify the Authority about the breach of personal data processed by the data fiduciary, if such breach is likely to cause harm to any data principal. The Authority after taking into account the severity of the harm that may be caused to the data principal will determine whether the data principal should be notified about the breach.
Clause 32 (2): A data principal can file a complaint with the data fiduciary for a contravention of any of the provisions of the Act, which has caused or is likely to cause ‘harm’ to the data principal.
Clause 64 (1): A data principal who has suffered harm as a result of any violation of the provision of the Act by a data fiduciary, has the right to seek compensation from the data fiduciary.

Clause 16 (5): The guardian data fiduciary is barred from profiling, tracking or undertaking targeted advertising directed at children and undertaking any other processing of personal data that can cause significant harm to the child.

6. Non personal data should be outside the scope of this Bill

Clause 91 (1) states that the Act does not prevent the Central Government from framing a policy for the digital economy, in so far as such policy does not govern personal data. The Central Government can, in consultation with the Authority, direct any data fiduciary to provide any anonymised personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence based policies in any manner as may be prescribed.It is concerning that the data protection bill has specifically carved out an exception for the Central Government to frame policies for the digital economy and seems to indicate that the government plans to freely use any and all anonymized and/or non-personal data that rests with any data fiduciary that falls under the ambit of the bill to support the digital economy including for its growth, security, integrity, and prevention of misuse. It is unclear how the government, in practice, will be able to compel organizations to share this data. Further, there is a lack of clarity on the contours of the definition of non-personal data and the Bill does not define the term. It is also unclear whether the Central Government can compel the data fiduciary to transfer/share all forms of non-personal data and the rights and obligations of the data fiduciaries and data principals over such forms of data. Anonymised data refers to data which has ‘ irreversibly’ been converted into a form in which the data principal cannot be identified. However, as several instances have shown ‘ irreversible’ anonymisation is not possible. In the United States, the home addresses of taxi drivers were uncovered and in Australia individual health records were mined from anonymised medical bills [13]. In September 2019, the Ministry of Electronics and Information Technology, constituted an expert committee under the chairmanship of Kris Gopalkrishnan to study various issues relating to non-personal data and to deliberate over a data governance framework for the regulation of such data.The provision should be deleted and the scope of the bill should be limited to protection of personal data and to provide a framework for the protection of individual privacy. Until the report of the expert committee is published, the Central Government should not frame any law/regulation on the access and monetisation of non-personal/ anonymised data nor can they create a blanket provision allowing them to request such data from any data fiduciary that falls within the ambit of the bill. If the government wishes to use data resting with a data fiduciary; it must do so on a case to case basis and under formal and legal agreements with each data fiduciary.

7. Steps towards greater decentralisation of power

We propose the following steps towards greater decentralisation of powers and devolved jurisdiction —

Creation of State Data Protection Authorities: A single centralised body may not be the appropriate form of such a regulator. We propose that on the lines of central and state commissions under the Right to Information Act, 2005, state data protection authorities are set up which are in a position to respond to local complaints and exercise jurisdiction over entities within their territorial jurisdictions.
More involvement of industry bodies and civil society actors: In order to lessen the burden on the data protection authorities it is necessary that there is active engagement with industry bodies, sectoral regulators and civil society bodies engaged in privacy research. Currently, the Bill provides for involvement of industry or trade association, association representing the interests of data principals, sectoral regulator or statutory Authority, or an departments or ministries of the Central or State Government in the formulation of codes of practice. However, it would be useful to also have a more active participation of industry associations and civil society bodies in activities such as promoting awareness among data fiduciaries of their obligations under this Act, promoting measures and undertaking research for innovation in the field of protection of personal data.

8. The Authority must be empowered to exercise responsive regulation

In a country like India, the challenge is to move rapidly from a state of little or no data protection law, and consequently an abysmal state of data privacy practices to a strong data protection regulation and a powerful regulator capable of enabling a state of robust data privacy practices. This requires a system of supportive mechanisms to the stakeholders in the data ecosystem, as well as systemic measures which enable the proactive detection of breaches. Further, keeping in mind the limited regulatory capacity in India, there is a need for the Authority to make use of different kinds of inexpensive and innovative strategies.We recommend the following additional powers for the Authority to be clearly spelt out in the Bill —

Informal Guidance: It would be useful for the Authority to set up a mechanism on the lines of the Security and Exchange Board of India (SEBI)’s Informal Guidance Scheme, which enables regulated entities to approach the Authority for non-binding advice on the position of law. Given that this is the first omnibus data protection law in India, and there is very little jurisprudence on the subject from India, it would be extremely useful for regulated entities to get guidance from the regulator.
Power to name and shame: When a DPA makes public the names of organisations that have seriously contravened data protection legislation, this is a practice known as “naming and shaming.” The UK ICO and other DPAs recognise the power of publicity, as evidenced by their willingness to co-operate with the media. The ICO does not simply post monetary penalty notices (MPNs or fines) on its websites for journalists to find, but frequently issues press releases, briefs journalists and uses social media. The ICO’s publicity statement on communicating enforcement activities states that the “ICO aims to get media coverage for enforcement activities.”
Undertakings: The UK ICO has also leveraged the threats of fines into an alternative enforcement mechanism seeking contractual undertakings from data controllers to take certain remedial steps. Undertakings have significant advantages for the regulator. Since an undertaking is a more “co-operative”solution, it is less likely that a data controller will change it. An undertaking is simpler and easier to put in place. Furthermore, the Authority can put an undertaking in place quickly as opposed to legal proceedings which are longer.

9. No clear roadmap for the implementation of the Bill

The 2018 Bill had specified a roadmap for the different provisions of the Bill to come into effect from the date of the Act being notified [14]. It specifically stated the time period within which the Authority had to be established and the subsequent rules and regulations notified.The present Bill does not specify any such blueprint; it does not provide any details on either when the Bill will be notified or the time period within within which the Authority shall be established and specific rules and regulations notified. Considering that 25 provisions have been deferred to rules that have to be framed by the Central Government and a further 19 provisions have been deferred to the regulations to be notified by the Authority the absence and/or delayed notification of such rules and regulations will impact the effective functioning of the Bill.The absence of any sunrise or sunset provision may disincentivise political or industrial will to support or enforce the provisions of the Bill. An example of such a lack of political will was the establishment of the Cyber Appellate Tribunal. The tribunal was established in 2006 to redress cyber fraud. However, it was virtually a defunct body from 2011 onwards when the last chairperson retired. It was eventually merged with the Telecom Dispute Settlement and Appellate Tribunal in 2017.We recommend that Bill clearly lays out a time period for the implementation of the different provisions of the Bill, especially a time frame for the establishment of the Authority. This is important to give full and effective effect to the right of privacy of the
individual. It is also important to ensure that individuals have an effective mechanism to enforce the right and seek recourse in case of any breach of obligations by the data fiduciaries.For offences, we suggest a system of mail boxing where provisions and punishments are enforced in a staggered manner, for a period till the fiduciaries are aligned with the provisions of the Act. The Authority must ensure that data principals and fiduciaries have sufficient awareness of the provisions of this Bill before bringing the provisions for punishment are brought into force. This will allow the data fiduciaries to align their practices with the provisions of this new legislation and the Authority will also have time to define and determine certain provisions that the Bill has left the Authority to define. Additionally enforcing penalties for offences initially must be in a staggered process, combined with provisions such as warnings, in order to allow first time and mistaken offenders from paying a high price. This will relieve the fear of smaller companies and startups who might fear processing data for the fear of paying penalties for offences.

10. Lack of interoperability

In its current form, a number of the provisions in the Bill will make it difficult for India’s framework to be interoperable with other frameworks globally and in the region. For example, differences between the draft Bill and the GDPR can be found in the grounds for processing, data localization frameworks, the framework for cross border transfers, definitions of sensitive personal data, inclusion of the undefined category of ‘critical data’, and the roles of the authority and the central government.

11. Legal Uncertainty

In its current structure, there are a number of provisions in the Bill that, when implemented, run the risk of creating an environment of legal uncertainty. These include: lack of definition of critical data, lack of clarity in the interpretation of the terms ‘harm’ and ‘significant harm’, ability of the government to define further categories of sensitive personal data, inclusion of requirements for ‘social media intermediaries’, inclusion of ‘non-personal data’, framing of the requirements for data transfers, bar on processing of certain forms of biometric data as defined by the Central Government, the functioning between a consent manager and another data fiduciary, the inclusion of an AI sandbox and the definition of state. To ensure the greatest amount of protection of individual privacy rights and the protection of personal data while also enabling innovation, it is important that any data protection framework is structured and drafted in a way to provide as much legal certainty as possible.

Endnotes

1. (2017) 10 SCC 641 (“Puttaswamy I”).

2. Clause 42(1) of the 2018 Bill states that “Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to such interests being achieved.”

3. (2019) 1 SCC 1 (“Puttaswamy II”)

4. Puttaswamy I, supra, para 180.

5. (1978) 1 SCC 248.

6. Ibid para 48.

7. Puttaswamy I supra para 180.

8. State of W.B. v. Anwar Ali Sarkar, 1952 SCR 284; Satwant Singh Sawhney v A.P.O AIR 1967 SC1836.

9. (2016)7 SCC 353.

10. Dvara Research “Initial Comments of Dvara Research dated 16 January 2020 on the Personal Data Protection Bill, 2019 introduced in Lok Sabha on 11 December 2019”, January 2020, https://www.dvara.com/blog/2020/01/17/our-initial-comments-on-the-personal-data-protection-bill-2019/ (“Dvara Research”).

11. “A Data Sandbox for Your Company”, Terrific Data, last accessed on January 31, 2019, http://terrificdata.com/2016/12/02/3221/.

12. Clause 3(20) — “harm” includes (i) bodily or mental injury; (ii) loss, distortion or theft of identity; (ii) financial loss or loss of property; (iv) loss of reputation or humiliation; (v) loss of employment; (vi) any discriminatory treatment; (vii) any subjection to blackmail or extortion; (viii) any denial or withdrawal of service,benefit or good resulting from an evaluative decision about the data principal; (ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or (x) any observation or surveillance that is not reasonably expected by the data principal.

13. Alex Hern “Anonymised data can never be totally anonymous, says study”, July 23, 2019 https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds.

14. Clause 97 of the 2018 Bill states“(1) For the purposes of this Chapter, the term ‘notified date’ refers to the date notified by the Central Government under sub-section (3) of section 1. (2)The notified date shall be any date within twelve months from the date of enactment of this Act. (3)The following provisions shall come into force on the notified date-(a) Chapter X; (b) Section 107; and (c) Section 108. (4)The Central Government shall, no later than three months from the notified date establish the Authority. (5)The Authority shall, no later than twelve months from the notified date notify the grounds of processing of personal data in respect of the activities listed in sub-section (2) of section 17. (6)The Authority shall no, later than twelve months from the date notified date issue codes of practice on the following matters-(a) notice under section 8; (b) data quality under section 9; (c) storage limitation under section 10; (d) processing of personal data under Chapter III; (e) processing of sensitive personal data under Chapter IV; (f ) security safeguards under section 31; (g) research purposes under section 45; (h) exercise of data principal rights under Chapter VI; (i) methods of de-identification and anonymisation; (j) transparency and accountability measures under Chapter VII. (7)Section 40 shall come into force on such date as is notified by the Central Government for the purpose of that section.(8)The remaining provision of the Act shall come into force eighteen months from the notified date.”

For more details visit https://cis-india.org/internet-governance/blog/comments-to-the-personal-data-protection-bill-2019

Comments to the ID4D Practitioners’ Guide

Yesha Tshering Paul, Prakriti Singh, and Amber Sinha — 2019-08-08T10:25:13Z

This post presents our comments to the ID4D Practitioners’ Guide: Draft For Consultation released by ID4D in June, 2019. CIS has conducted research on issues related to digital identity since 2012. This submission is divided into three main parts. The first part (General Comments) contains the high-level comments on the Practitioners’ Guide, while the second part (Specific Comments) addresses individual sections in the Guide. The third and final part (Additional Comments) does not relate to particulars in the Practitioners' Guide but other documents that it relies upon. We submitted these comments to ID4D on August 5, 2019. Read our comments here.

For more details visit https://cis-india.org/internet-governance/blog/comments-to-the-id4d-practitioners2019-guide

Comments to the Draft National Health Data Management Policy 2.0

Anamika Kundu, Shweta Mohandas and Pallavi Bedi — 2022-05-24T16:06:15Z

Anamika Kundu, Shweta Mohandas and Pallavi Bedi along with 9 other organizations / individuals drafted comments to the Draft National Health Data Management Policy 2.0.

This is a joint submission on behalf of (i) Access Now, (ii) Article 21, (iii) Centre for New Economic Studies, (iv) Center for Internet and Society, (v) Internet Freedom Foundation, (vi) Centre for Justice, Law and Society at Jindal Global Law School, (vii) Priyam Lizmary Cherian, Advocate, High Court of Delhi (ix) Swasti-Health Catalyst, (x) Population Fund of India.

At the outset, we would like to thank the National Health Authority (NHA) for inviting public comments on the draft version of the National Health Data Management Policy 2.0 (NDHMPolicy 2.0) (Policy) We have not provided comments to each section/clause, but have instead highlighted specific broad concerns which we believe are essential to be addressed prior tothe launch of NDHM Policy 2.0.

Read on to view the full submission here

For more details visit https://cis-india.org/internet-governance/blog/comments-to-the-draft-national-health-data-management-policy-2.0

Comments to the draft Motor Vehicle Aggregators Scheme, 2021

Chiara Furtado, Aayush Rathi and Abhishek Sekharan — 2022-04-01T15:25:06Z

This submission presents a response by researchers at the Centre for Internet and Society, India (CIS) to the draft Motor Vehicle Aggregators Scheme, 2021 published by the Transport Department, Government of National Capital Territory of Delhi, (hereafter “draft Scheme”).

CIS, established in Bengaluru in 2008 as a non-profit organisation, undertakes interdisciplinary research on internet and digital technologies from public policy andacademic perspectives. Through its diverse initiatives, CIS explores, intervenes in, and advances contemporary discourse and regulatory practices around internet, technology,and society in India, and elsewhere.

CIS is grateful for the opportunity to submit its comments to the draft Scheme. Please find below our thematically organised comments.

Click here to read more.

For more details visit https://cis-india.org/internet-governance/blog/comments-to-the-draft-motor-vehicle-aggregators-scheme-2021

Comments to the Draft Digital Competition Bill, 2024

Abhineet Nayyar, Isha Suri, and Pallavi Bedi (in alphabetical order) — 2024-06-11T10:13:22Z

This submission is a response by researchers at the Centre for Internet and Society India (CIS) to the draft Digital Competition Bill, 2024, published by the Committee on Digital Competition Law (CDCL), Ministry of Corporate Affairs (MCA), (hereafter “draft DCB” or “draft Bill”).

We would like to thank the Ministry of Corporate Affairs for soliciting public comments on this important legislation and are grateful for this opportunity.

At the outset, CIS affirms the Committee’s approach to transition from a predominantly ex-post to an ex-ante approach for regulating competition in digital markets. The Committee’s assessment of the ex-post regime being too time-consuming for the digital domain has been substantiated by frequent and expensive delays in antitrust disputes, a fact that has also recently drawn the attention of the Ministry of Corporate Affairs. And not just in India, the ex-post regime has been found to be too time-consuming in other jurisdictions as well, as a consequence of which many other countries are also moving towards an ex-post regime for digital markets. This also allows India to be in harmony with both developing and developed countries, which makes regulating global competition more consistent and efficient. In fact, “international cooperation between competition authorities” and “greater coherence between regulatory frameworks” are key in facilitating global investigations and lowering the cost of doing business.

Moreover, by adopting a principles-based approach to designing the law’s obligations, the draft Bill also addresses the concern that ex-ante regulations, due to their prescriptive nature, tend to be sector-agnostic. The fact that these principles are based on the findings of the Parliamentary Standing Committee’s (PSC) Report on ‘Anti-Competitive Practices by Big Tech Companies’ only lends them more evidence. The draft DCB empowers the Commission to clarify the Obligations for different services, and also provides CCI with the flexibility to undertake independent consultations to accommodate varying contexts and the needs of different core digital services. We do, however, have specific comments regarding implementing some of these provisions, which are elaborated in the accompanying document.

We would also like to emphasise that adequate enforcement of an ex-ante approach requires bolstering and strengthening regulatory capacity. Therefore, to minimise risks relating to underenforcement as well as overenforcement, CCI, its Digital Markets and Data Unit (DMDU), and the Director General’s (DG) office will have to substantially increase their technical capacity. A comparison of CCI’s current strength with its global counterparts that have adopted or are in the process of adopting an ex-ante approach to competition regulation reveals a stark picture. For example, the European Union (EU) had over 870 people in its DG COMP unit in 2022, and its DG CONNECT unit is expected to hire another 100 people in 2024 alone. Similarly, the United Kingdom’s Competition and Markets Authority (CMA) has a permanent staff of 800+, the Japan Fair Trade Commission (JTFC) has about 400 officials just for regulating anti-competitive conduct, and South Korea’s KFTC has about 600 employees. In contrast, CCI and DG, combined, have a sanctioned strength of only 195 posts, out of which 71 remain vacant. Bridging this capacity gap through frequent and high-quality recruitment is, therefore, the need of the hour. Most importantly, there is a need to create a culture of interdisciplinary coordination among legal, technical, and economic domains.

Moreover, as we come to rely on an increasingly digitised economy, most technology companies will work with critical technology components such as key infrastructure, algorithms, and Artificial Intelligence to business models that are based on data collection and processing practices. Consequently, there will be a need to bolster CCI’s capacity in the technical domain by hiring and integrating new roles including technologists, software and hardware engineers, product managers, UX designers, data scientists, investigative researchers, and subject matter experts dealing with new and emerging areas of technology.21 Therefore, we recommend CCI to ensure that the proposed DMDU has the requisite diversity of skills to effectively use existing tools for enforcement and is also able to keep pace with new and emerging technological developments.

Along with this overall observation of CCI's capacity, we have also submitted detailed comments on specific clauses of the draft DCB. These submissions are structured across the following six categories: i) Classification of Core Digital Services; ii) Designation of a Systemically Significant Digital Enterprise (SSDE) and Associate Digital Enterprise (ADE); iii) Obligations on SSDEs and ADEs; iv) Powers of the Commission to Conduct an Inquiry; v) Penalties and Appeals; and vi) Powers of the Central Government. In addition to these suggestions, the detailed comments and their summarised version focus on three important gaps in the draft DCB – limited representation from workers’ groups and MSMEs, exclusion of merger and acquisition (M&A) from the discussions, and lack of a formalised framework for interregulatory coordination.

For our full comments, click here

For a detailed summary of our comments, click here

For more details visit https://cis-india.org/internet-governance/blog/comments-to-the-draft-digital-competition-bill

Comments to the draft amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

Anamika Kundu, Digvijay Chaudhary, Divyansha Sehgal, Isha Suri and Torsha Sarkar — 2022-07-07T02:39:28Z

The Centre for Internet & Society (CIS) presented its comments on the draft amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (‘the rules’), which were released on 6 June, 2022 for public comments.

These comments examine whether the proposed amendments are in adherence to established principles of constitutional law, intermediary liability and other relevant legal doctrines. We thank the Ministry of Electronics and Information Technology (MEITY) for allowing us this opportunity. Our comments are divided into two parts. In the first part, we reiterate some of our comments to the existing version of the rules, which we believe holds relevance for the proposed amendments as well. And in the second part, we provide issue-wise comments that we believe need to be addressed prior to finalising the amendments to the rules.

To access the full text of the Comments to the draft amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, click here

For more details visit https://cis-india.org/internet-governance/blog/comments-to-draft-amendments-to-the-it-rules-2021

Comments to the Code on Social Security, 2019

Aayush Rathi , Amruta Mahuli and Ambika Tandon — 2019-10-27T03:57:15Z

This submission presents a response by researchers at the Centre for Internet & Society, India (CIS) to the draft Code on Social Security, 2019 (hereinafter “ Draft Code ”) prepared by the Government of India’s Ministry of Labour and Employment.

CIS is an 11-year old non-profit organisation that undertakes interdisciplinary research oninternet and digital technologies from policy and academic perspectives. Through itsdiverse initiatives, CIS explores, intervenes in, and advances contemporary discourse andregulatory practices around internet, technology, and society in India, and elsewhere.Current focus areas include cybersecurity, privacy, freedom of speech and artificialintelligence. CIS is also producing research at the intersection of labour, gender andtechnology.

CIS is grateful for the opportunity to put forth its views and comments. Our comments are captured in the prescribed format in the table, click here to view the full comments.

For more details visit https://cis-india.org/internet-governance/blog/aayush-rathi-ambika-tandon-amruta-mahuli-october-25-2019-comments-to-code-on-social-security

Comments to the BIS on Smart Cities Indicators

Elonnai Hickok, Rohini Lakshané and Udbhav Tiwari — 2016-12-11T07:56:16Z

The Bureau of Indian Standards released the Smart Cities - Indicator on 30 September 2016. The Centre for Internet & Society (CIS) presented its views.

View the PDF

Name of the Commentator/ Organisation: The Centre for Internet and Society, India^[1]

PRELIMINARY

This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Smart Cities - Indicators (dated 30 September 2016), released by the Bureau of Indian Standards (“BIS”).
CIS is thankful for the opportunity to put forth its views.
This submission is divided into three main parts. The first part, ‘Preliminary’, introduces the document; the second part, ‘About CIS’, is an overview of the organization; and, the third part contains the ‘Comments’.

ABOUT CIS

CIS is a non-profit organisation^{^[2]} that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, freedom of speech and expression, intermediary liability, digital privacy, and cybersecurity.
CIS values the fundamental principles of justice, equality, freedom and economic development. This submission is consistent with CIS' commitment to these values, the safeguarding of general public interest and the protection of India's national interest at the international level. Accordingly, the comments in this submission aim to further these principles.

III. Comments

Clause/ Para/ Table/ Figure No. commented	Comments/Modified Wordings	Justification of Proposed Change
General Comment	The indicators could generally utilize more of smart data, from both analog and digital sources, to better reflect the performance of various	Using technology to gather information rather than limiting its scope to existing mostly non-digital sources of data. There is a lot of potential information,

	indicators.	already collected, that simply goes unused or underutilized. Principled use of such information to make informed decisions on key aspects of urban development will lead to ‘truly’ smart cities. Further, the indicators should include actionable aspects and include avenues to leverage research to better their performance. Moreover, indicators that allow for audits for rights and transparency should be focused on as core indicators.
General Comment	Indicators are limited in scope to basic sustainability.	The indicators in their current form restrict themselves to sustainability, focused on basic sustenance, which seems to limit the scope of the Smart Cities project. Having a core set of indicators that is more relevant to India but also have an optional, more ambitious set of indicators for cities to become truly advanced and for the standard to be more dynamic. Encourage them by leveraging technology in a sustainable, human welfare and development-oriented approach, which the indicators can inculcate. Further, policy pivots being driven by these indicators could be given to make the decision making in smart cities more transparent and accountable.
Economy	Granularity of information pertaining to macro-level economic indicators	All the indicators in the Economic section pertain to macro-level standards/ indicators. Their limitation is that they provide very little information about the diversity of the economy of a city, the factors responsible for positive or negative effects and offer no real way to encourage microeconomic changes that can lead to the improvement of the economic condition of a city, aided by modern technology. Example indicators could be: average GDP of districts within a city, and total number of operating businesses and merchants in sub-localities in the city. All of this data can also be used to drive micro policies to enable localized development.

Education	Include data at city-level and indicators for higher education.	The indicators measured in the Education section only look at city level information about schools, ignoring district and even school level information already recorded and present in the system. Teacher and student attendance rates, level of basic infrastructure present in schools, presence of toilets for both genders, provisions for meals, etc. are some of the parameters that can be included in the indicator list. Further, the list completely excludes college education (both degree and diploma level) as a relevant indicator, nor does it include indicators for the average education of the population of the city, both of which can be easily measured using census data.

		Further, data that allows for a holistic decision making process - poverty levels, distance to schools, transportation levels, access to higher learning, etc. can also be used as supporting indicators. These could come from studies already done that call out the factors.
5. Education 5.1, 5.2, 5.3, 5.5	Include gender-specific indicators for students completing primary education, secondary education, and higher education, and enrolled in education institutions. Change the term “survival rate” to “retention rate”.	Indicators for the “survival rate” (may be better represented as retention rate) of students who identify as female or transgender in schools and universities, and enrollment of school-aged and college-aged girls, women and transgender students would help work towards an inclusive smart city.
Energy	Better utilisation of data from digital electricity meters.	The advent of digital meters allows for home/business level capturing of energy usage. This information can be leveraged to better target energy leaks, theft, repair work, pricing and even renewable energy incentives.
Finance	Indicators for digital and cashless payment and transaction systems.	The strong push by the government towards digital payments could also be reflected on the list of indicators, such as the “number of establishments accepting (and not accepting) digital payment systems” being a supporting indicator. Similar standards can be extended to include microfinance (number of avenues available for lending, successful payback of loans, et cetera.)

Governance	Recommended inclusion of indicators pertaining to the Right to Information Act, 2005	The number of requests made under the Right to Information Act, 2005, and the time taken by the responding office to reply to them (in terms of the number of days) by the government offices in the city as a relevant factor to gauge transparency and accountability of the governance structures. The same can also be extended to map the parliamentary performance of the elected officials from the city at the state and national level, especially for the interests of the city. Parliamentary performance here would mean attendance records, number of question raised, resources spent on constituency development, et cetera.
10. Governance 10.2, 10.3, 10.6	Indicators for the number of women and transgenders elected to public office in the city, employed in the government workforce in the city in reserved positions. Indicators for women and transgendered voters registered as a percentage of the voting-age population.	In the interest of inclusive smart cities, this indicator would help fathom if positions reserved for women and transgenders are filled out and the possible reasons, if any, for some of them going vacant.The number of women and transgender voters would help track the participation of women and transgendered voters in democracy. Further, inclusion of indicators that check voter fraud, political participation levels and technologies that enable secure voter participation and involvement would also be beneficial.
Health	“Cost of basic health services” and number of healthcare facilities as a supporting indicator.	The cost, quality and access of public primary healthcare services, which can be easily measured using digital systems, should also be included in the overall scheme as a supporting indicator.

Recreation	“Utilisation of public spaces” as a supporting indicator.	Information about the utilisation of public spaces, such as parks and grounds. can be included as a supporting indicator. Relevant information could footfalls per month or year, number of public events held at these locations, et cetera. Most of this information is already present via figures for ticket sales while the rest could be collected using digital attendance systems. Other supporting indicators could include green space per resident, play area/park space per child, quality of the public space - (lack of garbage, sewage, etc).
Safety	“Overall crime reporting statistics”as a core indicator.	The overall incidence rates of various crimes reported, crimes solved, and data regarding investigations (such as mapping of the crime to a map, number of FIR's filed, not filed, outcomes of investigations, etc.) should all be included as core indicators to better gauge the safety record of the city.
Safety 13.3	Include “crimes carried out using technology or the Internet, as per the Criminal Procedure Code and Information Technology Act, 2008 (Amended)”.	This indicator will expand the scope of crimes against women to include acts of crime carried out using the Internet as well.
Safety 13.4	Include “Response time of the police department from the initial call in instances of crimes against women”	This would include crimes against women as defined in 13.3. This indicator gives more granular information about safety in general and women’s safety in particular, and of the perception of certain kinds of crimes not being serious enough for the police to respond to.

Shelter	Expansion of indicators to include per capita living space, basic amenities within the houses.	The scope of shelter should be expanded to include per capita living space in housing units as well as availability of basic home amenities to provide a more wholesome view of the living situation in a city. Some basic amenities that could be included are electricity uptime, water distribution (in liters/ per household), number of residents in the household, kind of house roofing, etc.
Telecommunication and Innovation	Inclusion of indicators on mobile phone usage, mobile network connectivity and computer literacy.	There are no indicators for mobile phone usage and computer literacy, both of which are essential for the healthy functioning of any city. Indicators to gauge this could include number of mobile phone users, number of (active) mobile connections, number of computer literate people, etc. Similar indicators should also be included for cellphone network coverage, public WiFi connectivity and digital public service provisions as well. Indicators for the same could be number of neighbourhoods/ localities/ suburbs covered by 2G/3G/4G/ 5G out of the total number in city, total number of Public WiFi spots per unit area, etc.
Transportation	Inclusion of indicators for efficiency, sustainability and planning of city-level transportation.	The current set of indicators do not include indicators to measure the efficiency, fuel consumption, sustainability and reach of public transport, especially in the outskirts or suburban areas. These can be included as supporting indicators: the number of GPS-connected public transport vehicles to the total number, number of vehicles equipped with panic buttons, quantum of vehicles in the city using renewable energy sources as fuel, automation of toll booths, automation of points where traffic offences can be logged (e.g illegal honking) or overspeeding.

Urban Planning	Digital information, such as geospatial data, remote sensing and digital mapping can be used to provide better and more sustainable core indicators.	Geo-spatial information (from surveys and satellites) can be utilised to provide macro-level data that can then be utilised to factor city expansions, illegal structures, suburban development, etc. Digital mapping and remote sensing capabilities can be leveraged to provide this information and the utilisation of such information in city development can be made a supporting indicator.
Sewerage and Sanitation	Indicators governing community hygiene and sanitation.	Information about covered toilets per capita of the population, sewage treatment plants, etc. are either absent or too vaguely detailed in the current set of indicators, despite the push from the government towards the Swachh Bharat programme. They should be included as Core Indicators to encourage sanitation at a citizen level.
Water Supply	Indicators for digital measurement of water consumption per capita and at the city-level.	Digital water meters are starting to become pervasive and can provide detailed information about water consumption at a household level that was previously unavailable in city planning. A supporting indicator at a minimum can be included to further bolster information aware governance in the field.

[1] This submission is authored, in alphabetical order, by Elonnai Hickok (elonnai@cis-india.org), Rohini Lakshané (rohini@cis-india.org) and Udbhav Tiwari (udbhav@cis-india.org) on behalf of the Centre for Internet and Society, India.

[2] See The Centre for Internet and Society,available at http://cisindia.org for details of the organization, and our work.

For more details visit https://cis-india.org/internet-governance/blog/comments-to-bis-on-smart-cities-indicators

Comments to National Digital Health Mission: Health Data Management Policy

Shweta Mohandas, Pallavi Bedi, Shweta Reddy, and Saumyaa Naidu — 2020-10-05T15:56:51Z

CIS has submitted comments to the National Health Data Management Policy. We welcome the opportunity provided to our comments on the Policy and we hope that the final Policy will consider the interests of all the stakeholders to ensure that it protects the privacy of the individual while encouraging a digital health ecosystem.

Read the full set of comments here.

For more details visit https://cis-india.org/internet-governance/blog/comments-to-national-digital-health-mission-health-data-management-policy

Comments to ICANN Supporting the DNS Industry in Underserved Regions

jyoti — 2014-07-04T06:48:36Z

Towards exploring ideas and strategies to help promote the domain name industry in regions that have typically been underserved, ICANN published a call for public comments on May 14, 2014. In particular, ICANN sought comments related to existing barriers to Registrar Accreditation and operation and suggestions on how these challenges might be mitigated. CIS contributed to the comments on this report, which will be used to determine next steps to support the domain name industry in underserved regions.

Domain names and the DNS are used in virtually every aspect of the Internet, and without the DNS, the Internet as we know it, would not exist. The DNS root zone has economic value and ICANN's contract with Verisign delineates the selling of domain names via only ICANN accredited registrars. By the indirect virtue of its control of the root, ICANN has the power and capacity to influence the decisions of entities involved in the management and operations of the DNS, including registrars.

Too far, too many?

We acknowledge some of the efforts for improvements, in particular with reference to barriers to participation in DNS-related business in regions such as Africa and the Middle East, including the creation of a fellowship program, and increased availability of translated materials. However, despite these efforts, the gaps in the distribution of the DNS registrars and registries across the world has become an issue of heightened concern.

This is particularly true, in light of the distribution of registrars and given that, of the 1124 ICANN-accredited registrars, North America has a total of 765 registrars. US and Canada together, have more than double the number of registrars than the rest of the world taken collectively. To put things further into perspective, of the total number of registrars 725 are from the United States alone, and 7 from the 54 countries of Africa.

A barrier to ICANN's capacity building initiatives has been the lack of trust, given the general view that, ICANN focuses on policies that favour entrenched incumbents from richer countries. Without adequate representation from poorer countries, and adequate representation from the rest of the world's Internet population, there is no hope of changing these policies or establishing trust. The entire region of Latin America and the Caribbean, comprising of a population of 542.4 million internet users[1] in 2012, has only 22 registrars spread across a total of 10 countries. In Europe, covering a population of 518.5 million internet users[2], are 158 registrars and 94 of those are spread across Germany, UK, France, Spain and Netherlands. The figures paint the most dismal picture with respect to South Asia, in particular India, where just 16 registrars cater to the population of internet users that is expected to reach 243 million by June 2014[3].

While we welcome ICANN's research and outreach initiatives with regard to the DNS ecosystem in underserved regions, without the crucial first step of clarifying the metrics that constitute an underserved region, these efforts might not bear their intended impact. ICANN cannot hope to identify strategies towards bridging the gaps that exist in the DNS ecosystem, without going beyond the current ICANN community, which, while nominally being 'multistakeholder' and open to all, grossly under-represents those parts of the world that aren't North America and Western Europe.

The lack of registries in the developing world is another significant issue that needs to be highlighted and addressed. The top 5 gTLD registries are in the USA and it is important that users and the community feels that the fees being collected are equivalent compensation for the services they provide. As registries operate in captive markets that is allocated by ICANN, we invite ICANN to improve its financial accountability, by enabling its stakeholders to assess the finances collected on these registrations.

Multistakeholderism—community and consensus

As an organization that holds itself a champion of the bottom-up policy development process, and, as a private corporation fulfilling a public interest function, ICANN, is in a unique position to establish new norms of managing common resources. In theory and under ICANN’s extensive governance rules, the board is a legislative body that is only supposed to approve the consensus decisions of the community and the staff wield executive control. However in reality, both board and the staff have been criticised for decisions that are not backed by the community.

The formal negotiations between ICANN and Registrar Stakeholder Group Negotiating Team (Registrar NT) over the new Registrar Accreditation Agreement (RAA), is an example of processes that have a multistakeholder approach but fail on values of deliberation and pluralistic decision making.[4] ICANN staff insisted on including a "proposed Revocation (or "blow up") Clause that would have given them the ability to unilaterally terminate all registrar accreditations" and another proposal seeking to provide ICANN Board ability to unilaterally amend the RAA (identical to proposal inserted in the gTLD registry agreement - a clause met with strong opposition not only from the Registry Stakeholder Group but from the broader ICANN community).

Both proposals undermine the multistakeholder approach of the ICANN governance framework, as they seek more authority for the Board, rather than the community or protections for registrars and more importantly, registrants. The proposed amendments to the RAA were not issues raised by Law Enforcement, GAC or the GNSO but by the ICANN staff and received considerable pushback from the Registrar Stakeholder Group Negotiating Team (Registrar NT). The bottom-up policy making process at ICANN has also been questioned with reference to the ruling on vertical integration between registries and registrars, where the community could not even approach consensus.[5] Concerns have also been raised about the extent of the power granted to special advisory bodies handpicked by the ICANN president, the inadequacy of existing accountability mechanisms for providing a meaningful and external check on Board decisions and the lack of representation of underserved regions on these special bodies. ICANN must evolve its accountability mechanisms, to go beyond the opportunity to provide comments on proposed policy, and extend to a role for stakeholders in decision making, which is presently a privilege reserved for staff rather than bottom-up consensus.

ICANN was created as a consensus based organisation that would enable the Internet, its stakeholders and beneficiaries to move forward in the most streamlined, cohesive manner.[6] Through its management of the DNS, ICANN is undertaking public governance duties, and it is crucial that it upholds the democratic values entrenched in the multistakeholder framework. Bottom up policy making extends beyond passive participation and has an impact on the direction of the policy. Presently, while anyone can comment on policy issues, only a few have a say in which comments are integrated towards outcomes and action. We would like to stress not just improving and introducing checks and balances within the ICANN ecosystem, but also, integrating accountability and transparency practices at all levels of decision making.

Bridging the gap

We welcome the Africa Strategy working group and the public community process that was initiated by ICANN towards building domain name business industry in Africa, and, we are sure there will be lessons that will applicable to many other underserved regions. In the context of this report CIS, wants to examine the existing criteria of the accreditation process. As ICANN's role evolves and its revenues grow across the DNS and the larger Internet landscape, it is important in our view, that ICANN review and evolve it's processes for accreditation and see if they are as relevant today, as they were when launched.

The relationship between ICANN and every accredited registrar is governed by the individual RAA, which set out the obligations of both parties, and, we recommend simplifying and improving them. The RAA language is complex, technical and not relevant to all regions and presently, there are no online forms for the accreditation process. While ICANN's language will be English, the present framing has an American bias—we recommend—creating an online application process and simplifying the language keeping it contextual to the region. It would also be helpful, if ICANN invested in introducing some amount of standardization across forms, this would reduce the barrier of time and effort it takes to go through complex legal documents and contribute to the growth of DNS business.

The existing accreditation process for registrars requires applicants to procure US$70,000 or more for the ICANN accreditation to become effective. The applicants are also required to obtain and maintain for the length of accreditation process, a commercial general liability insurance with a policy limit of US$500,000 or more. The working capital and the insurance are quite high and create a barrier to entrance of underserved regions in the DNS ecosystem.

With lack of appropriate mechanisms registrars resort to using US companies for insurance, creating more foreign currency pressures on themselves. The commercial general liability insurance requirement for the registrars is not limited to their functioning as a registrar perhaps not the most appropriate option. ICANN should, and must, increase efforts towards helping registrars find suitable insurance providers and scaling down the working capital. Solutions may lie in exploring variable fee structures adjusted against profits, and derived after considering factors such as cost of managing domain names and sub-domain names, expansion needs, ICANN obligations and services, financial capacities of LDCs and financial help pledged to disadvantaged groups or countries.

Presently, the start-up capital required is too high for developing countries, and this is reflected in the number of registries in these areas. Any efforts to improve the DNS ecosystem in underserved regions, must tackle this by scaling down the capital in proportion to the requirements of the region.

Another potential issue that ICANN should consider, is that users getting sub-domain names from local registrars located in their own country, are usually taxed on the transaction, however, online registration through US registrars spares users from paying taxes in their country.[7] This could create a reverse incentive for registering domain sub-names online from US registrars. ICANN should push forward on efforts to ensure that registrars are sustainable by providing incentives for registering in underserved regions and help towards maintain critical mass of the registrants. The Business Constituency (BC)—the voice of commercial Internet users within ICANN, could play a role in this and ICANN should endeavour to either, expand the BC function or create a separate constituency for the representation of underserved regions.

[1] Internet Users and Population stats 2012. http://www.internetworldstats.com/stats2.htm

[2] Internet Users and Population stats 2012. http://www.internetworldstats.com/stats4.htm

[3] Times of India IAMAI Report. http://timesofindia.indiatimes.com/tech/tech-news/India-to-have-243-million-internet-users-by-June-2014-IAMAI/articleshow/29563698.cms

[4] Mar/07/2013 - Registrar Stakeholder Group Negotiating Team (Registrar NT) Statement Regarding ICANN RAA Negotiations.http://www.icannregistrars.org/calendar/announcements.php

[5] Kevin Murphy, Who runs the internet? An ICANN 49 primer. http://domainincite.com/16177-who-runs-the-internet-an-icann-49-primer

[6] Stephen Ryan, Governing Cyberspace: ICANN, a Controversial Internet Standards Body http://www.fed-soc.org/publications/detail/governing-cyberspace-icann-a-controversial-internet-standards-body

[7] Open Root-Financing LDCs in the WSIS process. See: http://www.open-root.eu/about-open-root/news/financing-ldcs-in-the-wsis-process

For more details visit https://cis-india.org/internet-governance/blog/cis-comments-supporting-the-dns-industry-in-underserved-regions

Comments on the Zero Draft of the UN General Assembly’s Overall Review of the Implementation of WSIS Outcomes (WSIS+10)

geetha — 2015-10-16T02:44:16Z

On 9 October 2015, the Zero Draft of the UN General Assembly's Overall Review of implementation of WSIS Outcomes was released. Comments were sought on the Zero Draft from diverse stakeholders. The Centre for Internet & Society's response to the call for comments is below.

These comments were prepared by Geetha Hariharan with inputs from Sumandro Chattapadhyay, Pranesh Prakash, Sunil Abraham, Japreet Grewal and Nehaa Chaudhari. Download the comments here.

The Zero Draft of the UN General Assembly’s Overall Review of the Implementation of WSIS Outcomes (“Zero Draft”) is divided into three sections: (A) ICT for Development; (B) Internet Governance; (C) Implementation and Follow-up. CIS’ comments follow the same structure.
The Zero Draft is a commendable document, covering crucial areas of growth and challenges surrounding the WSIS. The Zero Draft makes detailed references to development-related challenges, noting the persistent digital divide, the importance of universal access, innovation and investment, and of enabling legal and regulatory environments conducive to the same. It also takes note of financial mechanisms, without which principles would remain toothless. Issues surrounding Internet governance, particularly net neutrality, privacy and the continuation of the IGF are included in the Zero Draft.
However, we believe that references to these issues are inadequate to make progress on existing challenges. Issues surrounding ICT for Development and Internet Governance have scarcely changed in the past ten years. Though we may laud the progress so far achieved, universal access and connectivity, the digital divide, insufficient funding, diverse and conflicting legal systems surrounding the Internet, the gender divide and online harassment persist. Moreover, the working of the IGF and the process of Enhanced Cooperation, both laid down with great anticipation in the Tunis Agenda, have been found wanting.
These need to be addressed more clearly and strongly in the Zero Draft. In light of these shortcomings, we suggest the following changes to the Zero Draft, in the hope that they are accepted.
A. ICT for Development
Paragraphs 16-21 elaborate upon the digital divide – both the progresses made and challenges. While the Zero Draft recognizes the disparities in access to the Internet among countries, between men and women, and of the languages of Internet content, it fails to attend to two issues.
First, accessibility for persons with disabilities continues to be an immense challenge. Since the mandate of the WSIS involves universal access and the bridging of the digital divide, it is necessary that the Zero Draft take note of this continuing challenge.
We suggest the insertion of Para 20A after Para 20:
“20A. We draw attention also to the digital divide adversely affecting the accessibility of persons with disabilities. We call on all stakeholders to take immediate measures to ensure accessibility for persons with disabilities by 2020, and to enhance their capacity and access to ICTs.”
Second, while the digital divide among the consumers of ICTs has decreased since 2003-2005, the digital production divide goes unmentioned. The developing world continues to have fewer producers of technology compared to their sheer concentration in the developed world – so much so that countries like India are currently pushing for foreign investment through missions like ‘Digital India’. Of course, the Zero Draft refers to the importance of private sector investment (Para 31). But it fails to point out that currently, such investment originates from corporations in the developed world. For this digital production divide to disappear, restrictions on innovation – restrictive patent or copyright regimes, for instance – should be removed, among other measures. Equitable development is the key.
Ongoing negotiations of plurilateral agreements such as the Trans-Pacific Partnership (TPP) go unmentioned in the Zero Draft. This is shocking. The TPP has been criticized for its excessive leeway and support for IP rightsholders, while incorporating non-binding commitments involving the rights of users (see Clause QQ.G.17 on copyright exceptions and limitations, QQ.H.4 on damages and QQ.C. 12 on ccTLD WHOIS, https://wikileaks.org/tpp-ip3/WikiLeaks-TPP-IP-Chapter/WikiLeaks-TPP-IP-Chapter-051015.pdf). Plaudits for progress make on the digital divide would be lip service if such agreements were not denounced.
Therefore, we propose the addition of Para 20B after Para 20:
“20B. We draw attention also to the digital production divide among countries, recognizing that domestic innovation and production are instrumental in achieving universal connectivity. Taking note of recent negotiations surrounding restrictive and unbalanced plurilateral trade agreements, we call on stakeholders to adopt policies to ensure globally equitable development, removing restrictions on innovation and conducive to fostering domestic and local production.”
Paragraph 22 of the Zero Draft acknowledges that “school curriculum requirements for ICT, open access to data and free flow of information, fostering of competition, access to finance”, etc. have “in many countries, facilitated significant gains in connectivity and sustainable development”.
This is, of course, true. However, as Para 23 also recognises, access to knowledge, data and innovation have come with large costs, particularly for developing countries like India. These costs are heightened by a lack of promotion and adoption of open standards, open access, open educational resources, open data (including open government data), and other free and open source practices. These can help alleviate costs, reduce duplication of efforts, and provide an impetus to innovation and connectivity globally.
Not only this, but the implications of open access to data and knowledge (including open government data), and responsible collection and dissemination of data are much larger in light of the importance of ICTs in today’s world. As Para 7 of the Zero Draft indicates, ICTs are now becoming an indicator of development itself, as well as being a key facilitator for achieving other developmental goals. As Para 56 of the Zero Draft recognizes, in order to measure the impact of ICTs on the ground – undoubtedly within the mandate of WSIS – it is necessary that there be an enabling environment to collect and analyse reliable data. Efforts towards the same have already been undertaken by the United Nations in the form of “Data Revolution for Sustainable Development”. In this light, the Zero Draft rightly calls for enhancement of regional, national and local capacity to collect and conduct analyses of development and ICT statistics (Para 56). Achieving the central goals of the WSIS process requires that such data is collected and disseminated under open standards and open licenses, leading to creation of global open data on the ICT indicators concerned.
As such, we suggest that following clause be inserted as Para 23A to the Zero Draft:

“23A. We recognize the importance of access to open, affordable, and reliable technologies and services, open access to knowledge, and open data, including open government data, and encourage all stakeholders to explore concrete options to facilitate the same.”

15. Paragraph 30 of the Zero Draft laments “the lack of progress on the Digital Solidarity Fund”, and calls “for a review of options for its future”.

16. The Digital Solidarity Fund was established with the objective of “transforming the digital divide into digital opportunities for the developing world” through voluntary contributions [Para 28, Tunis Agenda]. It was an innovative financial mechanism to help bridge the digital divide between developed and developing countries. This divide continues to exist, as the Zero Draft itself recognizes in Paragraphs 16-21.

17. Given the persistent digital divide, a “call for review of options” as to the future of the Digital Solidarity Fund is inadequate to enable developing countries to achieve parity with developed countries. A stronger and more definite commitment is required.

18. As such, we suggest the following language in place of the current Para 30:

“30. We express concern at the lack of progress on the Digital Solidarity Fund, welcomed in Tunis as an innovative financial mechanism of a voluntary nature, and we call for voluntary commitments from States to revive and sustain the Digital Solidarity Fund.”

19. Paragraph 31 of the Zero Draft recognizes the importance of “legal and regulatory frameworks conducive to investment and innovation”. This is eminently laudable. However, a broader vision is more compatible with paving the way for affordable and widespread access to devices and technology necessary for universal connectivity.

20. We suggest the following additions to Para 31:

“31. We recognise the critical importance of private sector investment in ICT access, content and services, and of legal and regulatory frameworks conducive to local investment and expansive, permissionless innovation.”

B. Internet Governance

21. Paragraph 32 of the Zero Draft recognizes the “general agreement that the governance of the Internet should be open, inclusive, and transparent”. Para 37 takes into account “the report of the CSTD Working Group on improvements to the IGF”. Para 37 also affirms the intention of the General Assembly to extend the life of the IGF by (at least) another 5 years, and acknowledges the “unique role of the IGF”.

22. The IGF is, of course, unique and crucial to global Internet governance. In the last 10 years, major strides have been made among diverse stakeholders in beginning and sustaining conversations on issues critical to Internet governance. These include issues such as human rights, inclusiveness and diversity, universal access to connectivity, emerging issues such as net neutrality, the right to be forgotten, and several others. Through its many arms like the Dynamic Coalitions, the Best Practices Forums, Birds-of-a-Feather meetings and Workshops, the IGF has made it possible for stakeholders to connect.

23. However, the constitution and functioning of the IGF have not been without lament and controversy. Foremost among the laments was the IGF’s evident lack of outcome-orientation; this continues to be debatable. Second, the composition and functioning of the MAG, particularly its transparency, have come under the microscope several times. One of the suggestions of the CSTD Working Group on Improvements to the IGF concerned the structure and working methods of the Multistakeholder Advisory Group (MAG). The Working Group recommended that the “process of selection of MAG members should be inclusive, predictable, transparent and fully documented” (Section II.2, Clause 21(a), Page 5 of the Report).

24. Transparency in the structure and working methods of the MAG are critical to the credibility and impact of the IGF. The functioning of the IGF depends, in a large part, on the MAG. The UN Secretary General established the MAG, and it advises the Secretary General on the programme and schedule of the IGF meetings each year (see <http://www.intgovforum.org/cms/mag/44-about-the-mag>). Under its Terms of Reference, the MAG decides the main themes and sub-themes for each IGF, sets or modifies the rules of engagement, organizes the main plenary sessions, coordinates workshop panels and speakers, and crucially, evaluates the many submissions it receives to choose from amongst them the workshops for each IGF meeting. The content of each IGF, then, is in the hands of the MAG.

25. But the MAG is not inclusive or transparent. The MAG itself has lamented its opaque ‘black box approach’ to nomination and selection. Also, CIS’ research has shown that the process of nomination and selection of the MAG continues to be opaque. When CIS sought information on the nominators of the MAG, the IGF Secretariat responded that this information would not be made public (see <http://cis-india.org/internet-governance/blog/mag-analysis>).

26. Further, our analysis of MAG membership shows that since 2006, 26 persons have served for 6 years or more on the MAG. This is astounding, since under the MAG Terms of Reference, MAG members are nominated for a term of 1 year. This 1-year-term is “automatically renewable for 2 more consecutive years”, but such renewal is contingent on an evaluation of the engagement of MAG members in their activities (see <http://www.intgovforum.org/cms/175-igf-2015/2041-mag-terms-of-reference>). MAG members ought not serve for over 3 consecutive years, in accordance with their Terms of Reference. But out of 182 MAG members, around 62 members have served more than the 3-year terms designated by their Terms of Reference (see <http://cis-india.org/internet-governance/blog/mag-analysis>).

27. Not only this, but our research showed 36% of all MAG members since 2006 have hailed from the Western European and Others Group (see <http://cis-india.org/internet-governance/blog/mag-analysis>). This indicates a lack of inclusiveness, though the MAG is certainly more inclusive than the composition and functioning of other I-Star organisations such as ICANN.

28. Tackling these infirmities within the MAG would go a long way in ensuring that the IGF lives up to its purpose. Therefore, we suggest the following additions to Para 37:

“37. We acknowledge the unique role of the Internet Governance Forum (IGF) as a multistakeholder platform for discussion of Internet governance issues, and take note of the report and recommendations of the CSTD Working Group on improvements to the IGF, which was approved by the General Assembly in its resolution, and ongoing work to implement the findings of that report. We reaffirm the principles of openness, inclusiveness and transparency in the constitution, organisation and functioning of the IGF, and in particular, in the nomination and selection of the Multistakeholder Advisory Group (MAG). We extend the IGF mandate for another five years with its current mandate as set out in paragraph 72 of the Tunis Agenda for the Information Society. We recognize that, at the end of this period, progress must be made on Forum outcomes and participation of relevant stakeholders from developing countries.”

29. Paragraphs 32-37 of the Zero Draft make mention of “open, inclusive, and transparent” governance of the Internet. It fails to take note of the lack of inclusiveness and diversity in Internet governance organisations – extending across representation, participation and operations of these organisations. In many cases, mention of inclusiveness and diversity becomes tokenism or formal (but not operational) principle. In substantive terms, the developing world is pitifully represented in standards organisations and in ICANN, and policy discussions in organisations like ISOC occur largely in cities like Geneva and New York. For example, the ‘diversity’ mailing list of IETF has very low traffic. Within ICANN, 307 out of 672 registries listed in ICANN’s registry directory are based in the United States, while 624 of the 1010 ICANN-accredited registrars are US-based. Not only this, but 80% of the responses received by ICANN during the ICG’s call for proposals were male. A truly global and open, inclusive and transparent governance of the Internet must not be so skewed.

30. We propose, therefore, the addition of a Para 37A after Para 37:

“37A. We draw attention to the challenges surrounding diversity and inclusiveness in organisations involved in Internet governance, and call upon these organisations to take immediate measures to ensure diversity and inclusiveness in a substantive manner.”

31. Paragraphs 36 of the Zero Draft notes that “a number of member states have called for an international legal framework for Internet governance.” But it makes no reference to ICANN or the importance of the ongoing IANA transition to global Internet governance. ICANN and its monopoly over several critical Internet resources was one of the key drivers of the WSIS in 2003-2005. Unfortunately, this focus seems to have shifted entirely. Open, inclusive, transparent and global Internet are misnomer-principles when ICANN – and in effect, the United States – continues to have monopoly over critical Internet resources. The allocation and administration of these resources should be decentralized and distributed, and should not be within the disproportionate control of any one jurisdiction.

32. Therefore, we suggest the following Para 37A after Para 37:

“37A. We affirm that the allocation, administration and policy involving critical Internet resources must be inclusive and decentralized, and call upon all stakeholders and in particular, states and organizations responsible for essential tasks associated with the Internet, to take immediate measures to create an environment that facilitates this development.”

33. Paragraph 43 of the Zero Draft encourages “all stakeholders to ensure respect for privacy and the protection of personal information and data”. But the Zero Draft inadvertently leaves out the report of the Office of the UN High Commissioner for Human Rights on digital privacy, ‘The right to privacy in the digital age’ (A/HRC/27/37). This report, adopted by the Human Rights Council in June 2014, affirms the importance of the right to privacy in our increasingly digital age, and offers crucial insight into recent erosions of privacy. It is both fitting and necessary that the General Assembly take note of and affirm the said report in the context of digital privacy.

34. We offer the following suggestion as an addition to Para 43:

“43. We emphasise that no person shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home, or correspondence, consistent with countries’ applicable obligations under international human rights law. In this regard, we acknowledge the report of the Office of the UN High Commissioner for Human Rights, ‘The right to privacy in the digital age’ (A/HRC/27/37, 30 June 2014), and take note of its findings. We encourage all stakeholders to ensure respect for privacy and the protection of personal information and data.”

35. Paragraphs 40-44 of the Zero Draft state that communication is a fundamental human need, reaffirming Article 19 of the Covenant on Civil and Political Rights, with its attendant narrow limitations. The Zero Draft also underscores the need to respect the independence of the press. Particularly, it reaffirms the principle that the same rights that people enjoy offline must also be protected online.

36. Further, in Para 31, the Zero Draft recognizes the “critical importance of private sector investment in ICT access, content, and services”. This is true, of course, but corporations also play a crucial role in facilitating the freedom of speech and expression (and all other related rights) on the Internet. As the Internet is led largely by the private sector in the development and distribution of devices, protocols and content-platforms, corporations play a major role in facilitating – and sometimes, in restricting – human rights online. They are, in sum, intermediaries without whom the Internet cannot function.

37. Given this, it is essential that the outcome document of the WSIS+10 Overall Review recognize and affirm the role of the private sector, and crucially, its responsibilities to respect and protect human rights online.

38. We suggest, therefore, the insertion of the following paragraph Para 42A, after Para 42:

“42A. We recognize the critical role played by corporations and the private sector in facilitating human rights online. We affirm, in this regard, the responsibilities of the private sector set out in the Report of the Special Representative of the Secretary General on the issue of human rights and transnational corporations and other business enterprises, A/HRC/17/31 (21 March 2011), and encourage policies and commitments towards respect and remedies for human rights.”

C. Implementation and Follow-up

39. Para 57 of the Zero Draft calls for a review of the WSIS Outcomes, and leaves a black space inviting suggestions for the year of the review. How often, then, should the review of implementation of WSIS+10 Outcomes take place?

40. It is true, of course, that reviews of the implementation of WSIS Outcomes are necessary to take stock of progress and challenges. However, we caution against annual, biennal or other such closely-spaced reviews due to concerns surrounding budgetary allocations.

41. Reviews of implementation of outcomes (typically followed by an Outcome Document) come at considerable cost, which are budgeted and achieved through contributions (sometimes voluntary) from states. Were Reviews to be too closely spaced, budgets that ideally ought to be utilized to bridge digital divides and ensure universal connectivity, particularly for developing states, would be misspent in reviews. Moreover, closely-spaced reviews would only provide superficial quantitative assessments of progress, but would not throw light on longer term or qualitative impacts.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-zero-draft-of-the-un-general-assembly2019s-overall-review-of-the-implementation-of-wsis-outcomes-wsis-10

Comments on the Telecom Commercial Communications Customer Preference Regulations

Sandeep Kumar, Torsha Sarkar, Swaraj Barooah, Gurshabad Grover — 2018-06-23T00:44:47Z

This submission presents comments by the Centre for Internet & Society, India (“CIS”) on the Telecom Commercial Communications Customer Preference Regulations which was released to the public by the Telecom Regulatory Authority of India (TRAI) on 29th May 2018 for comments and views.

Preliminary

This submission presents comments by the Centre for Internet & Society (“CIS”), India on ‘The Telecom Commercial Communications Customer Preference Regulations, 2018’ which were released on 29th May 2018 for comments and counter-comments.

CIS appreciates the intent and efforts of Telecom Regulatory Authority of India (TRAI) to curb the problem of Unsolicited Commercial Communication (UCC), or spam. Spam messages are constant irritants for telecom subscribers. Acknowledging the same, TRAI has proposed regulations which aim to empower subscribers in effectively dealing with UCC. CIS is grateful for the opportunity to put forth its views and comments on the regulations. This submission was made on 18th June 2018. This text has been slightly edited for readability.

The first part of the submission highlights some general issues with the regulations. While TRAI has offered a technological solution to the menace of UCC, the policy documents have no accompanying technical details. TRAI has not made a compelling case for why Distributed Ledger Technologies (DLTs) should be used for storing data instead of a distributed database. There is no clarity on the technical aspects of the proposed DLTs: the participating nodes in the network, how these nodes arrive at a consensus, whether they are independent of each other, are questions that remain unanswered. The draft regulations also mention curbing Robocalls, but technical challenges associated with the same have not been discussed. Spam which is non-commercial in nature remains out of the scope of the current regulations.

The second part of this submission puts forth specific comments related to various sections of the draft and suggests improvements therein. While CIS appreciates the extension of the deadline from 11th June to 18th June, we would like to highlight that the Draft was released on 29th May, and despite the extension, the time to submit comments remains less than a month. Considering the fact that the draft regulations hold significance for the entire telecom industry and nearly 1.5 billion subscribers, TRAI should have granted at least a month’s time for the stakeholder’s sound scrutiny.

General Comments

Distributed Ledger Technology (DLT)

The draft greatly emphasizes the fact that data regarding Consent, Complaints, Headers, Preferences, Content Template Register and Entities are stored on distributed ledgers. The intent is to keep data cryptographically secure with no centralized point of control. However, the regulations do not go into the technical details of the working of these distributed ledgers leading to several potential pitfalls.

As per the draft, every access provider has to establish distributed ledgers for Complaints, Consent, Content, Preference, Header, Entities and so on. There are specific entities mentioned which will act as nodes in the network, and these nodes are preselected.

Whenever a sender seeks to send commercial communications across a list of subscribers, the list is ‘scrubbed’ against the DL-Consent and DL-Preference, to check whether the subscriber has given consent and registered their preference. The sender can only send the commercial communication to the numbers which are present in the scrubbed list.

The objective of these regulations is to protect consumers’ rights but the consumer, i.e., the subscriber, is not a node in the distributed ledger. Since the primary benefits of decentralization are gained when the trust is devolved to the individual subscribers, and the individual users are not specified as participating nodes in the ledger, the justification behind a distributed ledger is unclear.

Additionally, the proposed regime requires the subscriber to place her trust in the access provider to register the complaint, thus offers no tangible benefit over the current regulation. While there are penalties for non-compliant Access Providers (APs), there are no business incentives for APs to expend the extra amount of resources required in for effective implementation of this technology, to act in the users’ interest. This builds a system where APs interests clash with subscribers, but they are nonetheless required to be the guardian of the subscribers’ concerns.

Further, the nodes are entities constituted by the access providers (APs), and there is no mechanism to ensure that they behave independently of each other. In such case, it is wholly possible that all nodes on a distributed ledger are run by the same entity, thus defeating the purpose of establishing consensus. The proposed regulations do not address this scenario.

One solution would be to add subscribers as nodes to the DLT network. But this would be impractical as the technical challenges associated therein, including generating public-private key pairs of each user, the computational complexity of the network, are immense. If this is indeed the intention of TRAI, this has not been spelled out clearly in the draft regulations. Additionally, in such a scenario, there would be no requirement for mandating every AP to maintain their own DLT for customer preference and consent artifacts.

Considering the points mentioned above, we request TRAI to publish the technical specifications of DLTs, which addresses the following issues:

Who can participate in the network other than the entities mentioned in the regulations? Are these participating entities independent of each other? If not, then how will the conflict of interest be resolved?
What is the consensus algorithm used in the DLTs?
Will the code to implement DLTs be open-source?

Our recommendations are three-fold in this regard:

If distributed ledger is used, then, mechanisms should be devised to ensure the integrity of the consensus. For this, participating nodes in the network must be independent of each other. Aforementioned points regarding consensus protocol should be taken into consideration as well.

In place of DLTs, we recommend the use of a distributed database with signature-based authentication and encryption of the data to be stored. The immutability and non-repudiation of data can be achieved in this way. Distributed ledgers such as DL-consent, DL-preference, DL-complaints are instances where authentication of data and subscriber can be done using simplers means such as OTP verification, etc. So, such ledgers need not necessarily utilize DLTs.

The regulations should mandate the open-source publication of the implementation of the DLTs. This will enable interoperability, add transparency to the functioning of the regulations, and enable security audits to ensure accountability of the APs.

Broadening the scope of the Regulations to non-commercial communication

The proposed regulations attempt to specifically curb unsolicited commercial communications as defined in Regulation 2(bt). But, there are other forms of communication which are unsolicited and non-commercial, including political messages and market surveys.

We recommend that the scope of the regulations should be broadened to include both commercial and non-commercial communications. And both of these should be grouped under the category of Institutional Communications. Wherever needed, changes should be made to the regulations dealing with UCC to suit the specific requirements of dealing with unsolicited non-commercial communications as well. At the same time, the regulations should ensure that individual communications are not brought within their ambit.

Technical challenges in combating Robocalls

Robocalls are defined in Regulation 2(ba) and in Schedule IV, provision 3, it has been clubbed with other kinds of spam. However, there are some specific technical challenges in regulating robocalls. Right now, ‘block listing’ is a prevalent model where one can identify a number and then block it so that it cannot be used further. But with robocalls, spoofing of other numbers is easily achievable which makes the blocking of the real identity of caller difficult. The proposed regulations do not adequately address this challenge.

The Alliance for Telecommunications Industry Solutions, with working groups of the Internet Engineering Task Force (IETF), has been working on a different approach to solve this problem. They are working on standards for all mobile and VoIP calling services which would enable them to do cryptographic digital call signing, “so calls can be validated as originating from a legitimate source, and not a spoofed robocall system. The protocols, known as ‘STIR’ and ‘SHAKEN,’ are in industry testing right now through ATIS's Robocalling Testbed, which has been used by companies like Sprint, AT&T, Google, Comcast, and Verizon so far”.

TRAI should take into account these developments and propose a specific regime accordingly. One possible way forward, for now, could be the banning of robocalls unless there is explicit opt-in by subscribers.

Registration of content-template

The draft envisages a distributed ledger system for registration of content template which would have both a fixed part and a variable part. The content template needs to be registered by the content template registrar, which would be an authorized entity.

Problematically, the content template is defined to include the fixed part as well as the variable part. Further, Schedule I, provision 4(3)(e) mandates that content template registration functions should be utilized to extract fixed and the variable portion from actual messages offered for delivery or already delivered. The variable portion of the message contains information specific to a customer, as defined in regulation 2(q)(ii). In addition to privacy concerns with accessing the variable part, there is no functional reason for variable portions to be extracted from the actual message, as only the fixed portion needs to be verified.

The hash of the fixed portion of the message can be used to identify whether a user has received UCC or not. We, therefore, recommend that the variable portion of the message shall not be made accessible to entities because it is not required for the identification of a message as UCC.

‘Safe and Secure Manner’

Throughout the draft, reference is made to the data collected being stored and/or exchanged in a ‘safe and secure manner’, without any clarification as to what this term implies.

We recommend that the term be defined as ‘measures in accordance with reasonable security practices and procedures’ as given in section 43A of the Information Technology Act, 2008 read with section 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Bulk Registration

In the Consultation paper published by TRAI, bulk registration was envisaged as a way to curb UCC wherein one member of the family can register on behalf of the family. Australia has already implemented this mechanism.

In India, evidence suggests that major victims of spam are the elderly and people with limited financial capacities. In such cases, consent and preference registration on behalf of these people by one person may help in the successful control of UCC.

Some telecom service providers argued against this by emphasizing the individual choice of a subscriber. However, in cases where there is authorization given by the customer, the primary user can register consent on his/her behalf. Similarly, since corporate connections are by definition owned and paid for by corporates, bulk registration in those situations can be also be done.

We recommend that given the situation in India, the provision for bulk registration be incorporated in the regulations for specific scenarios, as mentioned above. An authorization template giving the nominee power to register on behalf of a class can be incorporated to this effect. Also, an opt-out option must be incorporated in case an individual choice differs from the choice registered in the bulk-registration.

Specific Comments

Inferred Consent [Regulation 2(k)(II)(A)]

Comments
Regulation 2(k)(ii)(a) of the Draft defines consent as “voluntary permission given by the customer to the sender to receive commercial communication”. However, the draft also includes, “inferred consent”, which is defined as consent that can be “reasonably inferred from the customer’s conduct or the business and the relationship between the individual and the sender”.

When consent is derived from the customer’s conduct, rather than being given explicitly, it defeats its ‘voluntary nature’. The provision of consent being ‘reasonably inferred’ from the customer’s conduct is also vague, and there is no indication given in the draft as to what kind of conduct would lead to a reasonable inference of implied consent. The definition can also be interpreted to mean that customer’s conduct will be subject to monitoring, which raises privacy concerns.

Recommendations
Consent shall not be derived from the customer’s conduct unless the person provides it explicitly. We recommend amendment to the definition of ‘inferred consent’ accordingly.

Three years history to be stored in DL-Complaints [Regulations 24(3) and 24(4)]

Comments

Regulation 24(3) and (4) states that the DL-Ledger for Complaints (DL-Complaints) shall record ‘three years history’ of both the complainant and the sender, with details of complaints made, date, time and status of the resolution of the complaint. It is not clear from the regulation whether the mentioned set of data is exhaustive or not.

Recommendations
We recognize that the legislative intent behind drafting Regulation 24(3) and (4) was to curb frivolous or false complaints, which has already been a concern of TRAI. Storing both the complainant and the sender’s history, in such cases, may aid in resolving these.

We recommend that the language of the regulations may be amended to “three years history which only includes details of all complaint(s) made by him, with date(s) and time(s) . . .”, thereby giving a limiting qualification to the broad scope of the term.

The responsibility of the APs to ensure that the devices support the requisite permissions [Regulation 34]

Comments
Regulation 34 mandates that the APs are to ensure that the devices “registered in the network” shall support the requisite permissions of the Apps under this regulations.

In terms of jurisdiction, regulation of the functioning of electronic devices (which can be phones, tablets or smart watches) is outside the scope of the proposed regulations, and probably out of TRAI's regulatory competence.

Even if TRAI can impose the regulation on end devices, this regulation puts the burden on the APs to ensure that devices support the pertinent app permissions. Considering that TRAI itself has been weighing legal recourse against device manufacturers on similar grounds, it is unclear why TRAI assumes that APs have any legal or technical method to ensure control of a device which has neither been manufactured by them nor is it under their physical or remote control.

In modern smartphones, the end-user has full control over most app installations and permissions. This practice is consistent with a consumer's autonomy over the device and its functioning. Considering the fact that TRAI has not implemented basic security features in the 'Do Not Disturb' app, TRAI is putting at risk the privacy of millions of device owners by legally mandating permissions for an app with the second proviso. The proviso further gives TRAI the power to order APs to derecognize devices from their network. This regulation is draconic and inimical to the rights of consumers, who are at risk of losing network access and connectivity because of their device choice, which is a completely different business and market.

Recommendations
Reporting unsolicited messages or calls is a consumer right, and the regulations are in furtherance of the same goals. TRAI should enable consumer rights by giving subscribers the option to report spam and has no reason to force users to report spam possibly through legal overreach and privacy invasion. Accordingly, we recommend the removal of Regulation 34.

Additional Suggestions

Consumer and subscriber

The usage of the terms ‘customer’ and ‘subscriber’ in Regulation 3(1) implies that the terms have two different meanings. This interpretation, however, clashes with the actual definition given in Regulation 2(u) and 2(bk), whereby a customer is a subscriber. This is an inconsistent interpretation.

Either the definition of a ‘customer’ must be clarified or differentiated from that of a ‘subscriber’ in regulation 2, or regulation 3 must be amended to indicate what its actual object of regulation is - the customer or the subscriber.

Drafting misnumbering

There are a few instances of misnumbering of regulations and reference regulations which are non-existent.

Regulations 25(5)(b) and (c) make a reference to regulation 25(3)(a), which does not exist in the given draft. A bare reading of regulation 25, however, indicate that the intention was to refer to regulation 25(5)(a), and as such, this misnumbering should be rectified.

Regulation 34 makes a reference to regulation 7(2), which again, does not exist. In such case, either regulation 34 or regulation 7(2) must be amended to keep a consistent interpretation.

Ambiguous terms

‘Allocation and assignment principles and policies’ - Provision 4(1)(a) of Schedule I of the regulations indicate that header assignment should be done on the basis of ‘allocation and assignment principles and policies’, without any clarification to the meaning of this term. We recommend an amendment to this provision accordingly.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-telecom-commercial-communications-customer-preference-regulations

Comments on the Statistical Disclosure Control Report

Srinivs Kodali and Amber Sinha — 2019-03-13T00:28:44Z

This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Statistical Disclosure Control Report published on March 30th by Ministry of Statistics and Programme Implementation.

1. PRELIMINARY

CIS is thankful for the opportunity to put forth its views.
This submission is divided into three main parts. The first part, ‘Preliminary’, introduces the document; the second part, ‘About CIS’, is an overview of the organization; and, the third part contains the ‘Comments’.

2. ABOUT CIS

CIS is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, freedom of speech and expression, intermediary liability, digital privacy, and cybersecurity.

CIS values the fundamental principles of justice, equality, freedom and economic development. This submission is consistent with CIS' commitment to these values, the safeguarding of general public interest and the protection of India's national interest at the international level. Accordingly, the comments in this submission aim to further these principles.

3. Comments

3.1 General Comments

As a non-profit organisation we recognize the importance of the efforts by the Ministry of Statistics and Programme Implementation (MoSPI) to make the data you collect available to the public in open formats with relevant information about reliability of statistical estimates.

We at CIS have recently released a report titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information”. We encountered several central and state government departments collecting socioeconomic data from citizens, linking it with Aadhaar and even publishing them in exportable data formats like EXCEL and MS ACCESS Databases. While we understand this issue primarily concerns to Unique Identification Authority of India (UIDAI), the lack of standards around information/statistical disclosure are a general threat to transparency in a democracy and privacy of individuals. Going through the report we understand the committee is unable to prescribe a standard for other ministries and departments until they try and pilot these standards within Ministry of Statistics and Programme Implementation. This delay in prescribing the standards can be really dangerous in the current circumstances of massive data collection by government departments and linking all the databases with a unique identifier, Aadhaar Number. At the same time we understand the importance of data dissemination to be carried out and we recommend the following for improving the standards around data disclosure control.

3.2 Integrity of Information and Data

We agree with the committee that the error rates need to be kept in mind while designing practices to convert raw data. But we request the process of changes being made be actively measured and documented. In case of errors being computed, guidelines can be made to decrease the possibilities of misinterpretation of errors causing loss of integrity of information. Statistics are important for decision making in governance, errors in computations can be biased towards millions of people. Statistical biases are important to be looked into while converting data from its raw format to make sure there are no damage caused by information.

3.3 Data Security

One of the important issues around storage and publication of Aadhaar information is the lack of masking standards. With the availability of data from multiple departments, it is possible to reconstruct identification details by linking data from multiple databases. It is recommended to bring masking standards while personally identifiable micro data is being published. There is an urgent need for departments to also look at auditing access to information and tracking sharing of information. It is recommended the department digitally signs all the information and documents being published or shared by them to keep track of who had accessed the information and verifying the authenticity of information.

We request the department to define what exactly is “usage for statistical purposes only” and recommend standards to control and restrict usage of information for this purpose. It is important they design frameworks or mechanisms to allow others to report violations around this. This process should be transparent and documented heavily.

3.4 Anonymization of microdata

We recommend the data being collected be anonymized at source to evade the possibility of the accidental disclosure of personally identifiable information. While the current anonymization efforts have been helpful, with steady increase in data mining and classification algorithms and practices it is recommended to evolve the standards around this area.

3.5 Data Dissemination

Data dissemination is an important aspect for district statistics officers, we recommend they actively communicate their work through monthly newsletters, quarterly workshops to help improve the conversations around statistics and at the same time engage with the users who would benefit from the data.

We also recommend that data when being published includes metadata of collection, modification, storage and other important information. Also the information needs to be published in open formats which does not require proprietary software to be used to open them. At the same time data should be published in multiple formats like CSV, XLS, PDF,

The committee also recognizes the need for having data users part of discussions around important decisions and be part of committees. We would like the department to recognize our efforts and consider us for future committee representations.

Thank you for this opportunity and we look forward to work with you in future.

For more details visit https://cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report

Comments on the Proposed Rule 138A of the Central Motor Vehicle Rules, 1989 Concerning Radio Frequency Identification Tags

bhairav — 2012-12-04T15:32:55Z

The Centre for Internet & Society gave its comments on the proposed Rule 138A of the Central Motor Vehicle Rules, 1989. The comments were made in response to Notification GSR 738(E) published in the Gazette of India on October 3, 2012.

I Preliminary

1.1 These initial comments are made with regard to Notification GSR 738(E), published in the Gazette of India, Extraordinary, Part II, Section 3, Sub-section (i), on 3 October 2012
(“Impugned Notification”).

1.2 The Impugned Notification proposes to insert a new rule 138A in the Central Motor Vehicle Rules, 1989 (“CMV Rules”) to make mandatory the installation of radio frequency identification (“RFID”) tags on all light and heavy motor vehicles to enable their instant identification and monitoring by electronic toll collection booths, the police and any other authority or person that is able to query and read RFID tags.

II Validity of the Impugned Notification

(a) The Scope and Limits of the Executive Power of the Union

2.1 The competence of the Central Government to govern by executive action (such as the Impugned Notification) is restricted to the extent of the executive power of the Union.[1] Following the Ram Jawaya Kapur case,[2] it is settled that the extent of the Union’s executive power is coterminous with the legislative power of Parliament even in the absence of controlling legislation in that field.[3] This is in addition to the Union’s subordinate executive power to give effect to legislation through statutory delegation[4] and its directory executive power to give directions to the States.[5] Thus, there are three kinds of executive power exercisable by the Union:

(a) the regular power, exercisable in the absence of controlling legislation, if the subject of executive action is a matter upon which Parliament is competent to legislate;
(b) the subordinate power, exercisable under the terms of a controlling statute, if that statute specifically delegates such a power to the Union; and
(c) the directory power, exercisable within judicial limits, to secure the compliance of the States with the laws of the Union.

2.2 The regular executive power of the Union cannot be exercised over a matter that is controlled by parliamentary legislation.[6] This principle is akin to, but does not correspond exactly with, the doctrine of occupied field which is primarily concerned with the legislative entries contained in Schedule VII of the Constitution of India. Nevertheless, it is settled that since the power of the executive to act is subject to the control of the legislature, a statutory regime, where it exists, cannot be circumvented by the free exercise of executive power.[7] In the case of the Impugned Notification, the Motor Vehicles Act, 1988 constitutes a statutory regime that occupies the field to preclude regular executive action by the Central Government with regard to RFID tags in motor vehicles. The Impugned Notification should next be examined only in light of the scope and limits of the Union’s subordinate executive power since, as the Impugned Notification is not a direction to the States, the Union’s directory executive power is not in issue.

(b) Extent of the Central Government’s Rule-Making Power

2.3 The subordinate executive power of the Union emanates from section 110 of the Motor Vehicles Act, 1988 (“MV Act”) that confers the Central Government with the power to make rules to implement the statute. At this point it is important to note that the legislative competence of the MV Act is traceable to Entry 35 of List III, Schedule VII of the Constitution of India. Entry 35 concerns:

Mechanically propelled vehicles including the principles on which taxes on such vehicles are to be levied.

Entry 35 being a concurrent subject, it is open to both the Union and the States to act to regulate motor vehicles.[8] Accordingly, the MV Act also vests the States with subordinate executive power through sections 28, 38, 65, 95, 96, 107, 111, 138 and 176 which confer State Governments with the power to make rules to implement the statute in, and amend its application to, their particular states. As for the Union, so for the States is the regular executive power precluded by the existence of a statutory regime.[9]

2.4 Section 110 of the MV Act states:

110. Power of the Central Government to make rules. – (1) The Central Government may make rules regulating the construction, equipment and maintenance of motor vehicles and trailers with respect to all or any of the following matters, namely:-

(a) the width, height, length and overhand of vehicles and of the loads carried;
(b) the size, nature, maximum retail price and condition of tyres, including embossing thereon of date and year of manufacture, and the maximum load carrying capacity;
(c) brakes and steering gear;
(d) the use of safety glasses including prohibition of the use of tinted safety glasses;
(e) signalling appliances, lamps and reflectors;
(f) speed governors;
(g) the emission of smoke, visible vapour, sparks, ashes, grit or oil;
(h) the reduction of noise emitted by or caused by vehicles;
(i) the embossment of chassis number and engine number and the date of manufacture;
(j) safety belts, handle bars of motor cycles, auto-dippers and other equipments essential for safety of drivers, passengers and other road-user;
(k) standards of the components used in the vehicle as inbuilt safety devices;
(l) provision for transportation of goods of dangerous or hazardous nature to human life;
(m) standards for emission of air pollutants;
(n) installation of catalytic convertors in the class of vehicles to be prescribed;
(o) the placement of audio-visual or radio or tape recorder type of devices in public vehicles;
(p) warranty after sale of vehicle and norms therefor:

Provided that any rules relating to the matters dealing with the protection of environment, so far as may be, shall be made after consultation with the Ministry of the Government of India dealing with environment.

(2) Rules may be made under sub-section (1) governing the matters mentioned therein, including the manner of ensuring the compliance with such matters and the maintenance of motor vehicles in respect of such matters, either generally in respect of motor vehicles or trailers or in respect of motor vehicles or trailers of a particular class or in particular circumstances.

(3) Notwithstanding anything contained in this section,-

(a) the Central Government may exempt any class of motor vehicles from the provisions of this Chapter;
(b) a State Government may exempt any motor vehicle or any class or description of motor vehicles from the rules made under sub-section (1) subject to such conditions as may be prescribed by the Central Government.

2.5 The subordinate executive power of the Union, i.e. the rule-making power, is restricted to the exact extent of the delegation.[10] This is a well settled and undisputed principle of administrative law. Therefore, the Central Government cannot, in exercise of the rule-making power granted under section 110 of the MV Act, frame rules for matters for which it has not been specifically empowered under that section. Section 110 of the MV Act does not grant the Central Government the power to make rules for mandating RFID tags on vehicles. Clauses (a) to (p) of section 110(1) descriptively list the matters relating to the construction, equipment and maintenance of motor vehicles that the Central Government is competent to regulate by exercising its executive power. This list is exactingly drafted; the absence of general words or a miscellaneous empowerment obviates the need for examining any particular word or words in clauses (a) to (p) in light of the principle of ejusdem generis.

2.6 In the absence of a specific empowerment, or even a general empowerment that may be positively construed ejusdem generis, only two clauses of section 110(1) require further examination. These are:

(e) signalling appliances, lamps and reflectors; and,
(o) the placement of audio-visual or radio or tape recorder type of devices in public vehicles;

Clause (e), which deals with signalling appliances, cannot be read to include RFID tags since, in accordance with the principle of noscitur a sociis, the meaning of the words “signalling appliances” is derived from its association with the words “lamps and reflectors.”[11] Therefore, RFID tags, which are totally unrelated to lamps, reflectors and related signalling appliances, are not the subject of clause (e). On the other hand, while clause (o) contains an executive empowerment in respect of radio devices, the empowerment only concerns “public vehicles”; and, hence, the installation of RFID tags in non-public vehicles including light vehicles, such as cars, and heavy vehicles, such trucks and lorries, cannot be carried out under this clause. In any event, the word “radio” must be interpreted noscitur a sociis in light of its association with the words “audio-visual” and “tape recorder” to yield an executive empowerment in respect of in-vehicle entertainment devices only.

2.7 Therefore, in the absence of an empowerment under section 110 of the MV Act in respect of RFID tags, the Impugned Notification of the Central Government is ultra vires the MV Act. Rules that are ultra vires the parent statute for exceeding the limits of subordinate executive power are void.[12] The Impugned Notification is both ultra vires its parent statute and void. In this regard, it is instructive to note that it is settled that void rules neither acquire validity by a subsequent conferment of statutory power nor by their publication in the Official Gazette.[13]

III Constitutional Implications regarding Privacy

3.1 Across the world, RFID technology has been challenged on the basis of its intrusion into personal privacy. RFID tags operate on a pre-determined radio frequency; and, unless the tags are programmed to rapidly, constantly and randomly switch frequencies or are able to jam unauthorised queries – an extremely expensive proposition, RFID signals can be easily intercepted. The interception a vehicle’s RFID signals, whether by public authorities or by private persons, can yield detailed locational information of the driver of the vehicle. This is an unwarranted intrusion into the locational privacy of individuals.

3.2 Locational privacy is an intrinsic part of the right to privacy. An intrusion into this right, such as in the form of mandatory RFID tags on vehicles, will reveal information as to inter alia a person’s whereabouts and daily routine as well as addresses of friends’ houses, visits to the hospital, visits to a place of worship, restaurant preferences, addresses of children’s schools and so on. This will affect ordinary citizens, politicians and civil servants equally. All this information will be at the hands of the police. To place the power of tracking and monitoring ordinary individuals with the police, when such technology is not even available with intelligence agencies, would be an act of recklessness. This is compounded by the total lack of safeguards accompanying the attempted imposition of RFID technology.

3.3 Following the Kharak Singh[14] and Gobind[15] cases, the locational privacy of individuals, specifically in relation to their privacy from the police, is constitutionally protected.[16] It is now accepted that privacy is an essential ingredient of personal liberty forming a part of the right recognised under Article 21 of the Constitution. It is further settled that the personal liberty of an individual cannot be taken away except by a law that establishes a procedure that is fair, just and reasonable that withstands the tests of Article 14 and Article 19 of the Constitution.[17]The Impugned Notification, while constituting a “law” under Article 13 of the Constitution, does not create a fair, just and reasonable procedure to deprive individuals of their personal liberty and therefore fails the tests imposed by Maneka Gandhi. Therefore, the Impugned Notification, even if it were not void for want of competence, would be ultra vires the Constitution for violating Article 21.[18]

IV Summary

4.1 In sum:

(a) Section 110 of the MV Act does not bestow on the Central Government a specific empowerment to make rules in respect of RFID tags;
(b) The Impugned Notification exceeds the delegated limits of the Central Government’s subordinate executive power;
(c) The Impugned Notification is ultra vires the MV Act, its parent statute;
(d) Rules that are ultra vires the parent statute for exceeding the limits of subordinate executive power are void;
(e) The Impugned Notification is void;
(f)   The imposition of mandatory RFID tags on vehicles will yield locational information to seriously invade the right to privacy;
(g) The right to privacy is an essential ingredient of personal liberty and is constitutionally protected;
(h) The Impugned Notification violates the right to privacy without creating a fair, just and reasonable procedure to deprive persons of their personal liberty;
(i)   The Impugned Notification is ultra vires the Constitution for violating Article 21;
(j)   Any rule that mandates RFID tags on vehicles to violate the right to privacy is void ab initio.

[1]. Article 73 of the Constitution of India.
[2]. Ram Jawaya Kapur AIR 1955 SC 549.
[3]. Ibid at prs. 12-14.
[4]. See generally, In re Delhi Laws Act AIR 1951 SC 332, Harishankar Bagla AIR 1954 SC 465, Rajnarain Singh AIR 1954 SC 569 and Edward Mills AIR 1955 SC 25.
[5]. See Articles 256 and 257 of the Constitution and State of Rajasthan (1977) 3 SCC 592.
[6]. Bishamber Dayal (1982) 1 SCC 39 at pr. 20.
[7]. Bharat Coking Coal (1990) 4 SCC 557 at prs. 15-17.
[8].Article 253 of the Constitution.
[9]. Article 162 of the Constitution.
[10]. See In re Delhi Laws Act AIR 1951 SC 332, State of Bihar (2000) 4 SCC 640, Shri Sitaram Sugar (1990) 3 SCC 223 [all Constitution Benches], Ramakrishnan Kulwant Rai 1989 Supp (1) SCC 541, K. M. Charia Abdullah (1965) 1 SCR 601, Charanjit Gill (2000) 5 SCC 742, ADM (Rev.) Delhi Administration (2000) 5 SCC 451 and State of Karnataka (1983) 2 SCC 402.
[11]. For foundational Indian case law on the principle of noscitur a sociis, see generally, M. K. Ranganathan AIR 1955 SC 604, Hospital Mazdoor Sabha AIR 1960 SC 110 and Corporation of the City of Nagpur AIR 1960 SC 675.
[12]. See Supreme Court Welfare Association (1989) 4 SCC 187 and State of Karnataka (1983) 2 SCC 402.
[35]. General Officer Commanding-in-Chief (1988) 2 SCC 351 at prs. 12-14.
[14]. Kharak Singh AIR 1963 SC 1295. The majority, speaking through Ayyangar, J., found that ‘domiciliary visits’ conducted by the police in exercise of powers granted under police regulations violated Article 21 of the Constitution; and, the minority speaking through Subba Rao, J., found that both secret police picketing (as to the location of individuals) and domiciliary visits violated both Article 21 and Article 19(1)(d) of the Constitution.
[15]. Gobind (1975) 2 SCC 148.
[16]. For a jurisprudential development of the right to privacy in India, see generally Kharak Singh AIR 1963 SC 1295, R. M. Malkani (1973) 1 SCC 471, Gobind (1975) 2 SCC 148, R. Rajagopal (1994) 6 SCC 632, People’s Union for Civil Liberties (1997) 1 SCC 301, Mr ‘X’ (1998) 8 SCC 296, Canara Bank (2005) 1 SCC 496, Bharat Shah (2008) 13 SCC 5, Naz Foundation (2009) 160 DLT 277, Selvi (2010) 7 SCC 263 and Ram Jethmalani (2011) 8 SCC 1.
[17]. Maneka Gandhi (1978) 1 SCC 248 at prs. 4-14 (per Bhagwati, Untwalia and Fazal Ali, JJ.), 48-49 (per Chandrachud, J.), 62-78 and 79-91 (per Krishna Iyer, J.) and 192-199, 201, 203 and 211-215 (per Beg, CJI.)
[18]. In this regard, see also Supreme Court Welfare Association (1989) 4 SCC 187 and N. Bakshi 1962 Supp (1) SCR 505 for the proposition that rules violating the Constitution are void ab initio.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-motor-vehicle-rules