Centre for Internet and Society

Beyond the PDP Bill: Governance Choices for the DPA

Trishi Jindal and S.Vivek — 2021-11-10T07:32:33Z

This article examines the specific governance choices the Data Protection Authority (DPA) in India must deliberate on vis-à-vis its standard-setting function, which are distinct from those it will encounter as part of its enforcement and supervision functions.

The Personal Data Protection Bill, 2019, was introduced in the Lok Sabha on 11 December 2019. It lays down an overarching framework for personal data protection in India. Once revised and approved by Parliament, it is likely to establish the first comprehensive data protection framework for India. However, the provisions of the Bill are only one component of the forthcoming data protection framework It further proposes setting up the Data Protection Authority (DPA) to oversee the final enforcement, supervision, and standard-setting. The Bill consciously chooses to vest the responsibility of administering the framework with a regulator instead of a government department. As an independent agency, the DPA is expected to be autonomous from the legislature and the Central Government and capable of making expert-driven regulatory decisions in enforcing the framework.

Furthermore, the DPA is not merely an implementing authority; it is also expected to develop privacy regulations for India by setting standards. As such, it will set the day-to-day obligations of regulated entities under its supervision. Thus, the effectiveness with which it carries out its functions will be the primary determinant of the impact of this Bill (or a revised version thereof) and the data protection framework set out under it.

The final version for the PDP Bill may or may not provide the DPA with clear guidance regarding its functions. In this article, we emphasise the need to look beyond the Bill and instead examine the specific governance choices the DPA must deliberate on vis-à-vis its standard-setting function, which are distinct from those it will encounter as part of its enforcement and supervision functions.

A brief timeline of the genesis of a distinct privacy regulator for India

The vision of an independent regulator for data protection in India emerged over the course of several intervening processes that set out to revise India’s data protection laws. In fact, the need for a dedicated data protection regulation for India, with enforceable obligations and rights, was debated years before the Aadhaar, Cambridge Analytica, and Pegasusrevelations captured the public imagination and mainstreamed conversations on privacy.

The Right to Privacy Bill, 2011, which never took off, recognised the right to privacy in line with Article 21 of the Constitution of India, which pertains to the right to life and personal liberty. The Bill laid down express conditions for collecting and processing data and the rights of data subjects. It also proposed setting up a Data Protection Authority (DPA) to supervise and enforce the law and advise the government in policy matters. Upon review by the Cabinet, it was suggested that the Authority be revised to an Advisory Council, given its role under the Bill was limited.

Subsequently, in 2012, the AP Shah Committee Report recommended a principle-based data protection law, focusing on set standards while refraining from providing granular rules, to be enforced through a co-regulatory structure. This structure would consist of central and regional-level privacy commissioners, self-regulatory bodies, and data protection officers appointed by data controllers. There were also a few private members’ bills introduced between 2011 and 2019.

None of these efforts materialised, and the regulatory regime for data protection and privacy remained embedded within the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). Though the SPDI Rules require body corporates to secure personal data, their enforcement is limited to cases of negligence in abiding by these limited set of obligations pertaining to sensitive personal information only, and which have caused wrongful loss or gain – a high threshold to prove for aggrieved individuals. Otherwise, the Intermediary Guidelines, 2011 require all intermediaries to generally follow these Rules under Rule 3(8). The enforcement of these obligations is entrusted to adjudicating officers (AO) appointed by the central government, who are typically bureaucrats appointed as AOs in an ex-officio capacity.

By 2017, the Aadhaar litigations had provided additional traction to the calls for a dedicated and enforceable data protection framework in India. In its judgement, the Supreme Court recognised the right to privacy as a fundamental right in India and stressed the need for a dedicated data protection law. Around the same time, the Ministry of Electronics and Information Technology (MeitY) constituted a committee of experts under the chairmanship of Justice BN Srikrishna. The Srikrishna Committee undertook public consultations on a 2017 white paper, which culminated in the nearly comprehensive Personal Data Protection Bill, 2018, and an accompanying report. This 2018 Bill outlined a regulatory framework of personal data processing for India and defined data processing entities as fiduciaries, which owe a duty of care to individuals to whom personal data relates. The Bill provided for the setting up of an independent regulator that would, among other things, specify further standards for data protection and administer and enforce the provisions of the Bill.

MeitY invited public comments on this Bill and tabled a revised version, the Personal Data Protection Bill, 2019 (PDP Bill), in the Lok Sabha in December 2019. Following public pressure calling for detailed discussions on the Bill before its passing, it was referred to a Joint Parliamentary Committee (JPC) constituted for this purpose. It currently remains under review; the JPC is reportedly expected to table its report in the 2021 Winter Session of Parliament. Though the Bill is likely to undergo another round of revisions following the JPC’s review, this is the closest India has come to realising its aspirations of establishing a dedicated and enforceable data protection framework.

This Bill carries forward the choice of a distinct regulatory body, though questions remain on the degree of its independence, given the direct control granted to the central government in appointing its members and funding the DPA.

Conceptualising an Independent DPA

The Srikrishna Committee’s 2017 white paper and its 2018 report on the PDP Bill discuss the need for a regulator in the context of enforcement of its provisions. However, the DPA under the PDP Bill is tasked with extensive powers to frame detailed regulations and codes of conduct to inform the day-to-day obligations of data fiduciaries and processors. To be clear, the standard-setting function for a regulator entails laying down the standards based on which regulated entities (i.e. the data fiduciaries) will be held accountable, and the manner in which they may conduct themselves while undertaking the regulated activity (i.e. personal data processing). This is in addition to its administrative and enforcement, and quasi-judicial functions, as outlined below:

Functions of the DPA under the PDP Bill 2019

At this stage, it is important to note that the choice of regulation via a regulator is distinct from the administration of the Bill by the central or state governments. Creating a distinct regulatory body allows government procedures to be replaced with expert-driven decision-making to ensure sound economic regulation of the sector. At the same time, the independence of the regulatory authority insulates it from political processes. The third advantage of independent regulatory authorities is the scope for ‘operational flexibility’, which is embodied in the relative autonomy of its employees and its decision-making from government scrutiny.

This is also the rationale provided by the Srikrishna Committee in stating their choice to entrust the administration of the data protection law to an independent DPA. The 2017 white paper that preceded the 2018 Srikrishna Committee Report proposed a distinct regulator to provide expert-driven enforcement of laws for the highly specialised data protection sphere. Secondly, the regulator would serve as a single point of contact for entities seeking guidance and will ensure consistency by issuing rules, standards, and guidelines. The Srikrishna Committee Report concretised this idea and proposed a sector-agnostic regulator that is expected to undertake expertise-driven standard-setting, enforcement, and adjudication under the Bill. The PDP Bill carries forward this conception of a DPA, which is distinct from the central government.

Conceptualised as such, the DPA has a completely new set of questions to contend with. Specifically, regulatory bodies require additional safeguards to overcome the legitimacy and accountability questions that arise when law-making is carried out not by elected members of the legislature, but via the unelected executive. The DPA would need to incorporate democratic decision-making processes to overcome the deficit of public participation in an expert-driven body. Thus, the meta-objective of ensuring autonomous, expertise-driven, and legitimate regulation of personal data processing necessitates that the regulator has sufficient independence from political interference, is populated with subject matter experts and competent decision-makers, and further has democratic decision-making procedures.

Further, the standard-setting role of the regulator does not receive sufficient attention in terms of providing distinct procedural or substantive safeguards either in the legislation or public policy guidance.

Reconnaissance under the PDP Bill: How well does it guide the DPA?

At this time, the PDP Bill is the primary guidance document that defines the DPA and its overall structure. India also lacks an overarching statute or binding framework that lays down granular guidance on regulation-making by regulatory agencies.

The PDP Bill, in its current iteration, sets out skeletal provisions to guide the DPA in achieving its objectives. Specifically, the Bill provides guidance limited to the following:

Parliamentary scrutiny of regulations: The DPA must table all its regulations before the Parliament. This is meant to accord legislative scrutiny to binding legal standards promulgated by unelected officials.
Consistency with the Act: All regulations should be consistent with the Act and the rules framed under it. This integrates a standard of administrative law to a limited extent within the regulation-making process.

However, India’s past track record indicates that regulations, once tabled before the Parliament, are rarely questioned or scrutinised. Judicial review is typically based on ‘thin’ procedural considerations such as whether the regulation is unconstitutional, arbitrary, ultra vires, or goes beyond the statutory obligations or jurisdiction of the regulator. In any event, judicial review is possible only when an instrument is challenged by a litigant, and, therefore, it may not always be a robust ex-ante check on the exercise of this power. A third challenge arises where instruments other than regulations are issued by the regulator. These could be circulars, directions, guidelines, and even FAQs, which are rarely bound by even the minimal procedural mandate of being tabled before the Parliament. To be sure, older regulators including the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI) also face similar issues, which they have attempted to address through various methods including voluntary public consultations, stakeholder meetings, and publication of minutes of meetings. These are useful tools for the DPA to consider as well.

Apart from these, specific guidance is provided with respect to issuing and approving codes of practice and issuing directions as follows:

Codes of practice: The DPA is required to (i) ensure transparency,^{^[1]} (ii) consult with other sectoral regulators and stakeholders, and (iii) follow a procedure to be prescribed by the central government prior to the notification of codes of practice under the Bill.^{^[2]}
Directions: The DPA may issue directions to individual, regulated entities or their classes from time to time, provided these entities have been given the opportunity to be heard by the DPA before such directions are issued.^{^[3]}

However, the meaning of transparency and the process for engaging with sectoral regulators remains unspecified under the Bill. Furthermore, the central government has been provided vast discretion to formulate these procedures, as the Bill does not specify the principles or outcomes sought to be achieved via these procedures. The Bill also does not specify instances where such directions may be issued and in which form.

Thus, as per its last publicly available iteration, the Bill remains silent on the following:

The principles that may guide the DPA in its functioning.
The procedure to be followed for issuing regulations and other subordinate legislation under the Bill.
The relevant regulatory instruments, other than regulations and codes of practice – such as circulars, guidelines, FAQs, etc. – that may be issued by the DPA.
The specifics regarding the members and employees within the DPA who are empowered to make these regulations.

It is unclear whether the JPC will revise the DPA’s structure or recommend statutory guidance for the DPA in executing any of its functions. This is unlikely, given that parent statutes for other regulators typically omit such guidance. As a result, the DPA may be required to make intentional and proactive choices on these matters, much like their regulatory counterparts in India. These are discussed in the section below.

Envisaging a Proactive Role for the DPA

As the primary regulatory body in charge of the enforcement of the forthcoming data protection framework, what should be the role of the DPA in setting standards for data protection?

The complexity of the subject matter, and the DPA’s role as the frontline body to define day-to-day operational standards for data protection for the entire digital economy, necessitates that it develop transparent guiding principles and procedures. Furthermore, given that the DPA’s autonomy and capacity are currently unclear, the DPA will need to make deliberate choices regarding how it conducts itself. In this regard, the skeletal nature of the PDP Bill also allows the DPA to determine its own procedures to carry out its tasks effectively.

This is not uncommon in India: various regulators have devised frameworks to create benchmarks for themselves. The Airports Economic Regulatory Authority (AERA) is obligated to follow a dedicated consultation process as per an explicit transparency mandate under the parent statute. However, the Insolvency and Bankruptcy Board of India (IBBI) has, on its own initiative, formulated regulations to guide its regulation-making functions. In other cases, consultation processes have been integrated into the respective framework through judicial intervention: the Telecom Regulatory Authority of India (TRAI) has been mandated to undertake consultations through judicial interpretation of the requirement for transparency under the Telecom Regulatory Authority of India Act, 1997 (TRAI Act).

In this regard, we develop a list of considerations that the DPA should look to address while carrying out its standard-setting functions. We also draw on best practices by Indian regulators and abroad, which can help identify feasible solutions for an effective DPA for India.

The choice of regulatory instruments

The DPA is empowered to issue regulations, codes of practice, and directions under the Bill. At the same time, regulators in India routinely issue other regulatory instruments to assign obligations and clarify them. Some commonly used regulatory instruments are outlined below. The terms used for instruments are not standard across regulators, and the list and description set out below outline the main concepts and not fixed labels for the instruments.

Overview of regulatory instruments

	Circulars and Master Circulars	Guidelines	FAQs	Directions
Content	Circulars are used to prescribe detailed obligations and prohibitions for regulated entities and can mimic regulations. Master circulars consolidate circulars on a particular topic periodically.	These may be administrative or substantive, depending on the practice of the regulator in question.	Issued in public interest by regulators to clarify the regulatory framework administered by them. They cannot prescribe new standards or create obligations.	Issued to provide focused instructions to individual entities or class of entities in response to an adjudicatory action or in lieu of a current challenge.
Binding character	They are generally binding in the same manner as regulations and rules. However, if they go beyond the parent Act or existing rules and regulations, they may be struck down following a judicial review.	They may or may not be binding depending upon the language employed or the regulator’s practice.	Unclear whether these are binding and to what extent. However, crucial clarifications on important concepts sometimes emerge from FAQs.	Binding in respect of the class of regulated entities to whom this is issued.
Parliamentary scrutiny	Unlike regulations, these do not have to be laid before the Parliament.

Thus, all these instruments, to varying degrees, have been used to create binding obligations for regulated entities. The choice of regulatory instrument is not made systematically. Indeed, even a hierarchy of instruments and their functions are not clearly set out by most regulators. The rationale for deciding why a circular is issued as against a regulation is also unclear. A study on regulatory performance in India by Burman and Zaveri (2018) has highlighted an over-reliance on instruments such as circulars. As per their study, between 2014 and 2016, RBI and SEBI issued 1,016 and 122 circulars, as against 48 and 51 regulations, respectively. These circulars are not bound by the same pre-consultative mandate nor are they mandated to be laid before the Parliament. While circulars may have been intended for routine to routinely used to lay down administrative or procedural requirements, the study narrows its frame of reference to circulars which lay down substantive regulatory requirements. In this instance, it is unclear why parliamentary scrutiny is mandated for regulations alone, and not for instruments like circulars and directions, even though they lay down similarly substantive requirements. Furthermore, there have also been instances where certain instruments like FAQs have gone beyond their advisory scope to provide new directions or definitions that were not previously shared under binding instruments like regulations or circulars.

The DPA has been provided specific powers to issue regulations, codes of practice, and directions. However, the rationale for issuing one instead of the other has been absent from the PDP Bill so far. In such a scenario, it is important that the DPA transparently outlines the types of instruments it wishes to use, whether they are binding or advisory, and the procedure to be followed for issuing each.

Pre-legislative consultative rule-making

Participatory and consultative processes have emerged as core components of democratic rule-making by regulators. Transparent consultative mechanisms could also ameliorate capacity challenges in a new regulator (particularly for technical matters) and help enhance public confidence in the regulator.

In India, several regulators have adopted consultation mechanisms even when there is no specific statutory requirement. SEBI and IBBI routinely issue discussion papers and consultation papers. The RBI also issues draft instruments soliciting comments. As discussed previously, TRAI and AERA have distinct transparency mandates under which they carry out consultations before issuing regulations. However, these processes are not mandated all forms of subordinate legislation. Taking cognizance of this, the Financial Sector Legislative Reform Committee (FSLRC) has recommended transparency in the regulation-making process. This was carried forward by the Financial Stability and Development Council (FSDC), which recommended that consultation processes should be a prerequisite for all subordinate legislations, including circulars, guidelines, etc. A study on regulators’ adherence to these mandates, spanning TRAI, AERA, SEBI, and RBI, demonstrated that this pre-consultation mandate is followed inconsistently, if at all. Predictable consultation practices are therefore critical.

Furthermore, the study stated that it could not determine whether the consultation processes yielded meaningful participation, given that regulators are not obligated to disclose how public feedback was integrated into the rule-making process. Subordinate legislations issued in the form of circulars and guidelines also do not typically undergo the same rigorous consultation processes. Thus, an ideal consultation framework would comprise:

Publication of the draft subordinate legislation along with a detailed explanation of the policy objectives. Further, the regulator should publish the internal or external studies conducted to arrive at the proposed legislation to engender meaningful discussion.
Permitting sufficient time for the public and interested stakeholders to respond to the draft.
Publishing all feedback received for the public to assess, and allowing them to respond to the feedback.

However, beyond specifying the manner of conducting consultations, it will be important for the DPA to determine where they are mandatory and binding, and for which type of subordinate legislations. These are discussed in the next section.

Choice of consultation mandates for distinct regulatory instruments

While the Bill provides for consultation processes for issuing and approving codes of practice, no such mechanism has been set out for other instruments. Nevertheless, specifying consultation mandates for different regulatory instruments is important to ensure that decision-making is consistent and regulation-making remains bound by transparent and accountable processes. As discussed above, regulatory instruments such as circulars and FAQs are not necessarily bound by the same consultation mandates in India. This distinction has been clarified in more sophisticated administrative law frameworks abroad. For instance, under the Administrative Procedures Act in the United States (US), all substantive rules made by regulatory agencies are bound by a consultation process, which requires notice of the proposed rule-making and public feedback. This does not preclude the regulatory agency from issuing clarifications, guidelines, and supplemental information on the rules issued. These documents do not require the consultation process otherwise required for formal rules. However, they cannot be used to expand the scope of the rules, set new legal standards, or have the effect of amending the rules. Nevertheless, agencies are not precluded from choosing to seek public feedback on such documents.

Similarly, the Information Commissioner’s Office in the United Kingdom (UK) takes into consideration public consultations and surveys while issuing toolkits and guidance for regulated entities on how to comply with the data protection framework in the UK.

Here, the DPA may choose to subject strictly binding instruments like regulations and codes of practice to pre-legislative consultation mandates, while softer mechanisms like FAQs may be subject to the publication of a detailed outline of the policy objective or online surveys to invite non-binding, advisory feedback. For each of these, the DPA will nonetheless need to create specific criteria by which it classifies instruments as binding and advisory, and further outline specific pre-legislative mandates for each category.

Framework for issuing regulatory instruments and instructions

While the DPA is likely to issue several instruments, the system based on which these instruments will be issued is not yet clear. Without a clearly thought-out framework, different departments within the regulator typically issue a series of directions, circulars, regulations, and other instruments. This raises questions regarding the consistency between instruments. This also requires stakeholders to go through multiple instruments to find the position of law on a given issue. Older Indian regulators are now facing challenges in adapting their ad hoc system into a framework. For example, the RBI currently issues a series of circulars and guidelines that are periodically consolidated on a subject-matter basis as Master Circulars and Master Directions. These are then updated and published on their website. IBBI also publishes handbooks and information brochures that consolidate instruments in an accessible manner.

While these are useful improvements, these practices cannot keep pace with rapid changes in regulatory instructions and are not complete or user-friendly (for example, the subject-matter based consolidation does not allow for filtering regulatory instructions by entity). Other jurisdictions have developed different techniques such as formal codification processes to consolidate regulations issued by government agencies under one unified code, register, or handbook, websites that allow for searches based on different parameters (subject-matter, type of instrument, chronology, entity-based), and guides tailored to different types of entities. The DPA, as a new regulator, can learn from this experience and adopt a consistent framework right from the beginning.

Further, an ethos of responsive regulation also requires the DPA to evaluate and revise directions and regulations periodically, in response to market and technology trends. A commitment to periodic evaluation of subordinate legislations entrenched in the rules is critical to reducing the dependence on officials and leadership, which may change. For instance, the IBBI has set out a mandatory review of regulations issued by it every three years.

Dedicating capacity for drafting subordinate legislations

The DPA has been granted the discretion to appoint experts and staff its offices with the personnel it needs. A study of European data protection authorities shows that by the time the General Data Protection Regulation, 2016 became effective, most of the authorities increased the number of employees with some even reporting a 240% increase. The annual spending on the authorities also went up for most countries. While these authorities do not necessarily frame subordinate legislations, they nonetheless create guidance toolkits and codes of practice as part of their supervisory functions.

In this regard, the DPA will need to ensure it has dedicated capacity in-house to draft subordinate legislations. Since regulators are generally seen as enforcement authorities, there is inadequate investment in capacity-building for drafting legislations in India.

Moreover, considering the multiplicity of instruments and guidance documents the DPA is expected to issue, it may seek to create templates for these instruments, along with compulsory constituents of different types of instruments. For instance, the Office of the Australian Information Commissioner is required to include a mandatory set of components while issuing or approving binding industry codes of practice.

Conclusion

The Personal Data Protection Bill, 2019 (in the final form recommended by the JPC and accepted by the MeitY) will usher in a new chapter in India’s data protection timeline. While the Bill will finally effectuate a nearly comprehensive data protection framework for India, it will also establish a new regulatory framework that sets up a new regulator, the DPA, to oversee the new data protection law. This DPA will be empowered to regulate entities across sectors and is likely to determine the success of the data protection law in India.

Furthermore, the DPA must not only contend with the complexity of markets and the fast pace of technological change, but it must also address anticipated regulatory capacity deficits, low levels of user literacy, the number and diversity of enities within its regulatory ambit, and the need to secure individual privacy within and outside the digital realm.

Thus, looking ahead, we must account for the questions of governance that the forthcoming DPA is likely to face, as these will directly impact how entities and citizens engage with the DPA. In India, regulatory agencies adopt distinct choices to fulfil their functions. Regulators have also fared variably in ensuring transparent and accountable decision-making driven by demonstrable expertise. Even if the final form of the PDP Bill does not address these gaps, the DPA has the opportunity to integrate benchmarks and best practices as discussed above within its own governance framework from the get-go as it takes on its daunting responsibilities under the PDP Bill.

(The authors are Research Fellow, Law, Technology and Society Initiative and Project Lead, Regulatory Governance Project respectively at the National Law School of India University, Bangalore. Views are personal.)

This post was reviewed by Vipul Kharbanda and Shweta Mohandas

References

For a discussion on distinct regulatory choices, please see TV Somanathan, The Administrative and Regulatory State in Sujit Choudhary, Madhav Khosla, et al. (eds), Oxford Handbook of the Indian Constitution (2016).
On best practices for consultative law-making, see generally European Union Better Regulation Communication, Guidelines for Effective Regulatory Consultations (Canada), and OECD Best Practice Principles for Regulatory Policy: The Governance of Regulators, 2014.

^{^[1]} Personal Data Protection Bill 2019, § 50(3).

^{^[2]} Personal Data Protection Bill 2019, § 50(4).

^{^[3]} Personal Data Protection Bill 2019, § 51.

For more details visit https://cis-india.org/internet-governance/blog/trishi-jindal-and-s-vivek-beyond-the-pdp-bill

Comments on the Statistical Disclosure Control Report

Srinivs Kodali and Amber Sinha — 2019-03-13T00:28:44Z

This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Statistical Disclosure Control Report published on March 30th by Ministry of Statistics and Programme Implementation.

1. PRELIMINARY

CIS is thankful for the opportunity to put forth its views.
This submission is divided into three main parts. The first part, ‘Preliminary’, introduces the document; the second part, ‘About CIS’, is an overview of the organization; and, the third part contains the ‘Comments’.

2. ABOUT CIS

CIS is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, freedom of speech and expression, intermediary liability, digital privacy, and cybersecurity.

CIS values the fundamental principles of justice, equality, freedom and economic development. This submission is consistent with CIS' commitment to these values, the safeguarding of general public interest and the protection of India's national interest at the international level. Accordingly, the comments in this submission aim to further these principles.

3. Comments

3.1 General Comments

As a non-profit organisation we recognize the importance of the efforts by the Ministry of Statistics and Programme Implementation (MoSPI) to make the data you collect available to the public in open formats with relevant information about reliability of statistical estimates.

We at CIS have recently released a report titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information”. We encountered several central and state government departments collecting socioeconomic data from citizens, linking it with Aadhaar and even publishing them in exportable data formats like EXCEL and MS ACCESS Databases. While we understand this issue primarily concerns to Unique Identification Authority of India (UIDAI), the lack of standards around information/statistical disclosure are a general threat to transparency in a democracy and privacy of individuals. Going through the report we understand the committee is unable to prescribe a standard for other ministries and departments until they try and pilot these standards within Ministry of Statistics and Programme Implementation. This delay in prescribing the standards can be really dangerous in the current circumstances of massive data collection by government departments and linking all the databases with a unique identifier, Aadhaar Number. At the same time we understand the importance of data dissemination to be carried out and we recommend the following for improving the standards around data disclosure control.

3.2 Integrity of Information and Data

We agree with the committee that the error rates need to be kept in mind while designing practices to convert raw data. But we request the process of changes being made be actively measured and documented. In case of errors being computed, guidelines can be made to decrease the possibilities of misinterpretation of errors causing loss of integrity of information. Statistics are important for decision making in governance, errors in computations can be biased towards millions of people. Statistical biases are important to be looked into while converting data from its raw format to make sure there are no damage caused by information.

3.3 Data Security

One of the important issues around storage and publication of Aadhaar information is the lack of masking standards. With the availability of data from multiple departments, it is possible to reconstruct identification details by linking data from multiple databases. It is recommended to bring masking standards while personally identifiable micro data is being published. There is an urgent need for departments to also look at auditing access to information and tracking sharing of information. It is recommended the department digitally signs all the information and documents being published or shared by them to keep track of who had accessed the information and verifying the authenticity of information.

We request the department to define what exactly is “usage for statistical purposes only” and recommend standards to control and restrict usage of information for this purpose. It is important they design frameworks or mechanisms to allow others to report violations around this. This process should be transparent and documented heavily.

3.4 Anonymization of microdata

We recommend the data being collected be anonymized at source to evade the possibility of the accidental disclosure of personally identifiable information. While the current anonymization efforts have been helpful, with steady increase in data mining and classification algorithms and practices it is recommended to evolve the standards around this area.

3.5 Data Dissemination

Data dissemination is an important aspect for district statistics officers, we recommend they actively communicate their work through monthly newsletters, quarterly workshops to help improve the conversations around statistics and at the same time engage with the users who would benefit from the data.

We also recommend that data when being published includes metadata of collection, modification, storage and other important information. Also the information needs to be published in open formats which does not require proprietary software to be used to open them. At the same time data should be published in multiple formats like CSV, XLS, PDF,

The committee also recognizes the need for having data users part of discussions around important decisions and be part of committees. We would like the department to recognize our efforts and consider us for future committee representations.

Thank you for this opportunity and we look forward to work with you in future.

For more details visit https://cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report

The Wolf in Sheep's Clothing: Demanding your Data

Rekha Jain — 2020-11-10T17:44:13Z

This piece was originally published in The Economic Times Telecom, on 8 September, 2020.

The increasing digitalization of the economy and ubiquity of the Internet, coupled with developments in Artificial Intelligence (AI) and Machine Learning (ML) has given rise to transformational business models across several sectors. These developments have changed the very structure of existing sectors, with a few dominant firms straddling across many sectors. The position of these firms is entrenched due to the large amounts of data they have, and usage of sophisticated algorithms that deliver very targeted service/content and their global nature.

Such data based network businesses are generally multi-sided platforms subject to network effects and winner takes all phenomena, often, making traditional competition regulation inappropriate. In addition, there has been concern that such companies hurt competition as they are owners of large amounts of data collected globally, the very basis on which new services are predicated. Also since users have an inertia to share their data on multiple platforms, new companies find it very challenging to emerge. Several of the large companies are of US origin. Several regions/countries such as EU, UK, India are concerned that while these companies benefit from the data of their citizens or their devices, SMEs and other companies in their own countries find it increasingly difficult to remain viable or achieve scale. With the objective of supporting enterprises, including SMEs in their own countries, Europe, UK India are in different stages of data regulation initiatives.

In India, the Personal Data Protection (PDP) Bill, 2019 deals with the framework for collecting, managing and transferring of Personal Data of Indian citizens, including mandating sharing of anonymized data of individuals and non-personal data for better targeting of services or policy making. In addition, the Report by the Committee of Experts (CoE) on Non Personal Data (NPD) came up with a Framework for Regulating NPD. Since the NPD Report is a more recent phenomenon, this articles analyzes some aspects of it.

According to CoE, non-personal data could be of two types. First, data or information which was never about an individual (e.g. weather data). Second, data or information that once was related to an individual (e.g. mobile number) but has now ceased to be identifiable due to the removal of certain identifiers through the process of ‘anonymisation’. However, it may be possible to recover the personal data from such anonymized data and therefore, the distinction between personal and non-personal is not clean. In any case, the PDP bill 2019 deals with personal data. If the CoE felt that some aspect of personal data (including anonymized data) were not adequately dealt with, it should work to strengthen it. The current approach of the CoE is bound to create confusion and overlapping jurisdiction. Since anonymized data is required to be shared, there are disincentives to anonymization, causing greater risk to individual privacy.

A new class of business based on a “horizontal classification cutting across different industry sectors” is defined. This refers to any business that derives “new or additional economic value from data, by collecting, storing, processing, and managing data” based on a certain threshold of data collected/processed that will be defined by the regulatory authority that is outlined in the report. The CoE also recommends that “Data Businesses will provide, within India, open access to meta-data and regulated access to the underlying data” without any remuneration. Further, “By looking at the meta-data, potential users may identify opportunities for combining data from multiple Data Businesses and/or governments to develop innovative solutions, products and services. Subsequently, data requests may be made for the detailed underlying data”.

With increasing digitalization, today almost every business is a data business. The problem in such categorization will be with the definition of thresholds. It is likely that even a small video sharing app or an AR/VR app would store/collect/process/transmit more data than say a mid-sized bank in terms of data volumes. Further, with increasing embedding of IoT in various aspects of our lives and businesses (smart manufacturing, logistics, banking etc), the amount of data that is captured by even small entities can be huge.

The private sector, driven by profitability, identifies innovative business models, risks capital and finds unique ways of capturing and melding different data sets. In order to sustain economic growth, such innovation is necessary. The private sector would also like legal protection over these aspects of its businesses, including the unique IPR that may be embedded in the processing of data or its business processes. But mandating such onerous requirements on sharing by the CoE is going to kill any private initiative. Any regulatory regime must balance between the need to provide a secure environment for protecting data of incumbents and making it available to SMEs/businesses.

Meta data provides insights to the company’s databases and processes. These are source of competitive advantage for any company. Meta data is not without a context. The basis of demanding such disclosure is mandated with the proposed NPD Regulator who would evaluate such a purpose. In practice, purposes are open to interpretation and the structure of appeal mechanism etc is going to stall any such sharing. Would such mandates of sharing not interfere with the existing Intellectual Property Rights? Or the freedom to contract? Any innovation could easily be made available to a competitor that front-ends itself with a start-up. To mandate making such data available would not be fair. Further, how would the NPD regulator even ensure that such data is used for the purpose (which the proposed regulator is supposed to evaluate) that it is sought for? In Europe, where such data sharing mandates are being considered, the focus is on public data. For private entities, the sharing is largely based on voluntary contributions. Compulsory sharing is mandated only under restricted situations where market failure situations are not addressed through Competition Act and provided legitimate interest of the data holder and existing legal provisions are taken into account.

Further, the compliance requirements for such Data Businesses is very onerous and makes a mockery of “minimum government” framework of the government. The CoE recommends that all Data Businesses, whether government NGO, or private “to disclose data elements collected, stored and processed, and data-based services offered”. As if this was not enough, the CoE further recommends that “Every Data Business must declare what they do and what data they collect, process and use, in which manner, and for what purposes (like disclosure of data elements collected, where data is stored, standards adopted to store and secure data, nature of data processing and data services provided). This is similar to disclosures required by pharma industry and in food products”. Such disclosures are necessary in these industries as the companies in this sector deal with critical aspects of human life. But are such requirements necessary for all activities and businesses? As long as organizations collect and process data, in a legal manner, within the sectoral regulation, why should such information have to be “reported”? Further, such bureaucratic processes and reporting requirements are only going to be a burden to existing legitimate businesses and give rise to a thriving regulatory license raj.

Further questions that arise are: How is any compliance agency going to make sure that all the underlying metadata is made available in a timely manner? As companies respond to a dynamic environment, their analysis and analytical tools change and so does the metadata. This inherent aspect of businesses raises the question: At what point in time should companies make their meta-data available? How will the compliance be monitored?

Conclusion: The CoE needs to create an enabling and facilitating an environment for data sharing. The incentives for different types of entities to participate and contribute must be recognized. Adequate provisions for risks and liabilities arising out data sharing need to be thought through. National initiatives on data sharing should not create an onerous reporting regime, as envisaged by the CoE, even if digital.

DISCLAIMER: The views expressed are solely of the author and ETTelecom.com does not necessarily subscribe to it. ETTelecom.com shall not be responsible for any damage caused to any person/organisation directly or indirectly.

For more details visit https://cis-india.org/internet-governance/blog/the-wolf-in-sheeps-clothing-demanding-your-data

The PDP Bill 2019 Through the Lens of Privacy by Design

2020-11-13T07:51:03Z

This paper evaluates the PDP Bill based on the Privacy by Design approach. It examines the implications of Bill in terms of the data ecosystem it may lead to, and the visual interface design in digital platforms. This paper focuses on the notice and consent communication suggested by the Bill, and the role and accountability of design in its interpretation.

Background

The Personal Data Protection (PDP) Bill, 2019 was introduced in the Lok Sabha on December 11, 2019 by the Minister of Electronics and Information Technology. The Bill aims to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same [1]. The PDP Bill, 2019 contains several clauses that have implications on the visual design of digital products. These include the specific requirements for communication of notice and consent at various stages of the product. The Bill also introduces the Privacy by Design policy. Privacy by Design (PbD), as a concept, was proposed by Ann Cavoukian in the 1990s, with the purpose of approaching privacy from a design-thinking perspective [2]. She describes this perspective to be holistic, interdisciplinary, integrative, and innovative. The approach suggests that privacy must be incorporated into networked data systems and technologies, by default [3]. It challenges the practice of enhancing privacy as an afterthought. It expects privacy to be a default setting, and a proactive (not reactive) measure that would be embedded into a design in its initial stage and throughout the life cycle of the product [4]. While PbD is a conceptual framework, it’s application can change the way digital platforms are created and the way in which people interact with them. From devising a business model, to making technological decisions, PbD principles can make privacy integral to the processes and standards of a digital platform.

The PDP Bill states that data fiduciaries are required to prepare a Privacy by Design policy and have it certified by the Data Protection Authority. According to the Bill, the policy would contain the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal [5]. It would mention if the technology used in the processing of personal data is in accordance with the certified standards. It would also comprise of the ways in which privacy is being protected throughout the stages of processing of personal data, and that the interest of the individual is accounted for in each of these stages. Once certified by the Data Protection Authority, the data fiduciaries are also required to publish this policy on their website [6]. This forces the data fiduciaries to envision privacy as a fundamental requirement and not an afterthought. Such a policy would have a huge impact in the way digital platforms are conceptualised, both from the technological and the design point of view. The adoption of this policy by digital platforms would enable people to know if their privacy is protected by the companies, and what are the various steps being taken for this purpose. Besides the explicit Privacy by Design policy, the PDP Bill, 2019, also recommends the regulations for data minimisation, establishment of the Data Protection Authority (DPA), and the development of a consent framework. These steps are also part of the Privacy by Design approach.

This paper evaluates the PDP Bill based on the Privacy by Design approach. The Bill’s scope includes both the conceptual and technological aspects of a digital platform, as well as the interface aspect that the individual using the platform faces. The paper will hence analyse how PbD approach is reflected in both these aspects. At the conceptual level, it will look at the data ecosystem that the Bill unwittingly creates, and at the interface level, it will critically analyse the Bill’s implication on the notice and consent communication in the digital products. This includes the several points of communication or touchpoints between a company and an individual using their service, as dictated by the Bill, and how they would translate into visual design. Visual design forms an integral part of digital platforms. It is the way in which the platforms interact with the individuals. The choices made by individuals are largely driven by the visual structuring and presentation of information on these platforms. Presently, the interface design in several platforms is being used to perpetuate unethical data practices in the form of dark patterns. Dark Patterns are deceptive user interface interactions, designed to mislead or trick users to make them do something they don’t want to do [7]. The design of the notice and consent touchpoints can significantly influence the enforcement of this Bill, and how it benefits individuals. Moreover, digital platforms may technically follow the regulations but can still be manipulative through their interface design. Thus, the role and accountability of design becomes crucial in the interpretation of the data protection regulations.

The full paper can be read here.

[1] https://prsindia.org/billtrack/personal-data-protection-bill-2019

[2] https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf

[3] https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf

[4] https://www.smashingmagazine.com/2019/04/privacy-ux-aware-design-framework/

[5] http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf

[6] https://sflc.in/key-changes-personal-data-protection-bill-2019-srikrishna-committee-draft

[7] https://uxdesign.cc/dark-patterns-in-ux-design-7009a83b233c

For more details visit https://cis-india.org/internet-governance/blog/the-pdp-bill-2019-through-the-lens-of-privacy-by-design

Comments to the Personal Data Protection Bill 2019

Amber Sinha, Elonnai Hickok, Pallavi Bedi, Shweta Mohandas, Tanaya Rajwade — 2020-02-21T10:13:35Z

The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha on December 11, 2019.

Please view our general comments below, or download as PDF here.

Our comments and recommendations can be downloaded as PDF here.

We have also prepared an annotated version of the Bill, where our detailed comments and recommendations can be viewed alongside the Bill, available as PDF here.

General Comments

1. Executive notification cannot abrogate fundamental rights

In 2017, the Supreme Court in K.S. Puttaswamy v Union of India [1] held the right to privacy to be a fundamental right. While this right is subject to reasonable restrictions, the restrictions have to meet a three fold requirement, namely (i) existence of a law; (ii) legitimate state aim; (iii) proportionality.Under the 2018 Bill, the exemption to government agencies for processing of personal data from the provisions of the Bill in the ‘interest of the security of the State’ [2] was subject to a law being passed by Parliament. However, under Clause 35 of the present Bill, the Central Government is merely required to pass a written order exempting the government agency from the provisions of the Bill.Any restriction on the right to privacy will have to comply with the conditions prescribed in Puttaswamy I. An executive order issued by the central government authorising any agency of the government to process personal data does not satisfy the first requirement laid down by the Supreme Court in Puttaswamy I — as it is not a law passed by Parliament. The Supreme Court while deciding upon the validity of Aadhar in K.S. Puttaswamy v Union of India [3] noted that “an executive notification does not satisfy the requirement of a valid law contemplated under Puttaswamy. A valid law in this case would mean a law passed by Parliament, which is just, fair and reasonable. Any encroachment upon the fundamental right cannot be sustained by an executive notification.”

2. Exemptions under Clause 35 do not comply with the legitimacy and proportionality test

The lead judgement in Puttaswamy I while formulating the three fold test held that the restraint on privacy emanate from the procedural and content based mandate of Article 21 [4]. The Supreme Court in Maneka Gandhi v Union India [5] had clearly established that “mere prescription of some kind of procedure cannot ever meet the mandate of Article 21. The procedure prescribed by law has to be fair, just and reasonable, not fanciful, oppressive and arbitrary” [6]. The existence of a law is the first requirement; the second requirement is that of ‘legitimate state aim’. As per the lead judgement this requirement ensures that “the nature and content of the law which imposes the restriction falls within the zone of reasonableness mandated by Article 14, which is a guarantee against arbitrary state action” [7]. It is established that for a provision which confers upon the executive or administrative authority discretionary powers to be regarded as non-arbitrary, the provision should lay down clear and specific guidelines for the executive to exercise the power [8]. The third test to be complied with is that the restriction should be ‘proportionate,’ i.e. the means that are adopted by the legislature are proportional to the object and needs sought to be fulfilled by the law. The Supreme Court in Modern Dental College & Research Centre v State of Madhya Pradesh [9] specified the components of proportionality standards —

A measure restricting a right must have a legitimate goal;
It must be a suitable means of furthering this goal;
There must not be any less restrictive, but equally effective alternative; and
The measure must not have any disproportionate impact on the right holder

Clause 35 provides extensive grounds for the Central Government to exempt any agency from the requirements of the bill but does not specify the procedure to be followed by the agency while processing personal data under this provision. It merely states that the ‘procedure, safeguards and oversight mechanism to be followed’ will be prescribed in the rules.The wide powers conferred on the central government without clearly specifying the procedure may be contrary to the three fold test laid down in Puttaswamy I, as it is difficult to ascertain whether a legitimate or proportionate objective is being fulfilled [10].

3. Limited powers of Data Protection Authority in comparison with the Central Government

In comparison with the last version of the Personal Data Protection Bill, 2018 prepared by the Committee of Experts led by Justice Srikrishna, we witness an abrogation of powers of the Data Protection Authority (Authority), to be created, in this Bill. The powers and functions that were originally intended to be performed by the Authority have now been allocated to the Central Government. For example:

In the 2018 Bill, the Authority had the power to notify further categories of sensitive personal data. Under the present Bill, the Central Government in consultation with the sectoral regulators has been conferred the power to do so.
Under the 2018 Bill, the Authority had the sole power to determine and notify significant data fiduciaries, however, under the present Bill, the Central Government has in consultation with the Authority been given the power to notify social media intermediaries as significant data fiduciaries.

In order to govern data protection effectively, there is a need for a responsive market regulator with a strong mandate and resources. The political nature of the personal data also requires that the governance of data, particularly the rule-making and adjudicatory functions performed by the Authority are independent of the Executive.

4. No clarity on data sandbox

The Bill contemplates a sandbox for “ innovation in artificial intelligence, machine-learning or any other emerging technology in public interest.” A Data Sandbox is a non-operational environment where the analyst can model and manipulate data inside the data management system. Data sandboxes have been envisioned as a secure area where only a copy of the company’s or participant companies’ data is located [11]. In essence, it refers to the scalable and creation platform which can be used to explore an enterprise’s information sets. On the other hand, regulatory sandboxes are controlled environments where firms can introduce innovations to a limited customer base within a relaxed regulatory framework, after which they may be allowed entry into the larger market after meeting certain conditions. This purportedly encourages innovation through the lowering of entry barriers by protecting newer entrants from unnecessary and burdensome regulation. Regulatory sandboxes can be interpreted as a form of responsive regulation by governments that seek to encourage innovation – they allow selected companies to experiment with solutions within an environment that is relatively free of most of the cumbersome regulations that they would ordinarily be subject to, while still subject to some appropriate safeguards and regulatory requirements. Sandboxes are regulatory tools which may be used to permit companies to innovate in the absence of heavy regulatory burdens. However, these ordinarily refer to burdens related to high barriers to entry (such as capital requirements for financial and banking companies), or regulatory costs. In this Bill, however, the relaxing of data protection provisions for data fiduciaries would lead to restrictions of the privacy of individuals. Limitations to a fundamental rights on grounds of ‘fostering innovation’ is not a constitutional tenable position, and contradict the primary objectives of a data protection law.

5. The primacy of ‘harm’ in the Bill ought to be reconsidered

While a harms based approach is necessary for data protection frameworks, such approaches should be restricted to the positive obligations, penal provisions and responsive regulation of the Authority. The Bill does not provide any guidance on either the interpretation of the term ‘harm,’ [12] or on the various activities covered within the definition of the term. Terms such as ‘loss of reputation or humiliation’ ‘any discriminatory treatment’ are a subjective standard and are open to varied interpretations. This ambiguity in the definition will make it difficult for the data principal to demonstrate harm and for the DPA to take necessary action as several provisions are based upon harm being caused or likely to be caused.Some of the significant provisions where ‘harm’ is a precondition for the provision to come into effect are —

Clause 25: Data Fiduciary is required to notify the Authority about the breach of personal data processed by the data fiduciary, if such breach is likely to cause harm to any data principal. The Authority after taking into account the severity of the harm that may be caused to the data principal will determine whether the data principal should be notified about the breach.
Clause 32 (2): A data principal can file a complaint with the data fiduciary for a contravention of any of the provisions of the Act, which has caused or is likely to cause ‘harm’ to the data principal.
Clause 64 (1): A data principal who has suffered harm as a result of any violation of the provision of the Act by a data fiduciary, has the right to seek compensation from the data fiduciary.

Clause 16 (5): The guardian data fiduciary is barred from profiling, tracking or undertaking targeted advertising directed at children and undertaking any other processing of personal data that can cause significant harm to the child.

6. Non personal data should be outside the scope of this Bill

Clause 91 (1) states that the Act does not prevent the Central Government from framing a policy for the digital economy, in so far as such policy does not govern personal data. The Central Government can, in consultation with the Authority, direct any data fiduciary to provide any anonymised personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence based policies in any manner as may be prescribed.It is concerning that the data protection bill has specifically carved out an exception for the Central Government to frame policies for the digital economy and seems to indicate that the government plans to freely use any and all anonymized and/or non-personal data that rests with any data fiduciary that falls under the ambit of the bill to support the digital economy including for its growth, security, integrity, and prevention of misuse. It is unclear how the government, in practice, will be able to compel organizations to share this data. Further, there is a lack of clarity on the contours of the definition of non-personal data and the Bill does not define the term. It is also unclear whether the Central Government can compel the data fiduciary to transfer/share all forms of non-personal data and the rights and obligations of the data fiduciaries and data principals over such forms of data. Anonymised data refers to data which has ‘ irreversibly’ been converted into a form in which the data principal cannot be identified. However, as several instances have shown ‘ irreversible’ anonymisation is not possible. In the United States, the home addresses of taxi drivers were uncovered and in Australia individual health records were mined from anonymised medical bills [13]. In September 2019, the Ministry of Electronics and Information Technology, constituted an expert committee under the chairmanship of Kris Gopalkrishnan to study various issues relating to non-personal data and to deliberate over a data governance framework for the regulation of such data.The provision should be deleted and the scope of the bill should be limited to protection of personal data and to provide a framework for the protection of individual privacy. Until the report of the expert committee is published, the Central Government should not frame any law/regulation on the access and monetisation of non-personal/ anonymised data nor can they create a blanket provision allowing them to request such data from any data fiduciary that falls within the ambit of the bill. If the government wishes to use data resting with a data fiduciary; it must do so on a case to case basis and under formal and legal agreements with each data fiduciary.

7. Steps towards greater decentralisation of power

We propose the following steps towards greater decentralisation of powers and devolved jurisdiction —

Creation of State Data Protection Authorities: A single centralised body may not be the appropriate form of such a regulator. We propose that on the lines of central and state commissions under the Right to Information Act, 2005, state data protection authorities are set up which are in a position to respond to local complaints and exercise jurisdiction over entities within their territorial jurisdictions.
More involvement of industry bodies and civil society actors: In order to lessen the burden on the data protection authorities it is necessary that there is active engagement with industry bodies, sectoral regulators and civil society bodies engaged in privacy research. Currently, the Bill provides for involvement of industry or trade association, association representing the interests of data principals, sectoral regulator or statutory Authority, or an departments or ministries of the Central or State Government in the formulation of codes of practice. However, it would be useful to also have a more active participation of industry associations and civil society bodies in activities such as promoting awareness among data fiduciaries of their obligations under this Act, promoting measures and undertaking research for innovation in the field of protection of personal data.

8. The Authority must be empowered to exercise responsive regulation

In a country like India, the challenge is to move rapidly from a state of little or no data protection law, and consequently an abysmal state of data privacy practices to a strong data protection regulation and a powerful regulator capable of enabling a state of robust data privacy practices. This requires a system of supportive mechanisms to the stakeholders in the data ecosystem, as well as systemic measures which enable the proactive detection of breaches. Further, keeping in mind the limited regulatory capacity in India, there is a need for the Authority to make use of different kinds of inexpensive and innovative strategies.We recommend the following additional powers for the Authority to be clearly spelt out in the Bill —

Informal Guidance: It would be useful for the Authority to set up a mechanism on the lines of the Security and Exchange Board of India (SEBI)’s Informal Guidance Scheme, which enables regulated entities to approach the Authority for non-binding advice on the position of law. Given that this is the first omnibus data protection law in India, and there is very little jurisprudence on the subject from India, it would be extremely useful for regulated entities to get guidance from the regulator.
Power to name and shame: When a DPA makes public the names of organisations that have seriously contravened data protection legislation, this is a practice known as “naming and shaming.” The UK ICO and other DPAs recognise the power of publicity, as evidenced by their willingness to co-operate with the media. The ICO does not simply post monetary penalty notices (MPNs or fines) on its websites for journalists to find, but frequently issues press releases, briefs journalists and uses social media. The ICO’s publicity statement on communicating enforcement activities states that the “ICO aims to get media coverage for enforcement activities.”
Undertakings: The UK ICO has also leveraged the threats of fines into an alternative enforcement mechanism seeking contractual undertakings from data controllers to take certain remedial steps. Undertakings have significant advantages for the regulator. Since an undertaking is a more “co-operative”solution, it is less likely that a data controller will change it. An undertaking is simpler and easier to put in place. Furthermore, the Authority can put an undertaking in place quickly as opposed to legal proceedings which are longer.

9. No clear roadmap for the implementation of the Bill

The 2018 Bill had specified a roadmap for the different provisions of the Bill to come into effect from the date of the Act being notified [14]. It specifically stated the time period within which the Authority had to be established and the subsequent rules and regulations notified.The present Bill does not specify any such blueprint; it does not provide any details on either when the Bill will be notified or the time period within within which the Authority shall be established and specific rules and regulations notified. Considering that 25 provisions have been deferred to rules that have to be framed by the Central Government and a further 19 provisions have been deferred to the regulations to be notified by the Authority the absence and/or delayed notification of such rules and regulations will impact the effective functioning of the Bill.The absence of any sunrise or sunset provision may disincentivise political or industrial will to support or enforce the provisions of the Bill. An example of such a lack of political will was the establishment of the Cyber Appellate Tribunal. The tribunal was established in 2006 to redress cyber fraud. However, it was virtually a defunct body from 2011 onwards when the last chairperson retired. It was eventually merged with the Telecom Dispute Settlement and Appellate Tribunal in 2017.We recommend that Bill clearly lays out a time period for the implementation of the different provisions of the Bill, especially a time frame for the establishment of the Authority. This is important to give full and effective effect to the right of privacy of the
individual. It is also important to ensure that individuals have an effective mechanism to enforce the right and seek recourse in case of any breach of obligations by the data fiduciaries.For offences, we suggest a system of mail boxing where provisions and punishments are enforced in a staggered manner, for a period till the fiduciaries are aligned with the provisions of the Act. The Authority must ensure that data principals and fiduciaries have sufficient awareness of the provisions of this Bill before bringing the provisions for punishment are brought into force. This will allow the data fiduciaries to align their practices with the provisions of this new legislation and the Authority will also have time to define and determine certain provisions that the Bill has left the Authority to define. Additionally enforcing penalties for offences initially must be in a staggered process, combined with provisions such as warnings, in order to allow first time and mistaken offenders from paying a high price. This will relieve the fear of smaller companies and startups who might fear processing data for the fear of paying penalties for offences.

10. Lack of interoperability

In its current form, a number of the provisions in the Bill will make it difficult for India’s framework to be interoperable with other frameworks globally and in the region. For example, differences between the draft Bill and the GDPR can be found in the grounds for processing, data localization frameworks, the framework for cross border transfers, definitions of sensitive personal data, inclusion of the undefined category of ‘critical data’, and the roles of the authority and the central government.

11. Legal Uncertainty

In its current structure, there are a number of provisions in the Bill that, when implemented, run the risk of creating an environment of legal uncertainty. These include: lack of definition of critical data, lack of clarity in the interpretation of the terms ‘harm’ and ‘significant harm’, ability of the government to define further categories of sensitive personal data, inclusion of requirements for ‘social media intermediaries’, inclusion of ‘non-personal data’, framing of the requirements for data transfers, bar on processing of certain forms of biometric data as defined by the Central Government, the functioning between a consent manager and another data fiduciary, the inclusion of an AI sandbox and the definition of state. To ensure the greatest amount of protection of individual privacy rights and the protection of personal data while also enabling innovation, it is important that any data protection framework is structured and drafted in a way to provide as much legal certainty as possible.

Endnotes

1. (2017) 10 SCC 641 (“Puttaswamy I”).

2. Clause 42(1) of the 2018 Bill states that “Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to such interests being achieved.”

3. (2019) 1 SCC 1 (“Puttaswamy II”)

4. Puttaswamy I, supra, para 180.

5. (1978) 1 SCC 248.

6. Ibid para 48.

7. Puttaswamy I supra para 180.

8. State of W.B. v. Anwar Ali Sarkar, 1952 SCR 284; Satwant Singh Sawhney v A.P.O AIR 1967 SC1836.

9. (2016)7 SCC 353.

10. Dvara Research “Initial Comments of Dvara Research dated 16 January 2020 on the Personal Data Protection Bill, 2019 introduced in Lok Sabha on 11 December 2019”, January 2020, https://www.dvara.com/blog/2020/01/17/our-initial-comments-on-the-personal-data-protection-bill-2019/ (“Dvara Research”).

11. “A Data Sandbox for Your Company”, Terrific Data, last accessed on January 31, 2019, http://terrificdata.com/2016/12/02/3221/.

12. Clause 3(20) — “harm” includes (i) bodily or mental injury; (ii) loss, distortion or theft of identity; (ii) financial loss or loss of property; (iv) loss of reputation or humiliation; (v) loss of employment; (vi) any discriminatory treatment; (vii) any subjection to blackmail or extortion; (viii) any denial or withdrawal of service,benefit or good resulting from an evaluative decision about the data principal; (ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or (x) any observation or surveillance that is not reasonably expected by the data principal.

13. Alex Hern “Anonymised data can never be totally anonymous, says study”, July 23, 2019 https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds.

14. Clause 97 of the 2018 Bill states“(1) For the purposes of this Chapter, the term ‘notified date’ refers to the date notified by the Central Government under sub-section (3) of section 1. (2)The notified date shall be any date within twelve months from the date of enactment of this Act. (3)The following provisions shall come into force on the notified date-(a) Chapter X; (b) Section 107; and (c) Section 108. (4)The Central Government shall, no later than three months from the notified date establish the Authority. (5)The Authority shall, no later than twelve months from the notified date notify the grounds of processing of personal data in respect of the activities listed in sub-section (2) of section 17. (6)The Authority shall no, later than twelve months from the date notified date issue codes of practice on the following matters-(a) notice under section 8; (b) data quality under section 9; (c) storage limitation under section 10; (d) processing of personal data under Chapter III; (e) processing of sensitive personal data under Chapter IV; (f ) security safeguards under section 31; (g) research purposes under section 45; (h) exercise of data principal rights under Chapter VI; (i) methods of de-identification and anonymisation; (j) transparency and accountability measures under Chapter VII. (7)Section 40 shall come into force on such date as is notified by the Central Government for the purpose of that section.(8)The remaining provision of the Act shall come into force eighteen months from the notified date.”

For more details visit https://cis-india.org/internet-governance/blog/comments-to-the-personal-data-protection-bill-2019

A Compilation of Research on the PDP Bill

pranav — 2020-03-05T08:04:24Z

The most recent step in India’s initiative to create an effective and comprehensive Data Protection regime was the call for comments to the Personal Data Protection Bill, 2019, which closed last month. Leading up to the comments, CIS has published numerous research pieces with the goal of providing a comprehensive overview of how this legislation would place India within the global scheme, and how the local situation has developed, as well as analysing its impacts on citizens’ rights.

In addition to general and clause-by-clause comments and recommendations, we have compiled an annotated version of the Personal Data Protection Bill, which lays out our commentary in an easy-to-follow format.

Below, you can find our other recent research on Data Protection:

Pallavi Bedi has put together a note on the Divergence between EU’s General Data Protection Regulation (GDPR) and the Personal Data Protection Bill.

In addition, Pallavi has also contrasted the Personal Data Protection Bill with the GDPR and California Consumer Protection Act, in the contexts of jurisdiction and scope, rights of the data principal, obligations of data fiduciaries, exemptions, data protection authority, and breach of personal data.

On IAPP’s blog Privacy Perspectives, D. Shweta Reddy has assessed whether the Personal Data Protection Bill 2019 is sufficient for India to receive adequacy status from the EU.

Along with Justin Sherman, Arindrajit Basu has outlined the key global takeaways from the Personal Data Protection Bill 2019 on Lawfare.

On The Diplomat, Arindrajit has also traced the narrowing localization provisions in India, as well as Vietnam and Indonesia, and studied the actors and geopolitical tussle that has shaped these provisions.

Through a string of publicly available submissions, press statements, and other media reports, Arindrajit and Amber Sinha have tracked the political evolution of the data protection ecosystem in India, and how this has, and will continue to impact legislative and policy developments on EPW Engage.

Gurshabad Grover and Tanaya Rajwade have written on The Wire about how the Personal Data Protection Bill regulates social media.

Amber was also a guest on Suno India’s Cyber Democracy podcast, with Srinivas Kodali, to discuss how the latest version of the Personal Data Protection Bill will impact the right to privacy.

For more details visit https://cis-india.org/internet-governance/blog/compilation-of-research-on-data-protection

A Guide to Drafting Privacy Policy under the Personal Data Protection Bill, 2019

shwetar — 2021-09-20T10:34:40Z

The Personal Data Protection Bill, 2019, (PDP Bill) which is currently being deliberated by the Joint Parliamentary Committee, is likely to be tabled in the Parliament during the winter session of 2021.

The Bill in its current form, doesn’t have explicit transitory provisions i.e. a defined timeline for the enforcement of the provisions of the Bill post its notification as an enforceable legislation. Since the necessary subject matter expertise may be limited on short notice and out of budget for certain companies, we intend to release a series of guidance documents that will attempt to simplify the operational requirements of the legislation.

Certain news reports had earlier suggested that the Joint Parliamentary Committee reviewing the Bill has proposed 89 new amendments and a new clause. The nature and content of these amendments so far remain unclear. However, we intend to start the series by addressing some frequently asked questions around meeting the requirements of publishing a privacy notice and shall make the relevant changes post notification of the new Bill. The solutions provided in this guidance document are mostly based on international best practices and any changes in the solutions based on Indian guidelines and the revised PDP Bill will be redlined in the future.

The frequently asked questions and other specific examples on complying with the requirements of publishing a privacy policy have been compiled based on informal discussions with stakeholders, unsolicited queries from smaller organizations and publicly available details from conferences on the impact of the Bill. We intend to conduct extensive empirical analysis of additional queries or difficulties faced by smaller organizations towards achieving compliance post the notification of the new Bill. Regardless, any smaller organizations(NGOs, start-ups etc.) interested in discussing compliance related queries can get in touch with us.

Click to download the full report here. The report was reviewed by Pallavi Bedi and Amber Sinha.

For more details visit https://cis-india.org/internet-governance/blog/shweta-reddy-september-17-2021-a-guide-to-drafting-privacy-policy-under-personal-data-protection-bill

(Updated) Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information

Amber Sinha and Srinivas Kodali — 2019-03-13T00:29:01Z

Since its inception in 2009, the Aadhaar project has been shrouded in controversy due to various questions raised about privacy, technological issues, welfare exclusion, and security concerns. In this study, we document numerous instances of publicly available Aadhaar Numbers along with other personally identifiable information (PII) of individuals on government websites. This report highlights four government projects run by various government departments that have made sensitive personal financial information and Aadhaar numbers public on the project websites.

Read the updated report: Download (pdf)

Read the first statement of clarification (May 16, 2017): Download (pdf)

Read the second statement of clarification (November 05, 2018): Link to page (html)

We are grateful to Yesha Paul and VG Shreeram for research support.

In the last month, there have been various reports pointing out instances of the public disclosure of Aadhaar number through various databases, accessible easily on Twitter under the hashtag #AadhaarLeaks. Most of these public disclosures reported contain personally identifiable information of beneficiaries or subjects of the non UIDAI databases containing Aadhaar numbers of individuals along with other personal identifiers. All of these public disclosures are symptomatic of a significant and potentially irreversible privacy harm, however we wanted to point out another large fallout of such events, those that create a ripe opportunity for financial fraud. For this purpose, we identified benefits disbursement schemes which would require its databases to store financial information about its subjects. During our research, we encountered numerous instances of publicly available Aadhaar Numbers along with other PII of individuals on government websites. In this paper, we highlight four government projects run by various government departments with publicly available financial data and Aadhaar numbers. Our research is focussed largely on the data published by or pertaining to where Aadhaar data is linked with banking information. We chose major government programmes using Aadhaar for payments and banking transactions. We found sensitive and personal data and information very easily accessible on these portals.

For more details visit https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1

The Competition Law Case Against Whatsapp’s 2021 Privacy Policy Alteration

Aman Nair and Arindrajit Basu — 2021-03-24T16:12:09Z

Having examined the privacy implications of Whatsapp's changes to its privacy policy in 2021, this issue brief is the second output in our series examining the effects of those changes. This brief examines the changes in the context of data sharing between Whatsapp and Facebook as being an anticompetitive action in violation of the Indian Competition Act, 2002.

Executive Summary

On January 4, 2021, Whatsapp announced a revised privacy policy through an in-app notification. It highlighted that the new policy would impact user interactions with business accounts, including those which may be using Facebook's hosting services. The updated policy presented users with the option of either accepting greater data sharing between Whatsapp and Facebook or being unable to use the platform post 15th May, 2021. The updated policy resulted in temporarily slowed growth for Whatsapp and increased growth for other messaging apps like Signal and Telegram. While Whatsapp has chosen to delay the implementation of this policy due to consumer outrage, it is important for us to unpack and understand what this (and similar policies) mean for the digital economy, and its associated competition law concerns. Competition law is one of the sharpest tools available to policy-makers to fairly regulate and constrain the unbridled power of large technology companies.

While it is evident the Indian competition landscape will benefit from revisiting the existing law and policy framework to reign in Big technology companies, we argue that the change in Whatsapp’s privacy policy in 2021 can be held anti-competitive using legal provisions as they presently stand. Therefore, in this issue brief, we largely limit ourselves to evaluating the legality of Whatsapp’s privacy policy within the confines of the present legal system.

First, we dive into an articulation of the present abuse of dominance framework in Indian Competition Law. Second, we analyze whether there was abuse of dominance-bearing in mind an economic analysis of Whatsapp’s role in the relevant market by using tests laid out in previous rulings of the CCI

The framework for determining abuse of dominance as per The Competition Act is based on three factors:

1. Determination of relevant market

2. Determination of dominant position

3. Abuse of the dominant position

In two previous orders in 2016 and 2020, CCI has held that Whatsapp is dominant in its relevant market based on several factors which we explore. These include:

Advantage in user base, usage and reach,
Barriers to entry for other competitors
Power of acquisition over competitors.

However, in both orders, CCI held that Whatsapp did not abuse its dominance by arguing that the practices in question allowed for user choice. We critique these judgments for not reflecting the market structures and exploitative practices of large technology companies. We also argue that even if we use the test of user choice laid down by the CCI in its previous orders concerning Whatsapp and Facebook, the changes made to the privacy policy in 2021 did abuse dominance,and should be held guilty of violating competition law standards.

Our analysis revolves around examining the explicit and implicit standards of user choice laid out by the CCI in its 2016 and 2020 judgements as the standard for evaluating fairness in an Abuse of Dominance claim.We demonstrate how the 2021 changes failed to meet these standards.

Finally, we conclude by noting that the present case offers a crucial opportunity for India to take a giant step forward in its regulation of big tech companies and harmonise its rulings with regulatory developments around the world.

The full issue brief can be found here

For more details visit https://cis-india.org/internet-governance/blog/the-competition-law-case-against-whatsapp2019s-2021-privacy-policy-alteration

GDPR and India: A Comparative Analysis

Aditi Chaturvedi — 2017-11-28T15:17:39Z

At present, companies world over are in the process of assessing the impact that EU General Data Protection Regulations (“GDPR”) will have on their businesses.

The post is written by Aditi Chaturvedi and edited by Amber Sinha

High administrative fines in case of non-compliance with GDPR provisions are a driving force behind these concerns as they can lead to loss of business for various countries such as India.

To a large extent, future of business will depend on how well India responds to the changing regulatory changes unfolding globally. India will have to assess her preparedness and make convincing changes to retain the status as a dependable processing destination. This document gives a brief overview of data protection provisions of the Information Technology Act, 2000 followed by a comparative analysis of the key provisions of GDPR and Information Technology Act and the Rules notified under it.

Download the full blog post

For more details visit https://cis-india.org/internet-governance/blog/gdpr-and-india-a-comparative-analysis

Survey on Data Protection Regime

Aditi Chaturvedi and Elonnai Hickok — 2017-02-10T10:47:00Z

We request you to take part in this survey aimed at understanding how various organisations view the changes in the Data Protection Regime in the European Union. Recently the General Data Protection Regulation (EU) 2016/679 was passed, which shall replace the present Data Protection Directive DPD 95/46/EC. This step is likely to impact the way of working for many organisations. We are grateful for your voluntary contribution to our research, and all information shared by you will be used for the purpose of research only. Questions that personally identify you are not mandatory and will be kept strictly confidential.

The survey form below can also be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/survey-on-data-protection-regime

Developer team fixed vulnerabilities in Honorable PM's app and API

pranesh — 2016-12-04T19:08:56Z

The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.

This blog post has been authored by Bhavyanshu Parasher. The original post can be read here.

What were the issues?

The main issue was how the app was communicating with the API served by narendramodi.in.

I was able to extract private data, like email addresses, of each registered user just by iterating over user IDs.
There was no authentication check for API endpoints. Like, I was able to comment as any xyz user just by hand-crafting the requests.
The API was still being served over HTTP instead of HTTPS.

Fixed

The most important issue of all. Unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.
A check to verify if a valid user is making the request to API endpoint is fixed. I have tested it and can confirm it.
Blocked HTTP. Every response is served over HTTPS. The people on older versions (which was serving over HTTP) will get a message regarding this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figuered out a way to deal with people running older versions of the app. Atleast now they will update the app.

Detailed Vulnerability Disclosure

Found major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, API was being served over “HTTP” as well as “HTTPS”. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted. MITM attack could easily fetch passwords and email addresses. Also, if your ISP keeps log of data, which it probably does, then they might already have your email address, passwords etc in plain text. So if you were using this app, I would suggest you to change your password immediately. Can’t leave out a possibility of it being compromised.

Another major problem was that the token needed to access API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address, fb profile pictures of those registered via fb) for any user and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain you with a demo.

The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user. I quickly wrote a very simply script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).

Not just email addresses, using this method you could spam on any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See,

They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I would have been able to get in touch with team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found but the communication gap cost us lot of time. The team did a great job by fixing the issues and that’s what matters.

Disclosure to officials

The email address provided on Google play store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via twitter.

Vulnerability disclosed to authorities on 30th sep, 2015 around 5:30 AM

After about 30 hours of reporting the vulnerabillity

Proposed Solution

Consulted @pranesh_prakash as well regarding the issue.

After this, I mailed them a solution regarding the issues.

Discussion with developer

Received phone call from a developer. Discussed possible solutions to fix it.

The solution that I proposed could not be implemented since the vulnerability is caused by a design flaw that should have been thought about right from the beginning when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash app for people running the older versions. Main problem is that people don’t upgrade to latest versions leaving themselves vulnerable to security flaws. The one I proposed is a better way of doing it I think but it will break for people using older versions as stated by the developer. Though, they (developers) have come up with solutions that I think would fix most of the issues and can be considered an alternative.

On Oct 3rd, I received mail from one of the developers who informed me they have fixed it. I could not check it out at that time as I was busy but I checked it around 5 PM. I can now confirm they have fixed all three issues.

Update 12/02/2016

This vulnerability in NM app is similar to the one I got fixed last year. Like I said before also, the vulnerability is because of how the API has been designed. They released the same patch which they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why would they introduce personal information in JSON output again if they knew that’s a privacy problem and has been reported by me a year back. He showed how he was able to follow any user being any user. Similarly, I was able to comment on any post using account of any user of the app. When I talked to the developer back then he mentioned it will be difficult to migrate users to a newer/secure version of the app so they are releasing this patch for the meantime. It was more of a backward compatibility issue because of how API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for API. That should take care of most of vulnerabilities.

Comments on the Report of the Committee on Digital Payments (December 2016)

Sumandro Chattapadhyay and Amber Sinha — 2017-01-12T12:32:22Z

The Committee on Digital Payments constituted by the Ministry of Finance and chaired by Ratan P. Watal, Principal Advisor, NITI Aayog, submitted its report on the "Medium Term Recommendations to Strengthen Digital Payments Ecosystem" on December 09, 2016. The report was made public on December 27, and comments were sought from the general public. Here are the comments submitted by the Centre for Internet and Society.

1. Preliminary

1.1. This submission presents comments by the Centre for Internet and Society (“CIS”) [1] in response to the report of the Committee on Digital Payments, chaired by Mr. Ratan P. Watal, Principal Advisor, NITI Aayog, and constituted by the Ministry of Finance, Government of India (“the report”) [2].

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, CIS, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, and cyber-security.

2.2. CIS is not an expert organisation in the domain of banking in general and payments in particular. Our expertise is in matters of internet and communication governance, data privacy and security, and technology regulation. We deeply appreciate and are most inspired by the Ministry of Finance’s decision to invite entities from both the sectors of finance and information technology. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved, especially the citizens and the users. CIS is thankful to the Ministry of Finance for this opportunity to provide a general response on the report.

3. Comments

3.1. CIS observes that the decision by the Government of India to withdraw the legal tender character of the old high denomination banknotes (that is, Rs. 500 Rs. 1,000 notes), declared on November 08, 2016 [3], have generated unprecedented data about the user base and transaction patterns of digital payments systems in India, when pushed to its extreme use due to the circumstances. The majority of this data is available with the National Payments Corporation of India and the Reserve Bank of India. CIS requests the authorities concerned to consider opening up this data for analysis and discussion by public at large and experts in particular, before any specific policy and regulatory decisions are taken towards advancing digital payments proliferation in India. This is a crucial opportunity for the Ministry of Finance to embrace (open) data-driven regulation and policy-making.

3.2. While the report makes a reference to the European General Data Protection Directive, it does not make a reference to any substantive provisions in the Directive which may be relevant to digital payments. Aside from the recommendation that privacy protections around the purpose limitation principle be relaxed to ensure that payment service providers be allowed to process data to improve fraud monitoring and anti-money laundering services, the report is silent on significant privacy and data protection concerns posed by digital payments services. CIS strongly warns that the existing data protection and security regulations under Information Technology (Reasonable security practices and procedures and sensitive personal data or information), Rules are woefully inadequate in their scope and application to effectively deal with potential privacy concerns posed by digital payments applications and services. Some key privacy issues that must be addressed either under a comprehensive data protection legislation or a sector specific financial regulation are listed below. The process of obtaining consent must be specific, informed and unambiguous and through a clear affirmative action by the data subject based upon a genuine choice provided along with an option to opt out at any stage. The data subjects should have clear and easily enforceable right to access and correct their data. Further, data subjects should have the right to restrict the usage of their data in circumstances such as inaccuracy of data, unlawful purpose and data no longer required in order to fulfill the original purpose.

3.3. The initial recommendation of the report is to “[m]ake regulation of payments independent from the function of central banking” (page 22). This involves a fundamental transformation of the payment and settlement system in India and its regulation. We submit that a decision regarding transformation of such scale and implications is taken after a more comprehensive policy discussion, especially involving a wider range of stakeholders. The report itself notes that “[d]igital payments also have the potential of becoming a gateway to other financial services such as credit facilities for small businesses and low-income households” (page 32). Thus, a clear functional, and hence regulatory, separation between the (digital) payments industry and the lending/borrowing industry may be either effective or desirable. Global experience tells us that digital transactions data, along with other alternative data, are fast becoming the basis of provision of financial and other services, by both banking and non-banking (payments) companies. We appeal to the Ministry of Finance to adopt a comprehensive and concerted approach to regulating, enabling competition, and upholding consumers’ rights in the banking sector at large.

3.4. The report recognises “banking as an activity is separate from payments, which is more of a technology business” (page 154). Contemporary banking and payment businesses are both are primarily technology businesses where information technology particularly is deployed intimately to extract, process, and drive asset management decisions using financial transaction data. Further, with payment businesses (such as, pre-paid instruments) offering return on deposited money via other means (such as, cashbacks), and potentially competing and/or collaborating with established banks to use financial transaction data to drive lending decisions, including but not limited to micro-loans, it appears unproductive to create a separation between banking as an activity and payments as an activity merely in terms of the respective technology intensity of these sectors. CIS firmly recommends that regulation of these financial services and activities be undertaken in a technology-agnostic manner, and similar regulatory regimes be deployed on those entities offering similar services irrespective of their technology intensity or choice.

3.5. The report highlights two major shortcomings of the current regulatory regime for payments. Firstly “the law does not impose any obligation on the regulator to promote competition and innovation in the payments market” (page 153). It appears to us that the regulator’s role should not be to promote market expansion and innovation but to ensure and oversee competition. We believe that the current regulator should focus on regulating the existing market, and the work of the expansion of the digital payments market in particular and the digital financial services market in general be carried out by another government agency, as it creates conflict of interest for the regulator otherwise. Secondly, the report mentions that Payment and Settlement Systems Act does not “focus the regulatory attention on the need for consumer protection in digital payments” and then it notes that a “provision was inserted to protect funds collected from customers” in 2015 (page 153). This indicates that the regulator already has the responsibility to ensure consumer protection in digital payments. The purview and modalities of how this function of course needs discussion and changes with the growth in digital payments.

3.6. The report identifies the high cost of cash as a key reason for the government’s policy push towards digital payments. Further, it mentions that a “sample survey conducted in 2014 across urban and rural neighbourhoods in Delhi and Meerut, shows that despite being keenly aware of the costs associated with transacting in cash, most consumers see three main benefits of cash, viz. freedom of negotiations, faster settlements, and ensuring exact payments” (page 30). It further notes that “[d]igital payments have significant dependencies upon power and telecommunications infrastructure. Therefore, the roll out of robust and user friendly digital payments solutions to unelectrified areas/areas without telecommunications network coverage, remains a challenge.” CIS much appreciates the discussion of the barriers to universal adoption and rollout of digital payments in the report, and appeals to the Ministry of Finance to undertake a more comprehensive study of the key investments required by the Government of India to ensure that digital payments become ubiquitously viable as well as satisfy the demands of a vast range of consumers that India has. The estimates about investment required to create a robust digital payment infrastructure, cited in the report, provide a great basis for undertaking studies such as these.

3.7. CIS is very encouraged to see the report highlighting that “[w]ith the rising number of users of digital payment services, it is absolutely necessary to develop consumer confidence on digital payments. Therefore, it is essential to have legislative safeguards to protect such consumers in-built into the primary law.” We second this recommendation and would like to add further that financial transaction data is governed under a common data protection and privacy regime, without making any differences between data collected by banking and non-banking entities.

3.8. We are, however, very discouraged to see the overtly incorrect use of the word “Open Access” in this report in the context of a payment system disallowing service when the client wants to transact money with a specific entity [4]. This is not an uncommon anti-competitive measure adopted by various platform players and services providers so as to disallow users from using competing products (such as, not allowing competing apps in the app store controlled by one software company). The term “Open Access” is not only the appropriate word to describe the negation of such anti-competitive behaviour, its usage in this context undermines its accepted meaning and creates confusion regarding the recommendation being proposed by the report. The closest analogy to the recommendation of the report would perhaps be with the principle of “network neutrality” that stands for the network provider not discriminating between data packets being processed by them, either in terms of price or speed.

3.9. A major recommendation by the report involves creation of “a fund from savings generated from cash-less transactions … by the Central Government,” which will use “the trinity of JAM (Jan Dhan, Adhaar, Mobile) [to] link financial inclusion with social protection, contributing to improved Social and Financial Security and Inclusion of vulnerable groups/ communities” (page 160-161). This amounts to making Aadhaar a mandatory ID for financial inclusion of citizens, especially the marginal and vulnerable ones, and is in direct contradiction to the government’s statements regarding the optional nature of the Aadhaar ID, as well as the orders by the Supreme Court on this topic.

3.10. The report recommends that “Aadhaar should be made the primary identification for KYC with the option of using other IDs for people who have not yet obtained Aadhaar” (page 163) and further that “Aadhaar eKYC and eSign should be a replacement for paper based, costly, and shared central KYC registries” (page 162). Not only these measures would imply making Aadhaar a mandatory ID for undertaking any legal activity in the country, they assume that the UIDAI has verified and audited the personal documents submitted by Aadhaar number holders during enrollment. A mandate for replacement of the paper-based central KYC agencies will only remove a much needed redundancy in the the identity verification infrastructure of the government.

3.11. The report suggests that “[t]ransactions which are permitted in cash without KYC should also be permitted on prepaid wallets without KYC” (page 164-165). This seems to negate the reality that physical verification of a person remains one of the most authoritative identity verification process for a natural person, apart from DNA testing perhaps. Thus, establishing full equivalency of procedure between a presence-less transaction and one involving a physically present person making the payment will only amount to removal of relatively greater security precautions for the former, and will lead to possibilities of fraud.

3.12. In continuation with the previous point, the report recommends promotion of “Aadhaar based KYC where PAN has not been obtained” and making of “quoting Aadhaar compulsory in income tax return for natural persons” (page 163). Both these measures imply a replacement of the PAN by Aadhaar in the long term, and a sharp reduction in growth of new PAN holders in the short term. We appeal for this recommendation to be reconsidered as integration of all functionally separate national critical information infrastructures (such as PAN and Aadhaar) into a single unified and centralised system (such as Aadhaar) engenders massive national and personal security threats.

3.13. The report suggest the establishment of “a ranking and reward framework” to recognise and encourage for the best performing state/district/agency in the proliferation of digital payments. It appears to us that creation of such a framework will only lead to making of an environment of competition among these entities concerned, which apart from its benefits may also have its costs. For example, the incentivisation of quick rollout of digital payment avenues by state government and various government agencies may lead to implementation without sufficient planning, coordination with stakeholders, and precautions regarding data security and privacy. The provision of central support for digital payments should be carried out in an environment of cooperation and not competition.

3.14. CIS welcomes the recommendation by the report to generate greater awareness about cost of cash, including by ensuring that “large merchants including government agencies should account and disclose the cost of cash collection and cash payments incurred by them periodically” (page 164). It, however, is not clear to whom such periodic disclosures should be made. We would like to add here that the awareness building must simultaneously focus on making public how different entities shoulder these costs. Further, for reasons of comparison and evidence-driven policy making, it is necessary that data for equivalent variables are also made open for digital payments - the total and disaggregate cost, and what proportion of these costs are shouldered by which entities.

3.15. The report acknowledges that “[t]oday, most merchants do not accept digital payments” and it goes on to recommend “that the Government should seize the initiative and require all government agencies and merchants where contracts are awarded by the government to provide at-least one suitable digital payment option to its consumers and vendors” (page 165). This requirement for offering digital payment option will only introduce an additional economic barrier for merchants bidding for government contracts. We appeal to the Ministry of Finance to reconsider this approach of raising the costs of non-digital payments to incentivise proliferation of digital payments, and instead lower the existing economic and other barriers to digital payments that keep the merchants away. The adoption of digital payments must not lead to increasing costs for merchants and end-users, but must decrease the same instead.

3.16. As the report was submitted on December 09, 2016, and was made public only on December 27, 2016, it would have been much appreciated if at least a month-long window was provided to study and comment on the report, instead of fifteen days. This is especially crucial as the recently implemented demonetisation and the subsequent banking and fiscal policy decisions taken by the government have rapidly transformed the state and dynamics of the payments system landscape in India in general, and digital payments in particular.

Endnotes

[1] See: http://cis-india.org/.

[2] See: http://finmin.nic.in/reports/Note-watal-report.pdf and http://finmin.nic.in/reports/watal_report271216.pdf.

[3] See: http://finmin.nic.in/cancellation_high_denomination_notes.pdf.

[4] Open Access refers to “free and unrestricted online availability” of scientific and non-scientific literature. See: http://www.budapestopenaccessinitiative.org/read.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016

Personal Data Protection Bill must examine data collection practices that emerged during pandemic

Shweta Mohandas and Anamika Kundu — 2022-03-30T15:15:21Z

The PDP bill is speculated to be introduced during the winter session of the parliament soon. The PDP Bill in its current form provides wide-ranging exemptions which allow government agencies to process citizen’s data in order to fulfil its responsibilities. The bill could ensure that employers have some responsibility towards the data they collect from the employees.

The article by Shweta Mohandas and Anamika Kundu was originally published by news nine on November 29, 2021.

The Personal Data Protection Bill (PDP) is speculated to be introduced during the winter session of the parliament soon, and the report of the Joint Parliamentary Committee (JPC) has already been adopted by the committee on Monday. The Report of the JPC comes after almost two years of deliberation and secrecy over how the final version of the Personal Data Protection Bill will be. Since the publication of the 2019 version of the PDP Bill, the Covid 19 pandemic and the public safety measures have opened the way for a number of new organisations and reasons to collect personal data that was non-existent in 2019. Hence along with changes that have been suggested by multiple civil society organisations, the dissent notes submitted by the members of the JPC, the new version of the PDP Bill must also look at how data processing has changed over the span of two years.

Concerns with the bill

At the outset there are certain parts of the PDP Bill which need to be revised in order to uphold the spirit of privacy and individual autonomy laid out in the Puttaswamy judgement. The two sections that need to be in line with the privacy judgement are the ones that allow for non consensual processing of data by the government, and by employers. The PDP Bill in its current form provides wide-ranging exemptions which allow government agencies to process citizen's data in order to fulfil its responsibilities.

In the 2018 version of bill, drafted by the Justice Srikrishna Committee exemptions granted to the State with regard to processing of data was subject to a four pronged test which required the processing to be (i) authorised by law; (ii) in accordance with the procedure laid down by the law; (iii) necessary; and (iv) proportionate to the interests being achieved. This four pronged test was in line with the principles laid down by the Supreme Court in the Puttaswamy judgement. The 2019 version of the PDP Bill has diluted this principle by merely retaining the 'necessity principle' and removing the other requirements which is not in consonance with the test laid down by the Supreme Court in Puttaswamy.

Section 35 was also widely discussed in the panel meetings where members had argued the removal of 'public order' as a ground for exemption. The panel also insisted for 'judicial or parliamentary oversight' to grant such exemptions. The final report did not accept these suggestions stating a need to balance national security, liberty and privacy of an individual. There ought to be prior judicial review of the written order exempting the governmental agency from any provisions of the bill. Allowing the government to claim an exemption if it is satisfied to be "necessary or expedient" can be misused.

Another clause which gives the data principal a wide berth is with respect to employee data Section 13 of the current version of the bill provides the employer with a leeway into processing employee data (other than sensitive personal data) without consent based on two grounds: when consent is not appropriate, or when obtaining consent would involve disproportionate effort on the part of the employer.

The personal data so collected can only be collected for recruitment, termination, attendance, provision of any service or benefit, and assessing performance. This covers almost all of the activities that require data of the employee. Although the 2019 version of the bill excludes non-consensual collection of sensitive personal data (a provision that was missing in the 2018 version of the bill), there is still a lot of scope to improve this provision and provide employees further right to their data. At the outset the bill does not define employee and employer, which could result in confusion as there is no one definition of these terms across Indian Labour Laws.

Additionally, the bill distinguishes between employee and consumer, where the consumer of the same company or service has a greater right to their data than an employee. In the sense that the consumer as a data principal has the option to use any other product or service and also has the right to withdraw consent at any time, in the case of an employee the consequence of refusing consent or withdrawing consent would be being terminated from the employment. It is understood that there is a requirement for employee data to be collected, and that consent does not work the same way as it does in the case of a consumer.

The bill could ensure that employers have some responsibility towards the data they collect from the employees, such as ensuring that they are only used for the purpose for which they were collected, the employee knows how long their data will be retained, and know if the data is being processed by third parties. It is also worth mentioning that the Indian government is India's largest employer spanning a variety of agencies and public enterprises.

Concerns highlighted by JPC Members

Going back to the few members of the JPC who have moved dissent notes, specifically with regard to governmental exemptions. Jairam Ramesh filed a dissent note, to which many other opposition members followed suit. While Jairam Ramesh praised the JPC's functioning, he disagreed with certain aspects of the Report. According to him, the 2019 bill is designed in a manner where the right to privacy is given importance only in cases of private activities. He raised concerns regarding the unbridled powers given to the government to exempt itself from any of the provisions.

The amendment suggested by him would require parliamentary approval before exemption would take place. He also added that Section 12 of the bill which provided certain scenarios where consent was not needed for processing of personal data should have been made 'less sweeping'. Similarly, Gaurav Gogoi's note stated that the exemptions would create a surveillance state and similarly criticised Section 12 and 35 of the bill. He also mentioned that there ought to be parliamentary oversight for the exemptions provided in the bill.

On the same issue, Congress leader Manish Tiwari noted that the bill creates 'parallel universes' - one for the private sector which needs to be compliant and the other for the State which can exempt itself. He has opposed the entire bill stating there exists an "inherent design flaw". He has raised specific objections to 37 clauses and stated that any blanket exemptions to the state goes against the Puttaswamy Judgement.

In their joint dissent note, Derek O'Brien and Mahua Mitra have said that there is a lack of adequate safeguards to protect the data principals' privacy and the lack of time and opportunity for stakeholder consultations. They have also pointed out that the independence of the DPA will cease to exist with the present provision of allowing the government powers to choose members and the chairman. Amar Patnaik is to object to the lack of inclusion of state level authorities in the bill. Without such bodies, he says, there would be federal override.

Conclusion

While a number of issues were highlighted by civil society, the members of the JPC, and the media, the new version of the bill should also need to take into account the shifts that have taken place in view of the pandemic. The new version of the data protection bill should take into consideration the changes and new data collection practices that have emerged during the pandemic, be comprehensive and leave very little provisions to be decided later by the Rules.

For more details visit https://cis-india.org/internet-governance/blog/news-nine-shweta-mohandas-and-anamika-kundu-personal-data-protection-bill-must-examine-data-collection-practices-that-emerged-during-pandemic

Marco Civil da Internet: Brazil’s ‘Internet Constitution’

geetha — 2014-06-19T10:38:10Z

On March 25, 2014, Brazil's lower house of parliament passed bill no. 2126/2011, popularly known as Marco Civil da Internet. The Marco Civil is a charter of Internet user-rights and service provider responsibilities, committed to freedom of speech and expression, privacy, and accessibility and openness of the Internet. In this post, the author looks at the pros and cons of the bill.

Introduction:

Ten months ago, Edward Snowden’s revelations of the U.S. National Security Agency’s extensive, warrantless spying dawned on us. Citizens and presidents alike expressed their outrage at this sweeping violation of their privacy. While India’s position remained carefully neutral, or indeed, supportive of NSA’s surveillance, Germany, France and Brazil cut the U.S. no slack. Indeed, at the 68th session of the United Nations General Assembly, Brazilian President Dilma Rousseff (whose office the NSA had placed under surveillance) stated, “Tampering in such a manner in the affairs of other countries is a breach of International Law and is an affront to the principles that must guide the relations among them, especially among friendly nations.” Brazil, she said, would “redouble its efforts to adopt legislation, technologies and mechanisms to protect us from the illegal interception of communications and data.”

Some may say that Brazil has lived up to its word. Later this month, Brazil will be host to NETmundial, the Global Multi-stakeholder Meeting on the Future of Internet Governance, jointly organized by the Brazilian Internet Steering Committee (CGI.br) and the organization /1Net. The elephantine invisible presence of Snowden vests NETmundial with the hope and responsibility of laying the ground for a truly multi-stakeholder model for governing various aspects of the Internet; a model where governments are an integral part, but not the only decision-makers. The global Internet community, comprising users, corporations, governments, the technical community, and NGOs and think-tanks, is hoping devise a workable method to divest the U.S. Government of its de facto control over the Internet, which it wields through its contracts to manage the domain name system and the root zone.

But as Internet governance expert Dr. Jeremy Malcolm put it, these technical aspects do not make or break the Internet. The real questions in Internet governance underpin the rights of users, corporations and netizens worldwide. Sir Tim Berners-Lee, when he called for an Internet Bill of Rights, meant much the same. For Sir Tim, an open, neutral Internet is imperative if we are to keep our governments open, and foster “good democracy, healthcare, connected communities and diversity of culture”. Some countries agree. The Philippines envisaged a Magna Carta for Internet Freedom, though the Bill is pending in the Philippine parliament.

Marco Civil da Internet:

Last week, on March 25, 2014, the Brazilian Chamber of Deputies (the lower house of parliament) passed the Marco Civil da Internet, bill 2126/2011, a charter of Internet rights. The Marco Civil is considered by the global Internet community as a one-of-a-kind bill, with Sir Tim Berners-Lee hailing the “groundbreaking, inclusive and participatory process has resulted in a policy that balances the rights and responsibilities of the individuals, governments and corporations who use the Internet”.

The Marco Civil’s journey began with a two-stage public consultation process in October 2009, under the aegis of the Brazilian Ministry of Justice’s Department of Legislative Affairs, jointly with the Getulio Vargas Foundation’s Center for Technology and Society of the Law School of Rio de Janeiro (CTS-FGV). The collaborative process involved a 45-day consultation process in which over 800 comments were received, following which a second consultation in May 2010 received over 1200 comments from individuals, civil society organizations and corporations involved in the telecom and technology industries. Based on comments, the initial draft of the bill was revamped to include issues of popular, public importance, such as intermediary liability and online freedom of speech.

An official English translation of the Marco Civil is as yet unavailable. But an unofficial translation (please note that the file is uploaded on Google Drive), triangulated against online commentary on the bill, reveals that the following issues were of primary importance:

The fundamentals:

The fundamental principles of the Marco Civil reveal a commitment to openness, accessibility neutrality and democratic collaboration on the Internet. Art. 2 (see unofficial translation) sets out the fundamental principles that form the basis of the law. It pledges to adhere to freedom of speech and expression, along with an acknowledgement of the global scale of the network, its openness and collaborative nature, its plurality and diversity. It aims to foster free enterprise and competition on the Internet, while ensuring consumer protection and upholding human rights, personality development and citizenship exercise in the digital media in line with the network’s social purposes. Not only this, but Art. 4 of the bill pledges to promote universal access to the Internet, as well as “to information, knowledge and participation in cultural life and public affairs”. It aims to promote innovation and open technology standards, while ensuring interoperability.

The Marco Civil expands on its commitment to human rights and accessibility by laying down a “discipline of Internet use in Brazil”. Art. 3 of the bill guarantees freedom of expression, communication and expression of thoughts, under the terms of the Federal Constitution of Brazil, while at the same time guaranteeing privacy and protection of personal data, and preserving network neutrality. It also focuses on preserving network stability and security, by emphasizing accountability and adopting “technical measures consistent with international standards and by encouraging the implementation of best practices”.

These principles, however, are buttressed by rights assured to Internet users and responsibilities of and exceptions provided to service providers.

Rights and responsibilities of users and service providers:

Net neutrality:

Brazil becomes one of the few countries in the world (joining the likes of the Netherlands, Chile and Israel in part) to preserve network neutrality by legislation. Art. 9 of the Marco Civil requires all Internet providers to “to treat any data package with isonomy, regardless of content, origin and destination, service, terminal or application”. Not only this, but Internet providers are enjoined from blocking, monitoring or filtering content during any stage of transmission or routing of data. Deep packet inspection is also forbidden. Exceptions may be made to discriminate among network traffic only on the basis of essential technical requirements for services-provision, and for emergency services prioritization. Even this requires the Internet provider to inform users in advance of such traffic discrimination, and to act proportionately, transparently and with equal protection.

Data retention, privacy and data protection:

The Marco Civil includes provisions for the retention of personal data and communications by service providers, and access to the same by law enforcement authorities. However, record, retention and access to Internet connection records and applications access-logs, as well as any personal data and communication, are required to meet the standards for “the conservation of intimacy, private life, honor and image of the parties directly or indirectly involved” (Art. 10). Specifically, access to identifying information and contents of personal communication may be obtained only upon judicial authorization.

Moreover, where data is collected within Brazilian territory, processes of collection, storage, custody and treatment of the abovementioned data are required to comply with Brazilian laws, especially the right to privacy and confidentiality of personal data and private communications and records (Art. 11). Interestingly, this compliance requirement is applicable also to entities incorporated in foreign jurisdictions, which offer services to Brazilians, or where a subsidiary or associate entity of the corporation in question has establishments in Brazil. While this is undoubtedly a laudable protection for Brazilians or service providers located in Brazil, it is possible that conflicts may arise (with penal consequences) between standards and terms of data retention and access by authorities in other jurisdictions. In the predictable absence of harmonization of such laws, perhaps rules of conflicts of law may prove helpful.

While data retention remained a point of contention (Brazil initially sought to ensure a 5-year data retention period), under the Marco Civil, Internet providers are required to retain connection records for 1 year under rules of strict confidentiality; this responsibility cannot be delegated to third parties (Art. 13). Providers providing the Internet connection (such as Reliance or Airtel in India) are forbidden from retaining records of access to applications on the Internet (Art. 14). While law enforcement authorities may request a longer retention period, a court order (filed for by the authority within 60 days from the date of such request) is required to access the records themselves. In the event the authority fails to file for such court order within the stipulated period, or if court order is denied, the service provider must protect the confidentiality of the connection records.

Though initially excluded from the Marco Civil, the current draft passed by the Chamber of Deputies requires Internet application providers (such as Google or Facebook) to retain access-logs for their applications for 6 months (Art. 15). Logs for other applications may not be retained without previous consent of the owner, and in any case, the provider cannot retain personal data that is in excess of the purpose for which consent was given by the owner. As for connection records, law enforcement authorities may request a greater retention period, but require a court order to access the data itself.

These requirements must be understood in light of the rights that the Marco Civil guarantees to users. Art. 7, which enumerates these user-rights, does not however set forth their content; this is probably left to judicial interpretation of rights enshrined in the Federal Constitution. In any event, Art. 7 guarantees to all Internet users the “inviolability of intimacy and privacy”, including the confidentiality of all Internet communications, along with “compensation for material or moral damages resulting from violation”. In this regard, it assures that users are entitled to a guarantee that no personal data or communication shall be shared with third parties in the absence of express consent, and to “clear and complete information on the collection, use, storage, treatment and protection of their personal data”. Indeed, where contracts violate the requirements of inviolability and secrecy of private communications, or where a dispute resolution clause does not permit the user to approach Brazilian courts as an alternative, Art. 8 renders such contracts null and void.

Most importantly, Art. 7 states that users are entitled to clear and complete information about how connection records and access logs shall be stored and protected, and to publicity of terms/policies of use of service providers. Additionally, Art. 7 emphasizes quality of service and accessibility to the Internet, and forbids suspension of Internet connections except for failure of payments. Read comprehensively, therefore, Arts. 7-15 of the Marco Civil prima facie set down robust protections for private and personal data and communications.

An initial draft of the Marco Civil sought to mandate local storage of all Brazilians’ data within Brazilian territory. This came in response to Snowden’s revelations of NSA surveillance, and President Rousseff, in her statement to the United Nations, declared that Brazil sought to protect itself from “illegal interception of communications and data”. However, the implications of this local storage requirement was the creation of a geographically isolated Brazilian Internet, with repercussions for the Internet’s openness and interoperability that the Marco Civil itself sought to protect. Moreover, there are implications for efficiency and business; for instance, small businesses may be unable to source the money or capacity to comply with local storage requirements. Also, they lead to mandating storage on political grounds, and not on the basis of effective storage. Amid widespread protest from corporations and civil society, this requirement was then withdrawn which, some say, propelled the quick passage of the bill in the Chamber of Deputies.

Intermediary liability:

Laws of many countries make service providers liable for third party content that infringes copyright or that is otherwise against the law (such as pornography or other offensive content). For instance, Section 79 of the Indian Information Technology Act, 2000 (as amended in 2008) is such a provision where intermediaries (i.e., those who host user-generated content, but do not create the content themselves) may be held liable. However, stringent intermediary liability regimes create the possibility of private censorship, where intermediaries resort to blocking or filtering user-generated content that they fear may violate laws, sometimes even without intimating the creator of the infringing content. The Marco Civil addresses this possibility of censorship by creating a restricted intermediary liability provision. Please note, however, that the bill expressly excludes from its ambit copyright violations, which a copyright reforms bill seeks to address.

At first instance, the Marco Civil exempts service providers from civil liability for third party content (Art. 18). Moreover, intermediaries are liable for damages arising out of third party content only where such intermediaries do not comply with court orders (which may require removal of content, etc.) (Art. 19). This leaves questions of infringement and censorship to the judiciary, which the author believes is the right forum to adjudicate such issues. Moreover, wherever identifying information is available, Art. 20 mandates the intermediary to appraise the creator of infringing content of the reasons for removal of his/her content, with information that enables the creator to defend him- or herself in court. This measure of transparency is particularly laudable; for instance, in India, no such intimation is required by law, and you or I as journalists, bloggers or other creators of content may never know why our content is taken down, or be equipped to defend ourselves in court against the plaintiff or petitioner who sought removal of our content. Finally, a due diligence requirement is placed on the intermediary in circumstances where third party content discloses, “without consent of its participants, of photos, videos or other materials containing nudity or sexual acts of private character”. As per Art. 21, where the intermediary does not take down such content upon being intimated by the concerned participant, it may be held secondarily liable for infringement of privacy.

This restricted intermediary liability regime is further strengthened by a requirement of specific identification of infringing content, which both the court order issued under Art. 20 and the take-down request under Art. 21 must fulfill. This requirement is missing, for instance, under Section 79 of the Indian Information Technology Act, which creates a diligence and liability regime without requiring idenfiability of infringing content.

Conclusion:

Brazil’s ‘Internet Constitution’ has done much to add to the ongoing discussion on the rights and responsibilities of users and providers. By expressly adopting protections for net neutrality and online privacy and freedom of expression, the Marco Civil may be considered to set itself up as a model for Internet rights at the municipal level, barring a Utopian bill of rights. Indeed, in an effusive statement of support for the bill, Sir Tim Berners-Lee stated: “If Marco Civil is passed, without further delay or amendment, this would be the best possible birthday gift for Brazilian and global Web users.”

Of course, the Marco Civil is not without its failings. Authors say that the data retention requirements by connection and application providers, with leeway provided for law enforcement authorities to lengthen retention periods, is problematic. Moreover, the discussions surrounding data localization and a ‘walled-off’ Internet that protects against surveillance ignores the interoperability and openness that forms the core of the Internet.

On the whole, though, the Marco Civil may be considered a victory, on many counts. It is possibly the first successful example of a national legislation that is the outcome of a broad, consultative process with civil society and other affected entities. It expressly affirms Brazil’s commitment to the protection of privacy and freedom of expression, as well as to Internet accessibility and the openness of the network. It aims to eliminate the possibility of private censorship online, while upholding privacy rights of users. It seeks to reduce the potential for abuse of personal data and communication by government authorities, by requiring judicial authorization for the same. In a world where warrantless government spying extends across national border, such a provision is novel and desirable. One hopes that, when the global Internet community sits down at its various fora to identify and enumerate principles for Internet governance, it will look to the Marco Civil as an example of standards that governments may adhere to, and not necessarily resort to the lowest common denominator standards of international rights and protections.

For more details visit https://cis-india.org/internet-governance/blog/marco-civil-da-internet