Centre for Internet and Society

CIS’ Comments to the (Draft) Indian Telecommunication Bill 2022

Abhishek Raj, Divyank Katira, Isha Suri, Shweta Mohandas, and Vipul Kharbanda — 2022-11-22T13:22:24Z

The Department of Telecommunications, Government of India invited comments on the Draft Indian Telecommunication Bill, 2022. The Centre for Internet & Society (CIS) submitted its comments.

Reviewed by Pallavi Bedi

Preliminary

The Centre for Internet and Society (CIS) is a non-profit organization that undertakes interdisciplinary research on the internet and digital technologies from policy and academic perspectives. Through its diverse initiatives, CIS explores, intervenes in, and advances contemporary discourse and practices around the internet, technology, and society in India, and elsewhere. Over the last decade, CIS has worked extensively on policy issues related to telecommunication, internet access, digital inclusion, and so on.

In the past, CIS has responded to various public consultations pertaining to telecommunication such as the Telecom Regulatory Authority of India (TRAI) consultation on 5G Auctions^{^[1]}, TRAI consultation on regulation of over-the-top (OTT) services^{^[2]}, to name a few .

We appreciate the efforts of the Department of Telecommunications (DoT) for having consultation on the “Draft Indian Telecommunication Bill 2022”. We are grateful for the opportunity to put forth our views and comments to the draft bill.

Summary of Recommendations

At the outset, we recommend that in the interest of transparency and accountability, prior to enacting important legislations like the Telecom Bill, the government would be well-advised to conduct an “impact assessment” exercise such as “regulatory impact assessment” and put the report in public as practised in jurisdictions such as the European Union.^{^[3]} We would also recommend the government to disclose responses and submissions that it receives during the process to ensure a transparent and consultative process of policymaking.

We recommend that the scope of the bill should be reconsidered and internet-based services should be removed from the definition of telecommunication services. From this definition read with other clauses of the bill, it appears that the bill tries to licence (or control !) not just telecommunication but all kinds of communication and internet-based services. Putting onerous regulatory requirements on every bit and byte flowing through the internet is unnecessary and regulatory overreach.

The draft bill’s attempt to provide for a non-discriminatory and an affordable Right-of-way (RoW) regime is appreciable. However, the central government has been given an overriding power over the local government which has constitutional powers with regard to permissions in their jurisdiction. The bill must clarify the modalities to ensure coordination between centre, state, and local authorities.

We recommend that clause 46 of the draft bill which significantly dilutes TRAI’s power should be deleted. Moreover, the government must work towards further strengthening TRAI by hiring subject matter experts to ensure that India has a powerful sector regulator which is well prepared to usher in the next wave of innovation.

We recommend that the Bill be inline with the Puttaswamy Judgement, and that of Anuradha Bhasin vs Union of India. The Bill, while paying close attention to the protection of users and duty of the user, fails to uphold rights of the user such as the right to privacy and the freedom of speech and expression.

As per clause 29, the objectives for which Telecommunication Development Fund (TDF) can be utilised is broad and therefore the government would be well-advised to specify that TDF can only be utilised to ensure digital access, adoption and usage for digitally marginalised groups. Furthermore, TDF must be ring fenced and not credited to the Consolidated Fund of India to ensure timely implementation which has thus far remained a significant challenge with the universal funds (USOF) regime.

The bill does not have any provisions upholding the principles of net neutrality. The government must act on TRAI’s recommendations and set up the multistakeholder body to check adherence to net neutrality requirements by incorporating provisions to that effect.

In the interest of transparency and accountability, a clause requiring the government to report (quarterly or annually) vital statistics relating to the functioning and financial aspects of matters contained within the draft legislation. The reporting should also include the number of licences provided, licences revoked, number of blocking and suspension orders passed among others.

Detailed Response

Preamble

No comments

Chapter 1: Short Title, Extent and Commencement

No comments

Chapter 2: Definitions

➔ 2(9): “message” means any sign, signal, writing, image, sound, video, data stream or intelligence or information intended for telecommunication.

Comment: The terms “intelligence” and “data stream” are not clear in the definition and these terms have not been defined elsewhere in the bill. Moreover, the definition of message is broad and may have implications with regard to surveillance and privacy of users, when read with clause 4(8) and clause 24(2)(a).

Recommendation: We recommend that the terms “intelligence” and “data stream” are defined under the bill, in order to reduce chances of excessive surveillance and to maintain the informational privacy of the individual. Additionally the definition could have an expansive list of what could constitute a message in order to prevent mission creep.

➔ 2(18): “telecommunication equipment” means any equipment, appliance, instrument, device, material or apparatus, including customer equipment, that can be or is being used for telecommunication, and includes software integral to such telecommunication equipment;”

Comment: The inclusion of customer equipment in the definition of telecommunication equipment has implications. The definition of the “customer equipment”^{^[4]} as provided in clause 2(5) of the Bill is broad enough to include personal devices such as phones, routers, among others. As per clauses 23 to 26 the Central Government has wide ranging powers with respect to telecommunications equipment and telecommunications networks such as issuing various directions for telecommunications networks and even has the power to take over such networks. As the definitions currently stand, these provisions would automatically become applicable to customer equipment as well which may be a violation of the right to privacy of the citizens of the country.

Moreover, according to 3(2)(c), possession of wireless equipment requires authorization. On reading 3(2)(c) with the definitions of wireless equipment in 2(23) and customer equipment in 2(5), an argument could be framed that the customer equipment could technically also require a licence, and so would the software integral to such equipment. If customer equipment is in fact included in telecom equipment and software integral to it is also included therein, then arguably even Android OS or other OS can be licensable.

Recommendation: Thus, we suggest that the government should remove customer equipment from the definition of telecommunication equipment.

➔ 2(21): “telecommunication services" means service of any description (including broadcasting services, electronic mail, voice mail, voice, video and data communication services, audiotex services, videotex services, fixed and mobile services, internet and broadband services, satellite based communication services, internet based communication services, in-flight and maritime connectivity services, interpersonal communications services, machine to machine communication services, over-the-top (OTT) communication services) which is made available to users by telecommunication, and includes any other service that the Central Government may notify to be telecommunication services;”

Comment: Clause 2(21) expands the scope of “telecommunication services” significantly. The overly-broad definition of “telecommunication services”, and what constitutes a “message”^{^[5]}, brings within its ambit a host of internet services including but not limited to email, instant messaging, social media services, and even payments and e-commerce transactions. Neither the bill, nor the accompanying explanatory note provides a satisfactory rationale for an all-encompassing definition of “telecommunication services”. The explanatory note attached to the bill suggests that legislations in Australia, EU, UK, Singapore, Japan, and USA have been examined while drafting this bill. However, our research^{^[6]} suggests that none of these jurisdictions define “telecommunication services” so expansively and seek to regulate entities offering only internet based services companies through licensing, in particular. It may also be worthwhile to note that TRAI recommended against such an approach and also clarified that there is no issue of financial arbitrage.^{^[7]} However, the bill attempts to bring OTT communication services within the purview of licensing. From this definition read with other clauses of the bill, it appears that the bill tries to licence (or control !) not just telecommunication but all kinds of communication and internet-based services. Putting onerous regulatory requirements on every bit and byte flowing through the internet is unnecessary and regulatory overreach. There can be major implications of expanding the definition of telecommunication services, some of which are listed below:

● The draft bill has stringent provisions on surveillance and shutdowns [clause 23 to clause 28]. These clauses would be naturally applicable to the expanded bucket of telecommunication services. This has serious implications on user’s right to privacy and freedom of expression online. For example, the bill gives the government the power to surveil citizens over apps such as WhatsApp, Telegram, to name a few, and even email. [some of this will be delved into greater detail in the foregoing sections]

● Some of the internet-based services listed in the definition in 2(21) are already regulated under the Information Technology (IT) Act 2000. For example, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 regulates intermediaries, including the significant social media intermediaries (SSMI) such as Facebook and Twitter. Putting an additional regulatory burden on these service layer companies in the form of licensing, as envisaged in clause 3 and clause 4 of the bill would hamper the innovation in the sector. Furthermore, it has been observed that the compliance burden of regulations is higher on small businesses in cases where regulations impose identical requirements on entities regardless of the firm size.^{^[8]} Therefore, inserting such a requirement would have a detrimental impact on innovation because excessive compliance requirements would act as a significant entry barrier for smaller firms.

Moreover, there is significant overlap between various services that are mentioned in the definition of telecommunication services which may lead to significant challenges. As these services are not defined elsewhere in the bill, it leaves scope for ambiguity. The bill makes a mention of “over-the-top (OTT) communication services” without defining it. We argue that making a distinction between communication and non-communication OTT services is superficial and does not take into account today’s realities where categorising applications into different categories is extremely difficult. A majority of the OTT applications such as e-commerce, healthcare, food delivery, payments, and so on, provide integrated communication channels. Disaggregation and making an artificial distinction of such apps into communication (with licensing requirements) and non-communication (without licensing requirements) would result in fragmentation of the internet which is definitely not a desirable outcome.

The “same-service same-rules” argument put forth by Telecommunication Service Providers (TSPs/ telcos) for the regulation of OTT apps which provide communication services [generally referred to as OTT communication services] at par with them is flawed for the reasons elaborated herein below:

● It is well recognized that there are significant differences at the technical and architectural level between TSPs and OTT apps which provide communication services . Regulating OTT apps which provide communication services at par with TSPs just on the basis of functionality without considering the inherent technical and architectural differences between them is a definite recipe for failure.

● Moreover, even at the functional level, OTT communication apps offer several additional features which are not available in the traditional TSP services.^{^[9]} Due to this, establishing functional equivalence between TSP’s services and OTT communication services is not only technically unfeasible but also unnecessary since those apps are better regulated by MEITY.

● Furthermore, TSPs enjoy privileges which OTTs don't. For example, TSPs have exclusive rights to spectrum, right of Way (RoW), numbering resources, to name a few. TSPs have control over underlying broadband infrastructure which OTTs and other internet-based service companies do not have.

As opposed to what has been suggested in the bill i.e, licence all telecommunication services [clause 3(2)(a)] including the internet-based services, it may be prudent to explore alternative approaches to regulate this space. For instance, a “two-layered framework”^{^[10]} for regulatory intervention can be considered. In this two-layered framework, the first layer would be the network layer consisting of the network and infrastructure; and the second layer would be the service layer consisting of applications and services. The services in the second layer can be further refined into the following three categories: (i) services provided over a non-Internet Protocol (IP) based architecture e.g Public Switched Telephone Network (PSTN) voice calls provided over a circuit switched network; (ii) specialised services that are provided over an IP based architecture in a closed network including facility-based services e.g., facilities-based VoLTE calls to PSTN and IPTV; (iii) IP-based/ Internet-based services such as OTTs. The gist^{^[11]} of the framework is:

The network layer may be regulated by way of licensing.

Non-IP Services and Specialised services may be regulated by way of licensing.

Internet-based services should be regulated by instruments other than licensing. Such instruments should preferably be in the form of legislations like the IT Act and its rules thereunder.

While there can be approaches apart from the one described above to regulate internet-based services such as the OTT and those approaches can be discussed and debated, putting licensing requirements for every internet-based service is not the way forward.

Recommendation: We recommend that the scope of the bill should be reconsidered and internet-based services should be removed from the definition of telecommunication services. In the interest of transparency and accountability, prior to enacting such a legislation the government would be well-advised to conduct a “regulatory impact assessment” exercise and put the report in public, as done in jurisdictions such as the European Union.

Chapter 3: Licensing, Registration, Authorization and Assignment

Clause 4. Licensing, Registration Authorization and Assignment

➔ 4(6): “The possession and use of any equipment that blocks telecommunication is prohibited, unless authorised by the Central Government for specific purposes.”

Comment: While assuming jurisdiction over equipment capable of blocking telecommunication via this clause is a welcome step, it is not clear why equipment capable of intercepting telecommunications has been kept out of the scope of this clause. Since unlawful and unauthorised interception of telecommunications is a violation of the fundamental right to privacy of an individual,^{^[12]} it is imperative that the scope of this clause be increased to include interception equipment as well. Furthermore, the latter part of the provision mentions “specific purposes” without adequate checks and balances in place. As such, the specific purposes must be defined exhaustively to ensure that this power is not misused.

➔ 4(7): "Any entity which is granted a licence under sub-clause (2) of clause 3, shall unequivocally identify the person to whom it provides services, through a verifiable mode of identification as may be prescribed."

Comment: All services do not require a verification of the identity of a person. There is a legitimate need to verify a person in the case of financial transactions, however a similar level of scrutiny is not warranted for applications that a person might use once, or applications that do not pose a threat to anyone. For example the need to verify a person through Know Your Customer (KYC) or otherwise for an application to order food, or an application which is meant for communication can be excessive regulation. Furthermore, number based internet communication apps such as Whatsapp require users to sign in through a mobile number, which have already gone through a KYC process. Therefore, dual KYC would be redundant and serve no purpose.

The Supreme Court while looking at the constitutionality of the Aadhaar Act upheld the need for banking and financial institutions to require an individual’s Aadhaar number stating the legitimate aim of preventing money laundering; however, the Court struck down the provision that required any private entity to collect Aadhaar details.^{^[13]} Justice Bhushan held that the collection by private entities violated the right to privacy, by failing the first prong of the test laid down in Puttaswamy, the test of legality.^{^[14]}

Recommendation : Clause 4(7) should be deleted.

➔ 4(8) “The identity of a person sending a message using telecommunication services shall be available to the user receiving such message, in such form as may be prescribed, unless specified otherwise by the Central Government.”

Comment: Although the intent behind this provision may have been to curb the menace of anonymous harassment of users, a blanket requirement to reveal the identity of the sender of a message in every instance may be considered a violation of the right to privacy of the sender. . There are clearly a number of competing rights involved here and the issue needs to be addressed in a more nuanced manner. Additionally there are a number of services such as chat applications providing support for mental health, that allow users to be anonymous in order to remove the concern and stigma around seeking help. A requirement that the user's name be revealed in these applications could hinder the functioning of these services as well as prevent more people from seeking help.

Anonymity was also explained in the Puttaswamy Judgment where it was stated that - “Privacy involves hiding information whereas anonymity involves hiding what makes it personal. An unauthorised parting of the medical records of an individual which have been furnished to a hospital will amount to an invasion of privacy.” In his judgement, Justice F. Nariman talks about different aspects of the right to privacy in the Indian context and observes “Informational privacy which does not deal with a person’s body but deals with a person’s mind, and therefore recognises that an individual may have control over the dissemination of material that is personal to him. Unauthorised use of such information may, therefore lead to infringement of this right”.^{^[15]}

In this backdrop it is perhaps preferable that the issue be addressed through separate guidelines rather than through a blanket direction in the Statute. Recently the Department of Telecom sent a reference to the TRAI for framing a mechanism for using KYC based identification.^{^[16]} It would be advisable if the TRAI in its response also takes into account the competing rights involved in this issue of caller identification and suggests a framework that addresses these concerns as well.

Retaining anonymity on the internet: Individuals may choose to remain anonymous online for a number of reasons. This includes employees expressing opinions about their employers and whistleblowers, people providing anonymous tips to newspapers or law enforcement, people expressing political opinions and criticism that may be subject to persecution, or simply someone saying something that they may be embarrassed about.^{^[17]} In India, in particular, an individual’s caste can be derived from their name, and they may choose to remain anonymous or adopt a pseudonym to escape centuries of stigma and discrimination that their communities have faced. Religious, gender and sexual minorities may also make this choice for similar reasons. The broad definition of telecommunication services in the bill places restrictions on anonymity online and severely degrades an individual’s ability to exercise their fundamental right to freedom of expression.

Right to privacy: The overly broad definition of “telecommunication services” and what constitutes a “message” also brings a number of digital services under the ambit of this bill. This can include email, instant messaging, social media services, and even payments and e-commerce transactions. Mandating identification of individuals as they navigate these services, which they require to go about their daily lives, creates an unprecedented potential for surveillance and abuse of personal information. To evaluate the legal validity of this infringement on privacy, we can utilise the necessity and proportionality tests put forth by the Puttaswamy Judgment. The explanatory note accompanying the bill states that the purpose of this provision is to “prevent cyber frauds”, establishing a legitimate aim for mandating identification. However, it fails to justify whether this is the least intrusive means necessary to achieve the stated aim. Law enforcement agencies have access to a wide variety of metadata, such as IP addresses, already collected by digital services today, which can be used to identify individuals committing cyber crimes. Furthermore, as the internet is a global network, bad actors can evade identification by routing their internet traffic through another country by using services such as Virtual Private Network (VPNs), proxies and onion routing. Well resourced actors can simply hire someone in another country to communicate on their behalf. The infringement upon the right to privacy by this provision is also disproportionate to the objective sought. By mandating storage of personally identifiable information that is not required for the operation of the wide range of services that fall under the ambit of this bill, it allows not only for state surveillance, but also creates the possibility of misuse by criminal actors and hostile states who may gain unlawful access to this information through data breaches. Overall, this provision can easily be circumvented by the bad actors it intends to catch, leaving us with a surveillance mechanism that is ripe for misuse against ordinary, law-abiding citizens.

Misunderstanding how the internet works: This draft bill assumes and propagates a centralised view of the internet. Unlike traditional telecommunication services, which require access to a finite spectrum or other physical infrastructure, the internet allows any individual or organisation to self-host their own communication service. Several organisations and technologically savvy individuals host their own email services, instant messaging services, blogs and social media networks. It is unclear how the licensing provisions in this bill apply to people developing and hosting their own communication equipment.

Recommendation : Clause 4(8) should be deleted.

Clause 5. Spectrum Management

➔ 5(2)(b): “administrative process for governmental functions or purposes in view of public interest or necessity as provided in Schedule 1; or”

Comment: Even though the draft bill seeks to provide an explicit statutory framework and predictability for spectrum management policy in India, it appears that for the large part it would be relying on spectrum auctions for assignment of spectrum. While the bill provides for administrative allocation of spectrum for governmental functions or purposes in view of public interest or necessity as provided in Schedule 1, the explanatory note provided for the draft bill indicates auction to be the predominant method for spectrum assignment. Even though the explanatory memorandum cannot be used for legal interpretation, it can be used to indicate that for the foreseeable future the government intends to allocate spectrum predominantly through auctions. While it can be argued that an auction based regime ensures transparency, it also creates significant barriers to entry for smaller operators. It is also pertinent to mention that in the seven auctions held since 2010, the government has successfully sold 100 percent of the auction only once. Relying solely on auctions since 2010 has led to unsold spectrum, lost revenue, and deferring of the rural digital ecosystem.^{^[18]} Therefore, auctions should be supplemented with “administrative allocation” and other innovative approaches to ensure that affordable broadband connectivity does not remain within the remit of a few. For instance, Canada has initiated a consultation on a non-competitive local licensing framework in the 3900-3980 MHz Band and Portions of the 26, 28 and 38 GHz Bands, and one of its objectives is to facilitate broadband connectivity in rural areas.^{^[19]} Therefore, we would like to recommend the DoT to explore other forms of spectrum assignment and not rely solely on auctions to ensure efficient utilisation of available spectrum and to also ensure affordable access to hitherto underserved regions.

Moreover, the bill does not provide clarity with regard to unlicensed spectrum for public Wi-Fi, and assignment of shared spectrum for satcom services.^{^[20]} Spectrum allocation for satcom becomes all the more important as the draft bill seems to give a preference to auction for spectrum assignment, while the global practice on spectrum assignment for satcom has been administrative allocation.

Furthermore, clause 5(2)(b) read with Schedule 1 suggests that BSNL and MTNL can acquire spectrum through an administrative process in view of public interest or necessity. However, we would like to submit that spectrum assignment to BSNL and MTNL may no longer serve the public interest and it only protects a very small interest group. For context, BSNL and MTNL have a combined market share of only 9.83%, as per TRAI subscription data of Aug 31, 2022.^{^[21]} For such a small subscriber share, it cannot be argued that these PSUs serve a public interest. The government can easily migrate these subscribers to the other three telcos. Moreover, this also provides the PSUs with an unfair advantage over its competitors and distorts the level playing field, thereby creating competition concerns in the market.

➔ 5(8): “The Central Government may, to promote optimal use of the available spectrum assign a particular part of a spectrum that has already been assigned to an entity (“primary assignee”), to one or more additional entity/ entities (“secondary assignees”), where such secondary assignment does not cause harmful interference in the use of the relevant part of the spectrum by the primary assignee, subject to the terms and conditions as may be prescribed.”

Comment: “Secondary assignment” of spectrum and the shift from “right to exclusive use” to “right to protection from interference”, as envisaged in 5(8) is a progressive move towards efficient utilisation of spectrum.

CIS, in its past submission^{^[22]} to the TRAI had highlighted the merits of a “use-or-share” approach in spectrum. The chasm that exists between expensive exclusive spectrum licensing and the licence-exempt ecosystem can be bridged by enshrining “use-it-or-share-it” provisions in spectrum licences. As such, ‘use-it-or-share-it’ rules enable the regulator to grant secondary access to licensed or governmental spectrum that is unused or underutilised.^{^[23]} ‘Use-it-or-share-it’ rules expand the productive use of spectrum without risking harmful interference or undermining the deployment plans of primary licensees. Clauses such as 5(8) enable “use-or-share” provisions are a step in the right direction.

➔ 5(9): “The Central Government, after providing a reasonable opportunity of being heard to the assignee concerned, if it determines that spectrum that has been assigned, has remained unutilized for insufficient reasons for a prescribed period, may terminate such assignment, or a part of such assignment, or prescribe further terms and conditions relating to spectrum utilization.”

Comment: There is lack of coherence between 5(8) and 5(9) when read together. 5(8) and 5(9) should be put as sub-clauses under a parent clause to ensure clarity.

We believe that the provision must be articulated clearly to state that licensees would first be given an opportunity to share spectrum and in cases where the entity fails to do so within a reasonable amount of time, the spectrum licence would be cancelled to prevent wilful spectrum hoarding. The Independent Communications Authority of South Africa (ICASA) in the 2nd Information Memorandum has expressed similar provisions with clarity. While, we feel five years may be an unnecessarily long timeframe for the government to enact spectrum sharing provisions, the language put forth by ICASA captures the essence of our argument:

“11.6.2 In cases where the spectrum is not fully utilised by the licensee within 5 years of issuance of the Radio Frequency Spectrum Licences, the Authority will initiate the process for the Licensee:

11.6.2.1 to share unused spectrum in all areas to ECNS licensees who may, inter alia, combine licensed spectrum in any innovative combinations in order to address local and rural connectivity in some municipalities including by entrepreneurial SMMEs;

11.6.2.2 to surrender the radio frequency spectrum licence or portion of the unused assigned spectrum in accordance with Radio Frequency Spectrum Regulations, 2015”

Recommendation: Clause 5(8) and 5(9) must be brought under one clause and it must be clarified that licence holders would lose their licence in case they fail to successfully incorporate spectrum sharing.

Clause 7. Breach of Terms and Conditions

➔ 7(1): “In case of breach of any of the terms and conditions of licence, registration, authorization or assignment granted under this Act, the Central Government may, after providing an opportunity of being heard to the party concerned, do any one or more of the following: ……”

Comment: Usually the consequences of breach are specifically illustrated in the licence. Listing the consequences of breach in the statute itself may lead to lack of clarity unless the terms of licence are also referenced. It could also be argued by a defaulting licensee that the powers listed in clause 7(1) are exhaustive and the Central Government cannot add any other conditions for breach of the conditions of the licence as in the licence agreement and any such conditions not specified in clause 7(1) are void and ultra vires the Statute.

Recommendation: In order to avoid such a situation, the clause should clearly state whether the powers listed in clause 7(1) are in addition to the terms and conditions that may be specified in the licence.

Chapter 4: Right of Way for Telecommunication Infrastructure

Comment: The draft bill attempts to provide for a non-discriminatory and an affordable Right-of-way regime, which is appreciable. However, the provision suggests that the central government has an overriding power over the local government. Provided that the Constitution of India defines certain powers which reside with the local authority in terms of providing permissions in the local areas, it is unclear from the bill on how the coordination between various authorities will take place. We recommend that there needs to be a mechanism that ensures coordination between centre, state, and local authorities.

❖ 14(3) : “In the event the person under sub-clause (1) does not provide the right of way requested, and the Central Government determines that it is necessary to do so in the public interest, it may, either by itself or through any other authority designated by the Central Government for this purpose, proceed to acquire the right of way for enabling the facility provider to establish, operate, maintain such telecommunication infrastructure, in the manner as may be prescribed.”

Comment: The right of the Central Government to acquire the right of way should be in lieu of adequate and appropriate compensation to be paid to the property owner. This requirement should be clearly mentioned in sub-clause (3). The clause as it currently stands only mentions the Central Government’s right to acquire but contains no mention of said acquisition being in lieu of adequate and proportionate compensation.

Chapter 5. Restructuring, Defaults in Payment and Insolvency

➔ 19(1): “Any licensee or registered entity may undertake any merger, demerger or acquisition, or other forms of restructuring, subject to provisions of applicable law, after providing notice to the Central Government of the same.”

Comment: Sub-clause (1) only requires that the Central Government be given a notice in case of merger, demerger, acquisition or restructuring of the licensee. Although sub-clause (2) requires that the successor entity shall comply with all the terms and conditions of the licence, considering the strategic nature of the telecommunications sector^{^[24]} it would be advisable to change the requirement of notice to a requirement of permission from the Central Government for restructuring the business rather than a mere notice requirement. In order for this requirement to not be a hindrance to the growth of the industry there could be a provision for deemed approval if the approval is not granted within a particular period of time.^{^[25]}

Recommendation: Any merger in the sector must be approved by the DoT. In order to ensure that this does not lead to unnecessary delays, a deemed approval route may be considered.

Chapter 6: Standards, Public Safety and National Security

❖ 24(2): “On the occurrence of any public emergency or in the interest of the public safety, the Central Government or a State Government or any officer specially authorised in this behalf by the Central or a State Government, may, if satisfied that it is necessary or expedient to do so, in the interest of the sovereignty, integrity or security of India, friendly relations with foreign states, public order, or preventing incitement to an offence, for reasons to be recorded in writing, by order:

(a) direct that any message or class of messages, to or from any person or class of persons, or relating to any particular subject, brought for transmission by, or transmitted or received by any telecommunication services or telecommunication network, shall not be transmitted, or shall be intercepted or detained or disclosed to the officer mentioned in such order; or

(b) direct that communications or class of communications to or from any person or class of persons, or relating to any particular subject, transmitted or received by any telecommunication network shall be suspended”.

Comment: The pre-conditions for interception contained in the Bill are similar to those contained in the Telegraph Act, 1885, i.e. “occurrence of any public emergency or in the interest of the public safety, the Central Government or a State Government or any officer specially authorised in this behalf by the Central or a State Government, may, if satisfied that it is necessary or expedient to do so, in the interest of the sovereignty, integrity or security of India, friendly relations with foreign states, public order, or preventing incitement to an offence”. Although more stringent, these conditions are different from those contained in the Information Technology Act, 2000 which does not contain the added safeguard of there being a “public emergency or in the interest of public safety”.^{^[26]} With consumers spending more and more time on the internet and using internet based technologies and applications for communications, there is significant regulatory overlap between the Telecommunications Bill and the Information Technology Act, 2000. It is therefore advisable that the interception and blocking provisions under both the legislations should be aligned and standardised.

The judgement in the Puttaswamy case provides some guidance to assess the limits and scope of the constitutional right to privacy in the form of the three prong test. The test requires the existence of a law, a legitimate state interest and the restriction (to privacy) should be ‘proportionate'. The order to intercept, detain, disclose or suspend a communication made between private individuals, acts as a violation of privacy and to ensure that this does not provide extensive grounds to surveil people, the three prong test especially the grounds of proportionality combined with the necessity provision are essential to ensure that this provision is not used disproportionately.

More recently in Anuradha Bhasin vs Union Of India the Supreme Court stated “A public emergency usually would involve different stages and the authorities are required to have regards to the stage, before the power can be utilised under the aforesaid rules. The appropriate balancing of the factors differs, when considering the stages of emergency and accordingly, the authorities are required to triangulate the necessity of imposition of such restriction after satisfying the proportionality requirement.” The court while passing the judgement also stated “The concept of proportionality requires a restriction to be tailored in accordance with the territorial extent of the restriction, the stage of emergency, nature of urgency, duration of such restrictive measure and nature of such restriction. The triangulation of a restriction requires the consideration of appropriateness, necessity and the least restrictive measure before being imposed.”^{^[27]} The judgement while examining the duration of the suspension mentioned that any order which suspends the internet must adhere to the principle of proportionality and must not extend beyond necessary duration.

Recommendation: There is a need to look at the implications of such an order enabling blocking or suspension of services post the Puttaswamy judgement where informational privacy, and dignity were considered as some of the aspects of privacy. While this clause uses the test of necessity and expediency, we suggest that along with these two the clause also introduce the three prong test laid out in Puttaswamy I. In addition to this since this legislation has been drafted subsequent to the Anuradha Bhasin judgement the provisions of the legislation must be in conformity with the same in order to avoid confusion and reduce litigation.

Chapter 7: Telecommunication Development Fund

➔ Clause 29: “The sums of money received towards the Telecommunication Development Fund under clause 27, shall first be credited to the Consolidated Fund of India, which shall be appropriated by the Central Government, in accordance with law made by the Parliament, to the Telecommunication Development Fund from time to time for being utilised to meet any or all of the following objectives:

(a) support universal service through promoting access to and delivery of telecommunication services in underserved rural, remote and urban areas;

(b) research and development of new telecommunication services, technologies, and products;

(d) support pilot projects, consultancy assistance and advisory support towards provision of universal service under sub-clause (a) of this clause; and

(e) support introduction of new telecommunication services, technologies, and products.”

Comment: Clause 27 of the draft bill proposes to rename the Universal Service Obligation Fund (USOF) to Telecommunication Development Fund (TDF) and expand its scope to include underserved urban areas in addition to rural and remote areas. This has been done, ostensibly to expand the scope of current USOF to include within its ambit underserved urban areas, research and development, and skill development, among others.^{^[28]} While there is a need to spend the vast amount of unspent balance within the USOF, and spending it on skill development, investments in innovative low cost-technology that enables affordable broadband connectivity for all is important, the manner in which the TDF is currently defined is loose and vague. In order to ensure that the fund is spent to include digitally marginalised groups only, the purpose for which the TDF can be used needs to have an “exact” and “specific definition”. The purpose should be narrowly defined to include only those activities that have the potential to mitigate and bridge the many digital divides that exist in our country because in its absence TDF may be misused to subsidise urban middle class users as opposed to originally intended beneficiaries - the hitherto marginalised sections of the society.

Furthermore, the Bill suggests that the money received towards the TDF shall first be credited to the Consolidated Fund of India, which shall be appropriated by the Central Government, in accordance with law made by the Parliament. This is a relic of the erstwhile USOF policy funds, and allocations are made on a demand and review basis. One of the reasons that India has an unspent balance of nearly INR 50,000 crore in USOF is owing to a delay in its implementation due to bureaucratic delays since all credits to this fund require parliamentary approvals.^{^[29]} In order to ensure that funds received through USOF/TDF are utilised efficiently, the government must ring fence these funds and ensure that they are only spent on the objectives envisaged under the TDF. Furthermore, funds collected for this purpose must not be credited to the Consolidated Fund of India since requiring additional approvals delays implementation of the fund. For instance, the rural road fund is ring fenced which has ensured smoother flow of funds.^{^[30]} Moreover, auction proceeds, and other levies on the sector such as service tax and GST are already credited to the Consolidated Fund of India, therefore the government can afford to ring fence funds collected for universal service as opposed to crediting them to the Consolidated Fund of India.

Recommendation: The objectives for which the TDF can be utilised is vague and too broad and therefore the government would be well-advised to specify that TDF can only be utilised to ensure digital access, adoption and usage for digitally marginalised groups. This would go a long way in ensuring that the funds are not misspent on providing subsidies to users that may not be in need for such a subsidy. Furthermore, TDF must be ring fenced and not credited to the Consolidated Fund of India to ensure timely implementation.

Chapter 9: Protection of users

➔ Clause 34 : “In the interest of the sovereignty, integrity or security of India, friendly relations with foreign states, public order, or preventing incitement to an offence, no user shall furnish any false particulars, suppress any material information or impersonate another person while establishing identity for availing telecommunication services.”

Comment: The intent behind this provision appears to be to prevent misrepresentation or identity and the giving of false information for availing telecom services. Whilst it is understandable that there may be privacy issues involved in the matter of revealing one’s identity for availing telecommunications services, the requirement to provide correct identity documents is a well established and accepted norm in the industry today which is manifest in the KYC requirements that have to be fulfilled by every customer. Therefore there is no need to qualify the obligation to provide true and accurate documents with the phrase “in the interest of the sovereignty, integrity or security of India, friendly relations with foreign states, public order, or preventing incitement to an offence”.

Chapter 10: Miscellaneous

➔ Clause 46: Amendment to Act 24 of 1997

Comment: Clause 46 of the Bill significantly dilutes the power of TRAI and effectively renders the Regulator to the role of the government’s rubber stamp through proposed amendments to clause 11^{^[31]} of the TRAI Act. Section 11 of the TRAI Act as it currently stands requires DoT to solicit recommendations from TRAI on issues pertaining to licensing, new services, and spectrum management, where the powers vest with the government. However, if the Bill becomes a law, this would not be mandatory on the government’s part. It may or may not seek the Regulator’s recommendations, thus eroding the transparency which was built in the process of policymaking. Consequently, as per the current Bill, the government will effectively be the licensor, operator, and the Regulator. Since the government owns BSNL/MTNL (a telecom operator) the role of an independent regulator assumes even more significance. Even without the proposed amendments, the Indian regulator has been largely ineffective since it lacks significant functional autonomy including negligible penalisation powers, limited role in its hiring decisions, and lack of financial autonomy since it needs DoT’s approvals for its budget.^{^[32]} Even in its present form, TRAI has lesser power as compared to many regulators across the globe. For instance Federal Communications Commission (FCC) of the USA, Ofcom of the UK, and regulators in Pakistan, Bangladesh, and Sri Lanka have powers over spectrum and licensing, while TRAI has only recommendatory powers.^{^[33]} With the advent of 5G, the lines between telecom and digital services are likely to blur even more and in order to ensure that we are able to exploit the vast potential this new wave of innovations could unleash, it is important to have skilled policymakers well-versed with technology at the helm of affairs. Amidst this backdrop, it is important to invest in enhancing TRAI’s competence by hiring subject matter experts, and ensuring that TRAI functions as an independent and transparent regulator.

Furthermore, the bill empowers the government to set up an alternate dispute resolution mechanism effectively making the role of Telecom Disputes Settlement and Appellate Tribunal (TDSAT) redundant. Currently, TDSAT is the first body which looks into any dispute between two (i) telecom operators, (ii) telecom operators and the government, and (iii) between operators, the government and as well as the regulator. Only once the TDSAT has passed orders on such disputes can they be appealed in the Supreme Court. Therefore, clauses diluting the power of TRAI must be deleted. The government must also clarify what it means by an alternate dispute resolution mechanism, and the role it envisages for TDSAT.

Lastly, TRAI process is consultative by design providing various stakeholders with an opportunity to participate in the policymaking process. However, the proposed bill does not have any provisions mandating the DoT to hold transparent stakeholder consultations.

Recommendation: Clause 46 of the proposed bill should be deleted. Furthermore, the government must work towards further strengthening TRAI by hiring subject matter experts and further empowering TRAI by giving it penalising powers. Also, TRAI must be responsible for conducting spectrum audits and ensuring that licensees are adhering to licensing conditions.

➔ 46(k): “Provided further that the Authority may direct a licensee or class of licensees to abstain from predatory pricing that is harmful to the overall health of the telecommunication sector, competition, long term development and fair market mechanism” shall be inserted.”

Comment: The Bill through clause 46 (k) empowers the TRAI to decide on ‘predatory pricing’, which falls within the remit of the Competition Commission of India (CCI) which could potentially create jurisdictional overlaps between the two regulators. Even in the past, there has been friction between the two regulators on whether TRAI has jurisdiction to decide on matters relating to competition and predatory pricing in telecom tariffs.^{^[34]} In Competition Commission of India v. Bharti Airtel Limited & Ors^{^[35]}, Supreme Court of India rejected the contention by the incumbent dominant operators (IDOs) that TRAI, as the sectoral regulator, had exclusive jurisdiction to rule on competition-related aspects in the industry. It ruled that if TRAI had determined that the IDOs had formed a cartel or colluded to block Jio’s entry, the CCI then would have jurisdiction to decide whether the IDOs’ actions had an appreciable adverse effect on competition. While TRAI’s powers of sanction were limited by the TRAI Act, the CCI had the power to prescribe and enforce structural remedies to promote genuine competition in the telecom sector. The court prescribed comity between TRAI and the CCI in the discharge of their roles.^{^[36]} Over time, the telecom sector has evolved from being a rudimentary voice service to being a complex data-centric converged service, and even though overlapping jurisdictions cannot be completely wished away,^{^[37]} there is a need for clearly defined roles for various ministries and regulators. And there will also be a need to adopt a consultative approach towards policymaking through inter-departmental consultations, an area that India has thus far been lacking in. As evidenced by the International Telecommunication Union’s (ITU) Global ICT Regulatory Outlook 2020, which ranks India at 94 (out of a total of 193) countries in terms of the maturity and collaborative approach shown by telecom regulatory bodies, lower than countries such as Japan, Singapore, Korea, Pakistan, Kenya, and Nigeria.^{^[38]}

Therefore, inserting such a provision may create more chaos and regulatory uncertainty. It is advisable that the government ensures there are no jurisdictional issues between the two regulators by clearly defining the role of TRAI and inserting provisions to facilitate inter regulatory consultation mechanism.

➔ Clause 48: “If the person committing an offence under this Act is a company, the employee(s) who at the time the offence was committed, was responsible to the company for the conduct of the business relating to the offence, shall be liable to be proceeded against and punished accordingly.”

Comment: While there is a need to ensure that offenders and violators of provisions under this Act are provided with penalties, there is a need to look at ways to ensure that the fear of penalties does not stifle innovation. This legislation intends to bring into its ambit a number of new stakeholders who might not be able to comply with all the requirements due to the inexperience, which could lead to inadvertent offences and violations. The current wording of clause 48, does not make any distinction between offences that were done with prior knowledge and malafide intentions and those done without knowledge of its commission.

Recommendation: We suggest that the Act keeps the wordings in line with similar legislations such as the draft Personal Data Protection Bill 2019. The revised text could have a proviso that reads as “Nothing contained in sub-clause (1) shall render any such person liable to any punishment provided in this Act, if he proves that the offence was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence.”

Keeping in mind the existing burden of work both on the executive and the judiciary, and the time sensitive nature of the provisions of the Bill there is a need to look at different, swift, and inexpensive strategies. One possible way could be through Informal Guidances, similar to Security and Exchange Board of India (SEBI)’s Informal Guidance Scheme, which enables regulated entities to approach the Authority for non-binding advice on the position of law.^{^[39]} As there will be a number of new players that will be under the Bill, it would be useful for entities to get guidance. Another possible step could be to use Undertakings, where the regulator enforces the errant party to seek contractual undertakings to take certain remedial steps.^{^[40]}

➔ Clause 51: “Notwithstanding anything contained in any law for the time being in force, where the Central Government, a State Government or a Government of a Union Territory is satisfied that any information, document or record in possession or control of any licensee, registered entity or assignee relating to any telecommunication services, telecommunication network, telecommunication infrastructure or use of spectrum, availed of by any entity or consumer or subscriber is necessary to be furnished in relation to any pending or apprehended civil or criminal proceedings, an officer, specially authorised in writing by such Government in this behalf, shall direct such licensee, registered entity or assignee to furnish such information, document or record to him and the licensee, registered entity or assignee shall comply with the direction of such officer.”

Comment: The requirement to provide information or document even for “pending or apprehended civil or criminal proceedings” is too wide and could be misutilised, specially given the fact that there is no judicial authority making the determination that the information or document is required for such proceedings. Even in clause 91 of the Cr.P.C. , the requirement to provide documents or information is only for existing investigations, inquiries, trials or proceedings. Therefore the requirement to provide information, document or record for apprehended civil proceedings should be deleted.

Additional Comments

➔ Comment: The bill fails to incorporate net neutrality requirements

Technological convergence and vertical integration within the sector make adherence to net neutrality critical to keep discrimination and anti-competitive conduct in check. While extant TRAI regulations, forbid TSPs from discriminating on the basis of content, sender or receiver, protocols or user equipment based on prior arrangements, by slowing down one application or providing fast lanes to another. However, there is lack of clarity on how adherence to net-neutrality principles is currently being monitored. In 2020, TRAI had recommended setting up a Multistakeholder body for monitoring adherence to net neutrality by licensees.^{^[41]} However, the draft bill fails to codify net neutrality requirements and as such non-discriminatory treatment of traffic does not find a mention in the bill or the explanatory note accompanying it.

Recommendation: The government must act on TRAI’s recommendations and set up the multistakeholder body to check adherence to net neutrality requirements by incorporating provisions to that effect.

➔ Comment: There is no provision in the bill that requires the government to report vital statistics and other information relating to the sector. We understand that both TRAI and DoT have taken efforts in publishing those statistics through DoT dashboard and reports such as the annual report, performance indicator reports, and subscriber reports. But, putting reporting requirements in the statute would be better.

Recommendation: In the interest of transparency and accountability, a clause requiring the government to report (quarterly or annually) vital statistics relating to the functioning and financial aspects of matters contained within the draft legislation. The reporting should also include the number of licences provided, licences revoked, number of blocking and suspension orders passed among others.

^{^[1]} “Response to TRAI consultation on Auction of Spectrum in frequency bands identified for IMT/5G”, Centre for Internet and Society, accessed 10 November 2022,https://cis-india.org/telecom/blog/response-to-trai-consultation-auction-of-spectrum-in-frequency-bands-identified-for-imt-5g

^{^[2]} “Response to TRAI Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services”,Centre for Internet and Society, accessed 10 November 2022, https://cis-india.org/internet-governance/blog/response-to-trai-consultation-paper-on-regulatory-framework-for-over-the-top-ott-communication-services

^{^[3]} “Impact Assessments”, European Commission, accessed 10 November 2022,<https://ec.europa.eu/info/law/law-making-process/planning-and-proposing-law/impact-assessments_en#:~:text=Impact%20assessments%20examine%20whether%20there,support%20the%20decision%2Dmaking%20process.>

^{^[4]} Clause 2(5) defines customer equipment as follows: “ “customer equipment” means equipment deployed on the premises of a person, other than the equipment of the licensee or registered entity, to originate, route or terminate telecommunication, or equipment used by such person for accessing telecommunication services;”

^{^[5]} As defined in clause 2(9) of the draft bill.

^{^[6]} Japan: "Telecommunications service" means intermediating communications of others through the use of telecommunications facilities, or any other acts of providing telecommunications facilities for the use of communications by others; Singapore: “telecommunication service” means any service for telecommunications but excludes any broadcasting service; UK: “electronic communications service” means a service of any of the types specified in subsection (2A) provided by means of an electronic communications network, except so far as it is a content service. Those types of service are— (a)an internet access service; (b)a number-based interpersonal communications service; and (c)any other service consisting in, or having as its principal feature, the conveyance of signals, such as a transmission service used for machine-to-machine services or for broadcasting.

^{^[7]} Muntazir Abbas, “Regulating OTT players complicated: Trai”, The Economic Times, 30 January 2020,<https://economictimes.indiatimes.com/industry/telecom/telecom-policy/regulating-ott-players-complicated-trai/articleshow/73759307.cms?from=mdr >

^{^[8]} Justin Douglas and Amy Land Pejoska, Regulation and Small Business, <https://treasury.gov.au/sites/default/files/2019-03/p2017-t213722-Roundup_Sml_bus_regulation-final.pdf>

^{^[9]} See, for instance, “Features, Whatsapp (2020), <https://www.whatsapp.com/features>; “Signal

Messenger Features”, Signal (2020)

^{^[10]} CIS has recommended this “two layered framework” in its previous submissions to TRAI.

^{^[11]} “Response to TRAI Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services”,Centre for Internet and Society.

^{^[12]} “Internet Privacy in India”,Centre for Internet and Society, accessed 10 November 2022,https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india

^{^[13]}Justice K. Puttaswamy and Others v. Union of India and Others 1 SCC 1 (2019)

^{^[14]}“Judgement in Plain English Constitutionality of Aadhaar Act”, “Supreme Court Observer, accessed 10 November 20222,https://www.scobserver.in/reports/constitutionality-of-aadhaar-justice-k-s-puttaswamy-union-of-india-judgment-in-plain-english/

^{^[15]} “Right to Encrypt : Subset of Right to Privacy?”, SFLC, accessed 10 November 20222,https://sflc.in/right-encrypt-subset-right-privacy

^{^[16]} PTI, “Trai to moot mechanism for KYC-based caller name display”,The Economic Times, 20 May 2022,https://economictimes.indiatimes.com/industry/telecom/telecom-news/trai-to-moot-mechanism-for-kyc-based-caller-name-display/articleshow/91695117.cms?from=mdr

^{^[17]} Palme, Jacob, and Mikael Berglund. "Anonymity on the Internet.” <https://people.dsv.su.se/~jpalme/society/anonymity.pdf >

^{^[18]} Rajat Kathuria, Isha Suri “Why spectrum needs a change in approach”, Indian Express, 20 October 2022, https://indianexpress.com/article/opinion/columns/why-spectrum-needs-a-change-in-approach-8235997/

^{^[19]} Consultation on a Non-Competitive Local Licensing Framework, Including Spectrum in the 3900-3980 MHz Band and Portions of the 26, 28 and 38 GHz Bands - Spectrum management and telecommunications

^{^[20]} Aneesh Phadnis“Extant rules choke growth, telecom bill needs review: Broadband India Forum”, Business Standard, 23 September2022<https://www.business-standard.com/article/companies/extant-rules-choke-growth-telecom-bill-needs-review-broadband-india-forum-122092301265_1.html >

^{^[21]} Highlights of Telecom Subscription Data as on 31st August, 2022, TRAI, accessed 10 November 2022, https://www.trai.gov.in/sites/default/files/PR_No.67of2022.pdf

^{^[22]} “Response to TRAI consultation on Auction of Spectrum in frequency bands identified for IMT/5G”, Centre for Internet and Society.

^{^[23]} Calabrese, M. (2021). Use it or Share It: A New Default Policy for Spectrum Management. Available at SSRN 3762098. <https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3762098_code2826029.pdf?abstractid=3762098&mirid=1 >

^{^[24]} “Guidelines for Implementation of New Public Sector Enterprises (PSEI Policy for CPSEs in Non-Strategic Sector' regarding”, “Government of India Ministry of Finance Department of Public EnterPrises, 10 November 2022, https://dpe.gov.in/sites/default/files/DPE_OM_DTD_13.12.21_Guidelines_on_New_PSE_Policy_0.pdf, Economic Survey 2021-2022, India Budget, accessed 10 November 2022, <https://www.indiabudget.gov.in/economicsurvey/ebook_es2022/index.html#p=86 >

^{^[25]} A similar approach has been taken in the new Occupational Safety, Health and Working Conditions Code, 2020 for registration of establishments under clause 3(3) of the Code.

^{^[26]} Sections 69 and 69A of the Information Technology Act, 2000.

^{^[27]} Anuradha Bhasin vs Union Of India, 3 SCC 637 (2020)

^{^[28]} Explanatory Note to the draft Indian Telecommunication Bill, 2022, Pg. 14.

^{^[29]}“USOF Scheme for Aspirational Districts in 5 states”, “Drishti IAS”, accessed 10 November 2022, https://www.drishtiias.com/daily-updates/daily-news-analysis/usof-scheme-for-aspirational-districts-in-5-states

^{^[30]}“What BharatNet can learn from the rural-roads scheme: involve states, local bodies, private sector” “ Centre for Internet and Society, accessed 10 November 2022, https://cis-india.org/telecom/blog/what-bharatnet-can-learn-from-the-rural-roads-scheme-involve-states-local-bodies-private-sector

^{^[31]} Functions of Authority, clause 11, TRAI Act, 1997.

^{^[32]} Pratap Vikram Singh, “Trai, try again: India’s toothless telecom regulator fights for more powers”, Aug 31, 2021, The Ken, <https://the-ken.com/story/trai-try-again-indias-toothless-telecom-regulator-fights-for-more-powers/>

^{^[33]} Ibid.

^{^[34]} “PTI” “Have power to settle competitive tariff issues: TRAI to CCI”, Aug 7, 2017, The Economic Times, https://economictimes.indiatimes.com/news/economy/policy/have-power-to-settle-competitive-tariff-issues-trai-to-cci/articleshow/59959144.cms?from=mdr

^{^[35]} CIVIL APPEAL NO(S). 11843 OF 2018

^{^[36]} Ibid at Para 90

^{^[37]} “Market Study on the Telecom Sector”, Jan 22, 2021, Competition Commission of India

^{^[38]} Global ICT Regulatory Outlook 2020 - Pointing the way forward to collaborative regulation (2020), ITU, https://www.itu.int/dms_pub/itu-d/opb/pref/D-PREF-BB.REG_OUT01-2020-PDF-E.pdf

^{^[39]}Informal Guidance Scheme of SEBI: Understanding the Concept and Analyzing the Guidance Provided by SEBI, Vijay Kumar Singh https://www.researchgate.net/publication/228226352_Informal_Guidance_Scheme_of_SEBI_Understanding_the_Concept_and_Analyzing_the_Guidance_Provided_by_SEBI>

^{^[40]} We have made similar recommendations to the Personal Data Protection Bill 2019, on the offences and penalties under the Bill. The comments can be viewed here: <https://cis-india.org/accessibility/blog/cis-general-comments-to-the-pdp-bill-2019>

^{^[41]}Recommendations On Traffic Management Practices (TMPs) and MultiStakeholder Body for Net Neutrality, TRAI, accessed 10 November 2022, https://www.trai.gov.in/sites/default/files/Recommendations_22092020_0.pdf

The comments were drafted by Abhishek Raj, Divyank Katira, Isha Suri, Shweta Mohandas and Vipul Kharbanda, and reviewed by Pallavi Bedi. Click to download the submission here

For more details visit https://cis-india.org/telecom/blog/cis-comments-to-draft-indian-telecom-bill-2022

Demystifying Data Breaches in India

Pawan Singh — 2022-10-17T16:14:03Z

Despite the rate at which data breaches occur and are reported in the media, there seems to be little information about how and when they are resolved. This post examines the discourse on data breaches in India with respect to their historical forms, with a focus on how the specific terminology to describe data security incidents has evolved in mainstream news media reportage.

Edited by Arindrajit Basu and Saumyaa Naidu

India saw a 62% drop in data breaches in the first quarter of 2022. Yet, it ranked fifth on the list of countries most hit by cyberattacks according to a 2022 report by Surfshark, a Netherlands-based VPN company. Another report on the cost of data breaches researched by the Ponemon Institute and published by IBM reveals that the breach of about 29500 records between March 2021 and March 2022 resulted in a 25% increase in the average cost from INR 165 million in 2021 to INR 176 million in 2022.

These statistics are certainly a cause for concern, especially in the context of India’s rapidly burgeoning digital economy shaped by the pervasive platformization of private and public services such as welfare, banking, finance, health, and shopping among others. Despite the rate at which data breaches occur and are reported in the media, there seems to be little information about how and when they are resolved. This post examines the discourse on data breaches in India with respect to their historical forms, with a focus on how the specific terminology to describe data security incidents has evolved in mainstream news media reportage.

While expert articulations of cybersecurity in general and data breaches in particular tend to predominate the public discourse on data privacy, this post aims to situate broader understandings of data breaches within the historical context of India’s IT revolution and delve into specific concepts and terminology that have shaped the broader discourse on data protection. The late 1990s and early 2000s offer a useful point of entry into the genesis of the data security landscape in India.

Data Breaches and their Predecessor Forms

The articulation of data security concerns around the late 1990s and early 2000s isn’t always consistent in deploying the phrase, ‘data breach’ to signal cybersecurity concerns in India. The terms such as ‘data/ identity theft’ and ‘data leak’ figure prominently in the public articulation of concerns with the handling of personal information by IT systems, particularly in the context of business process outsourcing (BPO) and e-commerce activities. Other pertinent terms such as “security breach”, “data security”, and ‘“cyberfraud” also capture the specificity of growing concerns around outsourced data to India. At the time, i.e. around mid-2000s regulatory frameworks were still evolving to accommodate and address the complexities arising from a dynamic reconfiguration of the telecommunications and IT landscape in India.

Some of the formative cases that instantiate the usage of the aforementioned terms are instructive to understand shifts in the reporting of such incidents over time. The earliest case during that period concerns a 2002 case concerning the theft and sale of source code by an IIT Kharagpur student who intended to sell the code to two undercover FBI agents who worked with the CBI to catch the thief. A straightforward case of data theft was framed by media stories around the time as a cybercrime involving the illegal sale of the source code of a software package, as software theft of intellectual property in the context of outsourcing and as an instance of industrial espionage in poor nations without laws protecting foreign companies. This case became the basis of the earliest calls for the protection of data privacy and security in the context of the Indian BPO sector. The Indian IT Act, 2000 at the time only covered unauthorized access and data theft from computers and networks without any provisions for data protection, interception or computer forgery. The BPO boom in India brought with it employment opportunities for India’s English-speaking, educated youth but in the absence of concrete data privacy legislation, the country was regarded as an unsafe destination for outsourcing aside from the political ramifications concerning the loss of American jobs.

In a major 2005 incident, employees of the Mphasis BFL call centre in Pune extracted sensitive bank account information of Citibank’s American customers to divert INR 1.90 crore into new accounts set up in India. The media coverage of this incident calls it India’s first outsourcing cyberfraud and a well planned scam, a cybercrime in a globalized world, and a case of financial fraud and a scam that required no hacking skills, and a case of data theft and misuse. Within the ambit of cybercrime, media reports of these incidents refer to them as cases of “fraud”, “scam” and “theft''.

Two other incidents in 2005 set the trend for a critical spotlight on data security practices in India. In a June 2005 incident, an employee of a Delhi-based BPO firm, Infinity e-systems, sold the account numbers and passwords of 1000 bank customers to the British Tabloid, The Sun. The Indian newspaper, Telegraph India, carried an online story headlined, “BPO Blot in British Backlash: Indian Sells Secret Data,” which reported that the employee, Kkaran Bahree, 24, was set up by a British journalist, Oliver Harvey. Harvey filmed Bahree accepting wads of cash for the stolen data. Bahree’s theft of sensitive information is described both as a data fraud and a leak in the above 2005 BBC story by Soutik Biswar. Another story on the incident calls it a “scam” involving the leakage of credit card information. The use of the term ‘leak’ appears consistently across other media accounts such as a 2005 story on Karan Bahree in the Times of India and another story in the Economic Times about the Australian Broadcasting Corporation’s (ABC) sting operation similar to the one in Delhi, describing the scam by the fraudsters as a leak of the online information of Australians. Another media account of the coverage describes the incident in more generic terms such as an “outsourcing crime”.

The other case concerned four former employees of Parsec technologies who stole classified information and diverted calls from potential customers, causing a sudden drop in the productivity of call centres managed by the company in November 2005. Another call centre fraud came to light in 2009 through a BBC sting operation in which British reporters went to Delhi and secretly filmed a deal with a man selling credit card and debit card details obtained from Symantec call centres, which sold software made by Norton. This BBC story uses the term “breach” to refer to the incident.

In the broader framing of these cases generally understood as cybercrime, which received transnational media coverage, the terms “fraud”, “leak”, “scam”, and “theft” appear interchangeably. The term “data breach” does not seem to be a popular or common usage in these media accounts of the BPO-related incidents. A broader sense of breach (of confidentiality, privacy) figures in the media reportage in implicitly racial terms of cultural trust, as a matter of ethics and professionalism and in the language of scandal in some cases.

These early cases typify a specific kind of cybercrime concerning the theft or misappropriation of outsourced personal data belonging to British or American residents. What’s remarkable about these cases is the utmost sensitivity of the stolen personal information including financial details, bank account and credit/debit card numbers, passwords, and in one case, source code. While these cases rang the alarm bells on the Indian BPO sector’s data security protocols, they also directed attention to concerns around the training of Indian employees on the ethics of data confidentiality and vetting through psychometric tests for character assessment. In the wake of these incidents, the National Association of Software and Service Companies (NASSCOM), an Indian non-governmental trade and advocacy group, launched a National Skills Registry for IT professionals to enable employers to conduct background checks in 2006.

These data theft incidents earned India a global reputation of an unsafe destination for business process outsourcing, seen to be lacking both, a culture of maintaining data confidentiality and concrete legislation for data protection at the time. Importantly, the incidents of data theft or misappropriation were also traceable back to a known source, a BPO employee or a group of malefactors, who often sold sensitive data belonging to foreign nationals to others in India.

The phrase “data leak” also caught on in another register in the context of the widespread use of camera-equipped mobile phones in India. The 2004 Delhi MMS case offers an instance of a date leak, recapitulating the language of scandal in moralistic terms.

The Delhi MMS Case

The infamous 2004 incident involved two underage Delhi Public School (DPS) students who recorded themselves in a sexually explicit act on a cellular phone. After a fall out, the male student passed the low-resolution clip on to his friend in which his female friend’s face is seen. The clip, distributed far and wide in India, ended up on the famous e-shopping and auction website, bazee.com leading to the arrest of the website’s CEO Avinash Bajaj for hosting the listing for sale. Another similar case in 2004 mimicked the mechanics of visual capture through hand-held MMS-enabled mobile phones. A two-minute MMS of a top South-Indian actress taking a shower went viral on the Internet in 2004, the year when another MMS of two prominent Bollywood actors kissing had already done the rounds. The MMS case also marked the onset of a national moral panic around the amateur uses of mobile phone technologies, capable of corrupting young Indian minds under a sneaky regime of new media modernity. The MMS case, not strictly the classic case of a data breach - non-visual information generally stored in databases - became an iconic case of a data leak framed in the media as a scandal that shocked the country, with calls for the regulation of mobile phone use in schools. The case continued its scandalous afterlife in a 2009 Bollywood film, Dev D and another 2010 film, Love, Sex and Dhokha,

Taken together, the BPO data thefts and frauds and the data leak scandals prefigure the contemporary discourse on data breaches in the second decade of the 21st century, or what may also be called the Decade of Datafication. The launch of the Indian biometric identity project, Aadhaar, in 2009, which linked access to public services and welfare delivery with biometric identification, resulted in large-scale data collection of the scheme’s subscribers. Such linking raised the spectre of state surveillance as alleged by the critics of Aadhaar, marking a watershed moment in the discourse on data privacy and protection.

Aadhaar Data Security and Other Data Breaches

Aadhaar was challenged in the Indian Supreme Court in 2012 when it was made mandatory for welfare and other services such as banking, taxation and mobile telephony. The national debate on the status of privacy as a cultural practice in Indian society and a fundamental right in the Indian Constitution led to two landmark judgments - the 2017 Puttaswamy ruling holding privacy to be a constitutional right subject to limitations and the 2018 Supreme Court judgment holding mandatory Aadhaar to be constitutional only for welfare and taxation but no other service.

While these judgments sought to rein in Aadhaar’s proliferating mandatory uses, biometric verification remained the most common mode of identity authentication with most organizations claiming it to be mandatory for various purposes. During the same period from 2010 onwards, a range of data security events concerning Aadhaar came to light. These included app-based flaws, government websites publishing Aadhaar details of subscribers, third party leaks of demographic data, duplicate and forged Aadhaar cards and other misuses.

In 2015, the Indian government launched its ambitious Digital India Campaign to provide government services to Indian citizens through online platforms. Yet, data security breach incidents continued to increase, particularly the trade in the sale and purchase of sensitive financial information related to bank accounts and credit card numbers. The online availability of a rich trove of data, accessible via a simple Google search without the use of any extractive software or hacking skills within a thriving shadow economy of data buyers and sellers makes India a particularly vulnerable digital economy, especially in the absence of robust legislation. The lack of awareness around digital crimes and low digital literacy further exacerbates the situation given that datafication via government portals, e-commerce, and online apps has outpaced the enforcement of legislative frameworks for data protection and cybersecurity.

In the context of Aadhaar data security issues, the term “data leak” seems to have more traction in media stories followed by the term “security breach”. Given the complexity of the myriad ways in which Aadhaar data has been breached, terms such as data leak and exposure (of 11 crore Indian farmers’ sensitive information) add to the specificity of the data security compromise. The term “fraud” also makes a comeback in the context of Aadhaar-related data security incidents. These cases represent a mix of data frauds involving fake identities, theft of thumb prints for instance from land registries and inadvertent data leaks in numerous incidents involving government employees in Jharkhand, voter ID information of Indian citizens in Andhra Pradesh and Telangana and activist reports of Indian government websites leaking Aadhaar data.

Aadhaar-related data security events parallel the increase in corporate data breaches during the decade of datafication. The term “data leak” again alternates with the term “data breach” in most media accounts while other terms such as “theft” and “scam” all but disappear in the media coverage of corporate data breaches.

From 2016 onwards, incidents of corporate data breaches in India continued to rise. A massive debit card data breach involving the YES Bank ATMs and point-of-sale (PoS) machines compromised through malware between May and July of 2016 resulted in the exposure of ATM PINs and non-personal identifiable information of customers. It went undetected for nearly three months. Another data leak in 2018 concerned a system run by Indane, a state-owned utility company, which allowed anyone to download private information on all Aadhaar holders including their names, services they were connected to and the unique 12-digit Aadhaar number. Data breaches continued to be reported in India concurrent with the incidents of data mismanagement related to Aadhaar. Some prominent data breaches included a cyberattack on the systems of airline data service provider SITA resulting in the leak of Air India passenger data, leakage of the personal details of the Common Admission Test (CAT) applicants, details of credit card and order preferences of Domino’s pizza customers on the dark web, leakage of COVID-19 patients’ test results leaked by government websites, user data of Justpay and Big Basket for sale on the dark web and an SBI data breach among others between 2019 and 2021.

The media reportage of these data breaches use the term “cyberattack” to describe the activities of hackers and cybercriminals operating within a shadow economy or the dark web. Recent examples of cyberattacks by hackers who leak user data for sale on the dark web include 8.2 terabytes of 110 million sensitive financial data (KYC details, Aadhaar, credit/debit cards and phone numbers) of the payments app MobiKwik users, 180 million Domino’s pizza orders (name, location, emails, mobile numbers), and Flipkart’s Cleartrip users’ data. In these incidents again, three terms appear prominently in the media reportage - cyberattack, data breach, and leak. The term “data breach” remains the most frequently used epithet in the media coverage of the lapses of data security. While it alternates with the term “leak” in the stories, the term “data breach” appears consistently across most headlines in the news stories.

The exposure of sensitive, personal, and non-personal data by public and private entities in India is certainly a cause for concern, given the ongoing data protection legislative vacuum.

The media coverage of data breaches tends to emphasize the quantum of compromised user data aside from the types of data exposed. The media framing of these breaches in quantitative terms of financial loss as well as the magnitude and the number of breaches certainly highlights the gravity of these incidents but harm to individual users is often not addressed.

Evolving Terminology and the Source of Data Harms

The main difference in the media reportage of the BPO cybersecurity incidents during the early aughts and the contemporary context of datafication is the usage of the term, “data breach”, which figures prominently in contemporary reportage of data security incidents but not so much in the BPO-related cybercrimes.

THe BPO incidents of data theft and the attendant fraud must be understood in the context of the anxieties brought on by a globalizing world of Internet-enabled systems and transnational communications. In most of these incidents regarded as cybercrimes, the language of fraud and scam ventures further to attribute such illegal actions of the identifiable malefactors to cultural factors such as lack of ethics and professionalism.The usage of the term “data leak” in these media reports functions more specifically to underscore a broader lapse in data security as well as a lack of robust cybersecurity laws. The broader term, “breach”, is occasionally used to refer to these incidents but the term, “data breach” doesn’t appear as such.

The term “data breach” gains more prominence in media accounts from 2009 onwards in the context of Aadhaar and the online delivery of goods and services by public and private players. The term “data breach” is often used interchangeably with the term “leak” within the broader ambit of cyberattacks in the corporate sector. The media reportage frames Aadhaar-related security lapses as instances of security/data breaches, data leaks, fraud, and occasionally scam.

In contrast to the handful of data security cases in the BPO sector, data breaches have abounded in the second decade of the twenty-first century. What further differentiates the BPO-related incidents to the contemporary data breaches is the source of the data security lapse. Most corporate data breaches remain attributable to the actions of hackers and cybercriminals while the BPO security lapses were traceable back to ex-employees or insiders with access to sensitive data. We also see in the coverage of the BPO-related incidents, the attribution of such data security lapses to cultural factors including a lack of ethics and professionalism often in racial overtones. The media reportage of the BBC and ABC sting operations suggests that the India BPOs lack of preparedness to handle and maintain personal data confidentiality of foreigners point to the absence of a privacy culture in India. Interestingly, this transnational attribution recurs in a different form in the national debate on Aadhaar and how Indians don’t care about their privacy.

The question of the harms of data breaches to individuals is also an important one. In the discourse on contemporary data breaches, the actual material harm to an individual user is rarely ever established in the media reportage and generally framed as potential harm that could be devastating given the sensitivity of the compromised data. The harm is reported to be predominantly a function of organizational cybersecurity weakness or attributed to hackers and cybercriminals.

The reporting of harm in collective terms of the number of accounts breached, financial costs of a data breach, the sheer number of breaches and the global rankings of countries with the highest reported cases certainly suggests a problem with cybersecurity and the lack of organizational preparedness. However, this collective framing of a data breach’s impact usually elides an individual user’s experience of harm. Even in the case of Aadhaar-related breaches - a mix of leaking data on government websites and other online portals and breaches - the notion of harm owing to exposed data isn’t clearly established. This is, however, different from the extensively documented cases of Aadhaar-related issues in which welfare benefits have been denied, identities stolen and legitimate beneficiaries erased from the system due to technological errors.

Future Directions of Research

This brief, qualitative foray into the media coverage of data breaches over two decades has aimed to trace the usage of various terms in two different contexts - the Indian BPO-related incidents and the contemporary context of datafication. It would be worth exploring at length, the relationship between frequent reports of data breaches, and the language used to convey harm in the contemporary context of a concrete data protection legislation vacuum. It would be instructive to examine the specific uses of the terms such as “fraud”, “leak”, “scam”, “theft” and “breach” in media reporting of such data security incidents more exhaustively. Such analysis would elucidate how media reportage shapes public perception towards the safety of user data and an anticipation of attendant harm as data protection legislation continues to evolve.

Especially with Aadhaar, which represents a paradigm shift in identity verification through digital means, it would be useful to conduct a sentiment analysis of how biometric identity related frauds, scams, and leaks are reported by the mainstream news media. A study of user attitudes and behaviours in response to the specific terminology of data security lapses such as the terms “breach”, “leak”, “fraud”, “scam”, “cybercrime”, and “cyberattack” would further contribute to how lay users understand the gravity of a data security lapse. Such research would go beyond expert understandings of data security incidents that tend to dominate media reportage to elucidate the concerns of lay users and further clarify the cultural meanings of data privacy.

For more details visit https://cis-india.org/internet-governance/blog/demistifying-data-breaches-in-india

Getting the (Digital) Indo-Pacific Economic Framework Right

arindrajit — 2022-10-03T14:56:22Z

On the eve of the Tokyo Quad Summit in May 2022, President Biden unveiled the Indo-Pacific Economic Framework (IPEF), visualising cooperation across the Indo-Pacific based on four pillars: trade; supply chains; clean energy, decarbonisation and infrastructure; and tax and anti-corruption. Galvanised by the US, the other 13 founding members of the IPEF are Australia, Brunei Darussalam, India, Indonesia, Japan, Republic of Korea, Malaysia, New Zealand, Philippines, Singapore, Thailand and Vietnam. The first official in-person Ministerial meeting was held in Los Angeles on 9 September 2022.

The article was originally published in Directions on 16 September 2022.

It is still early days. Given the broad and noncommittal scope of the economic arrangement, it is unlikely that the IPEF will lead to a trade deal among members in the short run. Instead, experts believe that this new arrangement is designed to serve as a ‘framework or starting point’ for members to cooperate on geo-economic issues relevant to the Indo-Pacific, buoyed in no small part by the United States’ desire to make up lost ground and counter Chinese economic influence in the region.

United States Trade Representative (USTR) Katherine Tai has underscored the relevance of the Indo-Pacific digital economy to the US agenda with the IPEF. She has emphasized the importance of collaboratively addressing key connectivity and technology challenges, including standards on cross-border data flows, data localisation and online privacy, as well as the discriminatory and unethical use of artificial intelligence. This is an ambitious agenda given the divergence among members in terms of technological advancement, domestic policy preferences and international negotiating stances at digital trade forums. There is a significant risk that imposing external standards or values on this evolving and politically-contested digital economy landscape will not work, and may even undermine the core potential of the IPEF in the Indo-Pacific. This post evaluates the domestic policy preferences and strategic interests of the Framework’s member states, and how the IPEF can navigate key points of divergence in order to achieve meaningful outcomes.

State of domestic digital policy among IPEF members

Data localisation is a core point of divergence in global digital policymaking. It continues to dominate discourse and trigger dissent at all international trade forums, including the World Trade Organization. IPEF members have a range of domestic mandates restricting cross-border flows, which vary in scope, format and rigidity (see table below). Most countries only have a conditional data localisation requirement, meaning data can only be transferred to countries where it is accorded an equivalent level of protection – unless the individual whose data is being transferred consents to said transfer. Australia and the United States have sectoral localisation requirements for health and defence data respectively. India presently has multiple sectoral data localisation requirements. In particular, a 2018 Reserve Bank of India (RBI) directive imposed strict local storage requirements along with a 24-hour window for foreign processing of payments data generated in India. The RBI imposed a moratorium on the issuance of new cards by several US-based card companies until compliance issues with the data localisation directive were resolved. Furthermore, several iterations of India’s recently withdrawn Personal Data Protection Bill contained localisation requirements for some categories of personal data.

Indonesia and Vietnam have diluted the scopes of their data localisation mandates to apply, respectively, only to companies providing public services and to companies not complying with other local laws. These dilutions may have occurred in response to concerted pushback from foreign technology companies operating in these countries. In addition to sectoral restrictions on the transfer of geospatial data, South Korea retains several procedural checks on cross-border flows, including formalities regarding providing notice to individual users.

Moving onto another issue flagged by USTR Tai, while all IPEF members recognise the right to information privacy at an overarching or constitutional level, the legal and policy contours of data protection are at different stages of evolution in different countries. Japan, South Korea, Malaysia, New Zealand, Philippines, Singapore and Thailand have data protection frameworks in place. Data protection frameworks in India and Brunei are under consultation. Notably, the US does not have a comprehensive federal framework on data privacy, although there are patchworks of data privacy regulations at both the federal and state levels.

Regulation and strategic thinking on artificial intelligence (AI) are also at varying levels of development among IPEF members. India has produced a slew of policy papers on Responsible Artificial Intelligence. The most recent policy paper published by NITI AAYOG (the Indian government’s think tank) refers to constitutional values and endorses a risk-based approach to AI regulation, much like that adopted by the EU. The US National Security Commission on Artificial Intelligence (NSCAI), chaired by Google CEO Eric Schmidt, expressed concerns about the US ceding AI leadership ground to China. The NSCAI’s final report emphasised the need for US leadership of a ‘coalition of democracies’ as an alternative to China’s autocratic and control-oriented model. Singapore has also made key strides on trusted AI, launching A.I. verify – the world’s first AI Governance Testing Framework for companies that wish to demonstrate their use of responsible AI through a minimum verifiable product.

IPEF and pipe dreams of digital trade

Some members of the IPEF are signatories to other regional trade agreements. With the exception of Fiji, India and the US, all the IPEF countries are members of the Regional Comprehensive Economic Partnership (RCEP), which also includes China. Five IPEF member countries are also members of the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) that President Trump backed out of in 2017. Several IPEF members also have bilateral or trilateral trading agreements among themselves, an example being the Digital Economic Partnership Agreement (DEPA) between Singapore, New Zealand and Chile.

All these ‘mega-regional’ trading agreements contain provisions on data flows, including prohibitions on domestic legal provisions that mandate local computing facilities or restrict cross-border data transfers. Notably, these agreements also incorporate exceptions to these rules. The CPTPP includes within its ambit an exception on the grounds of ‘legitimate public policy objectives’ of the member, while the RCEP incorporates an additional exception for ‘essential security interests’.

IPEF members are also spearheading multilateral efforts related to the digital economy: Australia, Japan and Singapore are working as convenors of the plurilateral Joint Statement Initiative (JSI) at the World Trade Organization (WTO), which counts 86 WTO members as parties. India (along with South Africa) vehemently opposes this plurilateral push on the grounds that the WTO is a multilateral forum functioning on consensus and a plurilateral trade agreement should not be negotiated within the aegis of the WTO. They fear, rightly, that such gambits close out the domestic policy space, especially for evolving digital economy regimes where keen debate and contestation exist among domestic stakeholders. While wary of the implications of the JSI, other IPEF members, such as Indonesia, have cautiously joined the initiative to ensure that they have a voice at the table.

It is unlikely that the IPEF will lead to a digital trade arrangement in the short run. Policymaking on issues as complex as the digital economy that must respond to specific social, economic and (geo)political realities cannot be steamrolled through external trade agreements. For instance, after the Los Angeles Ministerial India opted out of the IPEF trade pillar citing both India’s evolving domestic legislative framework on data and privacy as well as a broader lack of consensus among IPEF members on several issues, including digital trade. Commerce Minister Piyush Goyal explained that India would wait for the “final contours” of the digital trade track to emerge before making any commitments.

Besides, brokering a trade agreement through the IPEF runs a risk of redundancy. Already, there exists a ‘spaghetti bowl’ of regional trading agreements that IPEF members can choose from, in addition to forming bilateral trade ties with each other.

This is why Washington has been clear about calling the IPEF an ‘economic arrangement’ and not a trade agreement. Membership does not imply any legal obligations. Rather than duplicating ongoing efforts or setting unrealistic targets, the IPEF is an opportunity for all players to shape conversations, share best practices and reach compromises, which could feed back into ongoing efforts to negotiate trade deals. For example, several members of RCEP have domestic data localisation mandates that do not violate trade deals because the agreement carves out exceptions that legitimise domestic policy decisions. Exchanges on how these exceptions work in future trade agreements could be a part of the IPEF arrangement and nudge states towards framing digital trade negotiations through other channels, including at the WTO. Furthermore, states like Singapore that have launched AI self-governance mechanisms could share best practices on how these mechanisms were developed as well as evaluations of how they have helped policy goals be met. And these exchanges shouldn’t be limited to existing IPEF members. If the forum works well, countries that share strategic interests in the region with IPEF members, including, most notably, the European Union, may also want to get involved and further develop partnerships in the region.

Countering China

Talking shop on digital trade should certainly not be the only objective of the IPEF. The US has made it clear that they want the message emanating from the IPEF ‘to be heard in Beijing’. Indeed, the IPEF offers an opportunity for the reassertion of US economic interests in a region where President Trump’s withdrawal from the CPTPP has left a vacuum for China to fill. Accordingly, it is no surprise that the IPEF has representation from several regions of the Indo-Pacific: South Asia, Southeast Asia and the Pacific.

This should be an urgent policy priority for all IPEF members. Since its initial announcement in 2015, the Digital Silk Road (DSR), the digital arm of China’s Belt and Road Initiative, has spearheaded massive investments by the Chinese private sector (allegedly under close control of the Chinese state) in e-commerce, fintech, smart cities, data centres, fibre optic cables and telecom networks. This expansion has also happened in the Indo-Pacific, unhampered by China’s aggressive geopolitical posturing in the region through maritime land grabs in the South China Sea. With the exception of Vietnam, which remains wary of China’s economic expansionism, countries in Southeast Asia welcome Chinese investments, extolling their developmental benefits. Several IPEF members – including Indonesia, Malaysia and Singapore – have associations with Chinese private sector companies, predominantly Huawei and ZTE. A study evaluating Indonesia’s response to such investments indicates that while they are aware of the risks posed by Chinese infrastructure, their calculus remains unaltered: development and capacity building remain their primary focuses. Furthermore, on the specific question of surveillance, given evidence of other countries such as the US and Australia also using digital infrastructure for surveillance, the threat from China is not perceived as a unique risk.

Setting expectations and approaches

Still, the risks of excessive dependence on one country for the development of digital infrastructure are well known. While the IPEF cannot realistically expect to displace the DSR, it can be utilised to provide countries with alternatives. This can only be done by issuing carrots rather than sticks. A US narrative extolling ‘digital democracy’ is unlikely to gain traction in a region characterised by a diversity of political systems that is focused on economic and development needs. At the same time, an excessive focus on thorny domestic policy issues – such as data localisation and the pipe dream of yet another mega-regional trade deal – could risk derailing the geo-economic benefits of the IPEF.

Instead, the IPEF must focus on capacity building, training and private sector investment in infrastructure across the Indo-Pacific. The US must position itself as a geopolitically reliable ally, interested in the overall stability of the digital Indo-Pacific, beyond its own economic or policy preferences. This applies equally to other external actors, like the EU, who may be interested in engaging with or shaping the digital economic landscape in the Indo-Pacific.

Countering Chinese economic influence and complementing security agendas set through other fora – such as the Quadrilateral Security Dialogue – should be the primary objective of the IPEF. It is crucial that unrealistic ambitions seeking convergence on values or domestic policy do not undermine strategic interests and dilute the immense potential of the IPEF in catalysing a more competitive and secure digital Indo-Pacific.

Table: Domestic policy positions on data localisation and data protection

For more details visit https://cis-india.org/internet-governance/blog/directions-cyber-digital-europe-arindrajit-basu-september-16-2022-getting-the-digital-indo-pacific-economic-framework-right

Surveillance Enabling Identity Systems in Africa: Tracing the Fingerprints of Aadhaar

Shruti Trikanad and Vrinda Bhandari — 2022-08-09T08:17:32Z

Biometric identity systems are being introduced around the world with a focus on promoting human development and social and economic inclusion, rather than previous goals of security. As a result, these systems being encouraged in developing countries, particularly in Africa and Asia, sometimes with disastrous consequences.

In this report, we identify the different external actors that influencing this “developmental” agenda. These range from philanthropic organisations, private companies, and technology vendors, to state and international institutions. Most notable among these is the World Bank, whose influence we investigated in the form of case studies of Nigeria and Kenya. We also explored the role played by the “success” of the Aadhaar programme in India on these new ID systems. A key characteristic of the growing “digital identity for development” trend is the consolidation of different databases that record beneficiary data for government programmes into one unified platform, accessed by a unique biometric ID. This “Aadhaar model” has emerged as a default model to be adopted in developing countries, with little concern for the risks it introduces. Read and download the full report here.

For more details visit https://cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar

Surveillance Enabling Identity Systems in Africa

Shruti Trikanad and Vrinda Bhandari — 2022-08-09T08:13:34Z

For more details visit https://cis-india.org/internet-governance/surveillance-enabling-identity-systems-in-africa

CCTVs in Public Spaces and the Data Protection Bill, 2021

Anamika Kundu and Digvijay S Chaudhary — 2022-04-28T02:29:42Z

This article has been authored by Ms. Anamika Kundu, Research Assistant at the Centre for Internet and Society, and Digvijay S. Chaudhary, Researcher at the Centre for Internet and Society. This blog is a part of RSRR’s Blog Series on the Right to Privacy and the Legality of Surveillance, in collaboration with the Centre for Internet & Society.

The article by Anamika Kundu and Digvijay S. Chaudhary was originally published by RGNUL Student Research Review on April 20, 2022

Introduction

In recent times, Indian cities have seen an expansion of state deployed CCTV cameras. According to a recent report, in terms of CCTVs deployed, Delhi was considered as the most surveilled city in the world, surpassing even the most surveilled cities in China. Delhi was not the only Indian city in that list, Chennai and Mumbai also made it to the list. In Hyderabad as well, the development of a Command and Control Centre aims to link the city’s surveillance infrastructure in real-time. Even though studies have shown that there is little correlation between CCTVs and crime control, deployment of CCTV cameras has been justified on the basis of national security and crime deterrence. Such an activity brings about the collection and retention of audio-visual/visual information of all individuals frequenting spaces where CCTV cameras are deployed. This information could be used to identify them (directly or indirectly) based on their looks or other attributes. Potential risks associated with the misuse, and processing of such personal data also arise. These risks include large scale profiling, criminal abuse (law enforcement misusing CCTV information for personal gains), and discriminatory targeting (law enforcement disproportionately focusing on a particular group of people). As these devices capture personal data of individuals, this article seeks data protection safeguards available to data principals against CCTV surveillance employed by the State in a public space under the proposed Data Protection Bill, 2021 (the “DPB”).

Safeguards Available Under the Data Protection Bill, 2021

To use CCTV surveillance, the measures and compliance listed under the DPB have to be followed. Obligations of data fiduciaries available under Chapter II, such as consent (clause 11), notice requirement (clause 7), and fair and reasonable processing (clause 5) are common to all data processing entities for a variety of activities. Similarly, as the DPB follows the principles of data minimisation (clause 6), storage limitation (clause 9), purpose limitation (clause 5), lawful and fair processing (clause 4), transparency (clause 23), and privacy by design (clause 22), these safeguards too are common to all data processing entities/activities. If a data fiduciary processes personal data of children, it has to comply with the standards stated under clause 16.

Under the DPB, compliance differs on the basis of grounds and purpose of data processing. As such, if compliance standards differ, so do the availability of safeguards under the DPB. Of relevance to this article, there are three standards of compliance under the DPB wherein the standards of safeguards available to a data principal differ. First, cases which would fall under Chapter III and hence, not require consent. Chapter III lists grounds for processing of personal data without consent. Second, cases which would fall under exemption clauses in Chapter VIII. In such cases, the DPB or some of its provisions would be inapplicable. Clause 35 under Chapter VIII gives power to the Central Government to exempt any agency from the application of the DPB. Similarly, Clause 36 under Chapter VIII, exempts certain provisions for certain processing of personal data. Third, cases which would not fall under either of the above Chapters. In such cases, all safeguards available under the DPB would be available to the data principals. Consequently, safeguards available to data principals in each of these standards are different. We will go through each of these separately.

First, if the grounds of processing of CCTV information is such that it falls under the scope of Chapter III of the DPB, wherein the consent requirement is done away with, then in those cases, the notice requirement has to reflect such purpose, meaning that even if consent is not necessary for certain cases, other requirements under the DPB would still apply. Here, we must note that CCTV deployment by the state on such a large scale may be justified on the basis of conditions stated under clauses 12 and 14 of DPB – specifically, the condition for the performance of state function authorised by law, and public interest. The requirement under clause 12 of “authorised by law” simply means that the state function should have legal backing. Deployment of CCTVs is most likely to fall under clause 12 as various states have enacted legislations providing for CCTV deployment in the name of public safety. As a result, even if section 12 takes away the requirement of consent for certain cases, data principals should be able to exercise all rights accorded to them under the DPB (chapter V) except the right to data portability under clause 19.

Second, processing of personal data via CCTVs by government agencies could be exempted from DPB under clause 35 for certain cases under the clause. Another exemption that is particularly concerning with regard to the use of CCTVs is the exemption provided under clause 36(a). Section 36(a) says that the provisions of chapters II-VII would not apply where the data is processed in the interest of prevention, detection, investigation, and prosecution of any offence under the law. Chapters II-VII govern the obligations of data fiduciaries, grounds where consent would not be required, personal data of children, rights of data principals, transparency and accountability measures, and restrictions on transfer of personal data outside India respectively. In these cases, the requirement of fair and reasonable processing under clause 5 would also not apply. As a broad justification provided for CCTVs deployment by the government is crime control, it is possible that section 36(a) justification can be used to exempt the processing of CCTV footage from the above-mentioned safeguards.

From the above discussion, the following can be concluded. First, if the grounds of processing fall under Chapter III, then standards of fair and reasonable processing, notice requirement, and all rights except the right to data portability u/s 19 would be available to data principals. Second, if the grounds of processing fall under clause 36, then, in that case, consent requirement, notice requirement, and the rights under DPB would be unavailable as that section mandates the non-application of those chapters. In such a case, even the processing requirements of a fair and reasonable manner stand suspended. Third, if the grounds of processing of CCTV information doesn’t fall under Chapter III, then all obligations listed under Chapter II would have to be followed. Moreover, the data principal would be able to exercise all the rights available under Chapter V of the DPB.

Constitutional Standards

When the Supreme Court recognised privacy as a fundamental right in the case of Puttaswamy v. Union of India (“Puttaswamy”), it located the principles of informed consent and purpose limitation as central to informational privacy. It recognised that privacy inheres not in spaces but in an individual. It also recognised that privacy is not an absolute right and certain restrictions may be imposed on the exercise of the right. Before listing the constitutional standards that activities infringing privacy must adhere to, it’s important to answer whether there exists a reasonable expectation of privacy in CCTV footage deployed in a public space by the State?

In Puttaswamy, the court recognised that privacy is not denuded in public spaces. Writing for the plurality judgement, Chandrachud J. recognised that the notion of a reasonable expectation of privacy has elements both of a subjective and objective nature. Defining these concepts, he writes, “Privacy at a subjective level is a reflection of those areas where an individual desire to be left alone. On an objective plane, privacy is defined by those constitutional values which shape the content of the protected zone where the individual ought to be left alone…hence while the individual is entitled to a zone of privacy, its extent is based not only on the subjective expectation of the individual but on an objective principle which defines a reasonable expectation.” Note how in the above sentences, the plurality judgement recognises “a reasonable expectation” to be inherent in “constitutional values”. This is important as the meaning of what’s reasonable is to be constituted according to constitutional values and not societal norms. A second consideration that the phrase “reasonable expectation of privacy” requires is that an individual’s reasonable expectation is allied to the purpose for which the information is provided, as held in the case of Hyderabad v. Canara Bank (“Canara Bank”). Finally, the third consideration in defining the phrase is that it is context dependent. For example, in the case of In the matter of an application by JR38 for Judicial Review (Northern Ireland) 242 (2015) (link here), the UK Supreme Court was faced with a scenario where the police published the CCTV footage of the appellant involved in riotous behaviour. The question before the court was: “Whether the publication of photographs by the police to identify a young person suspected of being involved in riotous behaviour and attempted criminal damage can ever be a necessary and proportionate interference with that person’s article 8 [privacy] rights?” The majority held that there was no reasonable expectation of privacy in the case because of the nature of the criminal activity the appellant was involved in. However, the majority’s formulation of this conclusion was based on the reasoning that “expectation of privacy” was dependent on the “identification” purpose of the police. The court stated, “Thus, if the photographs had been published for some reason other than identification, the position would have been different and might well have engaged his rights to respect for his private life within article 8.1”. Therefore, as the purpose of publishing the footage was “identification” of the wrongdoer, the reasonable expectation of privacy stood excluded. The Canara Bank case was relied on by the SC in Puttaswamy. The plurality judgement in Puttaswamy also quoted the above paragraphs from the UK Supreme Court judgement.

Finally, the SC in the Aadhaar case, laid down the factors of “reasonable expectation of privacy.” Relying on those factors, the Supreme Court observed that demographic information and photographs do not raise a reasonable expectation of privacy. It further held that face photographs for the purpose of identification are not covered by a reasonable expectation of privacy. As this author has recognised, the majority in the Aadhaar case misconstrued the “reasonable expectation of privacy” to lie not in constitutional values as held in Puttaswamy but in societal norms. Even with the misapplication of the Puttaswamy principles by the majority in Aadhaar, it is clear that the exclusion of a “reasonable expectation of privacy” in face photographs is valid only for the purpose of “identification”. For purposes other than “identification”, there should exist a reasonable expectation of privacy in CCTV footage. Having recognised the existence of “reasonable expectation of privacy” in CCTV footage, let’s see how the safeguards mentioned under the DPB stand the constitutional standards of privacy laid down in Puttaswamy.

The bench in Puttaswamy located privacy not only in Article 21 but the entirety of part III of the Indian Constitution. Where transgression to privacy relates to different provisions under Part III, the tests evolved under those Articles would apply. Puttaswamy recognised that national security and crime control are legitimate state objectives. However, it also recognised that any limitation on the right must satisfy the proportionality test. The proportionality test requires a legitimate state aim, rational nexus, necessity, and balancing of interests. Infringement on the right to privacy occurs under the first and second standard. The first requirement of proportionality stands justified as national security and crime control have been recognised to be legitimate state objectives. However, it must be noted that the EU Guidelines on Processing of Personal Data through video devices state that the mere purpose of “safety” or “for your safety” is not sufficiently specific and is contrary to the principle that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. The second requirement is a rational nexus. As stated above, there is little correlation between crime control and surveillance measures. Even if the state justifies a rational nexus between state aim and the action employed, it is the necessity part of the proportionality test where the CCTV surveillance measures fail (as explained by this author). Necessity requires us to draw a list of alternatives and their impact on an individual, and then do a balancing analysis with regard to the alternatives. Here, judicial scrutiny of the exemption order under clause 35 is a viable alternative that respects individual rights while at the same time, not interfering with the state’s aim.

Conclusion

Informed consent and purpose limitation were stated to be central principles of informational privacy in Puttaswamy. Among the three standards we identified, the principles of informed consent and purpose limitation remain available only in the third standard. In the first standard, even though the requirement of consent has become unavailable, the principle of purpose limitation would still be applicable to the processing of such data. The second standard is of particular concern wherein neither of those principles is available to data principals. It is worth mentioning here that in large scale monitoring activities such as CCTV surveillance, the safeguards which the DPB lists out would inevitably have an implementation flaw. The reason is that in scenarios where individuals refuse consent for large scale CCTV monitoring, what alternatives would the government offer to those individuals? Practically, CCTV surveillance would fall under clause 12 standards where consent would not be required. Even in those cases, would the notice requirement safeguard be diminished to “you are under surveillance” notices? When we talk about exercise of rights available under the DPB, how would an individual effectively exercise their right when the data processing is not limited to a particular individual? These questions arise because the safeguards under the DPB (and data protection laws in general) are based on individualistic notions of privacy. Interestingly, individual use cases of CCTVs have also increased with an increase in state use of CCTVs. Deployment of CCTVs for personal or domestic purposes would be exempt from the above-mentioned compliances as that would fall under the exemption provision of clause 36(d). Two additional concerns arise in relation to processing of data concerning CCTVs – the JPC report’s inclusion of Non-Personal Data (“NPD”) within the ambit of DPB, and the government’s plan to develop a National Automated Facial Recognition System (“AFRS”). A significant part of the data collected by CCTVs would fall within the ambit of NPD.With the JPC’s recommendation, it will be interesting to follow the processing standards for NPD under the DPB. AFRS has been imagined as a national database of photographs gathered from various agencies to be used in conjunction with facial recognition technology. The use of facial recognition technology with CCTV cameras raises concerns surrounding biometric data, and risks of large scale profiling. Indeed, section 27 of the DPB reflects this risk and mandates a data protection impact assessment to be undertaken by the data fiduciary with respect to processing involving new technologies or large scale profiling or use of biometric data by such technologies, however the DPB does not define what “new technology” means. Concerns around biometric data are outside the scope of the present article, however, it would be interesting to look at how the use of facial recognition technology with CCTVs could impact the safeguards under DPB.

For more details visit https://cis-india.org/internet-governance/blog/rssr-anamika-kundu-digvijay-s-chaudhary-april-20-2022-cctvs-in-public-spaces-and-data-protection-bill-2021

Surveillance

praskrishna — 2022-04-28T02:19:59Z

Surveillance

For more details visit https://cis-india.org/home-images/Surveillance.jpg

Rethinking Acquisition of Digital Devices by Law Enforcement Agencies

Harikartik Ramesh — 2022-05-02T09:27:54Z

This article has been selected as a part of The Right to Privacy and the Legality of Surveillance series organized in collaboration with the RGNUL Student Research Review (RSRR) Journal.

Read the article originally published in RGNUL Student Research Review (RSRR) Journal

Abstract

The Criminal Procedure Code was created in the 1970s when the concept of the right to privacy was highly unacknowledged. Following the Puttuswamy I (2017) judgement of the Supreme Court affirming the right to privacy, these antiquated codes must be re-evaluated. Today, the police can acquire digital devices through summons and gain direct access to a person’s life, despite the summons mechanism having been intended for targeted, narrow enquiries. Once in possession of a device, the police attempt to circumvent the right against self-incrimination by demanding biometric passwords, arguing that the right does not cover biometric information . However, due to the extent of information available on digital devices, courts ought to be cautious and strive to limit the power of the police to compel such disclosures, taking into consideration the right to privacy judgement.

Keywords: Privacy, Criminal Procedural Law, CrPc, Constitutional Law

Introduction

New challenges confront the Indian criminal investigation framework, particularly in the context of law enforcement agencies (LEAs) acquiring digital devices and their passwords. Criminal procedure codes delimiting police authority and procedures were created before the widespread use of digital devices and are no longer pertinent to the modern age due to the magnitude of information available on a single device. A single device could provide more information to LEAs than a complete search of a person’s home; yet, the acquisition of a digital device is not treated with the severity and caution it deserves. Following the affirmation of the right to privacy in Puttuswamy I (2017), criminal procedure codes must be revamped, taking into consideration that the acquisition of a person’s digital device constitutes a major infringement on their right to privacy.

Acquisition of digital devices by LEAs through summons

Section 91 of the Criminal Procedure Code (CrPc) grants powers to a court or police officer in charge of a police station to compel a person to produce any form of document or ‘thing’ necessary and desirable to a criminal investigation. In Rama Krishna v State, ‘necessary’ and ‘desirable’ have been interpreted as any piece of evidence relevant to the investigation or a link in the chain of evidence. Abhinav Sekhri, a criminal law litigator and writer, has argued that the wide wording of this section allows summons to be directed towards the retrieval of specific digital devices.

As summons are target-specific, the section has minimal safeguards. However, several issues arise in the context of summons regarding digital devices. In the current day, access to a user’s personal device can provide comprehensive insight into their life and personality due to the vast amounts of private and personal information stored on it. In Riley v California, the Supreme Court of the United States (SCOTUS) observed that due to the nature of the content present on digital devices, summons for them are equivalent to a roving search, i.e., demanding the simultaneous production of all contents of the home, bank records, call records, and lockers. The Riley decision correctly highlights the need for courts to recognise that digital devices ought to be treated distinctly compared to other forms of physical evidence due to the repository of information stored on digital devices.

The burden the state must surpass in order to issue summons is low as the relevancy requirement is easily provable. As noted in Riley, police must identify which evidence on a device is relevant. Due to the sheer amount of data on phones, it is very easy for police to claim that there will surely be some form of connection between the content on the device and the case. Due to the wide range of offences available for Indian LEAs to cite, it is easy for them to argue that the content on the device is relevant to any number of possible offences. LEAs rarely face consequences for slamming the accused with a huge roster of charges – even if many of them are baseless – leading to the system being prone to abuse. The Indian Supreme Court in its judgement in Canara Bank noted that the burden of proof must be higher for LEAs when investigations violate the right to privacy. Tarun Krishnakumar notes that the trickle-down effect of Puttuswamy I will lead to new privacy challenges with regards to a summons to appear in court. Puttuswamy I, will provide the bedrock and constitutional framework, within which future challenges to the criminal process will be undertaken. It is important for the court to recognise the transformative potential within the Puttuswamy judgement to help ensure that the right to privacy of citizens is safeguarded. The colonial logic of policing – wherein criminal procedure law was merely a tool to maximise the interest of the state at the cost of the people – must be abandoned. Courts ought to devise a framework under Section 91 to ensure that summons are narrowly framed to target specific information or content within digital devices. Additionally, the digital device must be collected following a judicial authority issuing the summons and not a police authority. Prior judicial warrants will require LEAs to demonstrate their requirement for the digital device; on estimating the impact on privacy, the authority can issue a suitable summons. Currently, the only consideration is if the item will furnish evidence relevant to the investigation; however, judges ought to balance the need for the digital device in the LEA’s investigation with the users’ right to privacy, dignity, and autonomy.

Puttuswamy I provides a triple test encompassing legality, necessity, and proportionality to test privacy claims. Legality requires that the measure be prescribed by law, necessity analyses if it is the least restrictive means being adopted by the state, and proportionality checks if the objective pursued by the measure is proportional to the degree of infringement of the right. The relevance standard, as mentioned before, is inadequate as it does not provide enough safeguards against abuse. The police can issue summons based on the slightest of suspicions and thus get access to a digital device, following which they can conduct a roving enquiry of the device to find evidence of any other offence, unrelated to the original cause of suspicion.

Unilateral police summons of digital devices cannot pass the triple test as it is grossly disproportionate and lacks any form of safeguard against the police. The current system has no mechanism for overseeing the LEAs; as long as LEAs themselves are of the view that they require the device, they can acquire it. In Riley, SCOTUS has already held that warrantless seizure of digital devices constitutes a violation of the right to privacy. India ought to also adopt a requirement of a prior judicial warrant for the procurement of devices by LEAs. A re-imagined criminal process would have to abide by the triple test in particular proportionality wherein the benefit claimed by the state ought not to be disproportionate to the impact on the fundamental right to privacy; and further, a framework must be proposed to provide safeguards against abuse.

Compelling the production of passwords of devices

In police investigations, gaining possession of a physical device is merely the first step in acquiring the data on the device, as the LEAs still require the passcodes needed to unlock the device. LEAs compelling the production of passcodes to gain access to potentially incriminating data raises obvious questions regarding the right against self-incrimination; however, in the context of digital devices, several privacy issues may crop up as well.

In Kathi Kalu Oghad, the SC held that compelling the production of fingerprints of an accused person to compare them with fingerprints discovered by the LEA in the course of their investigation does not violate the right to protection against self-incrimination of the accused. It has been argued that the ratio in the judgement prohibits the compelling of disclosure of passwords and biometrics for unlocking devices because Kathi Kalu Oghad only dealt with the production of fingerprints in order to compare the fingerprints with pre-existing evidence, as opposed to unlocking new evidence by utilising the fingerprint. However, the judgement deals with self-incrimination and does not address any privacy issues.

The right against self-incrimination approach alone may not be enough to resolve all concerns. Firstly, there may be varying levels of protection provided to different forms of password protections on digital devices; text- and pattern-based passcodes are inarguably protected under Art. 20(3) of the Constitution. However, the protection of biometrics-based passcodes relies upon the correct interpretation of the Kathi Kalu Oghad precedent. Secondly, Art. 20(3) only protects the accused in investigations and not when non-accused digital devices are acquired by LEAs and the passcodes of the devices demanded.

Therefore, considering the aforementioned points, it is pertinent to remember that the right against self-incrimination does not exist in a vacuum separate from privacy. It originates from the concept of decisional autonomy – the right of individuals to make decisions about matters intimate to their life without interference from the state and society. Puttuswamy I observed that decisional autonomy is the bedrock of the right to privacy, as privacy allows an individual to make these intimate decisions away from the glare of society and/or the state. This has heightened importance in this context as interference with such autonomy could lead to the person in question facing criminal prosecution. The SC in Selvi v Karnataka and Puttuswamy I has repeatedly affirmed that the right against self-incrimination and the right to privacy are linked concepts, with the court observing that the right to remain silent is an integral aspect of decisional autonomy.

In Virendra Khanna, the Karnataka High Court (HC) dealt with the privacy and self-incrimination concerns caused by LEAs compelling the disclosure of passwords. The HC brushes aside concerns related to privacy by noting that the right to privacy is not absolute and that an exception to the right to privacy is state interest and protection of law and order (para 5.11), and that unlawful disclosure of material to third parties could be an actionable wrong (para 15). The court’s interpretation of privacy effectively provides a free pass for the police to interfere with the right to privacy under the pretext of a criminal investigation. This conception of privacy is inadequate as the issue of proportionality is avoided, and the court does not attempt to ensure that the interference is proportionate with the outcome.

US courts also see the compelling of production of passcodes as an issue of self-incrimination as well as privacy. In its judgement in Application for a Search Warrant, a US court observed that compelling the disclosure of passcodes existed at an intersection of the right to privacy and self-incrimination; the right against self-incrimination serves to protect the privacy interests of suspects.

Disclosure of passwords to digital devices amounts to an intrusion of the privacy of the suspect as the collective contents on the digital device effectively amount to providing LEAs with a method to observe a person’s mind and identity. Police investigative techniques cannot override fundamental rights and must respect the personal autonomy of suspects – particularly, the choice between silence and speech. Through the production of passwords, LEAs can effectively get a snapshot of a suspect’s mind. This is analogous to the polygraph and narco-analysis test struck down as unconstitutional by the SC in Selvi as it violates decisional autonomy.

As Sekhri noted, a criminal process that reflects the aspirations of the Puttuswamy judgement would require LEAs to first explain with reasonable detail the material which they wish to find in the digital devices. Secondly, they must provide a timeline for the investigation to ensure that individuals are not subjected to inexhaustible investigations with police roving through their devices indefinitely. Thirdly, such a criminal process must demand, a higher burden to be discharged from the state if the privacy of the individual is infringed upon. These aspirations should form the bedrock of a system of judicial warrants that LEAs ought to be required to comply with if they wish to compel the disclosure of passwords from individuals. The framework proposed above is similar to the Virendra Khanna guidelines, as they provide a system of checks and balances that ensure that the intrusion on privacy is carried out proportionately; additionally, it would require LEAs to show a real requirement to demand access to the device. The independent eyes of a judicial magistrate provide a mechanism of oversight and a check against abuse of power by LEAs.

Conclusion

The criminal law apparatus is the most coercive power available to the state, and, therefore, privacy rights will become meaningless unless they can withstand it. Several criminal procedures in the country are rooted in colonial statutes, where the rights of the populace being policed were never a consideration; hence, a radical shift is required. However, post-1947 and Puttuswamy, the ignorance and refusal to submit to the rights of the population can no longer be justified and significant reformulation is necessary to guarantee meaningful protections to device owners. There is a need to ensure that the rights of individuals are protected, especially when the motivation for their infringement is the supposed noble intentions of the criminal justice system. Failing to defend the right to privacy in these moments would be an invitation for allowing the power of the state to increase and inevitably become absolute.

For more details visit https://cis-india.org/internet-governance/blog/rethinking-acquisition-of-digital-devices-by-law-enforcement-agencies

Response to the Pegasus Investigation

Anamika Kundu, Digvijay, Arindrajit Basu, Shweta Mohandas and Pallavi Bedi — 2022-04-13T14:44:43Z

For more details visit https://cis-india.org/internet-governance/response-to-the-pegasus-investigation

Personal Data Protection Bill must examine data collection practices that emerged during pandemic

Shweta Mohandas and Anamika Kundu — 2022-03-30T15:15:21Z

The PDP bill is speculated to be introduced during the winter session of the parliament soon. The PDP Bill in its current form provides wide-ranging exemptions which allow government agencies to process citizen’s data in order to fulfil its responsibilities. The bill could ensure that employers have some responsibility towards the data they collect from the employees.

The article by Shweta Mohandas and Anamika Kundu was originally published by news nine on November 29, 2021.

The Personal Data Protection Bill (PDP) is speculated to be introduced during the winter session of the parliament soon, and the report of the Joint Parliamentary Committee (JPC) has already been adopted by the committee on Monday. The Report of the JPC comes after almost two years of deliberation and secrecy over how the final version of the Personal Data Protection Bill will be. Since the publication of the 2019 version of the PDP Bill, the Covid 19 pandemic and the public safety measures have opened the way for a number of new organisations and reasons to collect personal data that was non-existent in 2019. Hence along with changes that have been suggested by multiple civil society organisations, the dissent notes submitted by the members of the JPC, the new version of the PDP Bill must also look at how data processing has changed over the span of two years.

Concerns with the bill

At the outset there are certain parts of the PDP Bill which need to be revised in order to uphold the spirit of privacy and individual autonomy laid out in the Puttaswamy judgement. The two sections that need to be in line with the privacy judgement are the ones that allow for non consensual processing of data by the government, and by employers. The PDP Bill in its current form provides wide-ranging exemptions which allow government agencies to process citizen's data in order to fulfil its responsibilities.

In the 2018 version of bill, drafted by the Justice Srikrishna Committee exemptions granted to the State with regard to processing of data was subject to a four pronged test which required the processing to be (i) authorised by law; (ii) in accordance with the procedure laid down by the law; (iii) necessary; and (iv) proportionate to the interests being achieved. This four pronged test was in line with the principles laid down by the Supreme Court in the Puttaswamy judgement. The 2019 version of the PDP Bill has diluted this principle by merely retaining the 'necessity principle' and removing the other requirements which is not in consonance with the test laid down by the Supreme Court in Puttaswamy.

Section 35 was also widely discussed in the panel meetings where members had argued the removal of 'public order' as a ground for exemption. The panel also insisted for 'judicial or parliamentary oversight' to grant such exemptions. The final report did not accept these suggestions stating a need to balance national security, liberty and privacy of an individual. There ought to be prior judicial review of the written order exempting the governmental agency from any provisions of the bill. Allowing the government to claim an exemption if it is satisfied to be "necessary or expedient" can be misused.

Another clause which gives the data principal a wide berth is with respect to employee data Section 13 of the current version of the bill provides the employer with a leeway into processing employee data (other than sensitive personal data) without consent based on two grounds: when consent is not appropriate, or when obtaining consent would involve disproportionate effort on the part of the employer.

The personal data so collected can only be collected for recruitment, termination, attendance, provision of any service or benefit, and assessing performance. This covers almost all of the activities that require data of the employee. Although the 2019 version of the bill excludes non-consensual collection of sensitive personal data (a provision that was missing in the 2018 version of the bill), there is still a lot of scope to improve this provision and provide employees further right to their data. At the outset the bill does not define employee and employer, which could result in confusion as there is no one definition of these terms across Indian Labour Laws.

Additionally, the bill distinguishes between employee and consumer, where the consumer of the same company or service has a greater right to their data than an employee. In the sense that the consumer as a data principal has the option to use any other product or service and also has the right to withdraw consent at any time, in the case of an employee the consequence of refusing consent or withdrawing consent would be being terminated from the employment. It is understood that there is a requirement for employee data to be collected, and that consent does not work the same way as it does in the case of a consumer.

The bill could ensure that employers have some responsibility towards the data they collect from the employees, such as ensuring that they are only used for the purpose for which they were collected, the employee knows how long their data will be retained, and know if the data is being processed by third parties. It is also worth mentioning that the Indian government is India's largest employer spanning a variety of agencies and public enterprises.

Concerns highlighted by JPC Members

Going back to the few members of the JPC who have moved dissent notes, specifically with regard to governmental exemptions. Jairam Ramesh filed a dissent note, to which many other opposition members followed suit. While Jairam Ramesh praised the JPC's functioning, he disagreed with certain aspects of the Report. According to him, the 2019 bill is designed in a manner where the right to privacy is given importance only in cases of private activities. He raised concerns regarding the unbridled powers given to the government to exempt itself from any of the provisions.

The amendment suggested by him would require parliamentary approval before exemption would take place. He also added that Section 12 of the bill which provided certain scenarios where consent was not needed for processing of personal data should have been made 'less sweeping'. Similarly, Gaurav Gogoi's note stated that the exemptions would create a surveillance state and similarly criticised Section 12 and 35 of the bill. He also mentioned that there ought to be parliamentary oversight for the exemptions provided in the bill.

On the same issue, Congress leader Manish Tiwari noted that the bill creates 'parallel universes' - one for the private sector which needs to be compliant and the other for the State which can exempt itself. He has opposed the entire bill stating there exists an "inherent design flaw". He has raised specific objections to 37 clauses and stated that any blanket exemptions to the state goes against the Puttaswamy Judgement.

In their joint dissent note, Derek O'Brien and Mahua Mitra have said that there is a lack of adequate safeguards to protect the data principals' privacy and the lack of time and opportunity for stakeholder consultations. They have also pointed out that the independence of the DPA will cease to exist with the present provision of allowing the government powers to choose members and the chairman. Amar Patnaik is to object to the lack of inclusion of state level authorities in the bill. Without such bodies, he says, there would be federal override.

Conclusion

While a number of issues were highlighted by civil society, the members of the JPC, and the media, the new version of the bill should also need to take into account the shifts that have taken place in view of the pandemic. The new version of the data protection bill should take into consideration the changes and new data collection practices that have emerged during the pandemic, be comprehensive and leave very little provisions to be decided later by the Rules.

For more details visit https://cis-india.org/internet-governance/blog/news-nine-shweta-mohandas-and-anamika-kundu-personal-data-protection-bill-must-examine-data-collection-practices-that-emerged-during-pandemic

Comments on InDEA 2.0

divyank — 2022-03-22T06:26:39Z

For more details visit https://cis-india.org/internet-governance/comments-on-indea-2.0

Clause 12 Of The Data Protection Bill And Digital Healthcare: A Case Study

amber — 2022-03-01T15:07:44Z

In light of the state’s emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?

The blog post was published in Medianama on February 21, 2022. This is the second in a two-part series by Amber Sinha.

In the previous post, I looked at provisions on non-consensual data processing for state functions under the most recent version of recommendations by the Joint Parliamentary Committee on India’s Data Protection Bill (DPB). The true impact of these provisions can only be appreciated in light of ongoing policy developments and real-life implications.

To appreciate the significance of the dilutions in Clause 12, let us consider the Indian state’s range of schemes promoting digital healthcare. In July 2018, NITI Aayog, a central government policy think tank in India released a strategy and approach paper (Strategy Paper) on the formulation of the National Health Stack which envisions the creation of a federated application programming interface (API)-enabled health information ecosystem. While the Ministry of Health and Family Welfare has focused on the creation of Electronic Health Records (EHR) Standards for India during the last few years and also identified a contractor for the creation of a centralised health information platform (IHIP), this Strategy Paper advocates a completely different approach, which is described as a Personal Health Records (PHR) framework. In 2021, the National Digital Health Mission (NDHM) was launched under which a citizen shall have the option to obtain a digital health ID. A digital health ID is a unique ID and will carry all health records of a person.

A Stack Model for Big Data Ecosystem in Healthcare

A stack model as envisaged in the Strategy Paper, consists of several layers of open APIs connected to each other, often tied together by a unique health identifier. The open nature of APIs has the advantage that it allows public and private actors to build solutions on top of it, which are interoperable with all parts of the stack. It is however worth considering both the ‘openness’ and the role that the state plays in it.

Even though the APIs are themselves open, they are a part of a pre-decided technological paradigm, built by private actors and blessed by the state. Even though innovators can build on it, the options available to them are limited by the information architecture created by the stack model. When such a technological paradigm is created for healthcare reform and health data, the stack model poses additional challenges. By tying the stack model to the unique identity, without appropriate processes in place for access control, siloed information, and encrypted communication, the stack model poses tremendous privacy and security concerns. The broad language under Clause 12 of the DPB needs to be looked at in this context.

Clause 12 allows non-consensual processing of personal data where it is necessary “for the performance of any function of the state authorised by law” in order to provide a service or benefit from the State. In the previous post, I had highlighted the import of the use of only ‘necessity’ to the exclusion of ‘proportionality’. Now, we need to consider its significance in light of the emerging digital healthcare apparatus being created by the state.

The National Health Stack and National Digital Health Mission together envision an intricate system of data collection and exchange which in a regulatory vacuum would ensure unfettered access to sensitive healthcare data for both the state and private actors registered with the platforms. The Stack framework relies on repositories where data may be accessed from multiple nodes within the system. Importantly, the Strategy Paper also envisions health data fiduciaries to facilitate consent-driven interaction between entities that generate the health data and entities that want to consume the health records for delivering services to the individual. The cast of characters involve the National Health Authority, health care providers and insurers who access the National Health Electronic Registries, unified data from different programmes such as National Health Resource Repository (NHRR), NIN database, NIC and the Registry of Hospitals in Network of Insurance (ROHINI), private actors such as Swasth, iSpirt who assist the Mission as volunteers. The currency that government and private actors are interested in is data.

The promised benefits of healthcare data in an anonymised and aggregate form range from Disease Surveillance to Pharmacovigilance as well as Health Schemes Management Systems and Nutrition Management, benefits which have only been more acutely emphasised during the pandemic. However, the pandemic has also normalised the sharing of sensitive healthcare data with a variety of actors, without much thinking on much-needed data minimisation practises.

The potential misuses of healthcare data include greater state surveillance and control, predatory and discriminatory practices by private actors which rely on Clause 12 to do away with even the pretense of informed consent so long as the processing of data is deemed necessary by the state and its private sector partners to provide any service or benefit.

Subclause (e) in Clause 12, which was added in the last version of the Bill drafted by MeitY and has been retained by the JPC, allows processing wherever it is necessary for ‘any measures’ to provide medical treatment or health services during an epidemic, outbreak or threat to public health. Yet again, the overly-broad language used here is designed to ensure that any annoyances of informed consent can be easily brushed aside wherever the state intends to take any measures under any scheme related to public health.

Effectively, how does the framework under Clause 12 alter the consent and purpose limitation model? Data protection laws introduce an element of control by tying purpose limitation to consent. Individuals provide consent to specified purposes, and data processors are required to respect that choice. Where there is no consent, the purposes of data processing are sought to be limited by the necessity principle in Clause 12. The state (or authorised parties) must be able to demonstrate necessity to the exercise of state function, and data must only be processed for those purposes which flow out of this necessity. However, unlike the consent model, this provides an opportunity to keep reinventing purposes for different state functions.

In the absence of a data protection law, data collected by one agency is shared indiscriminately with other agencies and used for multiple purposes beyond the purpose for which it was collected. The consent and purpose limitation model would have addressed this issue. But, by having a low threshold for non-consensual processing under Clause 12, this form of data processing is effectively being legitimised.

For more details visit https://cis-india.org/internet-governance/blog/medianama-february-21-2022-amber-sinha-data-protection-bill-digital-healthcare-case-study

General Comments on Data Protection Bill

Pallavi Bedi and Shweta Mohandas — 2022-02-14T15:55:10Z

For more details visit https://cis-india.org/internet-governance/general-comments-data-protection-bill.pdf

Notes for India as the digital trade juggernaut rolls on

basu — 2022-02-09T15:04:36Z

Sitting out trade negotiations could result in the country losing out on opportunities to shape the rules.

The article by Arindrajit Basu was published in the Hindu on February 8, 2022

Despite the cancellation of the Twelfth Ministerial Conference (MC12) of the World Trade Organization (WTO) late last year (scheduled date, November 30, 2021-December 3, 2021) due to COVID-19, digital trade negotiations continue their ambitious march forward. On December 14, Australia, Japan, and Singapore, co-convenors of the plurilateral Joint Statement Initiative (JSI) on e-commerce, welcomed the ‘substantial progress’ made at the talks over the past three years and stated that they expected a convergence on more issues by the end of 2022.

Holding out

But therein lies the rub: even though JSI members account for over 90% of global trade, and the initiative welcomes newer entrants, over half of WTO members (largely from the developing world) continue to opt out of these negotiations. They fear being arm-twisted into accepting global rules that could etiolate domestic policymaking and economic growth. India and South Africa have led the resistance and been the JSI’s most vocal critics. India has thus far resisted pressures from the developed world to jump onto the JSI bandwagon, largely through coherent legal argumentation against the JSI and a long-term developmental vision. Yet, given the increasingly fragmented global trading landscape and the rising importance of the global digital economy, can India tailor its engagement with the WTO to better accommodate its economic and geopolitical interests?

Global rules on digital trade

The WTO emerged in a largely analogue world in 1994. It was only at the Second Ministerial Conference (1998) that members agreed on core rules for e-commerce regulation. A temporary moratorium was imposed on customs duties relating to the electronic transmission of goods and services. This moratorium has been renewed continuously, to consistent opposition from India and South Africa. They argue that the moratorium imposes significant costs on developing countries as they are unable to benefit from the revenue customs duties would bring.

The members also agreed to set up a work programme on e-commerce across four issue areas at the General Council: goods, services, intellectual property, and development. Frustrated by a lack of progress in the two decades that followed, 70 members brokered the JSI in December 2017 to initiate exploratory work on the trade-related aspects of e-commerce. Several countries, including developing countries, signed up in 2019 despite holding contrary views to most JSI members on key issues. Surprise entrants, China and Indonesia, argued that they sought to shape the rules from within the initiative rather than sitting on the sidelines.

India and South Africa have rightly pointed out that the JSI contravenes the WTO’s consensus-based framework, where every member has a voice and vote regardless of economic standing. Unlike the General Council Work Programme, which India and South Africa have attempted to revitalise in the past year, the JSI does not include all WTO members. For the process to be legally valid, the initiative must either build consensus or negotiate a plurilateral agreement outside the aegis of the WTO.

India and South Africa’s positioning strikes a chord at the heart of the global trading regime: how to balance the sovereign right of states to shape domestic policy with international obligations that would enable them to reap the benefits of a global trading system.

A contested regime

There are several issues upon which the developed and developing worlds disagree. One such issue concerns international rules relating to the free flow of data across borders. Several countries, both within and outside the JSI, have imposed data localisation mandates that compel corporations to store and process data within territorial borders. This is a key policy priority for India. Several payment card companies, including Mastercard and American Express, were prohibited from issuing new cards for failure to comply with a 2018 financial data localisation directive from the Reserve Bank of India. The Joint Parliamentary Committee (JPC) on data protection has recommended stringent localisation measures for sensitive personal data and critical personal data in India’s data protection legislation. However, for nations and industries in the developed world looking to access new digital markets, these restrictions impose unnecessary compliance costs, thus arguably hampering innovation and supposedly amounting to unfair protectionism.

There is a similar disagreement regarding domestic laws that mandate the disclosure of source codes. Developed countries believe that this hampers innovation, whereas developing countries believe it is essential for algorithmic transparency and fairness — which was another key recommendation of the JPC report in December 2021.

India’s choices

India’s global position is reinforced through narrative building by political and industrial leaders alike. Data sovereignty is championed as a means of resisting ‘data colonialism’, the exploitative economic practices and intensive lobbying of Silicon Valley companies. Policymaking for India’s digital economy is at a critical juncture. Surveillance reform, personal data protection, algorithmic governance, and non-personal data regulation must be galvanised through evidenced insights,and work for individuals, communities, and aspiring local businesses — not just established larger players.

Hastily signing trading obligations could reduce the space available to frame appropriate policy. But sitting out trade negotiations will mean that the digital trade juggernaut will continue unchecked, through mega-regional trading agreements such as the Regional Comprehensive Economic Partnership (RCEP) and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). India could risk becoming an unwitting standard-taker in an already fragmented trading regime and lose out on opportunities to shape these rules instead.

Alternatives exist; negotiations need not mean compromise. For example, exceptions to digital trade rules, such as ‘legitimate public policy objective’ or ‘essential security interests’, could be negotiated to preserve policymaking where needed while still acquiescing to the larger agreement. Further, any outcome need not be an all-or-nothing arrangement. Taking a cue from the Digital Economy Partnership Agreement (DEPA) between Singapore, Chile, and New Zealand, India can push for a framework where countries can pick and choose modules with which they wish to comply. These combinations can be amassed incrementally as emerging economies such as India work through domestic regulations.

Despite its failings, the WTO plays a critical role in global governance and is vital to India’s strategic interests. Negotiating without surrendering domestic policy-making holds the key to India’s digital future.

Arindrajit Basu is Research Lead at the Centre for Internet and Society, India. The views expressed are personal. The author would like to thank The Clean Copy for edits on a draft of this article.

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-arindrajit-basu-february-8-2022-notes-for-india-as-the-digital-trade-juggernaut-rolls-on

CIS-ITfC-e-Shram-issue-brief-Dec-21 pdf

pranav — 2021-12-10T11:01:03Z

For more details visit https://cis-india.org/raw/cis-itfc-e-shram-issue-brief-dec-21-pdf