Centre for Internet and Society

Use of Visuals and Nudges in Privacy Notices

saumyaa — 2018-08-22T13:16:15Z

Nudging in privacy notices can be a privacy-enhancing tool. For example, informing users of how many people would have access to their data would help them make a decision. However, nudges can also be used to influence users towards making choices that compromise their privacy. For example, the visual design of default options on digital platforms currently nudge users to share their data. It is critical to ensure that there is mindful use of nudges, and that it is directed at the well being of the users.

Edited by Elonnai Hickok and Amber Sinha

Former Supreme Court judge, Justice B.N. Srikrishna, who is currently involved in drafting the new data-privacy laws for India, was quoted recently by the Bloomberg^[1]. Acknowledging the ineffectiveness of consent forms of tech companies that leads to users’ data being collected and misused, he asked if we should have pictograph warnings for consent much like the warnings that are given on cigarette packets. His concern is that an average Indian does not realise how much data they are generating or how it is being used. He attributed this to the access issues with the consent forms presented by companies which are in the English language. In the Indian context, Justice Srikrishna pointed out, considerations around literacy and languages should be addressed.

The new framework being worked on by Srikrishna and his committee comprising academics and government officials, would make the tech companies more accountable for data collection and use, and allow users to have more control over their own data. But, in addition to this regulatory step towards privacy and data protection, the concern towards communication of companies’ data practices through consent forms or privacy notices is also critical for users. Currently, the cryptic notices are a barrier for users, as are the services that do not provide incremental information about the use of the service - for example, what data is being shared with how many people or what data is being collected at what point, instead relying on blanket consent forms taken at the beginning of a service. Visuals can go a long way in making these notices and services accessible to users.

Although, Justice Srikrishna chose the extreme example of warnings on cigarette packets, visually depicting the health risks of cigarette smoking using repulsive imagery, the underlying intent seems to be of using visuals as a means of giving an immediate and clear warning about how people’s data is being used and by whom. It must be noted that the effectiveness of warnings on cigarette packets is debatable. These warnings are also a way in which manufacturers consider their accountability met, which is a possible danger with privacy notices as well. Most companies consider that their accountability is limited to giving all the information to the users without ensuring that the information is communicated to help the user understand the risks. Hence, one has to be cautious of the role of visuals in notices so that they are used with the primary purpose of meaningful communication and accessibility that can be used to inform further action. The visual summary of the data practice in terms of how it will affect the user will also serve as a warning.

The warning images on cigarette packets are an example of the user-influencing design approach called nudging^{^[2]}. While nudging techniques are meant to be aimed at the users’ well being, it brings forward the question of who decides what is beneficial for the users. Moreover, the harm in cigarette smoking is more obvious, and thus the favourable choice for the users is also clearer. But, in the context of data privacy, the harms are less apparent. It is difficult to demonstrate the harms or benefits of data use, particularly when data is re-purposed or used indirectly. There is also no single choice that can be pushed when it comes to the use and collection of data. Different users may have different preferences or degrees to which they would like to allow the use of their data. This raises deeper questions about the extent to which privacy law and regulation should be paternalistic.

Nudges are considered to follow the soft or libertarian paternalism approach, where the user is not forbidden any options but only given a push to alter their behaviour in a predictable way^{^[3]}. It is crucial to differentiate between the strong paternalistic approach that doesn’t allow a choice at all, the usability approach, and the soft paternalistic approach of nudging, as mentioned by Alessandro Acquisti in his paper, ‘The Behavioral Economics of Personal Information’^{^[4]}. In the usability approach, the design of the system would make it intuitive for users to change settings and secure their data. The soft paternalistic approach of nudging would be a step further and present secure settings as a default. Usability is often prioritised by designers. However, soft paternalism techniques help to enhance choice for users and lead to larger welfare^{^[5]}.

Nudging in privacy notices can be a privacy-enhancing tool. For example, informing users of how many people would have access to their data would help them make a decision^{^[6]}. However, nudges can also be used to influence users towards making choices that compromise their privacy. For example, the visual design of default options on digital platforms currently nudge users to share their data. It is critical to ensure that there is mindful use of nudges, and that it is directed at the well being of the users.

The design of privacy notices should be re-conceptualised to ensure that they inform the users effectively, keeping in mind certain best practices. For instance, a multilayered privacy notice can be used, which includes a very short notice designed for use on portable digital devices where there is limited space, condensed notice that contains all the key factors in an easy to understand way, and a complete notice with all the legal requirements^{^[7]}. Along with the layering of information, the timing of notices should also be designed to be at setup, just in time of the user’s action, or at periodic intervals. In terms of visuals, infographics can be used to depict data flows in a system. Another best practice is to integrate privacy notices with the rest of the system. Designers are needed to be involved early in the process so that the design decisions are not purely visual but also consider information architecture, content design, and research.

Practice based frameworks should be developed for communication designers in order to have a standardised vocabulary around creating privacy notices. Additionally, multiple user groups and their varied privacy preferences must be taken into account. Finally, an ethical framework must be put into place for design practitioners in order to ensure that the users’ well being is prioritised, and notices are designed to facilitate informed consent. Further recommendations and concerns regarding the design of privacy notices, and the use of visuals can be read here.

Justice Srikrishna’s statement is an important step towards creating effective privacy notices with visuals. The conversation on the need to design privacy notices can lead to clearer and more comprehensible notices. Combined with the enforcement of fair collection and use of data by companies, well designed notices will allow users more control and a real choice to opt-in or out of a service and make informed choices as they engage with a service. Justice Srikrishna’s analogy seems to recommend using visuals to describe what type of data is being collected and for what purposes at the time of taking consent. Though cigarette warnings may not be the most appropriate analogy, this is a good start, and it is important to explore how visuals and design can be used throughout a service - from beginning to end - to convey and promote awareness and informed choices by users. It is also important to extend this conversation outside of privacy into the realm of security and understand how visuals and design can inform users’ awareness and personal choices around security when using a service.

^{^[1]} https://www.bloomberg.com/news/articles/2018-06-10/tech-giants-nervous-as-judge-drafts-first-data-rules-in-india

^{^[2]} http://www.ijdesign.org/index.php/IJDesign/article/viewFile/1512/584

^{^[3]} https://www.andrew.cmu.edu/user/pgl/psosm2013.pdf

^{^[4]} https://www.heinz.cmu.edu/~acquisti/papers/acquisti-privacy-nudging.pdf

^{^[5]} https://www.heinz.cmu.edu/~acquisti/papers/acquisti-privacy-nudging.pdf

^{^[6]} https://cis-india.org/internet-governance/files/rethinking-privacy-principles

^{^[7]} https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/ten_steps_to_develop_a_multilayered_privacy_notice__white_paper_march_2007_.pdf

For more details visit https://cis-india.org/internet-governance/blog/use-of-visuals-and-nudges-in-privacy-notices

National Health Stack: Data For Data’s Sake, A Manmade Health Hazard

Murali Neelakantan, Swaraj Barooah, Swagam Dasgupta and Torsha Sarkar — 2018-09-16T05:01:18Z

On Oct. 5, 2017, an HIV positive woman was denied admission in Hyderabad’s Osmania General Hospital even though she was entitled to free treatment under India’s National AIDS Control Organisation programme. Another incident around the same time witnessed a 24-year-old pregnant woman at Tikamgarh district hospital in Madhya Pradesh being denied treatment by hospital doctors once she tested positive for HIV. The patient reportedly delivered the twins outside the maternity ward after she was turned away by the hospital, but her newborn twin girls died soon after.

The op-ed was published in Bloomberg Quint on August 14, 2018.

Apart from facing the severity of their condition, patients afflicted with diseases such as HIV, tuberculosis, and mental illnesses, are often subject to social stigma, sometimes even leading to the denial of medical treatment. Given this grim reality would patients want their full medical history in a database?

The ‘National Health Stack’ as described by the NITI Aayog in its consultation paper, is an ambitious attempt to build a digital infrastructure with a “deep understanding of the incentive structures prevalent in the Indian healthcare ecosystem”. If the government is to create a database of individuals’ health records, then it should appreciate the differential impact that it could have on the patients.

The collection of health data, without sensitisation and accountability, has the potential to deny healthcare to the vulnerable.

We have innumerable instances of denial of services due to Aadhaar and there is a real risk that another database will lead to more denial of access to the most vulnerable.

Earlier, we had outlined some key aspects of the NHS, the ‘world’s largest’ government-funded national healthcare scheme. Here we discuss some of the core technical issues surrounding the question of data collection, updating, quality, and utilisation.

Resting On A Flimsy Foundation: The Unique Health ID

The National Health Stack envisages the creation of a unique ID for registered beneficiaries in the system — a ‘Digital Health ID’. Upon the submission of a ‘national identifier’ and completion of the Know Your Customer process, the patient would be registered in the system, and a unique health ID generated.

This seemingly straightforward process rests on a very flimsy foundation. The base entry in the beneficiary registry would be linked to a ‘strong foundational ID’. Extreme care needs to be taken to ensure that this is not limited to an Aadhaar number. Currently, the unavailability of Aadhaar would not be a ground for denial of treatment to a patient only for their first visit; the patient must provide Aadhaar or an Aadhaar enrolment slip to avail treatment thereafter. This suggests that the national healthcare infrastructure will be geared towards increasing Aadhaar enrollment, with the unstated implication that healthcare is a benefit or subsidy — a largess of government, and not, as the courts have confirmed, a fundamental right.

Not only is this project using government-funded infrastructure to deny its citizens the fundamental right to healthcare, it is using the desperate need of the vulnerable for healthcare to push the ‘Aadhaar’ agenda.

Any pretence that Aadhaar is voluntary is slowly fading with the government mandating it at every step of our lives.

Aadhaar Seva kendra. (Source: Aadhaar Official Account/Facebook

Is The Health ID An Effective And Unique Identifier?

Even if we choose to look past the fact that the validity of Aadhaar is still pending the test of legality before the apex court, a foundational ID would mean that the data contained within that ID is unique, accurate, incorruptible, and cannot be misused. These principles, unfortunately, have been compromised by the UIDAI in the Aadhaar project with its lack of uniqueness of identity (i.e, fake IDs and duplicity), failure to authenticate identity, numerous alleged data leaks (‘alleged’ because UIDAI maintains that there haven’t been any leaks), lack of connectivity to be able to authenticate identity and numerous instances of inaccurate information which cannot be corrected.

Linking something as crucial and basic as healthcare data with such a database is a potential disaster.

There is a real risk that incorrect linking could cause deaths or inappropriate medical care.

The High Risk Of Poor Quality Data

The NITI Aayog paper envisages several expansive databases that are capable of being updated by different entities. It includes enrollment and updating processes but seems to assume that all these extra steps will be taken by all the relevant stakeholders and does not explain the motivation for stakeholders to do so.

In a country where government doctors, hospitals, wellness centres, etc are overburdened and understaffed, this reliance is simply not credible. For instance, all attributes within the registries are to be digitally signed by an authorised updater, there must be an audit trail for all changes made to the registries, and surveyors will be tasked with visiting providers in person to validate the data. Identifying these precautions as measures to assure accurate data is a great step towards building a national health database, but this seems an impossible task.

Who are these actors and what will incentivise them to ensure the accuracy and integrity of data?

In other words, what incentive and accountability structures will ensure that data entry and updating is accurate, and not approached from a more ‘jugaad’ ‘let’s just get this done for the sake of it’ attitude that permeates much of the country. How will patients have access to the database to be able to check its accuracy? Is it possible for a patient (who will presumably be ill) to gain easy access to an updater to change their data? If so, how? It is worth noting that the patient’s ‘right’ to check her data assumes that they have access to a computer that is connected to the internet as well as a good level of digital literacy, which is not the case in India for a significant section of the population. Even data portability loses its potential benefits if the quality of data on these registries is not reliable. In this case, healthcare providers will need to verify their patients’ health history using physical records instead, rendering the stack redundant.

Who will be liable to the patient for misdiagnosis based on the database?

A sonographic image is displayed on a monitor as a patient undergoes an ultrasound scan in Bikaner, Rajasthan, India. (Photographer: Prashanth Vishwanathan/Bloomberg)

Leaving the question of accountability vague opens updaters to the possibility of facing dangerous and unnecessarily punitive measures in the future. The NITI Aayog paper fails to address this key issue which arose recently. Despite being a notifiable disease, there are reports that numerous doctors from the private sector failed to notify or update TB cases to the Ministry of Health and Family Welfare ostensibly on the grounds that they did not receive consent from their patients to share their information with the government. This was met with a harsh response from the government which stated that clinical establishment that failed to notify tuberculosis patients would face jail time. According to a few doctors, the government’s new move would coerce patients to go to ‘underground clinics’ to receive treatment discreetly and hence, would not solve the issue of TB.

The document also offers no specific recommended procedures regarding how inaccurate entries will be corrected or deleted.

It is then perhaps not a stretch to imagine that these scenarios would affect the quality of the data stored; defeating NITI Aayog’s objective of researchers using the stack for high-quality medical data.

The reason why the quality and integrity of data is at the head of the table is that all the proposed applications of the NHS (analytics, fraud detection etc.) assume a high quality, accurate dataset. At the same time, the enrolment process, updating process and disclosed measures to ensure data quality will effectively lead to poor quality data. If this is the case, then applications derived from the NHS dataset should assume an imperfect data, rather than an accurate dataset, which should make one wonder if no data is better than data that is certainly inaccurate.

Lack Of Data Utilisation Guidelines

Issues with data quality are exacerbated depending on how and where it is used, and who uses it. The paper has identified some users to be health-sector stakeholders such as healthcare providers (hospitals, clinics, labs etc), beneficiaries, doctors, insurers and accredited social health activists but misses laying down utilisation guidelines. The foresight to create a dataset that can be utilised by multiple actors for numerous applications is commendable, but potentially problematic -- especially if guidelines on how this data is to be used by stakeholders (especially the private sector) are ignored.

In order to bridge this knowledge gap, India has the opportunity to learn from the legal precedent set by foreign institutions. As an example, one could examine the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. which sets out strict guidelines for how businesses are to handle sensitive health data in order to maintain the individual’s privacy and security. It goes one step further to also lay down incentive and accountability structures in order that business associates necessarily report security breaches to their respective covered entities.

If we do not take necessary precautions now, we not only run the risk of poor security and breach of privacy but of inaccurate data that renders the national health data repository a health risk for the whole patient population.

There’s also the lack of clarity on who is meant to benefit from using such a database or whether the benefits are equal to all stakeholders, but more on that in a subsequent piece.

A medical team uses a glucometer to check the blood glucose level of a patient at a mobile clinic in Pancharala, on the outskirts of Bengaluru, India. (Photographer: Dhiraj Singh/Bloomberg)

It’s Your Recipe, You Try It First!

If the NITI Aayog and the government are sure that there is a need for a national healthcare database, perhaps they can start using the Central Government Health Scheme (which includes all current and retired government employees and their families) as a pilot scheme for this. Once the software, database and the various apps built on it are found to be good value for money and patients benefit from excellent treatment all over the country, it could be expanded to those who use the Employees’ State Insurance system, and then perhaps to the armed forces. After all, these three groups already have a unique identifier and would benefit from the portability of healthcare records since they are likely to be transferred and posted all over the country. If, and only if, it works for these groups and the claimed benefits are observed, then perhaps it can be expanded to the rest of the country’s healthcare systems.

Murali Neelakantan is an expert in healthcare laws. Swaraj Barooah is Policy Director at The Centre for Internet and Society. Swagam Dasgupta and Torsha Sarkar are interns at The Centre for Internet and Society.

For more details visit https://cis-india.org/internet-governance/blog/bloomberg-quint-murali-neelakantan-swaraj-barooah-swagam-dasgupta-torsha-sarkar-august-14-2018-national-health-stack-data-for-datas-sake-a-manmade-health-hazard

India's Contribution to Internet Governance Debates

Sunil Abraham, Mukta Batra, Geetha Hariharan, Swaraj Barooah and Akriti Bopanna — 2018-08-16T15:38:02Z

India's Contribution to Internet Governance Debates", an article by Sunil Abraham, Mukta Batra, Geetha Hariharan, Swaraj Barooah and Akriti Bopanna, was recently published in the NLUD Student Law Journal, an annual peer-reviewed journal published by the National Law University, Delhi.

Abstract

India is the leader that championed ‘access to knowledge’ and ‘access to medicine’. However, India holds seemingly conflicting views on the future of the Internet, and how it will be governed. India’s stance is evolving and is distinct from that of authoritarian states who do not care for equal footing and multi-stakeholderism.

Introduction

Despite John Perry Barlow’s defiant and idealistic Declaration of Independence of Cyberspace1 in 1996, debates about governing the Internet have been alive since the late 1990s. The tug-of-war over its governance continues to bubble among states, businesses, techies, civil society and users. These stakeholders have wondered who should govern the Internet or parts of it: Should it be the Internet Corporation for Assigned Names and Numbers (ICANN)? The International Telecommunications Union (ITU)? The offspring of the World Summit on Information Society (WSIS) - the Internet Governance Forum (IGF) or Enhanced Cooperation (EC) under the UN? Underlying this debate has been the role and power of each stakeholder at the decision-making table.States in both the global North and South have taken various positions on this issue.

Whether all stakeholders ought to have an equal say in governing the unique structure of the Internet or do states have sovereign public policy authority? India has, in the past, subscribed to the latter view. For instance, at WSIS in 2003, through Arun Shourie, then India’s Minister for Information Technology, India supported the move ‘requesting the Secretary General to set up a Working Group to think through issues concerning Internet Governance,’ offering him ‘considerable experience in this regard... [and] contribute in whatever way the Secretary General deems appropriate’. The United States (US), United Kingdom (UK) and New Zealand have expressed their support for ‘equal footing multi-stakeholderism’ and Australia subscribes to the status quo.

India’s position has been much followed, discussed and criticised. In this article, we trace and summarise India’s participation in the IGF, UN General Assembly (‘UNGA’), ITU and the NETmundial conference (April 2014) as a representative sample of Internet governance fora. In these fora, India has been represented by one of three arms of its government: the Department of Electronics and Information Technology (DeitY), the Department of Telecommunications (DoT) and the Ministry of External Affairs (MEA). The DeitY was converted to a full-fledged ministry in 2016 known as the Ministry of Electronics and Information Technology (MeitY). DeitY and DoT were part of the Ministry of Communications and Information Technology (MCIT) until 2016 when it was bifurcated into the Ministry of Communications and MeitY.

DeitY used to be and DoT still is, within the Ministry of Communications and Information Technology (MCIT) in India. Though India has been acknowledged globally for championing ‘access to knowledge’ and ‘access to medicine’ at the World Intellectual Property Organization (WIPO) and World Trade Organization (WTO), global civil society and other stakeholders have criticised India’s behaviour in Internet governance for reasons such as lack of continuity and coherence and for holding policy positions overlapping with those of authoritarian states.

We argue that even though confusion about the Indian position arises from a multiplicity of views held within the Indian government, India’s position, in totality, is distinct from those of authoritarian states. Since criticism of the Indian government became more strident in 2011, after India introduced a proposal at the UNGA for a UN Committee on Internet-related Policies (CIRP) comprising states as members, we will begin to trace India's position chronologically from that point onwards.

Download the paper published in NLUD Student Law Journal here
For a timeline of the events described in the article click here
Read the paper published by NLUD Student Law Journal on their website

For more details visit https://cis-india.org/internet-governance/blog/nlud-student-law-journal-sunil-abraham-mukta-batra-geetha-hariharan-swaraj-barooah-and-akriti-bopanna-indias-contribution-to-internet-governance-debates

Spreading unhappiness equally around

sunil — 2018-07-31T14:49:52Z

The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually.

The article was published in Business Standard on July 31, 2018.

There is a joke in policy-making circles — you know you have reached a good compromise if all the relevant stakeholders are equally unhappy. By that measure, the B N Srikrishna committee has done a commendable job since there are many with complaints.

Some in the private sector are unhappy because their demonisation of the European Union’s General Data Protection Regulation (GDPR) has failed. The committee’s draft data protection Bill is closely modelled upon the GDPR in terms of rights, principles, design of the regulator and the design of the regulatory tools like impact assessments. With 4 per cent of global turnover as maximum fine, there is a clear signal that privacy infringements by transnational corporations will be reigned in by the regulator. Getting a law that has copied many elements of the European regulation is good news for us because the GDPR is recognised by leading human rights organisations as the global gold standard. But the bad news for us is that the Bill also has unnecessarily broad data localisation mandates for the private sector.

Some in the fintech sector are unhappy because the committee rejected the suggestion that privacy be regulated as a property right. This is a positive from the human rights perspective, especially because this approach has been rejected across the globe, including the European Union. Property rights are inappropriate because a natural law framing of the enclosure of the commons into private property through labour does not translate to personal data. Also in comparison to patents — or “intellectual property” — the scale of possible discreet property holdings in personal information is several orders higher, posing unimaginable complexity for regulation, possibly creating a gridlock economy.

The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually. A similar loophole exists in the GDPR. Remember the definition of processing includes “operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction”. This means the UIDAI can collect data from you without your consent and does not have to establish consent for the data it has collected in the past. There is a “necessary” test which is supposed to constrain data collection. But for the last 10 odd years, the UIDAI has deemed it “necessary” to collect biometrics to give the poor subsidised grain. Will those forms of disproportionate non-consensual data collection continue? Most probably because the report recommends that the UIDAI continue to play the role of the regulator with heightened powers. Which is like trusting the fox with
the henhouse.

Employees should be unhappy because the Bill has an expansive ground under which employers can nonconsensually harvest their data. The Bill allows for non-consensual processing of any data “necessary” for recruitment, termination, providing any benefit or service, verifying the attendance or any other activity related to the assessment of the performance”. This is permitted when consent is not an appropriate basis or would involve disproportionate effort on the part of the employer. This is basically a surveillance provision for employers. Either this ground should be removed like in the GDPR or a “proportionate” test should also be introduced otherwise disproportionate mechanisms like spyware on work computers will be installed by employees without providing notice.

Some free speech activists are unhappy because the law contains a “right to be forgotten” provision. They are concerned that this will be used by the rich and powerful to censor mainstream and alternative media. On the face of the “right to be forgotten” in the GDPR is a much more expansive “right to erasure”, whilst the Bill only provides for a more limited "right to restrict or prevent continuing disclosure”. However, the GDPR has a clear exception for “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”. The Bill like the GDPR does identify the two competing human rights imperatives — freedom of expression and the right to information. However, by missing the “public interest” test it does not sufficiently social power asymmetries.

Privacy and security researchers are unhappy because re-identification has been made an offence without a public interest or research exception. It is indeed a positive that the committee has made re-identification a criminal offence. This is because the de-identification standards notified by the regulator would always be catching up with the latest mathematical development. However, in order to protect the very research that the regulator needs to protect the rights of individuals, the Bill should have granted the formal and non-formal academic community immunity from liability and criminal prosecution.

Lastly but also most importantly, human rights activists are unhappy because the committee again like the GDPR did not include sufficiently specific surveillance law fixes. The European Union has historically handled this separately in the ePrivacy Regulation. Maybe that is the approach we must also follow or maybe this was a missed opportunity. Overall, the B N Srikrishna committee must be commended for producing a good data protection Bill. The task before us is to make it great and to have it enacted by Parliament at the earliest.

For more details visit https://cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around

Lining up the data on the Srikrishna Privacy Draft Bill

sunil — 2018-07-31T02:52:23Z

In the run-up to the Justice BN Srikrishna committee report, some stakeholders have advocated that consent be eliminated and replaced with stronger accountability obligations. This was rejected and the committee has released a draft bill that has consent as the bedrock just like the GDPR. And like the GDPR there exists legal basis for nonconsensual processing of data for the “functions of the state”. What does this mean for lawabiding persons?

The article was published in Economic Times on July 30, 2018

Non-consensual processing is permitted in the bill as long it is “necessary for any function of the” Parliament or any state legislature. These functions need not be authorised by law.

Or alternatively “necessary for any function of the state authorised by law” for the provision of a service or benefit, issuance of any certification, licence or permit.
Fortunately, however, the state remains bound by the eight obligations in chapter two i.e., fair and reasonable processing, purpose limitation, collection limitation, lawful processing, notice and data quality and data storage limitations and accountability. This ground in the GDPR has two sub-clauses: one, the task passes the public interest test and two, the loophole like the Indian bill that possibly includes all interactions the state has with all persons.

The “necessary” test appears both on the grounds for non-consensual processing, and in the “collection limitation” obligation in chapter two of the bill. For sensitive personal data, the test is raised to “strictly necessary”. But the difference is not clarified and the word “necessary” is used in multiple senses.

Under the “collection limitation” obligation the bill says “necessary for the purposes of processing” which indicates a connection to the “purpose limitation” obligation. The “purpose limitation” obligation, however, only requires the state to have a purpose that is “clear, specific and lawful” and processing limited to the “specific purpose” and “any other incidental purpose that the data principal would reasonably expect the personal data to be used for”. It is perhaps important at this point to note that the phrase “data minimisation” does not appear anywhere in the bill.

Therefore “necessary” could broadly understood to mean data Parliament or the state legislature requires to perform some function unauthorised by law, and data the citizen might reasonably expect a state authority to consider incidental to the provision of a service or benefit, issuance of a certificate, licence or permit.

Or alternatively more conservatively understood to mean data without which it would be impossible for Parliament and state legislature to carry out functions mandated by the law, and data without it would be impossible for the state to provide the specific service or benefit or issue certificates, licences and permits. It is completely unclear like with the GDPR why an additional test of “strictly necessary” is — if you will forgive the redundancy — necessary.

After 10 years of Aadhaar, the average citizen “reasonably expects” the state to ask for biometric data to provide subsidised grain. But it is not impossible to provide subsidised grain in a corruption-free manner without using surveillance technology that can be used to remotely, covertly and non-consensually identify persons. Smart cards, for example, implement privacy by design. Therefore a “reasonable expectation” test is not inappropriate since this is not a question about changing social mores.

When it comes to persons that are not law abiding the bill has two exceptions — “security of the state” and “prevention, detection, investigation and prosecution of contraventions of law”. Here the “necessary” test is combined with the “proportionate” test.

The proportionate test further constrains processing. For example, GPS data may be necessary for detecting someone has jumped a traffic signal but it might not be a proportionate response for a minor violation. Along with the requirement for “procedure established by law”, this is indeed a well carved out exception if the “necessary” test is interpreted conservatively. The only points of concern here is that the infringement of a fundamental right for minor offences and also the “prevention” of offences which implies processing of personal data of innocent persons.

Ideally consent should be introduced for law-abiding citizens even if it is merely tokenism because you cannot revoke consent if you have not granted it in the first place. Or alternatively, a less protective option would be to admit that all egovernance in India will be based on surveillance, therefore “necessary” should be conservatively defined and the “proportionate” test should be introduced as an additional safeguard.

For more details visit https://cis-india.org/internet-governance/blog/economic-times-july-30-2018-sunil-abraham-lining-up-data-on-srikrishna-privacy-draft-bill

People Should Have Right To Their Data, Not Companies, Says TRAI

Admin — 2018-07-29T05:44:51Z

Rules for protection of personal data in the telecom space are not sufficient, regulator TRAI said today while suggesting that consumers be given the right to choice, consent and to be forgotten to safeguard their privacy.

This was published by Bloomberg Quint on July 16, 2018. Pranesh Prakash was interviewed.

Recommending a series of measures of "privacy, security and ownership of data in telecom networks", the Telecom Regulatory Authority of India held that consumers are owners of their data and that entities controlling, processing their information are "mere custodians and do not have primary rights over this data".

"The Right to Choice, Notice, Consent, Data Portability, and Right to be Forgotten should be conferred upon the telecommunication consumers," TRAI recommended to the Department of Telecom. In order to ensure sufficient choices to the users of digital services, granularities in the consent mechanism should be built-in by the service providers, the regulator added.

TRAI has suggested that all entities in the digital ecosystem including telecom operators should transparently disclose the information about the privacy breaches on their websites along with the actions taken for mitigation, and preventing such breaches in future.

“This is the first time I’ve seen TRAI being bold enough to venture into this area,” said Pranesh Prakash, a policy director at the Centre for Internet Society. “There are many positives here in terms of the data protection regime that they want to set up,” he told BloombergQuint in an interview. “It talks about user choice, consent, about notice being mandatory and simplified in language that people understand rather than two hundred pages of legal forms.”

There are many things in it that law and technology nerds will rejoice over, for example, the need for greater amounts of encryption and asks DoT to revisit the limitations it has put on encryption because those limitations actually harm national security and user privacy.

Pranesh Prakash, Policy Director, Centre for Internet Society

Here are the highlights from the TRAI’s recommendation:

All entities in the digital ecosystem, which control or process the data, should be restrained from using meta-data to identify the individual users.
A study should be undertaken to formulate the standards for annonymisation/de-identification of personal data generated and collected in the digital eco-system.
Till such time a general data protection law is notified by the government, the existing rules/licence conditions applicable to TSPs for protection of users' privacy be made applicable to all the entities in the digital ecosystem.
The Right to Choice, Notice, Consent, Data Portability, and Right to be forgotten should be conferred upon the telecommunication consumers.
Data Controllers should be prohibited from using "preticked boxes" to gain users consent. Clauses for data collection and purpose limitation should be incorporated in the agreements.
Sharing of information concerning to data security breaches should be encouraged and incentivised to prevent/mitigate such occurrences in future.

The recommendations from TRAI come at a time when there are rising concerns around privacy and safety of user data, especially through mobile apps and social media platforms.

The regulator had issued a consultation paper entitled Privacy, Security and Ownership of Data in the Telecom Sector on Aug 9 last year and an open house discussion was held on Feb. 2. The TRAI had also invited comments and counter comments as part of the consultation.

(With inputs from PTI)

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-july-16-2018-people-should-have-right-to-their-data-not-companies-says-trai

The crown of thorns that awaits Facebook’s India MD hire

Admin — 2018-07-29T02:00:23Z

Between 2015 to 2017, Facebook nearly doubled its user base to about 250 million in India. The two other popular Facebook products, WhatsApp and Instagram, became swimmingly popular in the country, too – the messaging platform counts 200 million users here and the photos and videos sharing app some 60 million.

The article by Sunny Sen and Jayadevan PK was published by Factor Daily on July 25, 2018. Sunil Abraham was quoted.

By advertising metrics, such a reach – buttressed by usage through the day – is unprecedented and unrivalled. That should make Facebook India the most powerful advertising platform in the country. And, by corollary, its managing director or CEO among the most powerful executives in India, right?

Yes, except that no such person exists.

The corner room position at Facebook India has been unoccupied since October last year despite an extensive search (even on LinkedIn), a $2-million compensation package, and the immense power that comes with the job.

Long, winding months of search – there have been extensive meetings with more than half a dozen shortlisted candidates – are yet to culminate in an announcement that will tell the Indian advertising and media world who will lead Facebook in India, the social media giant’s second-largest market by several metrics.

Why? To put it simply, a yawning trust deficit and the difficulty in fixing it. A deficit that Facebook faces with almost all stakeholders in its ecosystem: users, regulators, advertisers, publishers, and agencies.

In India, the trust gap with regulators began to form with founder Mark Zuckerberg’s pet Free Basics program of early 2015 that ran afoul of net neutrality principles. India’s telecom regulator intervened and the project was ultimately shuttered in February 2016.

Facebook tried to change public perception of Free Basics by running multi-million advertising campaigns.

Facebook tried to change public perception of Free Basics by running multi-million advertising campaigns – billboards, newspaper advertisements, and the works – but the scepticism and opposition from large swathes of the startup ecosystem, proponents of net neutrality, and many Facebook users saw it in. Facebook also has an important case in the Supreme Court from last year, where petitioners have challenged the sharing of data between Facebook, WhatsApp, and third parties. If that was not all, the Cambridge Analytica scandal from early 2018 has all but singed the company’s reputation – its actions in the country have been questioned by the government with one minister even saying he would subpoena Zuckerberg if needed. The recent spate of lynchings, some traced to rumours that spread on WhatsApp, had the government asking the messaging platform what it is doing to stop the killings.

Facebook’s troubles with publishers is well documented. First, it was accused of promoting clickbaity content that forced people to spend more and more time on the platform. After Facebook changed news feed algorithms to show more of friends and family related content and less of news, publishers who had dived headlong into the Facebook ecosystem felt jilted. “Media companies are not making much money from Facebook. DB Corp has said that it is not getting enough revenue from social media so it is taking its content off the platforms… it will try to drive traffic directly to its own websites,” said Abneesh Roy, senior vice president at Edelweiss Capital, a Mumbai investment bank.

“Media companies are not making much money from Facebook. DB Corp has said that it is not getting enough revenue from social media so it is taking its content off the platforms”

Agencies, who often play a cosy role mediating between the buyers of advertisement space or time and the sellers, don’t like digital platforms such as Facebook and Google because both ultimately aim to disintermediate agencies through a set of self-service tools. The suspicion is rooted in commissions that are squeezed by the digital platforms: while print, TV and other media platforms pay a generous 15% or more commission on ad billings, agencies receive only 2% to 4 % from Facebook and 8% to 10% from Google. The digital platforms get away – or, at least, have gotten away so far thanks to the scale and low costs they operate at.

Overall, all this makes Facebook look ogreish that it – and, importantly, its people – may not be in real life. But, American writer Terry Goodkind’s “Reality is irrelevant; perception is everything

” holds true more than ever in the times we live and public perception is hurting the company in India. At least a dozen people, both from within, close and around the company, have told FactorDaily that while user metrics continue to grow strongly in India, especially on the back of an upsurge of data use in India in the last two years (thanks to Reliance Jio), Facebook India is a little at sea. “Facebook needs a face like Rajan Anandan is for Google,” is how one person with close knowledge of the situation put it. Anandan is vice president, South East Asia and India for Google and is its face for the company in this part of the world.

Facebook did not respond to a request mailed for comments.

Hotshot names all but…

Facebook is said to have interviewed – a few of these conversations continue – some of the top names from the India corporate landscape for its India CEO position: Star India MD Sanjay Gupta; Ajit Mohan, CEO, Hotstar; Sameer Nair, CEO, Applause Entertainment, part of the Aditya Birla Group; D Shivakumar, group president, strategy at the Aditya Birla Group; Tata Sky MD Harit Nagpal; Sudhanshu Vats, Viacom18 group CEO; and Sudhir Sitapati, executive director-refreshments at Hindustan Unilever. The hiring conversations even covered Srivatsa Krishna, an Indian Administrative Service officer who was the Karnataka IT secretary until last year.

Some of these people confirmed to FactorDaily they had been reached out to by Facebook and the headhunter Spencer Stuart it has engaged for the task, one denied it, and others didn’t respond to requests for comment.

Mohan and Nair have an edge, according to a hiring firm source and one of the other candidates. “We have heard quite a few names but it seems that Ajit Mohan is a front-runner. He has successfully built Hotstar,” a Facebook insider told FactorDaily, on the condition of anonymity because he is not authorised to speak with the media.

A person with knowledge of the job position said that Facebook was gravitating towards someone with experience in the media industry. “They believe that they are in the content game and want to build that cache,” the person said describing his conversations with David Fischer, Facebook’s vice president of business and marketing partnerships, who is leading the CEO search.

More details were not immediately available on what Facebook wants in a person for the role. “I’m sorry but Spencer Stuart is under confidentiality agreements and may not talk about its work,” a spokesperson for the headhunter said on email.

Facebook’s India leadership crisis, ironically, comes from its stupendous success in the country. India was more a development outpost for the social media giant when it started here in 2010 with a centre in Hyderabad. Kirthiga Reddy, its first Indian employee, transitioned into a market-facing India managing director role when Facebook saw its user base here explode a couple of years later. “She did a great job with setting the foundations of relationships with the big advertisers and agencies here,” said the person with knowledge of the open CEO position quoted earlier. Her successor Umang Bedi, too, was into a sales-heavy role with demand for ad inventory going through the roof at Facebook India.

But, with its growing presence – the company closed calendar 2017 with $700 million in sales, including spots bought by small businesses by swiping a credit card which typically gets registered outside India – the role of the India managing director now has to change, Facebook seems to have acknowledged. When Reddy’s successor, Bedi was the managing director, India, he reported into Dan Neary, vice president for Asia Pacific at Facebook. Neary’s boss was Carolyn Everson, vice president, global marketing solutions at Facebook, who, in turn, reported to Fischer.

“For David, India is a big thing. Sheryl (Sandberg) brought him from Google… He understands India well,” said a second source close to Facebook. Sources say Facebook is thinking of making the reporting relationship of the India MD directly into Fischer cutting two layers from the hierarchy.

“You need a grown-up to lead the market. The kind of role (of a sales head) didn’t help anymore,” said a third source, close to Facebook. “It was like a merry-go-round, especially with the kind of problems (Facebook) India was facing from FreeBasics to fake news.”

The missing hand at the wheel

Without a country head, Facebook India is missing on a lot of things. Like any other country head, the role of the new India head will be that of an ambassador at Facebook’s headquarters in Menlo Park, California. A map-tap approach of a leader achieving numbers isn’t enough. “It is very bad for FB or any company to go headless in a rapidly growing market like India,” said Kavil Ramachandran, Thomas Schmidheiny chair professor of family business and wealth management, Indian School of Business.

The leader will not only have to lobby for investments but also show that India is not a problem child. The company will have to have a growth story of every app and every product that gets rolled out in India. “Why shouldn’t there be a product coming out of India to fight fake news and why does everything have to go up to Dublin,” the third source said. Dublin is where Facebook does a lot of its development work in Europe.

Apart from Facebook Lite, there is no other product that is aimed at the Indian user. Google, in contrast, offers a slew of them like YouTube Go and Google Tez and projects such as Google Wifi or Internet Saathis – all initiatives rooted or aimed at India. Even Apple, with all its premium swag, is looking at India to build maps and brought out the iPhone SE to stay relevant among Indian buyers.

Ramachandran helps put the difficulty of finding someone to fill Facebook’s India MD position – Bedi announced his resignation last October – in context. “Typically, this happens when the job is not attractive for various reasons. In the case of FB, it can’t be money. Then what? Most likely, potential legal implications of any action that may not be under the control of the country head. If the head office does something and the company is breaching the country’s law, the local head will be liable or potentially so. (Cambridge) Analytica is a case in point,” he said.

“Headquarters has a lot to learn from the India team in terms of sophistication and honesty in the regulatory debate. The Californian ideology has run its course.”

Then, there is the question of building trust in a sullied platform. “Basically Facebook has lost consumer trust over the years because they don’t consistently tell the truth, the whole truth and nothing but the truth. Headquarters has a lot to learn from the India team in terms of sophistication and honesty in the regulatory debate. The Californian ideology has run its course,” said Sunil Abraham, executive director of Bengaluru-based Centre for Internet and Society. The California reference is to the brazen manner in which San Francisco-based platforms have grown unmindful of the law and societal norms at times.

At the end of the day, Facebook is valuable to customers as it is able to tell brands what customers want and thus help target ads. The internal thinking, some of which finds some takers in the advertising fraternity, is that Facebook has headroom in sales growth waiting to be grabbed. They point to Google’s India revenues of over $1 billion or nearly Rs 6,900 crore, and projections for the Indian digital ad market of some Rs 19,000 crore by 2020. The real value of the Indian digital ad market is actually a lot more: the estimates understate what is actually made because many companies register their ad revenue in tax havens to lower the incidence of tax on them.

But signing on potential revenues is easier said than done. “In the past one year, our digital ad spend has grown five times. Almost two-thirds of that increased spending has gone to Google,” said a marketing executive with a large two-wheeler company, hinting that Facebook has lost at least a large portion of the incremental revenue. He did not want his name taken in this story because the company doesn’t disclose how it splits its ad spends.

The marketing head of a leading carmaker said that Facebook is very good when it comes to narrowly targeting people but search-based advertising is still big in India. Many of his company’s dealers prefer campaigns on Google and “that is why a large portion of digital revenue is being cornered by Google,” this executive said.

The CEO of a consumer durables company said being on Facebook was “unsexy” now. “There has been so much of trust issues with Facebook that I don’t want my product to be seen there so often… I have scaled down on my Facebook budget,” the CEO said without sharing more details.

An image makeover, then, will be the new India MD’s biggest task and global bosses don’t want it lost in the hierarchical process that most MNCs operate in. The bosses want someone who can take India from $500 million to $5 billion. Fast.

Preparing an organisation for that kind of growth means resourcing it with people who have handled scale in the past or have the potential to do so. Take the example of Nokia – now gone and buried as a brand but 10 years ago, it was India’s biggest MNC. When Shivakumar, now with Aditya Birla Group, was hired as its India managing director in 2006, Nokia had understood the potential that the country offered. The goal was to grow operations of half a billion dollars manifold. Nokia India became a company with $4 billion in sales in the 2008-2009 period. One way to assess that performance is to check where the team that delivered the vision is today. Vipul Sabharwal, whose five-year stint with Nokia ended in 2011 as sales director is now managing director of Luminous Power. V Ramnath, who also left Nokia as its sales director in 2013 is managing director, Racold Thermo. Vineet Taneja, head of marketing at Nokia when he is left in 2010, is now CEO of Dyson in India after stints in between at Bharti Airtel and Samsung India. Poonam Kaul, former director of communications at Nokia, is director of marketing at Apple India now.

Large operations need capable people and Facebook is missing its go-to person in India badly. This is evident in its ask of the CEO candidate here and the changes it is willing to put in place. Gurprriet Siingh, senior client partner with headhunter Korn Ferry, said that there are three reasons why the India head role has been moved closer to the US: to speed up decision-making, to signal the importance of India, and to give context to the individual of what is expected. “A managing director’s role is to manage investors, customers, sales, regulators and government relations,” Siingh added.

With great powers come great responsibilities. That line, immortalised in Spiderman movies, will be playing on the minds of the person who signs up for the Facebook India job. With one tweak: “With great powers come great responsibilities. And, a lot to do.”

For more details visit https://cis-india.org/internet-governance/news/factor-daily-sunny-sen-and-jayadevan-pk-july-25-2018-the-crown-of-thorns-that-awaits-facebook-india-md-hire

Bit by byte protecting her privacy

Admin — 2018-07-29T01:46:38Z

The Srikrishna committee draft law on data protection is days away. Here’s a bucket list of issues that will matter

The article by Mihir Dalal and Anirban Sen was published in Livemint on July 26, 2018. Amber Sinha was quoted.

In an era dominated by “free” platforms such as Google, Facebook and Amazon, among others, data privacy had largely been considered an academic matter. However, in the past one year that notion has changed forever, bringing data privacy to the fore, as one of the defining issues of the internet, both in India and abroad.

Last August, the Supreme Court ruled that privacy was a fundamental right under the Constitution of India. Concomitantly, the debate over Aadhaar and its potential misuse picked up steam on the back of reports about data breaches in the biometric ID system though these reports were denied by the Unique Identification Authority of India, which built Aadhaar. (The apex Court will deliver its verdict on petitions that have challenged the constitutional validity of Aadhaar and its legal framework)

Globally, Facebook came under severe criticism after it was revealed that the social media giant had compromised user data in the run up to the US elections. Finally, in May, Europe introduced its landmark data privacy law, General Data Protection Regulation (GDPR), which has put users in control of their data through various measures.

The stage is now set for the much-delayed draft law on data protection, which is expected to be submitted soon by the 10-member panel headed by former Supreme Court justice B.N. Srikrishna.

The committee, which had been set up last July, has attracted criticism from some quarters. Earlier this month, more than 150 lawyers, activists and journalists, among others, wrote to the Srikrishna committee, complaining about the lack of transparency in its process, the lack of diversity in the views held by members of the committee, besides other issues. In an earlier letter in November last, activists, lawyers and others had alleged that too many members of the committee held pro-Aadhaar views. Some experts believe that the mandate of the committee was flawed to begin with. “Given that personal information is omnipresent in so many different sectors, it is better to have a light touch legislation that deals mostly with key principles of data privacy and empowers a data commissioner to frame more detailed regulations,” said Stephen Mathias, partner, Kochhar and Co.

Last week, the Telecom Regulatory Authority of India (Trai) released a set of recommendations on data privacy that favour giving users control of their data and personal information, while severely restricting the ways in which telecom and internet companies can use customer data. Here are the major issues to watch out for in the draft data protection law.

Users vs. collectors

This broad umbrella includes mandatory consent of users for data collection, data portability, the right to be forgotten and the right to erasure. Last week, Trai gave its recommendations on some of these issues in what were considered pro-privacy and progressive suggestions. Those recommendations tracked GDPR measures. The Srikrishna committee is also expected to suggest pro-privacy measures, though the details will be all-important. The committee is also expected to define what is ‘sensitive’ or ‘critical’ data. “In India, government agencies, private entities and others collect various forms of data on individuals,” said Chetan Nagendra, partner, AZB Partners. “The committee will have to clarify what category of data is allowed to be collected and whether this should this be standardized across different entities. It will also have to standardize rules on how long is it okay to store such user-collected data.”

The flip side of user rights is the role of data repositories that collect and process user data. The committee will be required to clarify what data firms and government agencies can gather on users and what will be their responsibilities toward the usage of that data. This includes the principle of privacy by design, that is, companies must ensure by default that their platforms are designed to protect rather than exploit user data and privacy.

IndusLaw partner Namita Viswanath said that in terms of data repositories, there was a need to distinguish between a data controller and a data processor. A data controller is the user-facing platform that gathers data, whereas a data processor is often a third-party firm that provides infrastructure for the platform. “Responsibilities of user personal data should be shared between a data controller and processor. The nature and extent of liability should depend on the nature of data, the party responsible for handling data and the measures adopted, but ultimately, the data controller should most responsibility,” Viswanath said.

Regulation vs. Self-control

Given that data is such a broad-ranging topic, the Srikrishna committee will be expected to recommend who should have oversight of data-related matters. Will there be a new data protection authority? If so, what will be its scope, given that regulators, such as the RBI, Sebi and Trai, will all be affected by a privacy framework in their respective areas? And what will be the punitive measures and fines for offenders on data matters?

Some experts said the government should appoint a data protection authority. As the recent travails at Facebook show, relying solely on self-regulation of internet platforms, is a disastrous policy. But it’s unlikely that the entire burden of regulation will fall on one authority.

“Logistical problems are likely, especially in the early days, with having a top-down regulatory approach,” said Kriti Trehan, partner, Panag and Babu. “The process of training, requirement of funding and access to skilled human resources will necessitate organisational and administrative inputs. With this in mind, I believe that a co-regulatory framework for data protection will be efficient. With this approach, established parameters may guide escalation in specific instances.”

Data localisation

In April, the RBI had issued norms on the storage of payments system data, which requires digital payment providers to store data in India. That has sparked another debate over the possible stance of the Srikrishna committee. Many start-ups and firms use data servers located in overseas locations because of several reasons, including economies of scale and tax planning. “Data protection should not be confused with data access,” said Kartik Maheshwari, leader, Nishith Desai Associates. “For instance, if a firm is storing user data abroad, that should be fine as long as it is secure and access in India is provided, whenever required. Storing data locally is not necessarily the best solution from the perspective of data security as better infrastructure may be available abroad. However, the government may, in exceptional cases of sensitivity, legitimately require local storage of very narrowly defined streams of data.”

Surveillance is key

The law will also need to clearly define the contours of the contentious issue of surveillance and how to ensure that India does not end up replicating the policies in place in countries such as China, which are notorious for mass surveillance practices. Surveillance that has been legally sanctioned is part of the exceptions to regular privacy practices. The committee will have to define the parameters of these exceptions. In the case of surveillance, some experts, including Amber Sinha of Centre for Internet and Society, said that while it needs to be allowed in specific instances such as issues related to national security, a judicial system needs to be in place to protect the rights of the parties that are being put under surveillance. This, in many ways, is the heart of a very important matter.

The Aadhaar factor

The most hot-button of all issues for the committee is, of course, Aadhaar. Former UIDAI chairman Nandan Nilekani told Mint this week that “if something needs to be modified in the Aadhaar law, it will be done” by the Srikrishna committee. The changes that the committee will suggest to the Aadhaar law will go a long way in determining whether its draft law is truly pro-privacy.

For more details visit https://cis-india.org/internet-governance/news/livemint-july-26-2018-mihir-dalal-and-anirban-sen-byte-by-byte-protecting-her-privacy

Govt asks CBI to probe Cambridge Analytica in data breach case

Admin — 2018-07-29T01:47:01Z

Centre directs social media platforms to take prompt action against fake messages

The article by Komal Gupta was published in Livemint on July 27, 2018. Pranesh Prakash was quoted.

The government has written to the Central Bureau of Investigation (CBI) seeking an enquiry into London-based political consultancy Cambridge Analytica, and asked all social media platforms to take prompt action against fake messages, including tracing their origin. Cambridge Analytica is at the centre of a Facebook data breach row, including those of around 562,000 Indian users.

“It is suspected that Cambridge Analytica may have been involved in illegally obtaining data of Indians which could be misused. The government has entrusted this issue to be investigated by the CBI for possible violation of Information Technology Act, 2000 and IPC,” said Ravi Shankar Prasad, electronics and IT minister in response to a calling attention motion in the Rajya Sabha on “Misuse of social media platforms and propagation of fake news causing unrest and violence.”

Media platforms have been directed to work with Indian officials to receive grievance in real time and also inform law enforcement agencies.

“They (social media platforms) will have to ensure that their platforms do not become vehicles of promoting hatred, terrorism money laundering, mob violence and rumour mongering,” said Prasad.

Over the last couple of months, there have been several instances of data breach and fake messages being circulated through social media platforms.

In March, after the data of Indians was allegedly compromised through Facebook by Cambridge Analytica, the government issued notices to the two companies and sought their response. According to Prasad, Facebook responded that it will streamline its internal processes on handling of personal data and Cambridge Analytica violated its platform policies. Cambridge Analytica had said that data of Indians was not breached but this was not in conformity with what was reported by Facebook.

After initial responses, Cambridge Analytica stopped responding to letters from the IT ministry after which the government ordered a CBI probe into the matter. Over the last month, a spate of mob lynchings has been reported from several states, including Assam, Maharashtra, Karnataka, Tripura, Jharkhand and West Bengal, following fake messages spread through Facebook-owned messaging service WhatsApp.

According to Prasad, the government is initiating measures to increase awareness about fake news with the support of all stakeholders.

On 19 July, the government directed WhatsApp to come out with more effective solutions that can bring in accountability and facilitate enforcement of law in addition to their efforts to label forwards and identify fake news. After this, the social media giant limited forward messages to five chats at once instead of multiple chats at once.

“It now plans to the remove forward button (icon) adjacent to a video or audio message. They also plan to bring fact checking and fake news verification mechanism,” added Prasad.

Earlier this month, WhatsApp rolled out a new feature that would clearly mark forwarded messages in a move aimed at curbing the spread of rumours.

As of March, there were more than 460 million Indian users of social media platforms, including Facebook, Twitter, YouTube and WhatsApp.

The ministry of home affairs (MHA) has issued a number of advisories on incidents of lynching by mobs fuelled by rumours of lifting/kidnapping of children and cyber crime prevention and control. It has also constituted a group of ministers and a high level committee to formulate appropriate measures to address mob violence and lynchings in the country.

“The government doesn’t seem to have understood the meaning of ‘abetment’ under the IPC, nor does it seem to understand the protections afforded to intermediaries like messaging platforms under section 79 of the Information Technology Act. Messaging platforms like WhatsApp cannot legally be held to be abettors, plain and simple,”said Pranesh Prakash, fellow at the Centre for Internet and Society, a Bengaluru-based think tank.

For more details visit https://cis-india.org/internet-governance/news/livemint-july-27-2018-komal-gupta-govt-asks-cbi-to-probe-cambridge-analytica-in-data-breach-case

Ethical Data Design Practices in the AI (Artificial Intelligence) Age

Admin — 2018-08-01T23:14:21Z

Shweta Mohandas was a panelist at discussion on Ethical Data Design Practices in the AI (Artificial Intelligence) Age, organised by Startup Grind, Bangalore on July 28, 2018 at NUMA Bangalore.

Agenda

Ethical Data Design Practices in the Age

The panel discussion is intended to explore the challenges we face when designing the user experiences of the complex behavioral agents that increasingly run our lives.

Discussion centred around how to:

Understand current thinking by the AI community on ethics and morality in computing and the challenges it presents.
Explore examples of the ethical choices that products make now and will make in the near future.
Learn how designers might approach designing experiences that face moral dilemmas.

For more details visit https://cis-india.org/internet-governance/news/ethical-data-design-practices-in-the-ai-artificial-intelligence-age

Firms find wealth in your data

Admin — 2018-07-25T16:06:30Z

Data collection and theft is quite prevalent and there is little an individual can do right now.

Data protection and privacy are the new buzzwords in the corridors of power in India. While a Ministry of Electronics and Technology committee led by retired Supreme Court Justice B N Srikrishna is working on a draft Data Protection Bill, the Telecom Regulatory Authority of India (TRAI) has come out with its own recommendations regarding privacy, security, and ownership of data in the telecom sector.

How is your data collected?

Every minute you spend online leads to your data being generated, collected and collated somewhere. “There is data that we volunteer. If I create an account for myself on any website I will provide my name, age, banking and so on,” says Amber Sinha, senior programme manager, Centre for Internet and Society.

“Then there is data which gets collected by telecom companies and companies which provide OTT (Over-The-Top) services, like Google Chrome. Much of this data is collected automatically — my browsing history, what links were open, what ads did I click on in Facebook etc. Most websites use trackers and cookies that continue working in the background. Even when you have closed the link and move on to another website, they still continue to collect data about you,” he adds.

What is the method behind this?

“In order to provide a service, there is some data that they need to collect. For example, a cab aggregator has to get my location in order to connect me to nearest cabs. Yet most companies collect data beyond what might be needed. Suppose you are availing an online service which involves a payment aspect. For authentication, an OTP is sent in the form of a text message. The online services will seek permission to read our messages so that they can automatically pull the OTP, saving us the trouble of having to key it in manually. But the system is designed in such a way that the permission they seek is for my entire message box,” explains Amber.

Read the complete article by Rajitha Menon in Deccan Herald published on July 20, 2018. Amber Sinha has been quoted.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-july-20-2018-rajitha-menon-firms-find-wealth-in-your-data

WhatsApp races against time to fix fake news mess ahead of 2019 general elections

Admin — 2018-07-25T15:27:20Z

On Friday, when WhatsApp announced that it would pilot a ‘five media-based forwards limit’ in India, the government came up with an unequivocal reminder.

The article by Venkat Ananth was published in Economic Times on July 24, 2018. Sunil Abraham was quoted.

“When rumours and fake news get propagated by mischief mongers, the medium used for such propagation cannot evade responsibility and accountability. If they remain mute spectators, they are liable to be treated as abettors and thereafter face consequent legal action,” noted a ministry of electronics and information technology (MeitY) statement.

The statement also said there was a need for bringing in traceability and accountability, “when a provocative/inflammatory message is detected and a request is made by law enforcement agencies.”

Significantly, MeitY took aim at WhatsApp’s core end-to-end encryptionbased product feature and its oft-quoted and reiterated commitment to privacy. It was specific, going beyond the usual “do more” requests.

The stand also poses an interesting dilemma for the messenger service. How can it act while protecting its privacy commitment?

“It is practical ly impossible for WhatsApp to regulate content in the peer-to-peer encrypted environment it is set up in,” says Rahul Matthan, partner, Trilegal. “An encrypted platform is what we want. The government is trying to maintain a strict and difficult balance. The government tends to err on the side of violating civil liberties over offering privacy to innocent users. The WhatsApp case is going in that direction.”

No Longer Low-Key

In India, its largest market, WhatsApp has benefitted from quietly operating in the shadows of its more popular parent, Facebook, growing to a currently active user base of 200 million.

However, in the last six months, while it continues to be perceived as an asset by politicos for outreach and propaganda, WhatsApp is now increasingly being tapped by the bad guys to disseminate deliberate misinformation, rumour mongering and fake news. And not the Donald Trump kind either.

It is leading to loss of lives on the ground, through lynchings, kidnappings and related crimes.

WhatsApp spokesperson Carl Woog says, “The recent acts of violence in India have been heartbreaking and reinforce the need for government, civil society and technology companies to work together to keep people safe.”

“By focusing on solutions to fake news inside our smartphones, we are ignoring a tougher problem that requires several complementary solutions,” says Apar Gupta, a Delhi-based lawyer and cofounder of the Internet Freedom Foundation.

“Let us not forget that a platform is not responsible for policing.”

But the general public and government perception — and, to some extent, concern — remains that WhatsApp has been slow to react to these situations.

To Police or Not to Police

Interestingly, the government and ruling party realise WhatsApp could be pivotal to their fortunes in the next electoral cycle — in the run-up to Elections
2019.

“The government is coming under increased pressure to act on these lynchings, which is why it is taking a shootthe-messenger kind of an approach,” says Matthan. “An unsophisticated government would have advocated a blanket ban on the source. But here, the government, it appears, wants to regulate tech by having access to your device, through an app, in the case of the (telecom regulator) Trai DND app to battle spam.”

This is also why WhatsApp has intensified its outreach efforts. Over the past 10 days, a team of its US and India-based executives have been meeting key stakeholders in Delhi and Mumbai, including the Election Commission, political parties, the Reserve Bank of India, banks and civil society, as ET reported last week.

The team includes public policy manager Ben Supple, senior director, customer operations, Komal Lahiri and WhatsApp India communication manager Pragya Misra Mehrishi. They are now expected to meet key government officials from MeitY from Monday, sources say.

“The intense outreach efforts is essentially linked to WhatsApp wanting to protect its payments play in India,” says a Delhi-based public policy professional, who did not want to be named as he is not authorised to speak to the media.

“It (WhatsApp) is really worried about Google’s efforts with Tez and the gap that will only widen if the government delays grant of permission.”

WhatsApp is stressing some key points while reinforcing the steps it is taking to counter challenges. One, the best practices of using the platform. Two, the need to work together to prevent abuse of WhatsApp, and three, most importantly, to educate people about the best ways of using the platform. WhatsApp was primarily designed for private, oneon-one messaging or group chats among acquaintances, not for mass broadcast, which parties resort to during elections.

WhatsApp says it is working on a warfooting to tackle the problems. It has introduced product changes to counter user behaviour. There’s more control, where a group ‘admin’ can restrict users who can send messages to the group, modify a group icon or edit description, a feature for which it has taken a leaf out of rival Telegram’s book. To counter fake news, it added a ‘forwarded’ label. And now, limited the forwarding to five in India, and 20 in the rest of the markets, a significant reduction from 250 prior to that.

While the impact of these product tweaks is yet to be seen at an individual user level, the larger concern for WhatsApp today is the potential misuse of its platform to manipulate elections, a very real possibility next year.

Tipping Point

The company’s noticeable change of tack comes after it noticed certain trends during the recent Karnataka elections, during which one of its executives spent a week in Bengaluru.

One of the political parties, which a person aware of the developments in WhatsApp declined to name, was using “dozens of accounts to create thousands of groups,” as part of its campaign.

The party, the source says, was adding random numbers (approximately 100) to the group during creation. By random numbers, he meant people who did not know each other, something WhatsApp can identify using the metadata it collects when a user gives it access to its phone book. WhatsApp deems this behaviour ‘organised spamming.’

“These were real people not necessarily known to each other,” says the person quoted above. “A specific account would be added to that group to be made the admin.”

Mostly, this admin was the number used to create these multiple groups or, in WhatsApp terms, the account that was not behaving the way private or group communication happens.

Also, the users would be a mix of fake accounts, which is a major red flag for WhatsApp. “The group starts with some bulk added users and then the real ones get bulk-added,” says the source. WhatsApp deems this practice a violation of its terms of service.

Company sources add that WhatsApp was able to detect these trends and proactively banned these users before they were able to add people. “In some cases, our systems didn’t catch this in time, but we were able to proactively prevent users from receiving such spam. That detection is now internalised and if someone tries to replicate that behaviour anywhere in the world, we will be able to detect them,” says another person familiar with developments at WhatsApp.

According to several media reports, the BJP and the Congress too created over 30,000 groups for campaigning and organising efforts. To counter organised political spamming, WhatsApp has now begun using machine learning tools. WhatsApp can trace the last few messages in a group and block it entirely from the platform. At the detection level, WhatsApp checks for familiarity. “Do the persons know each other, or have they interacted before?” through metadata it possesses through phone numbers.

The second person quoted in the story says the company now focuses its detection “upstream,” that is, catching the user at the registration stage. “When you register on WhatsApp and immediately create a group, questions asked are, ‘Does this behaviour look like what a regular user does? Or does it look like users who have misused it in the past?’” he says.

WhatsApp, sources tell ET, is also using machine learning to detect sequential numbers that could be used to create these groups. “If they go and buy a phone number, they go to one carrier and its mostly sequential. If we notice 100 numbers with the same prefix have signed up, nearly 80 get automatically banned. What we do is feed these sequences, permutations and combinations to detect good/bad users,” the person quoted above says. “It learns millions of these combination signals on behaviour and help us make a decision.”

Civil Society as a Key Layer

WhatsApp also sees an enabling role for civil society, especially for digital literacy. Its team has currently met seven non-governmental organisations, including digital literacy groups and others involved in the area of financial inclusion. This is part of its public policy efforts while also solidifying its payments play.

“The level of responsibility for a platform is to not consciously cause — and, in fact, to take active measures to prevent — social harm,” says Gupta of IFF. “It has to be done without injury to end-to-end encryption, which offers safety and privacy to users.

Many products and product strategies can be adopted — from increasing media diversity on the platform to promoting auditing features that rely on partnerships with fact-checking organisations. We must demand accountability but resist the rhetorical attraction of technophobia.”

As ET has reported, WhatsApp will adapt a fact-checking model, Verificado 2018, deployed during the recent Mexican presidential elections. Verificado proactively debunked fake news and misinformation on the platform. “The rumours were found to be very similar to India.

Verificado was specifically focused on misinformation from candidates,” says the first person quoted in the story. “Plus, it helped effectively tackle misinformation during an earthquake in Mexico.”

For WhatsApp, one of the key learnings from the Mexico elections was that it could look at the spam reports and categorise them as politics-related. The company, unsurprisingly, saw an increase in political spam in the buildup to election day.

“They realised Verificado assists users to get help within the app. But it also aids news organisations, political parties, the government and users,” adds the person. The company is undertaking a similar exercise in Brazil, where 24 media outlets have come together under the Comprova initiative to fact-check viral content and rumours on WhatsApp.

Sunil Abraham, executive director of the Bengaluru-based Centre for Internet and Society believes WhatsApp can further tweak its product to enable real-time checks. “They can enable a ‘fact check this’ button for users to upload content to a fact-checking database. If the content has already been fact-checked, the score can be displayed immediately. Alternatively, the fact-checking service can return the score at a later date,” he explains.

For more details visit https://cis-india.org/internet-governance/news/economic-times-venkat-ananth-july-24-2018-whatsapp-races-against-time-to-fix-fake-news-mess-ahead-of-2019-general-elections

The Centre for Internet and Society’s Comments and Recommendations to the: Indian Privacy Code, 2018

Shweta Mohandas, Elonnai Hickok, Amber Sinha and Shruti Trikanand — 2018-07-20T13:55:46Z

The debate surrounding privacy has in recent times gained momentum due to the Aadhaar judgement and the growing concerns around the use of personal data by corporations and governments.

Click to download the file here

As India moves towards greater digitization, and technology becomes even more pervasive, there is a need to ensure the privacy of the individual as well as hold the private and public sector accountable for the use of personal data. Towards enabling public discourse and furthering the development a privacy framework for India, a group of lawyers and policy analysts backed by the Internet Freedom Foundation (IFF) have put together a draft a citizen's bill encompassing a citizen centric privacy code that is based on seven guiding principles.^{^[1]} This draft builds on the Citizens Privacy Bill, 2013 that had been drafted by CIS on the basis of a series of roundtables conducted in India.^{^[2]} Privacy is one of the key areas of research at CIS and we welcome this initiative and hope that our comments make the Act a stronger embodiment of the right to privacy.

Section by Section Recommendations

Preamble

Comment: The Preamble specifies that the need for privacy has increased in the digital age, with the emergence of big data analytics.

Recommendation: It could instead be worded as ‘with the emergence of technologies such as big data analytics’, so as to recognize the impact of multiple technologies and processes including big data analytics.

Comment: The Preamble states that it is necessary for good governance that all interceptions of communication and surveillance be conducted in a systematic and transparent manner subservient to the rule of law.

Recommendation: The word ‘systematic’ is out of place, and can be interpreted incorrectly. It could instead be replaced with words such as ‘necessary’, ‘proportionate’, ‘specific’, and ‘narrow’, which would be more appropriate in this context.

Chapter 1 Preliminary

Section 2: This Section defines the terms used in the Act.

Comment: Some of the terms are incomplete and a few of the terms used in the Act have not been included in the list of definitions.

Recommendations:

The term “effective consent” needs to be defined. The term is first used in the Proviso to Section 7(2), which states “Provided that effective consent can only be said to have been obtained where...:”It is crucial that the Act defines effective consent especially when it is with respect to sensitive data.
The term “open data” needs to be defined. The term is first used in Section 5 that states the exemptions to the right to privacy. Subsection 1 clause ii states as follows “the collection, storage, processing or dissemination by a natural person of personal data for a strictly non-commercial purposes which may be classified as open data by the Privacy Commission”. Hence the term open data needs to be defined in order to ensure that there is no ambiguity in terms of what open data means.
The Act does not define “erasure”, although the term erasure does come under the definition of destroy (Section 2(1)(p)). There are some provisions that use the word erasure , hence if erasure and destruction mean different acts then the term erasure needs to be defined, otherwise in order to maintain uniformity the sections where erasure is used could be substituted with the term “destroy” as defined under this Act.
The definition of “sensitive personal data” does not include location data and identification numbers. The definition of sensitive data must include location data as the Act also deals in depth with surveillance. With respect to identification numbers, the Act needs to consider identification numbers (eg. the Aadhaar number, PAN number etc.) as sensitive information as this number is linked to a person's identity and can reveal sensitive personal data such as name, age, location, biometrics etc. Example can be taken from Section 4(1) of the GDPR^{^[3]} which identifies location data as well as identification numbers as sensitive personal data along with other identifies such as biometric data, gender race etc.
The Act defines consent as the “unambiguous indication of a data subject’s agreement” however, the definition does not indicate that there needs to be an informed consent. Hence the revised definition could read as follows “the informed and unambiguous indication of a data subject’s agreement”. It is also unclear how this definition of consent relates to ‘effective consent’. This relationship needs to be clarified.
The Act defines ‘data controller’ in Section 2(1)(l) as “ any person including appropriate government..”. In order to remove any ambiguity over the definition of the term person, the definition could specify that the term person means any natural or legal person.
The Act defines ‘data processor’ in Section (2(1)(m) as “means any person including appropriate government”. In order to remove any ambiguity over the definition of the term ‘any person’, the definition could specify that the term person means any natural or legal person.

CHAPTER II

Right to Privacy

Section 5: This section provides exemption to the rights to privacy.

Comment: Section 5(1)(ii) states that the collection, storage, processing or dissemination by a natural person of personal data for a strictly non-commercial purposes are exempted from the provisions of the right to privacy. This clause also states that this data may be classified as open data by the Privacy Commission. This section hence provides individuals the immunity from collection, storage, processing and dissemination of data of another person. However this provision fails to state what specific activities qualify as non commercial use.

Recommendation: This provision could potentially be strengthened by specifying that the use must be in the public interest. The other issue with this subsection is that it fails to define open data. If open data was to be examined using its common definition i.e “data that can be freely used, modified, and shared by anyone for any purpose”^{^[4]} then this section becomes highly problematic. As a simple interpretation would mean that any personal data that is collected, stored, processed or disseminated by a natural person can possibly become available to anyone. Beyond this, India has an existing framework governing open data. Ideally the privacy commissioner could work closely with government departments to ensure that open data practices in India are in compliance with the privacy law.

CHAPTER III

Protection of Personal Data

PART A

Notice by data controller

Section 6: This section specifies the obligations to be followed by data controllers in their communication, to maintain transparency and lays down provisions that all communications by Data Controllers need to be complied with.

Comment: There seems to be a error in the Proviso to this section. The proviso states “Provided that all communications by the Data Controllers including but not limited to the rights of Data Subjects under this part shall may be refused when the Data Controller is, unable to identify or has a well founded basis for reasonable doubts as to the identity of the Data Subject or are manifestly unfounded, excessive and repetitive, with respect to the information sought by the Data Subject ”.

Recommendation: The proviso could read as follows “The proviso states “Provided that all communications by the Data Controllers including but not limited to the rights of Data Subjects under this part may be refused when the Data Controller is…”. We suggest the use of the ‘may’ as this makes the provision less limiting to the rights of the data controller.

Additionally, it is not completely clear what ‘included but not limited to...’ would entail. This could be clarified further.

PART B

CONSENT OF DATA SUBJECTS

Section 10: This section talks about the collection of personal data.

Comment: Section 10(3) lays down the information that a person must provide before collecting the personal data of an individual.

Comment: Section 10(3)(xi) states as follows “the time and manner in which it will be destroyed, or the criteria used to Personal data collected in pursuance of a grant of consent by the data subject to whom it pertains shall, if that consent is subsequently withdrawn for any reason, be destroyed forthwith: determine that time period;”. There seems to be a problem with the sentence construction and the rather complex sentence is difficult to understand.

Recommendation: This section could be reworked in such as way that two conditions are clear, one - the time and manner in which the data will be destroyed and two the status of the data once consent is withdrawn.

Comment: Section 10(3)(xiii) states that the identity and contact details of the data controller and data processor must be provided. However it fails to state that the data controller should provide more details with regard to the process for grievance redressal. It does not provide guidance on what type of information needs to go into this notice and the process of redressal. This could lead to very broad disclosures about the existence of redress mechanisms without providing individuals an effective avenue to pursue.

Recommendation: As part of the requirement for providing the procedure for redress, data controllers could specifically be required to provide the details of the Privacy Officers, privacy commissioner, as well as provide more information on the redressal mechanisms and the process necessary to follow.

Section 11:This section lays out the provisions where collection of personal data without prior consent is possible.

Comment: Section 11 states “Personal data may be collected or received from a third party by a Data Controller the prior consent of the data subject only if it is:..”. However as the title of the section suggests the sentence could indicate the situations where it is permissible to collect personal data without prior consent from the data subject”. Hence the word “without” is missing from the sentence. Additionally the sentence could state that the personal data may be collected or received directly from an individual or from a third party as it is possible to directly collect personal data from an individual without consent.

Recommendation:The sentence could read as “Personal data may be collected or received from an individual or a third party by a Data Controller without the prior consent of the data subject only if it is:..”.

Comment: Section 11(1)(i) states that the collection of personal data without prior consent when it is “necessary for the provision of an emergency medical service or essential services”. However it does not specify the kind or severity of the medical emergency.

Recommendation: In addition to medical emergency another exception could be made for imminent threats to life.

Section 12: This section details the Special provisions in respect of data collected prior to the commencement of this Act.

Comment: This section states that all data collected, processed and stored by data controllers and data processors prior to the date on which this Act comes into force shall be destroyed within a period of two years from the date on which this Act comes into force. Unless consent is obtained afresh within two years or that the personal data has been anonymised in such a manner to make re-identification of the data subject absolutely impossible. However this process can be highly difficult and impractical in terms of it being time consuming, expensive particularly, in cases of analog collections of data. This is especially problematic in cases where the controller cannot seek consent of the data subject due to change in address or inavailability or death. This will also be problematic in cases of digitized government records.

Recommendation: We suggest three ways in which the issue of data collected prior to the Act can be handled. One way is to make a distinction on the data based on whether the data controller has specified the purpose of the collection before collecting the data. If the purpose was not defined then the data can be deleted or anonymised. Hence there is no need to collect the data afresh for all the cases. The purpose of the data can also be intimated to the data subject at a later stage and the data subject can choose if they would like the controller to store or process the data.The second way is by seeking consent afresh only for the sensitive data. Lastly, the data controller could be permitted to retain records of data, but must necessarily obtain fresh consent before using them. By not having a blanket provision of retrospective data deletion the Act can address situations where deletion is complicated or might have a potential negative impact by allowing storage, deletion, or anonymisation of data based on its purpose and kind.

Comment: Section (2)(1)(i) of the Act states that the data will not be destroyed provided that effective consent is obtained afresh within two years. However as stated earlier the Act does not define effective consent.

Recommendation: The term effective consent needs to be defined in order to bring clarity to this provision.

PART C

FURTHER LIMITATIONS ON DATA CONTROLLERS

Section 16: This section deals with the security of personal data and duty of confidentiality.

Comment: Section 16(2) states “ Any person who collects, receives, stores, processes or otherwise handles any personal data shall be subject to a duty of confidentiality and secrecy in respect of it.” Similarly Section 16(3) states “data controllers and data processors shall be subject to a duty of confidentiality and secrecy in respect of personal data in their possession or control. However apart from the duty of confidentiality and secrecy the data collectors and processors could also have a duty to maintain the security of the data.” Though it is important for confidentiality and secrecy to be maintained, ensuring security requires adequate and effective technical controls to be in place.

Recommendation: This section could also emphasise on the duty of the data controllers to ensure the security of the data. The breach notification could include details about data that is impacted by a breach or attach as well as the technical details of the infrastructure compromised.

Section 17: This section details the conditions for the transfer of personal data outside the territory of India.

Comment: Section 17 allows a transfer of personal data outside the territory of India in 3 situations- If the Central Government issues a notification deciding that the country/international organization in question can ensure an adequate level of protection, compatible with privacy principles contained in this Act; if the transfer is pursuant to an agreement which binds the recipient of the data to similar or stronger conditions in relation to handling the data; or if there are appropriate legal instruments and safeguards in place, to the satisfaction of the data controller. However, there is no clarification for what would constitute ‘adequate’ or ‘appropriate’ protection, and it does not account for situations in which the Government has not yet notified a country/organisation as ensuring adequate protection. In comparison, the GDPR, in Chapter V^{^[5]}, contains factors that must be considered when determining adequacy of protection, including relevant legislation and data protection rules, the existence of independent supervisory authorities, and international commitments or obligations of the country/organization. Additionally, the GDPR allows data transfer even in the absence of the determination of such protection in certain instances, including the use of standard data protection clauses, that have been adopted or approved by the Commission; legally binding instruments between public authorities; approved code of conduct, etc. Additionally, it allows derogations from these measures in certain situations: when the data subject expressly agrees, despite being informed of the risks; or if the transfer is necessary for conclusion of contract between data subject and controller, or controller and third party in the interest of data subject; or if the transfer is necessary for reasons of public interest, etc. No such circumstances are accounted for in Section 17.

Recommendation: Additionally, data controllers and processors could be provided with a period to allow them to align their policies towards the new legislation. Making these provisions operational as soon as the Act is commenced might put the controllers or processors guilty of involuntary breaching the provisions of the Act.

Section 19: This section states the special provisions for sensitive personal data.

Comment: Section 19(2) states that in addition to the requirements set out under sub-clause (1), the Privacy Commission shall set out additional protections in respect of:i.sensitive personal data relating to data subjects who are minors; ii.biometric and deoxyribonucleic acid data; and iii.financial and credit data.This however creates additional categories of sensitive data apart from the ones that have already been created.^{^[6]} These additional categories can result in confusion and errors.

Recommendation: Sensitive data must not be further categorised as this can lead to confusion and errors. Hence all sensitive data could be subject to the same level of protection.

Section 20: This section states the special provisions for data impact assessment.

Comment: This section states that all data impact assessment reports will be submitted periodically to the State Privacy commission. This section does not make provisions for instances of circumstances in which such records may be made public. Additionally the data impact assessment could also include a human rights impact assessment.

Recommendation: The section could also have provisions for making the records of the impact assessment or relevant parts of the assessment public. This will ensure that the data controllers / processors are subjected to a standard of accountability and transparency. Additionally as privacy is linked to human rights the data impact assessment could also include a human rights impact assessment. The Act could further clarify the process for submission to State Privacy Commissions and potential access by the Central Privacy Commission to provide clarity in process.

Section 20 requires controllers who use new technology to assess the risks to the data protection rights that occur from processing. ‘New technology’ is defined to include pre-existing technology that is used anew. Additionally, the reports are required to be sent to the State Privacy Commission periodically. However, there is no clarification on the situations in which such an assessment becomes necessary, or whether all technology must undergo such an assessment before their use. Additionally, the differentiation between different data processing activities based on whether the data processing is incidental or a part of the functioning needs to be clarified. This differentiation is necessary as there are some data processors and controllers who need the data to function; for instance an ecommerce site would require your name and address to deliver the goods, although these sites do not process the data to make decisions. This can be compared to a credit rating agency that is using the data to make decisions as to who will be given a loan based on their creditworthiness. Example can taken from the GDPR, which in Article 35, specifies instances in which a data impact assessment is necessary: where a new technology, that is likely to result in a high risk to the rights of persons, is used; where personal aspects related to natural persons are processed automatically, including profiling; where processing of special categories of data (including data revealing ethnic/racial origin, sexual orientation etc), biometric/genetic data; where data relating to criminal convictions is processed; and with data concerning the monitoring of publicly accessible areas. Additionally, there is no requirement to publish the report, or send it to the supervising authority, but the controller is required to review the processor’s operations to ensure its compliance with the assessment report.

Recommendation: The reports could be sent to a central authority, which according to this Act is the Privacy Commission, along with the State Privacy Commission. Additionally there needs to be a differentiation between the incidental and express use of data. The data processors must be given at least a period of one year after the commencement of the Act to present their impact assessment report. This period is required for the processors to align themselves with the provisions of the Act as well as conduct capacity building initiatives.

PART C

RIGHTS OF A DATA SUBJECT

Section 21: This section explains the right of the data subject with regard to accessing her data. It states that the data subject has the right to obtain from the data controller information as to whether any personal data concerning her is collected or processed. The data controller also has to not only provide access to such information but also the personal data that has been collected or processed.

Comment: This section does not provide the data subject the right to seek information about security breaches.

Recommendation: This section could state that the data subject has the right to seek information about any security breaches that might have compromised her data (through theft, loss, leaks etc.). This could also include steps taken by the data controller to address the immediate breach as well as steps to minimise the occurrence of such breaches in the future.^{^[7]}

CHAPTER IV

INTERCEPTION AND SURVEILLANCE

Section 28: This section lists out the special provisions for competent organizations.

Comment: Section 28(1) states ”all provisions of Chapter III shall apply to personal data collected, processed, stored, transferred or disclosed by competent organizations unless when done as per the provisions under this chapter ”.This does not make provisions for other categories of data such as sensitive data.

Recommendation: This section needs to include not just personal data but also sensitive data, in order to ensure that all types of data are protected under this Act.

Section 30: This section states the provisions for prior authorisation by the appropriate Surveillance and Interception Review Tribunal.

Comment: Section 30(5) states “any interception involving the infringement of the privacy of individuals who are not the subject of the intended interception, or where communications relate to medical, journalistic, parliamentary or legally privileged material may be involved, shall satisfy additional conditions including the provision of specific prior justification in writing to the Office for Surveillance Reform of the Privacy Commission as to the necessity for the interception and the safeguards providing for minimizing the material intercepted to the greatest extent possible and the destruction of all such material that is not strictly necessary to the purpose of the interception.” This section needs to state why these categories of communication are more sensitive than others. Additionally, interceptions typically target people and not topics of communication - thus medical may be part of a conversation between two construction workers and a doctor will communicate about finances.

Recommendation: The section could instead of singling out “medical, journalistic, parliamentary or legally privileged material” state that “any interception involving the infringement of the privacy of individuals who are not the subject of the intended interception may be involved, shall satisfy additional conditions including the provision of specific prior justification in writing to the Office for Surveillance Reform of the Privacy Commission.

Section 37: This section details the bar against surveillance.

Comment: Section 37(1) states that “no person shall order or carry out, or cause or assist the ordering or carrying out of, any surveillance of another person”. The section also prohibits indiscriminate monitoring, or mass surveillance, unless it is necessary and proportionate to the stated purpose. However, it is unclear whether this prohibits surveillance by a resident of their own residential property, which is allowed in Section 5, as the same could also fall within ‘indiscriminate monitoring/mass surveillance’. For instance, in the case of a camera installed in a residential property, which is outward facing, and therefore captures footage of the road/public space.

Recommendation: The Act needs to bring more clarity with regard to surveillance especially with respect to CCTV cameras that are installed in private places, but record public spaces such as public roads. The Act could have provisions that clearly define the use of CCTV cameras in order to ensure that cameras installed in private spaces are not used for carrying out mass surveillance. Further, the Act could address the use of emerging techniques and technology such as facial recognition technologies, that often rely on publicly available data.

CHAPTER V

THE PRIVACY COMMISSION

Section 53: This section details the powers and functions of the Privacy Commission.

Comment: Section 53(2)(xiv) states that the Privacy Commission shall publish periodic reports “providing description of performance, findings, conclusions or recommendations of any or all of the functions assigned to the Privacy Commission”. However this Section does not make provisions for such reporting to happen annually and to make them publicly available, as well as contain details including financial aspects of matters contained within the Act.

Recommendation: The functions could include a duty to disclose the information regarding the functioning and financial aspects of matters contained within the Act. Categories that could be included in such reports include: the number of data controllers, number of data processors, number of breaches detected and mitigated etc.

CHAPTER IX

OFFENCES AND PENALTIES

Sections 73 to 80: These sections lay out the different punishments for controlling and processing data in contravention to the provisions of this Act.

Comment: These sections, while laying out different punishments for controlling and processing data in contravention to the provisions of this Act, mets out a fine extending upto Rs. 10 crore. This is problematic as it does not base these penalties on the finer aspects of proportionality, such as offences that are not as serious as the others.

Recommendation: There could be a graded approach to the penalties based on the degree of severity of the offence.This could be in the form of name and shame, warnings and penalties that can be graded based on the degree of the offence.
----------------------------------------------------------------------

Additional thoughts: As India moves to a digital future there is a need for laws to be in place to ensure that individual's rights are not violated. By riding on the push to digitization, and emerging technologies such as AI, a strong all encompassing privacy legislation can allow India to leapfrog and use these emerging technologies for the benefit of the citizens without violating their privacy. A robust legislation can also ensure a level playing field for data driven enterprises within a framework of openness, fairness, accountability and transparency.

^{^[1]} These seven principles include: Right to Access, Right to Rectification, Right to Erasure And Destruction of Personal Data,Right to Restriction Of Processing, Right to Object, Right to Portability of Personal Data,Right to Seek Exemption from Automated Decision-Making.

^{^[2]}The Privacy (Protection) Bill 2013: A Citizen’s Draft, Bhairav Acharya, Centre for Internet & Society, https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft

^{^[3]}General Data Protection Regulation, available at https://gdpr-info.eu/art-4-gdpr/.

^{^[4]} Antonio Vetro, Open Data Quality Measurement Framework: Definition and Application to Open Government Data, available at https://www.sciencedirect.com/science/article/pii/S0740624X16300132

^{^[5]} General Data Protection Regulation, available at https://gdpr-info.eu/chapter-5/.

^{^[6]} Sensitive personal data under Section 2(bb) includes, biometric data; deoxyribonucleic acid data;
sexual preferences and practices;medical history and health information;political affiliation;
membership of a political, cultural, social organisations including but not limited to a trade union as defined under Section 2(h) of the Trade Union Act, 1926;ethnicity, religion, race or caste; and
financial and credit information, including financial history and transactions.

^{^[7]} Submission to the Committee of Experts on a Data Protection Framework for India, Amber Sinha, Centre for Internet & Society, available at https://cis-india.org/internet-governance/files/data-protection-submission

For more details visit https://cis-india.org/internet-governance/blog/the-centre-for-internet-and-society2019s-comments-and-recommendations-to-the-indian-privacy-code-2018

Srikrishna panel upset at timing of Trai suggestions

Admin — 2018-07-19T14:17:19Z

The Justice BN Srikrishna Committee, which is drafting a model data protection and privacy law for India, is upset by the timing of recommendations made by the country’s telecom regulator this week, according to a senior member of the panel, as it fears this will delay the submission of its own report, due later this month.

The article by Megha Mandavia was published in Economic Times on July 19, 2018. Swaraj Paul Barooah was quoted.

On Monday, Telecom Regulatory Authority of India (Trai) in a surprise move recommended rules that give users control of their data and personal information while severely restricting ways in which telecom and internet firms can use customer data. Its rules are applicable for apps, browsers, operating systems and handset makers.

“Next week somebody will make some recommendations and that will have to be merged, then again somebody will make some other recommendations,” the person told ET. He added that the committee will look into Trai’s submissions.

On Wednesday, ET reported that officials of ministry of electronics and information technology (MeitY), besides industry groupings such as Internet and Mobile Association of India (IAMAI) and the Indian Cellular Association (ICA) were unhappy with Trai’s move.

“Like any other sector, the data protection Act will be the final thing. In respect of telecom matters, there will be a role for Trai as sectoral regulator but the basics of privacy will be governed by the data protection Act,” a MeitY official told ET.

Legal experts and industry analysts also questioned the need for the regulatory announcement just before the Justice Srikrishna committee releases its report, after a year of deliberations.

The high-powered group — consisting of jurists, academicians and policymakers — was formed last July with a brief to suggest principles for data privacy and a draft data protection bill for the country.

“Why is Trai then pre-empting the law?” said Kartik Maheshwari, leader for technology companies at law firm Nishith Desai Associates.

“Now that Trai has published its recommendations in public domain, the government may not be able to completely ignore them. But it’s so late in the day that it may not have any real impact on the final recommendations of the Justice Srikrishna committee,” he said.

The ten-member panel may incorporate some of Trai’s suggestions even as it submits its report to the union government next week. Trai chairman RS Sharma said the regulatory body has jurisdiction to tackle data protection under consumer interest, and those who feed off the industry — content providers, or apps, browsers, operating systems, and devices — were only custodians.

“We will send these recommendations to the committee, but we did not time it to coincide. We’re not dependent on the committee and we had issued this suo moto, since we felt the need to rigorously deliberate on the issue,” Sharma told ET on Tuesday.

There could be sector-specific laws within the general data protection framework for the telecom sector, he added.

Analysts say that regulators making public their recommendations before the data framework only adds to the confusion. “Industry was looking forward to a common primary framework. There are many independent suggestions coming from various regulators. It is creating confusion and chaos. I do expect considerable delay in finalising the law. Once the draft is out, there will be public consultation; all regulators will also have a say,” said Vidur Gupta, partner, government and public sector, EY India.

Others say that while there is clarity on what Trai is expecting, it has to be bound by the panel’s recommendations.

“It is good that a regulator has an eye on the market. It gives us an idea about what Trai has on its mind. The Reserve Bank of India also had not waited for Srikrishna Committee report before issuing a directive on data localisation,” said Swaraj Paul Barooah, policy director at Centre for Internet and Society.

“But the major point is that Trai’s recommendations are not binding; the data privacy law will be influenced by Justice Srikrishna committee only.”

For more details visit https://cis-india.org/internet-governance/news/economic-times-megha-mandavia-july-19-2018-srikrishna-panel-upset-at-timing-of-trai-suggestions

TRAI recommendations on data privacy raises eyebrows

Admin — 2018-07-19T13:33:44Z

The telecom regulator’s recommendations on data privacy have raised eyebrows over jurisdiction and timing, with IT ministry officials as well as companies questioning the need for it at a time when the government appointed Justice BN Srikrishna committee is in the final stages of drafting the data protection law.

The article by Surabhi Agarwal and Gulveen Aulakh was published in Economic Times on July 18, 2018. Swaraj Paul Barooah was quoted.

Telecom Regulatory Authority of India (TRAI) Chairman RS Sharma though countered that the sectoral watchdog has the jurisdiction to protect consumer interest in the sector, and those who feed off the industry - content providers, or apps, browsers, operating systems, and devices - need to be accountable as far as data protection is concerned.

TRAI Monday released its recommendations on the subject titled ‘Privacy, Security and Ownership of Data in the Telecom Sector’ which are applicable for apps, browsers, operating systems and handset makers.

An official of the Ministry of electronics and IT, which is tasked with drafting the data protection law, said that the Act will “prevail” over everything else. “Like any other sector, the data protection Act will be the final thing. In respect of telecom matters, there will be a role for TRAI as sectoral regulator but the basics of privacy will be governed by the data protection Act.”

The official also added that TRAI saying that their recommendations will be applicable till the data protection law comes into force "doesn't make sense since it won't have a legal mandate."

Industry bodies such as Internet and Mobile Association of India (IAMAI) and the Indian Cellular Association (ICA) have also criticised TRAI, saying the recommendations were “illegal” and akin to “jumping the gun” ahead of the release of the Srikrishna committee report.

Some of the clauses such as no use of metadata to identify individuals coupled with data minimisation will be detrimental to building the data business in the country, they said.

But Sharma was argued Trai was well within its rights to protect telecom consumers.

"Do I not have the jurisdiction to protect the interest of consumers in the telecom sector? I have that. And data protection of consumers in the telecom sector is an issue which is certainly related to the interest of consumers. I have deliberated on that issue, and I’m not saying that bring all those entities under my jurisdiction,” Sharma said.

He added that there is a regulatory imbalance because entities such as devices, OS, browsers and apps are not following any law. “So, the government can come up with a broad framework but till that time let the telecom rules apply on them too."

In its recommendations, TRAI said that individual users owned their data, or personal information, and entities such as devices were "mere custodians” and do not have primary rights over that information. It also said that the current framework for protection of personal information is “not sufficient” and suggested expanding the ambit of licence conditions governing telcos to all entities handling customer information.

In its statement, IAMAI, which represents companies such as Facebook and Google, called TRAI’s assertion that the existing framework is not sufficient to protect telecom consumers “contradictory.”

“The TRAI recommendations on privacy are premised on a voice and SMS regime. It is not meant for data driven business, which the app companies are. App companies use pseudo anonymous data and app companies do not give Call Detail Records. Incidentally, the Sri Krishna Committee under the Ministry of IT, which is the nodal body for apps as well as for handset manufacturers, is deeply, looking into this issue of consent, which is a fair thing to do.”

Voicing similar concerns, the ICA, which represents most of India’s top handset makers, said that the telecom watchdog has absolutely no powers to begin regulating on issues of privacy and ownership of data, leave alone having jurisdiction over devices, operating systems, browsers and applications.

“The industry rejects TRAI's attempts to expand its powers and usurp government's jurisdiction.” It added that TRAI “jumped the gun” by seeking to regulate the digital ecosystem without waiting for the data protection law under consideration by the Justice Srikrishna Committee. “This piecemeal approach is dangerous and unproductive.”

Handset makers such as Intex and Karbonn added they should be kept out of the ambit of the proposed regulations because they don't use customer data or monetise from it, which is mostly what apps do. Any additional pressure on indirect costs will lead to wafer-thin margins getting eroded further and consumers will have to bear the brunt, as it will lead to increase in prices of mobile phones.

Trai’s recommendations have been sent to the Department of Telecommunications (DoT) which has to take a final call on whether they will be adopted.

An official spokesperson for Zomato said that they have not been contacted by any of the regulatory bodies on this, as of now. “Our country is still undergoing the process of setting up a regulatory framework, and what happens between the TRAI recommendations and the B N Srikrishna's committee's draft for Data Protection bill will eventually help set up a much required benchmark.

In its suggestions, Trai said that as with telcos, all user data flows through smart devices, putting the device manufacturers, browsers, operating systems, and applications etc. in a prime position to collect and process the personal information of users. Since all user data passes through telcos and devices, appropriate steps must be taken to protect user privacy vis-a-vis these entities. “This will ensure, in prevailing circumstances, that the privacy of users is protected and maintained”.

Swaraj Paul Barooah, policy director at Center for Internet and Society, said that the recommendations is worrying at one level since “There is nothing in the telecom sector that requires interim urgent intervention and it may mean that the privacy framework maybe further delayed.”

For more details visit https://cis-india.org/internet-governance/news/economic-times-july-18-2018-surabhi-agarwal-and-gulveen-aulakh-trai-recommendations-on-data-privacy-raises-eyebrows