Centre for Internet and Society

Comments to Telecommunications Bill 2023

shweta — 2024-01-06T01:18:38Z

For more details visit https://cis-india.org/telecom/files/cis-comments-to-telecommunications-bill-2023

Health Data Management Policies - Differences Between the EU and India

shweta — 2023-07-10T16:36:25Z

Through this issue brief we would like to highlight the differences in approaches to health data management taken by the EU and India, and look at possible recommendations for India, in creating a privacy preserving health data management policy.

This issue brief was reviewed and edited by Pallavi Bedi

Introduction

Health data has seen an increased interest the world over, on account of the amount of information and inferences that can be drawn not just about a person but also about the population in general. The Covid 19 pandemic also brought about an increased focus on health data, and brought players that earlier did not collect health data to be required to collect such data, including offices and public spaces. This increased interest has led to further thought on how health data is regulated and a greater understanding of the sensitivity of such data, because of which countries are in varying processes to get health data regulated over and above the existing data protection regulations. The regulations not only look at ensuring the privacy of the individual but also look at ways in which this data can be shared with companies, researchers and public bodies to foster innovation and to monetise this valuable data. However for a number of countries the effort is still on the digitisation of health data. India has been in the process of implementing a nationwide health ID that can be used by a person to get all their medical records in one place. The National Health Authority (NHA) has also since 2017 been publishing policies that look at the framework and ecosystem of health data, as well as the management and sharing of health data. However these policies and a scattered implementation of the health ID are being carried out without a data protection legislation in place. In comparison, Europe, which already has an established health Id system, and a data protection legislation (GDPR) is looking at the next stage of health data management through the EU Health Data Space (EUHDS). Through this issue brief we would like to highlight the differences in approaches to health data management taken by the EU and India, and look at possible recommendations for India, in creating a privacy preserving health data management policy.

Background

EU Health Data Space

The EU Health Data Space (EUHDS) was proposed by the EU Council as a way to create an ecosystem which combines rules, standards, practices and infrastructure, around health data under a common governance framework. The EUHDS is set to rely on two pillars; namelyMyHealth@EU and HealthData@EU, where MyHealth@EU facilitates easy flow of health data between patients and healthcare professionals within member states, the HealthData@EU,faciliates secondary use of data which allows policy makers,researchers access to health data to foster research and innovation.^{^[1]} The EUHDS aims to provide a trustworthy system to access and process health data and builds up from the General Data Protection Regulation (GDPR), proposed Data Governance Act.^{^[2]}

India’s health data policies:

The last few years has seen a flurry of health policies and documents being published and the creation of a framework for the evolution of a National Digital Health Ecosystem (NDHE). The components for this ecosystem were the National Digital Health Blueprint published in 2019 (NDHB) and the National Digital Health Mission (NDHM). The BluePrint was created to implement the National Health Stack (published in 2018) which facilitated the creation of Health IDs.^{^[3]} Whereas the NDHM was drafted to drive the implementation of the Blueprint, and promote and facilitate the evolution of NDHE.^{^[4]}

The National Health Authority (NHA) established in 2018 has been given the responsibility of implementing the National Digital Health Mission. 2018 also saw the Digital Information Security in Healthcare Act (DISHA) which was to be a legislation that laid down provisions that regulate the generation, collection, access, storage, transmission and use of Digital Health Data ("DHD") and associated personal data.^{^[5]} However since its call for public consultation no progress has been made on this front.

Along with these three strategy documents the NHA has also released policy documents more particularly the Health Data Management Policy (which was revised three times; the latest version released in April 2022), the Health Data Retention Policy (released April 2021), and the Consultation Paper on Unified Health Interface (UHI) (released March 2021). Along with this in 2022 the NHA released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) India’s state health insurance policy.

However these draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; the PM-JAY’s Data Sharing Guidelines published in August 2022 did not even refer to the draft National Digital Health Data Management Policy (published in April 2022). As stated through the examples above these documents do not cross-refer or mention preceding health data documents, creating a lack of clarity of which documents are being used as guidelines by health care providers.

In addition to this the Personal Data Protection Bill has been revised three times since its release in 2018. The latest version was published for public comments on November 18, 2022; the Bill has removed the distinction between sensitive personal data and personal data and clubbed all personal data under one umbrella heading of personal data. Health and health data definition has also been deleted; creating further uncertainty with respect to health data as the different policies mentioned above rely on the data protection legislation to define health data.

Comparison of the Health Data Management Approaches
Interoperability with Data Protection Legislations

At the outset the key difference between the EU and India’s health data management policies has been the legal backing of GDPR which the EUHDS has. EUHDS has a strong base in terms of rules for privacy and data protection as it follows, draws inference and works in tandem with the General Data Protection Regulation (GDPR). The provisions also build upon legislation such as Medical Devices Regulation and the In Vitro Diagnostics Regulation. With particular respect to GDPR the EUHDS draws from the rights set out for protection of personal data including that of electronic health data.

The Indian Health data policies however currently exist in the vacuum created by the multiple versions of the Data Protection Bill that are published and repealed or replaced. The current version called the Digital Personal Data Protection Bill 2022 seems to take a step backward in terms of health data. The current version does away with sensitive personal data (which health data was a part of) and keeps only one category of data - personal data. It can be construed that the Bill currently considers all personal data as needing the same level of protection but it is not so in practice. The Bill does not at the moment mandate more responsibilities on data fiduciaries^{^[6]} that deal with health data (something that was present in all the earlier versions of the Bill) and in other data protection legislation across different jurisdictions and leaves the creation of Significant Data Fiduciaries (who have more responsibilities) to be created by rules, based on the sensitivity of data decided by the government at a later date.^{^[7]} In addition to this the Bill does not define “health data”, the reason why this is a cause for worry is that the existing health data policies also do not define health data often relying on the definition mentioned in the versions of Data Protection Bill.

Definitions and Scope

The EUHDS defines ‘personal electronic health data’ as data concerning health and genetic data as defined in Regulation (EU) 2016/679^{^[8]}, as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services, processed in an electronic form. Health data by these parameters would then include not just data about the status of health of a person which includes reports and diagnosis, but also data from medical devices.

In India the Health Data Management Policy 2022, defines “Personal Health Records” (PHR) as a health record that is initiated and maintained by an individual. The policy also states that a PHR would be able to reveal a complete and accurate summary of the health and medical history of an individual by gathering data from multiple sources and making this accessible online. However there is no definition of health data which can be used by companies or users to know what comes under health data. The 2018, 2019 and 2021 version of the Data Protection Legislation had definitions of the term health data, however the 2022 version of the Bill does away with the definition.

Health data and wearable devices

One of the forward looking provisions in the EUHDS is the inclusion of devices that records health data into this legislation. This also includes the requirement of them to be added to registries to provide easy access and scrutiny. The document also requires voluntary labeling of wellness applications and registration of EHR systems and wellness applications. This is not just for the regulation point of view but also in the case of data portability, in order for people to control the data they share. In addition to this in the case where manufacturers of medical devices and high-risk AI systems declare interoperability with the EHR systems, they will need to comply with the essential requirements on interoperability under the EHDS.

In India the health data management policy 2022 while stating the applicable entities and individuals who are part of the ABDM ecosystem^{^[9]} mention medical device manufacturers, does not mention device sellers or use terms such as wellness applications or wearable devices. Currently the regulation of medical devices falls under the purview of the Drugs and Cosmetics Act, 1940 (DCA) read along with the Medical Device Rules, 2017 (MDR). However in 2020 possibly due to the pandemic the Indian Government along with the Drugs Technical Advisory Board (DTAB) issued two notifications the first one expanded the scope of medical devices which earlier was limited to only 37 categories excluding medical apps, and second one notified the Medical Device (Amendment) Rules, 2020. These two changes together brought all medical devices under the DCA as well as expanded the categories of medical devices. However it is still unclear whether fitness tracker apps that come with devices are regulated, as the rules and the DCA still rely on the manufacturer to self-identify as a medical device.^{^[10]} However, this regulatory uncertainty has not brought about any change in how this data is being used and insurance companies at times encourage people to sync their fitness tracker data.^{^[11]}

Multiple use of health data

The EUHDS states two types of uses of data: primary and secondary use of data. In the document the EU states that while there are a number of organisations collecting data, this data is not made available for purposes other than for which it was collected. In order to ensure that researchers, innovators and policy makers can use this data. the EU encourages the data holders to contribute to this effort in making different categories of electronic health data they are holding available for secondary use. The data that can be used for secondary use would also include user generated data such as from devices, applications or other wearables and digital health applications.However, the regulation cautions against using this data for measures and making decisions that are detrimental to the individual, in ways such as increasing insurance premiums. The EUHDS also states that as the data is sensitive personal data care should be taken by the data access bodies, to ensure that while data is being shared it is necessary to ensure that the data will be processed in a privacy preserving manner. This could include through pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data.

While the document states how important it is to have secondary use of the data for public health, research and innovation it also requires that the data is not provided without adequate checks. The EUHDS requires the organisation seeking access to provide several pieces of information and be evaluated by the data access body. The information should include legitimate interest, the necessity and the process the data will go through. In the case where the organisation is seeking pseudonymised data, there is a need to explain why anonymous data would not be sufficient. In order to ensure a comprehensive approach between health data access bodies, the EUHDS states that the European Commission should support the harmonisation of data application, as well as data request.

In India, while multiple health data documents state the need to share data for public interest, research and innovation, not much thought has been given to ensuring that the data is not misused and that there is harmonisation between bodies that provide the data. Most recently the PMJay documents states that the NHA shall make aggregated and anonymised data available through a public dashboard for the purpose of facilitating health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions and such other purposes as may be specified by the NHA. Such data can be accessed through a request to the Data Sharing Committee^{^[12]} for the sharing of such information through secure modes, including clean rooms and other such secure modes specified by NHA. However the document does not mention what clean rooms are in this context.

The Health Data Management Policy 2022 states that Data fiduciaries (data controllers/ processors according to the data protection legislation) can themselves make anonymised or de-identified data in an aggregated form available based in technical processes and anonymisation protocols which may be specified by the NDHM in consultation with the MeitY. The purposes mentioned in this policy included health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions and such other purposes as may be specified by the NDHMP. The policy states that in order to access the anonymised or de-identified data the entity requesting the data would have to provide relevant information such as name, purpose of use and nodal person of contact details. While the policy does not go into details about the scrutiny of the organisations seeking this data, it does state that the data will be provided based on the term as may be stipulated.

However the issue arises as both the documents published by the NHA do not have a similar process for getting the data, for example the NDHMP requires the data fiduciary to share the data directly, while the PMJay guidelines requires the data to be shared by the Data Sharing Committee, creating duplicate datasets as well as affecting the quality of the data being shared.

Recommendations for India
Need for a data protection legislation:

While the EUHDS is still a draft document and the end result could be different based on the consultations and deliberations, the document has a strong base with respect to the privacy and data protection based on the earlier regulations and the GDPR. The definitions of what counts as health data, and the parameters for managing the data creates a more streamlined process for all stakeholders. More importantly the GDPR and other regulations provide a way of recourse for people. In India the health data related policies and strategy documents have been published and enforced before the data protection legislation is passed. In addition to this India, unlike the EU has just begun looking at a universal health ID and digitisation of the healthcare system, ideally it would be better to take each step at a time, and at first look at the issues that may arise due to the universal health ID. In addition to this, multiple policies, without a strong data protection legislation providing parameters and definitions could mean that the health data management policies only benefit certain people. This also creates uncertainty in terms of where an individual will go in case of harms caused by the processing of their data, and who would be the authority to govern questions around health data. The division of health data management between different documents also creates multiple silos of data management which creates data duplication and issues with data quality.

Secondary use of data

While both the EUHDS and India's Health Data Management Policy look at the sharing of health data with researchers and private organisations in order to foster innovation, the division of sharing of data based on who uses the data is a good way to ensure that only interested parties have access to the data. With respect to the health data policies in India, a number of policies talk about the sharing of anonymised data with researchers, however the documents being scattered could cause the same data to be shared by multiple health data entities, making it possible to identify people. For example, the health data management policy could share anonymised data of health services used by a person, whereas the PMJAY policy could share data about insurance covers, and the researcher could probably match the data and be closer to identifying people. It has also been revealed in multiple studies that anonymisation of data is not permanent and that the anonymisation can be broken. This is more concerning since the polices do not put limits or checks on who the researchers are and what is the end goal of the data sought by them, the policies seem to rely on the anonymisation of the data as the only check for privacy. This data could be used to de-anonymise people, could be used by companies working with the researchers to get large amounts of data to train their systems,

train data that could lead to greater surveillance, increase insurance scrutiny etc. The NHA and Indian health policy makers could look at the restrictions and checks that the EUHDS creates for the secondary use of data and create systems of checks and categories of researchers and organisations seeking data to ensure minimal risks to an individual’s data.

Conclusion

While the EU Health data space has been criticised for facilitating vast amounts of data with private companies and the collecting of data by governments, the codification of the legislation does in some way give some way to regulate the flow of health data. While India does not have to emulate the EU and have a similar document, it could look at the best practices and issues that are being highlighted with the EUHDS. Indian lawmakers have looked at the GDPR for guidance for the draft data protection legislation, similarly it could do so with regard to health data and health data management. One possible way to ensure both the free flow of health data and the safeguards of a regulation could be to re-introduce the DISHA Act which much like the EUHDS could act as a legislation which provides an anchor to the multiple health data policies, including standard definition of health data, grievance redressal bodies, and adjudicating authorities and their functions. In addition a legislation dedicated to the health data would also remove the existing burden on the to be formed data protection authority.

^{^[1]} “European Health Data Space”, European Commission, 03 May 2022,https://health.ec.europa.eu/ehealth-digital-health-and-care/european-health-data-space_en

^{^[2]}“European Health Data Space”

^{^[3]} “National Digital Health Blueprint”, Ministry of Health and Family Welfare Government of India, https://abdm.gov.in:8081/uploads/ndhb_1_56ec695bc8.pdf

^{^[4]} “National Digital Health Blueprint”

^{^[5]} “Mondaq” “DISHA – India's Probable Response To The Law On Protection Of Digital Health Data” accessed 13 June 2023,https://www.mondaq.com/india/healthcare/1059266/disha-india39s-probable-response-to-the-law-on-protection-of-digital-health-data

^{^[6]}“The Digital Personal Data Protection Bill 2022”, accessed 13 June 2023 , https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf

^{^[7]}The Digital Personal Data Protection Bill 2022

^{^[8]} Regulation (EU) 2016/679 defines health data as “Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council (1) to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

^{^[9]} For creating an integrated, uniform and interoperable ecosystem in a patient or individual centric manner, all the government healthcare facilities and programs, in a gradual/phased manner, should start assigning the same number for providing any benefit to individuals.

^{^[10]} For example a manufacturer of a fitness tracker which is capable of monitoring heart rate could state that the intended purpose of the device was fitness or wellness as opposed to early detection of heart disease thereby not falling under the purview of the regulation.

^{^[11]}“Healthcare Executive” “GOQii Launches GOQii Smart Vital 2.0, an ECG-Enabled Smart Watch with Integrated Outcome based Health Insurance & Life Insurance, accessed 13 June 2023
https://www.healthcareexecutive.in/blog/ecg-enabled-smart-watch

^{^[12]} The guidelines only state that the Committee will be responsible for ensuring the compliance of the guidelines in relation to the personal data under its control. And does not go into details of defining the Committee.

For more details visit https://cis-india.org/internet-governance/blog/health-data-management-policies

WIPO SCCR 43: Notes from Day 3

shweta — 2023-04-28T13:03:42Z

Working towards a binding international L&E instrument
Iran, Pakistan and Kenya highlighted their support toward the African proposal as well emphasized the need for an internationally binding treaty on L&E. Saudi Arabia mentioned the need for Limitations and Exceptions to benefit the preservation and sharing of cultural heritage, as well as for persons with disabilities. Iran emphasied on the need for adequate balance and copyright protection and a balance between different national legislations. Iran stated that there was a need to have an international legal instrument in order to harmonise national legislations, in the absence of which there would not be a free flow of information. Iran also emphasised on the need to look at the priorities of developing countries with respect to the Development Agenda. Pakistan also highlighted the issues that came to light during the pandemic, especially with regard to cross border use of information by educational institutions. In addition to this Pakistan stated that it looked forward to a binding instrument that was not too prescriptive. Kenya shed light on the concerns around the increasing knowledge gap between the developed and the developing countries, and the migration from analogue to digital environment.

WIPO SCCR 43: Notes from Day 4

Limitations and Exceptions and Cross Border Flow of Data
Nigeria, South Africa, Russia, Brazil, Argentina, Iran, Uganda and Algeria extended their support to the Work Programme on L&E by the African Group. Nigeria in their statement expressed how L&E were essential for research, cultural exchange, and how it had the potential to help people around the world who still lack access to educational and research materials. Nigeria also highlighted that a legally binding international treaty would help harmonise and balance the copyright system with other instruments such as the TRIPS agreement and the WIPO internet treaties, and facilitate smooth transborder trade in both online and traditional media. Iran stated that the creation of L&E for online and crossborder use of data is imperative, especially for the benefit of online teaching and research as well as bridge the digital divide by facilitating access to knowledge and technology.

The European Union (EU) and France however were not in support of a legally binding instrument.The EU stated that they would prefer a non-binding instrument such as a toolkit, while France stated that the current international framework of copyright is sufficiently flexible to allow members to implement L&E in their national legislations, as well as to find appropriate tools to meet the needs of education, research and preservation. France expressed their reservation in moving towards a normative framework and stated that the states could look at the exchange of best practice at national level and support in drafting national legislations. The United States stated that topics such as text and data mining and contract override were not issues that were fully discussed yet at the committee level.

Observations by the Chair

The Chair noted that there continued to be a disagreement on whether to pursue international instruments for Limitations and Exceptions.
The Chair also noted that while there was a lot of support for the proposal, there still was no consensus on the proposal. The Chair suggested that the African Group work with the member states that highlighted their reservations and work together with the Chair to see if the proposal could be revised, or to look at portions of the proposal that enjoyed the support to be advanced.

For more details visit https://cis-india.org/a2k/blogs/wipo-sccr-43-notes-from-day-3

WIPO SCCR 43: Notes from Day 2

shweta — 2023-04-28T12:22:24Z

Rights of broadcasters
Iran wanted clarifications about whether the rights granted to broadcasters under the treaty would be a negative right (right to prohibit) or a positive right (right to authorise). Iran also highlighted that there was a need to clarify definitions in the treaty, particularly with respect to user generated contents shared on websites such as Youtube, in comparison with traditional broadcasters.

The Chair clarified that the treaty provides two sets of rights, positive rights under Article 6 and 7 and negative rights under Article 8 and 9. The Chair also clarified that the treaty aimed to bridge the various legal frameworks, based on copyright, under a rights based approach and a signal based approach. In the signal based approach, the positive right under Article 6 is based to protect only live signal and the protection ends at the point of fixation, hence there is no relation between the right of fixation Article 7 and the right to prohibit transmission and deferred transmission under article 8. The Chair further clarified that the positive right ends at fixation after which the right to prohibit comes into play. With respect to User Generated Content the Chair clarified that the current draft of the treaty focused protection to traditional broadcasters and not other service providers.

Terms of the Right The USA highlighted their concern over the possible perpetual term of fixation rights and requested that a revised text could have some explicit time limit. Singapore echoed USA’s concern over the absence of limitations on the duration of the rights of the broadcasters which could give broadcasters perpetual protection of a programme. Similarly Pakistan questioned the need for a right of fixation highlighting that piracy was an enforcement issue. With respect to the term of protection the Chair clarified that the treaty sought to provide practical protection to broadcasters of their live signal, and not the content of the broadcast. Further clarifying that one of the main aims of the treaty was the protection of simultaneous retransmission, and to provide protection in case there was a fixation of the signals.

Limitations and Exceptions
Iran and Brazil highlighted issues about limitations and exceptions. While Iran stated that the inclusion of the three step test in the treaty would water down the limitations and exceptions provisions, Brazil highlighted that the Article 11 of the treaty did not follow the text of the Marakesh convention or the Beijing treaty regarding Limitations and Exceptions. Brazil highlighted that there was a need to clarify in the text of the treaty itself that the list provided under the Article is illustrative and not exhaustive. In addition to this they stated that the text of the treaty should also establish the presumption that all the examples listed have already fulfilled the three steps. Brazil also highlighted the question about the consequence of the proposal on works in the public domain that are not sufficiently clear. The draft should ensure that public domain content when broadcasted should not receive another layer of protection.

Communia, Knowledge Ecology International (KEI) and Innovarte also highlighted issues that might come up with broadcasting works that are in the public domain. Communia provided examples where the broadcasters might have the only good copy of historic events and reporting that have now become a part of the public domain, however the broadcasters could reappropriate these which are in the public domain with new exclusive rights through this treaty. Communia hence suggested a need for exclusion of public domain works in the treaty. Innovarte highlighted Article 6 of the Berne convention which allows for exceptions related to public interest such as use of excerpts.

Agenda Item 6 and 7 - Limitations and Exceptions for Libraries and Archives, for Educational and Research Institutions and for Persons with Other disabilities

Working towards a binding international L&E instrument
The beginning of the discussion on Limitations and Exceptions began with the CEBS Group, Group B, the European Union and the USA emphasising on the need to look at other avenues to implement L and E without going for a legally binding international instrument. Some of the solutions provided included strengthening existing national legislations, existing solutions within the framework of the existing international treaties, exchange of best practices, and capacity building for countries to implement L&E’s in their national legislations.

Ghana on behalf of the African Group stated that there was a need to provide mutual benefit between those who generate and those who use creative works. Ghana also highlighted the issues with cross border access and sharing of copyrighted materials which is becoming increasingly difficult for libraries, archives, museums and research institutions to access. Ghana highlighted the need for a strong support in development of a legal instrument on Limitations and Exceptions, for libraries, archives, museums and for persons with disabilities other than blindness. South Africa in their statement also highlighted the benefit L&E’s would provide to both creators and users, and the cross border transfer of data. And extended their support to the statement of Ghana and work towards an international instrument whether model law, joint recommendation or a treaty.

For more details visit https://cis-india.org/a2k/blogs/wipo-sccr-43-notes-from-day-2

WIPO SCCR 43: Notes from Day 1

shweta — 2023-04-28T12:01:31Z

Member states delivered opening statements and deliberated on the progress, substantive provisions, and method of work on the draft broadcasting treaty text. This blog post summarises positions and contentions that supported: 1)The need for balance between rights of broadcasters and that of users and researchers 2) Questions around fixation and signal piracy 3) Need for consensus and towards a diplomatic conference

Opening Statements by Group Coordinators

Uruguay on behalf of the GRULAC spoke about the Marrakesh treaty and highlighted how this was the first treaty that looked at human rights and copyright. Uruguay also mentioned the need to look at exclusion and the need for dissemination of knowledge.

On behalf of the Baltic states, Poland expressed their interest in discussing the Limitations and Exceptions (L&E) agenda, with focus on persons with other disabilities, as well as conveyed their interest in examining the T oolkit on Preservation.

The African group coordinator Ghana, highlighted the need to look at the contribution to Sustainable Development Goals, they also showed support for Senegal and Congo on their work on artist copyright and resale rights.

Singapore made the statements on behalf of the Asia and the Pacific Group (APG) group coordinator Indonesia, they commented on the need to work towards a fair and balanced broadcast treaty, and to narrow existing gaps which would require a delicate balance. They also stated that the treaty needs to be comprehensive and inclusive, with limitations and expectations for Libraries, Archives and Museums and areas of cultural importance, as well as access to broadcast content for education and research.

Agenda Item 5: Protection of Broadcasting Organisations

The need for Balance between rights of broadcasters and that of users and researchers

China, Ghana, Colombia, Saudi Arabia, Iran, in their statements highlighted the need for balance between the rights of the broadcasters with suitable limitations and exceptions. Iran in their statements also highlighted the work of libraries, archives and museums in education. Iran also highlighted that different parameters for Limitations and Exceptions in member states' national legislations has the potential to cause barriers in the free flow of data for researchers and educators.

Colombia spoke about their concerns regarding the fixation rights laid out in the treaty and the working of limitations and exceptions under Article 11. Colombia stated that the use of the term “may” in Article 11 could result in countries ignoring the limitations and exceptions provisions when they adopt this treaty into their national legislations. They suggested the changing of the wording in Article 11 from “may” to “shall” to reflect a balanced and progressive treaty.

Nigeria in their statement highlighted the difficulties that were faced by students and educators during Covid 19, when schools and libraries were closed. They also shed light on how limitations and exceptions were not granted uniformly.

Pakistan also emphasised on the need to look at the interests of educators, and supported the inclusion of mandatory limitations and exceptions while protecting the rights of the creators.

Questions around fixation and signal piracy

The Central European and Baltic States Group (CEBS) group, The United Kingdom (UK) , Canada, Tajikistan and The United States of America and Japan in their statements mentioned the need to protect broadcasters especially with respect to stopping piracy. The CEBS group stated that in the era of rapidly evolving technologies and changing digital environments there was a need to extend international protection against piracy to different types of transmissions of broadcasting organizations, including those over computer networks. Similarly, the United Kingdom also highlighted the rapid advancements in technology, which enables signal piracy through redirecting. The UK stated that Article 7 of the draft treaty did not provide sufficient protection, an issue that needed more deliberations.

Need for consensus and progress towards a diplomatic conference

Pakistan, China, Kingdom of Eswatini, The African Regional Intellectual Property Organization (ARIPO) in their statements mentioned that they were looking forward to a diplomatic conference. Pakistan highlighted the need for open and inclusive negotiation in the diplomatic conference.

India expressed that the scope of protection in the revised draft is more comprehensive and in line with technological developments. The definition of the term broadcasting has also been made more comprehensive with the inclusion of the word “any means”. The definition provided for fixation has been provided along with the rights of fixation under Article 7, which may be the most relevant steps to prevent unauthorised exploitation by a third party to the values represented by the signal. India also stated that the treaty is capable of covering piracy in the digital environment and includes broadcasting of all types of broadcast. India also stated that they support the finalisation of the treaty, maintaining the interest of all member states on fundamental issues.

Presentation by the Chair and Vice Chair

On Article 11 the Chair stated that the list could be made clearer, and also clarified that the list is not a closed list. With respect to the works in the public domain the Chair clarified that the broadcasting and distributing of works in public domain, only the work carrying the signal will be under the treaty.
With regard to the scope of fixation the Chair clarified that the scope of fixation is only for the entity emitting the signal. The focus of the treaty is to limit the rights to signal based rights.

For more details visit https://cis-india.org/a2k/blogs/wipo-sccr-43-notes-from-day-1

Making Voices Heard

shweta — 2022-06-27T16:18:36Z

We are happy to announce the launch of our final report on the study ‘Making Voices Heard: Privacy, Inclusivity, and Accessibility of Voice Interfaces in India. The study was undertaken with support from the Mozilla Corporation.

We believe that voice interfaces have the potential to democratise the use of the internet by addressing limitations related to reading and writing on digital text-only platforms and devices. This report examines the current landscape of voice interfaces in India, with a focus on concerns related to privacy and data protection, linguistic barriers, and accessibility for persons with disabilities (PwDs).

The report features a visual mapping of 23 voice interfaces and technologies publicly available in India, along with a literature survey, a policy brief towards development and use of voice interfaces and a design brief documenting best practices and users’ needs, both with a focus on privacy, languages, and accessibility considerations, and a set of case studies on three voice technology platforms. Read and download the full report here

Credits

Research: Shweta Mohandas, Saumyaa Naidu, Deepika Nandagudi Srinivasa, Divya Pinheiro, and Sweta Bisht.

Conceptualisation, Planning, and Research Inputs: Sumandro Chattapadhyay, and Puthiya Purayil Sneha.

Illustration: Kruthika NS (Instagram @theworkplacedoodler). Website Design Saumyaa Naidu. Website Development Sumandro Chattapadhyay, and Pranav M Bidare.

Review and Editing: Puthiya Purayil Sneha, Divyank Katira, Pranav M Bidare, Torsha Sarkar, Pallavi Bedi, and Divya Pinheiro.

Copy Editing: The Clean Copy

For more details visit https://cis-india.org/internet-governance/blog/making-voices-heard

A Guide to Personal Data Protection Bill, 2019 Compliance - Privacy Policy

shweta — 2021-09-17T14:37:52Z

For more details visit https://cis-india.org/internet-governance/guide-to-personal-data-protection-bill.pdf

Making Voices Heard: Privacy, Inclusivity, and Accessibility of Voice Interfaces in India

shweta — 2019-12-18T12:10:05Z

We believe that voice interfaces have the potential to democratise the use of internet by addressing barriers such as accessibility concerns, lack of abilities of reading and writing on digital text interfaces, and lack of options for people to interact with digital devices in their own languages. Through the Making Voice Heard Project supported by Mozilla Corporation, we will examine the current landscape of voice interfaces in India.

Download the project announcement cards (shown above): Card 01, Card 02, and Card 03

Making Voices Heard: Project Announcement

Although voice enabled interfaces are being deployed there is a need to understand how they are beneficial, and what have been important knowledge gaps and challenges in their development, adoption, use, and regulation. Through the Making Voice Heard Project supported by Mozilla Corporation, we will be examining the current landscape of voice interfaces in India, and seek to address the following questions:

What is the broad (sectoral and functional) typology of available voice interfaces in Indian languages? How widely are these voice interfaces (in Indian languages) used, and what barriers prevent their further adoption and use?
What are concerns related to privacy and data protection that emerge with the growth of voice interfaces? What kind of protocols for data processing may need to be built into the design of these interfaces?
How accessible are these interfaces for persons with disabilities (PWDs)? What kinds of accessibility features, especially for Indian languages, may need to be developed to ensure effective use of voice technologies by PWDs?
Where do challenges in these three areas intersect? For instance, is compromising on users’ privacy, including weak or missing data protection regulations, required to create comprehensive speech datasets that may help develop better accessibility features, and address linguistic barriers?

In order to approach these questions we have begun mapping the various developers and users of voice interfaces in India. In the next stage of the process we will be looking at these interfaces through the lens of privacy, language, accessibility, and design. In order to add to the mapping and questions, we will be conducting interviews and workshops with users, developers, designers and researchers of voice interfaces in India, including the Common Voice team at Mozilla.

We hereby invite researchers, developers and designers of voice interfaces to speak to us and help inform the study. You may contact Shweta Mohandas at shweta@cis-india.org.

- Shweta Mohandas, Saumyaa Naidu, Puthiya Purayil Sneha, and Sumandro Chattapadhyay (project team)

For more details visit https://cis-india.org/raw/making-voices-heard-project-announcement

In India, Privacy Policies of Fintech Companies Pay Lip Service to User Rights

shweta — 2019-07-31T02:21:40Z

A study of the privacy policies of 48 fintech companies that operate in India shows that none comply with even the basic requirements of the IT Rules, 2011.

The article by Shweta Mohandas highlighting the key observations in Fintech study conducted by CIS was published in the Wire on July 30, 2019.

Earlier this month, an investigation revealed that a Hyderabad-based fintech company called CreditVidya was sneakily collecting user data through their devotional and music apps to assess people’s creditworthiness.

This should be unsurprising as the privacy policies of most Indian fintech companies do not specify who they will be sharing the information with. Instead, they employ vague terminology to identify sharing arrangements such as ‘third-party’, ‘affiliates’ etc.

This is one of the many findings that we came across while analysing the privacy policies of 48 fintech companies that operate in India.

The study looked at how the privacy policies complied with the requirements of the existing data protection regime in India – the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

The IT Rules, among other things, require that privacy policies specify the type of data being used, the purpose of collection, the third parties the data will be shared with, the option to withdraw consent and the grievance redressal mechanism.

The rules also require the privacy policy to be easily accessible as well as easy to understand. The problem is that they are not as comprehensive and specific as, say, the draft Personal Data Protection Bill, which is awaiting passage through parliament, and hence require the companies to do much less than privacy and data protection practices emerging globally.

Nevertheless, despite the limited requirements, none of the companies in our sample of 48 were fully compliant with the parameters set by the IT Rules.

While 95% of the companies did fulfil the basic requirement of actually formulating and having a privacy policy, two major players stood out as defaulters: Airtel Payments Bank and Bhim UPI, for which we were not able to locate a privacy policy.

Though a majority of the privacy policies contained the statement “we take your privacy and security seriously”, 43% of the companies did not provide adequate details of the reasonable security practices and procedures followed.

The requirement in which most companies did not provide information for was regarding a grievance redressal mechanism, where only 10% of the companies comply.

While 31% of the companies provided the contact of a grievance redressal officer (some without even mentioning the redressal mechanism), 37% of the companies provided contact details of a representative but did not specify if this person could be contacted in case of any grievance.

Throughout the study, it was noted that the wording of the IT Rules allowed companies to use ambiguous terms to ensure compliance without exposing their actual data practices. For example, Rule 5 (7) requires a fintech company to provide an option to withdraw consent. Twenty three percent of the companies allowed the user to opt out or withdraw from certain services such as mailing list, direct marketing and in app public forums but they did not allow the user to withdraw their consent completely. While several of 17 companies did provide the option to withdraw consent, they did not clarify whether the withdrawal also meant that the user’s data was no processed or shared.

However, when it came to data retention, most of the 27 companies that provided some degree of information about the retention policy stated that some data would be stored for perpetuity either for analytics or for complying with law enforcement. The remaining 21 companies say nothing about their data retention policy.

In local languages

The issue of ambiguity most clearly arises when the user is actually able to cross the first hurdle – reading an app’s privacy policy.

With fintech often projected as one of the drivers of greater financial inclusion in India, it is telling that only one company (PhonePe) had the option to read the privacy policy in a language other than English. With respect to readability, we noted that the privacy policies were difficult to follow not just because of legalese and length, but also because of fonts and formatting – smaller and lighter texts, no distinction between paragraphs etc. added to the disincentive to read the privacy policy.

Privacy policies act as a notice to individuals about the terms on which their data will be treated by the entity collecting data. However, they are a monologue in terms of consent where the user only has the option to either agree to it or decline and not avail the services. Moreover, even the notice function is not served when the user is unable to read the privacy policy.

They, thus, serve as mere symbols of compliance, where they are drafted to ensure bare minimum conformity to legal requirements. However, the responsibility of these companies lies in giving the user the autonomy to provide an informed consent as well as to be notified in case of any change in how the data is being handled (this could be when and whom the data is being shared with, if there has been a breach etc).

With the growth of fintech companies and the promise of financial inclusion, it is imperative that the people using these services make informed decisions about their data. The draft Personal Data Protection Bill – in its current form – would encumber companies processing sensitive personal data with greater responsibility and accountability than before. However, the Bill, similar to the IT Rules, endorses the view of blanket consent, where the requirement for change in data processing is only of periodic notice (Section 30 (2)), a lesson that needs to be learnt from the CreditVidya story.

In addition to blanket consent, the SPD/I Rules and well as the PDP Bill does not require the user to be notified in all cases of a breach. While the information that is provided to data subjects is necessary to be designed keeping the user in mind, neither the SPD/I Rules, nor the PDP Bill take into account the manner in which data flows operate in the context of ‘disruptive’ business models that are a hallmark of the ‘fintech revolution’.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-shweta-mohandas-july-30-2019-in-india-privacy-policies-of-fintech-companies-pay-lip-service-to-user-rights