The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 11 to 25.
The 2010 Special 301 Report Is More of the Same, Slightly Less Shrill
https://cis-india.org/a2k/blogs/2010-special-301
<b>Pranesh Prakash examines the numerous flaws in the Special 301 from the Indian perspective, to come to the conclusion that the Indian government should openly refuse to acknowledge such a flawed report. He notes that the Consumers International survey, to which CIS contributed the India report, serves as an effective counter to the Special 301 report.</b>
<h1>Special 301 Report: Unbalanced Hypocrisy</h1>
<p>The United States Trade Representative has put out yet another edition of the Special 301 report, which details the copyright law and policy wrongdoings of the US's trading partners. Jeremy Malcolm of Consumers International notes that the report this year claims to be a "well-balanced assessment of intellectual property protection and enforcement ... taking into account diverse factors", but:</p>
<blockquote>
<p>[I]n fact, the report largely continues to be very one-sided. As in previous editions, it lambasts developing countries for failing to meet unrealistically stringent standards of IP protection that exceed their obligations under international law.</p>
</blockquote>
<p>The more the report changes, <a href="http://cis-india.org/advocacy/ipr/blog/consumers-international-ip-watch-list-2009">the more it stays the same</a>. <a href="http://www.michaelgeist.ca/content/view/4684/195/">Despite having wider consultations</a> than just the International Intellectual Property Alliance (IIPA, consisting of US-based IP-maximalist lobbyists like the Motion Picture Association of America, Recording Industry Association of America, National Music Publishers Association, Association of American Publishers, and Business Software Alliance) and the Pharmaceutical Research and Manufacturers of America (PhRMA, consisting of US-based pharma multinationals), things haven't really changed much in terms of the shoddiness of the Special 301 report.</p>
<h1>India and the 2010 Special 301 Report</h1>
<p>The Special 301 report for 2010 contains the following assessment of India:</p>
<blockquote>
<p>India will remain on the Priority Watch List in 2010. India continues to make gradual progress on efforts to improve its legislative, administrative, and enforcement infrastructure for IPR. India has made incremental improvements on enforcement, and its IP offices continued to pursue promising modernization efforts. Among other steps, the United States is encouraged by the Indian government’s consideration of possible trademark law amendments that would facilitate India’s accession to the Madrid Protocol. The United States encourages the continuation of efforts to reduce patent application backlogs and streamline patent opposition proceedings. Some industries report improved engagement and commitment from enforcement officials on key enforcement challenges such as optical disc and book piracy. However, concerns remain over India’s inadequate legal framework and ineffective enforcement. Piracy and counterfeiting, including the counterfeiting of medicines, remains widespread and India’s enforcement regime remains ineffective at addressing this problem. Amendments are needed to bring India’s copyright law in line with international standards, including by implementing the provisions of the WIPO Internet Treaties. Additionally, a law designed to address the unauthorized manufacture and distribution of optical discs remains in draft form and should be enacted in the near term. The United States continues to urge India to improve its IPR regime by providing stronger protection for patents. One concern in this regard is a provision in India’s Patent Law that prohibits patents on certain chemical forms absent a showing of increased efficacy. While the full import of this provision remains unclear, it appears to limit the patentability of potentially beneficial innovations, such as temperature-stable forms of a drug or new means of drug delivery. 
The United States also encourages India to provide protection against unfair commercial use, as well as unauthorized disclosure, of undisclosed test or other data generated to obtain marketing approval for pharmaceutical and agricultural chemical products. The United States encourages India to improve its criminal enforcement regime by providing for expeditious judicial disposition of IPR infringement cases as well as deterrent sentences, and to change the perception that IPR offenses are low priority crimes. The United States urges India to strengthen its IPR regime and will continue to work with India on these issues in the coming year. </p>
</blockquote>
<p>This short dismissal of the Indian IPR regime, and subsequent classification of India as a "Priority Watch List" country reveals the great many problems with the Special 301.</p>
<h2>On Copyrights</h2>
<ol>
<li>
<p>The report notes that there are "concerns over India's inadequate legal framework and ineffective enforcement". However, nowhere does it bother to point out precisely <em>how</em> India's legal framework is inadequate, and how this is negatively affecting authors and creators, consumers, or even the industry groups (MPAA, RIAA, BSA, etc.) that give input to the USTR via the IIPA. Nor does it acknowledge the well-publicised fact that the statistics put out by these bodies have time and again <a href="http://www.cis-india.org/a2k/blog/fallacies-lies-and-video-pirates">proven to be wrong</a>.</p>
</li>
<li>
<p>Apart from this bald allegation, which has no backing, there is a bald statement about India needing to bring its copyright law "in line with international standards" including "the WIPO Internet Treaties". Given that more than half the countries of the world are not signatories to either of the WIPO Internet Treaties (namely the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty), calling them 'international standards' is suspect. That apart, both those treaties are TRIPS-plus treaties (requiring protections greater than the already-high standards of the TRIPS Agreement). India has not signed either of them. It should not be obligated to do so. Indeed, Ruth Okediji, a noted copyright scholar, <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1433848">states</a>:</p>
</li>
</ol>
<blockquote>
<p>Consistent with their predecessors, the WIPO Internet Treaties marginalize collaborative forms of creative engagement with which citizens in the global South have long identified and continue in the tradition of assuming that copyright’s most enduring canons are culturally neutral. [...] The Treaties do not provide a meaningful basis for a harmonized approach to encourage new creative forms in much the same way the Berne Convention fell short of embracing diversity in patterns and modes of authorial expression.</p>
</blockquote>
<ol>
<li>
<p>Some of the 'problems' noted in the report are actually seen as being beneficial by many researchers and scholars such as Lawrence Liang, Achal Prabhala, Perihan Abou Zeid <a href="https://sites.google.com/site/iipenforcement/bibliography">and others</a>, who argue that <a href="http://www.altlawforum.org/intellectual-property/publications/articles-on-the-social-life-of-media-piracy/reconsidering-the-pirate-nation">lax enforcement has enabled access to knowledge and promotion of innovation</a>. In a panel on 'Access to Knowledge' at the Internet Governance Forum, <a href="http://a2knetwork.org/access-knowledge-internet-governance-forum">Lea Shaver, Jeremy Malcolm and others</a> who have been involved in the Access to Knowledge movement noted that lack of strict enforcement played a positive role in many developing countries. However, they also noted, with a fair bit of trepidation, that this was sought to be changed at the international level through treaties such as the Anti-Counterfeiting Treaty Agreement (ACTA).</p>
</li>
<li>
<p>The scope of an optical disc law is quite different from that of copyright law. The report condemns "unauthorized manufacture and distribution of optical discs"; however, it does not make it clear that what it is talking about is not just unlicensed copying of films (which is already prohibited under the Copyright Act) but the manufacture and distribution of blank CDs and DVDs as well. The need for such a law is assumed, but never demonstrated. It is onerous for CD and DVD manufacturers (such as the Indian company Moserbaer), and is an overbearing means of attacking piracy.</p>
</li>
<li>
<p>The report calls for "improve[ment] [of India's] criminal enforcement regime" and for "deterrent" sentences and expeditious judicial disposition of IPR infringement cases. While we agree with the last suggestion, the first two are most unacceptable. Increased criminal enforcement of what is essentially a private monopoly right is undesirable. Copyright infringement on a non-commercial scale should not be a criminal offence at all. What would deter people from infringing copyright laws is not "deterrent sentences" but more convenient and affordable access to the copyright work being infringed.</p>
</li>
</ol>
<h2>On Patents</h2>
<p>Thankfully, this year the Special 301 report does not criticise the Indian Patent Act for providing for post-grant opposition to patent filings, as it has in previous years. However, it still criticises section 3(d) of the Patent Act, which ensures that 'evergreening' of drug patents is not allowed by permitting new forms of known substances to be patented only if "the enhancement of the known efficacy of [the known] substance" is shown. Thus, the US wishes India to change its domestic law to enable large pharma companies to patent new forms of known substances that aren't even better ("enhancement of the known efficacy"). For instance, "new means of drug delivery" will not, contrary to the assertions of the Special 301 report and the worries of PhRMA, be deemed unpatentable.</p>
<p>The United States has been going through much turmoil over its patent system. Reform of the patent system is currently underway in the US through administrative means, judicial means, as well as legislative means. One of the main reasons for this crumbling of the patent system has been the low bar for patentability (most notably the 'obviousness' test) in the United States and the subsequent over-patenting. An <a href="http://supreme.justia.com/us/447/303/case.html">American judgment</a> even noted that "anything under the sun that is made by man" is patentable subject matter. It is well-nigh impossible to take American concerns regarding our high patent standards seriously, given this context.</p>
<h2>Miscellanea</h2>
<p>The harms of counterfeit medicine, as <a href="http://www.cis-india.org/a2k/blog/fallacies-lies-and-video-pirates">we have noted earlier</a>, are separate issues that are best dealt with under health safety regulations and consumer laws, rather than trademark law.</p>
<p>Data exclusivity has been noted to be harmful to the progress of generics, and seeks to extend proprietary rights over government-mandated test data. It is clear from the TRIPS Agreement that data exclusivity is not mandatory. There are clear rationales against it, and the Indian pharmaceutical industry is dead-set against it. Still, the United States Trade Representative persists in acting as a corporate shill, calling on countries such as India to implement such detrimental laws.</p>
<h2>Conclusion</h2>
<p>Michael Geist, professor at University of Ottawa, <a href="http://www.michaelgeist.ca/content/view/4997/125">astutely notes</a>:</p>
<blockquote>
<p>Looking beyond just Canada, the list [of countries condemned by the Special 301 report] is so large, that it is rendered meaningless. According to the report, approximately 4.3 billion people live in countries without effective intellectual property protection. Since the report does not include any African countries outside of North Africa, the U.S. is effectively saying that only a small percentage of the world meet its standard for IP protection. Canada is not outlier, it's in good company with the fastest growing economies in the world (the BRIC countries are there) and European countries like Norway, Italy, and Spain.
In other words, the embarrassment is not Canadian law. Rather, the embarrassment falls on the U.S. for promoting this bullying exercise and on the Canadian copyright lobby groups who seemingly welcome the chance to criticize their own country. </p>
</blockquote>
<p>His comments apply equally well to India.</p>
<h1>IIPA's Recommendation for the Special 301 Report</h1>
<p>Thankfully, this year <a href="http://www.iipa.com/rbc/2010/2010SPEC301INDIA.pdf">IIPA's recommendations</a> have not been directly copied into the Special 301 report. (They couldn't be incorporated, as seen below.) For instance, the IIPA report notes:</p>
<blockquote>
<p>The industry is also concerned about moves by the government to consider mandating the use of open source software and software of only domestic origin. Though such policies have not yet been implemented, IIPA and BSA urge that this area be carefully monitored.</p>
</blockquote>
<p>Breaking that into two bits:</p>
<h2>Open Source</h2>
<p>Firstly, it is curious to see industry object to legal non-pirated software. Secondly, many of BSA's members (if not most) use open source software, and a great many of them also produce open source software. <a href="http://hp.sourceforge.net/">HP</a> and <a href="http://www-03.ibm.com/linux/ossstds/">IBM</a> have been huge supporters of open source software. Even <a href="http://www.microsoft.com/opensource/">Microsoft has an open source software division</a>. Intel, <a href="http://www.sap.com/usa/about/newsroom/press.epx?pressid=11410">SAP</a>, <a href="http://www.cisco.com/web/about/doing_business/open_source/index.html">Cisco</a>, <a href="http://linux.dell.com/projects.shtml">Dell</a>, <a href="http://www.sybase.com/developer/opensource">Sybase</a>, <a href="http://www.entrust.com/news/index.php?s=43&item=702">Entrust</a>, <a href="http://about.intuit.com/about_intuit/press_room/press_release/articles/2009/IntuitPartnerPlatformAddsOpenSourceCommunity.html">Intuit</a>, <a href="http://www.synopsys.com/community/interoperability/pages/libertylibmodel.aspx">Synopsys</a>, <a href="http://www.apple.com/opensource/">Apple</a>, <a href="http://www.theregister.co.uk/2005/04/22/jbuilder_eclipse/">Borland</a>, <a href="http://w2.cadence.com/webforms/squeak/">Cadence</a>, <a href="http://usa.autodesk.com/adsk/servlet/item?siteID=123112&id=6153839">Autodesk</a>, and <a href="http://news.cnet.com/8301-13505_3-9967593-16.html">Siemens</a> are all members of BSA which support open source software / produce at least some open source software. And <em>all</em> BSA members rely on open source software (as part of their core products, their web-server, their content management system, etc.) to a lesser or greater extent. BSA's left hand doesn't seem to know what its right hand -- its members -- are doing.
Indeed, the IIPA does not seem to realise that the United States' government itself uses open source software, and has been urged to <a href="http://news.bbc.co.uk/2/hi/7841486.stm">look at FOSS very seriously</a> and is doing so, especially under CIO Vivek Kundra. And that may well be the reason why the USTR could not include this cautionary message in the Special 301 report.</p>
<h2>Domestic Software</h2>
<p>As <a href="http://arstechnica.com/tech-policy/news/2010/04/indias-copyright-proposals-are-un-american-and-thats-bad.ars">this insightful article by Nate Anderson in Ars Technica</a> notes:</p>
<blockquote>
<p>Open source is bad enough, but a "buy Indian" law? That would be <a href="http://www.canadainternational.gc.ca/sell2usgov-vendreaugouvusa/procurement-marches/buyamerica.aspx?lang=eng">an outrage</a> and surely something the US government would not itself engage in <a href="http://www.canadainternational.gc.ca/sell2usgov-vendreaugouvusa/procurement-marches/ARRA.aspx?lang=eng">as recently as last year</a>. Err, right?</p>
</blockquote>
<p>Furthermore, the IIPA submission does not provide any reference for its claim that making "domestic origin" software a mandatory requirement in governmental software procurement is being considered.</p>
<h2>WCT, WPPT, Camcording, and Statutory Damages</h2>
<p>The IIPA submission also wishes that India would:</p>
<ol>
<li>Adopt a system of statutory damages in civil cases; allow compensation to be awarded in criminal cases;</li>
<li>Adopt an optical disc law;</li>
<li>Enact Copyright Law amendments consistent with the WCT and WPPT;</li>
<li>Adopt an anti-camcording criminal provision.</li>
</ol>
<p>Quick counters:</p>
<ol>
<li>Statutory damages (that is, an amount based on statute rather than actual loss) would result in ridiculousness such as the $1.92 million damages that the jury (based on the statutory damages) slapped on Jammie Thomas. The judge in that case <a href="http://arstechnica.com/tech-policy/news/2010/01/judge-slashes-monstrous-jammie-thomas-p2p-award-by-35x.ars">called the damage award</a> "monstrous and shocking" and said that it veered into "the realm of gross injustice."</li>
<li>The reasons against an optical disc law are given above. Quick recap: it is a) unnecessary and b) harmful.</li>
<li>India has not signed the WCT and the WPPT. Indian law satisfies all our international obligations. Thus enacting amendments consistent with the WCT and the WPPT is not required.</li>
<li>Camcording of a film is in any case a violation of the Copyright Act, 1957, and one would be hard-pressed to find a single theatre that allows for / does not prohibit camcorders. Given this, the reason for an additional law is, quite frankly, puzzling. At any rate, IIPA in its submission does not go into such nuances.</li>
</ol>
<h2>Further conclusions</h2>
<p><a href="http://spicyipindia.blogspot.com/2010/05/us-special-301-report-and-not-so.html">Shamnad Basheer</a>, an IP professor at NUJS, offers the following as a response:</p>
<blockquote>
<p>"Dear USA,</p>
<p>India encourages you to mind your own business. We respect your sovereignty to frame IP laws according to your national priorities and suggest that you show us the same courtesy. If your grouse is that we haven't complied with TRIPS, please feel free to take us to the WTO dispute panel. Our guess is that panel members familiar with the English language will ultimately inform you that section 3(d) is perfectly compatible with TRIPS. And that Article 39.3 does not mandate pharmaceutical data exclusivity, as you suggest!
More importantly, at that point, we might even think of hauling you up before the very same body for rampant violations, including your refusal to grant TRIPS mandated copyright protection to our record companies, despite a WTO ruling (Irish music case) against you.</p>
<p>Yours sincerely,</p>
<p>India."</p>
</blockquote>
<p>Basheer's suggestion seems to be in line with that of Michael Geist, who believes that other countries should join Canada and Israel in openly refusing to acknowledge the validity of the Special 301 Reports because they lack 'reliable and objective analysis'. And that thought serves as a good coda.</p>
No publisher | pranesh | Development, Consumer Rights, Access to Knowledge, Copyright, Piracy, Access to Medicine, Intellectual Property Rights, Data Protection, FLOSS, Technological Protection Measures, Publications | 2011-10-03T05:37:27Z | Blog Entry
Survey on Data Protection Regime
https://cis-india.org/internet-governance/blog/survey-on-data-protection-regime
<b>We request you to take part in this survey aimed at understanding how various organisations view the changes in the Data Protection Regime in the European Union. Recently the General Data Protection Regulation (EU) 2016/679 was passed, which shall replace the present Data Protection Directive DPD 95/46/EC. This step is likely to impact the way of working for many organisations. We are grateful for your voluntary contribution to our research, and all information shared by you will be used for the purpose of research only. Questions that personally identify you are not mandatory and will be kept strictly confidential. </b>
<h4>The survey form can be accessed <a href="https://goo.gl/forms/61d4W0kPQ8SqNaMO2" target="_blank">here</a>.</h4>
No publisher | Aditi Chaturvedi and Elonnai Hickok | General Data Protection Regulation, Internet Governance, Featured, Data Protection, Homepage | 2017-02-10T10:47:00Z | Blog Entry
Submission to the Committee of Experts on a Data Protection Framework for India
https://cis-india.org/internet-governance/submission-to-the-committee-of-experts-on-a-data-protection-framework-for-india
<b>This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the ‘White Paper of the Committee of Experts on a Data Protection Framework for India’ (“White Paper”) released by the Ministry of Electronics and Information Technology. The White Paper was drafted by a Committee of Experts (“Committee”) constituted by the Ministry. CIS has conducted research on the issues of privacy, data protection and data security since 2010 and is thankful for the opportunity to put forth its views. The submission was made on January 31, 2018.</b>
No publisher | amber | Data Governance, Internet Governance, Data Protection, Privacy | 2018-02-05T13:39:00Z | File
SFLC Round Table Discussion on Personal Data Protection Bill
https://cis-india.org/internet-governance/news/sflc-round-table-discussion-on-personal-data-protection-bill
<b>Shweta Mohandas participated in a Round Table Discussion on Personal Data Protection Bill, organised by SFLC on September 25, 2018 in Bangalore. She also moderated the first session - Data Protection Principles (Rights and Obligations).</b>
<p>See the agenda of the <a class="external-link" href="http://cis-india.org/internet-governance/files/agenda-for-round-table-for-data-protection">event here</a>.</p>
No publisher | Admin | Internet Governance, Data Protection, Privacy | 2018-10-02T03:16:19Z | News Item
Response Submission on TRAI's Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector
https://cis-india.org/telecom/blog/response-submission-on-trais-consultation-paper-on-privacy-security-and-ownership-of-data-in-telecom-sector
<b>CIS submitted its comments on the consultation paper on privacy, security and ownership of data in the telecom sector, which was published by the Telecom Regulatory Authority of India on August 9, 2017.</b>
<p style="text-align: justify;">The submission is divided into four parts. The first part introduces the document, the second part gives an overview of CIS and its work, the third part contains general comments on the consultation paper and the fourth part contains specific comments on questions posed in the consultation paper. Click to read the <strong><a class="external-link" href="http://cis-india.org/telecom/files/submission-to-trai-november-6-2017">full submission</a></strong> made to the Telecom Regulatory Authority of India on November 6, 2017.</p>
No publisher | Amber Sinha, Elonnai Hickok and Udbhav Tiwari | Telecom, Data Protection, Data Management, Privacy | 2019-03-13T00:27:30Z | Blog Entry
Reconfiguring Data Governance: Insights from India and the EU
https://cis-india.org/internet-governance/blog/reconfiguring-data-governance-insights-from-india-and-eu
<b>This policy paper is the result of a workshop organised jointly by the Tilburg Institute of Law, Technology and Society, Netherlands, the Centre for Communication Governance at the National Law University Delhi, India and the Centre for Internet & Society, India in January, 2023. The workshop brought together a number of academics, researchers, and industry representatives in Delhi to discuss a range of issues at the core of data governance theory and practice. </b>
<p style="text-align: justify; ">The workshop aimed to compare and assess lessons from data governance from India and the European Union, and to make recommendations on how to design fit-for-purpose institutions for governing data and AI in the European Union and India.</p>
<p style="text-align: justify; ">This policy paper collates key takeaways from the workshop by grounding them across three key themes: how we conceptualise data; how institutional mechanisms as well as community-centric mechanisms can work to empower individuals, and what notions of justice these embody; and finally a case study of enforcement of data governance in India to illustrate and evaluate the claims in the first two sections.</p>
<p style="text-align: justify; ">This report was a collaborative effort between researchers Siddharth Peter De Souza, Linnet Taylor, and Anushka Mittal at the Tilburg Institute for Law, Technology and Society (Netherlands), Swati Punia, Srishti Joshi, and Jhalak M. Kakkar at the Centre for Communication Governance at the National Law University Delhi (India) and Isha Suri and Arindrajit Basu at the Centre for Internet & Society, India.</p>
<hr />
<p>Click to download the <a class="external-link" href="http://cis-india.org/internet-governance/files/reconfiguring-data-governance.pdf"><b>report</b></a></p>
No publisher | Swati Punia, Srishti Joshi, Siddharth Peter De Souza, Linnet Taylor, Jhalak M. Kakkar, Isha Suri, Arindrajit Basu, and Anushka Mittal | Internet Governance, Data Governance, Data Protection, Data Management | 2024-02-20T00:30:00Z | Blog Entry
Reading the Fine Script: Service Providers, Terms and Conditions and Consumer Rights
https://cis-india.org/internet-governance/blog/reading-between-the-lines-service-providers-terms-and-conditions-and-consumer-rights
<b>This year, an increasing number of incidents, related to consumer rights and service providers, have come to light. This blog illustrates the facts of the cases, and discusses the main issues at stake, namely, the role and responsibilities of providers of platforms for user-created content with regard to consumer rights.</b>
<p style="text-align: justify; ">On 1st July, 2014 the Federal Trade Commission (FTC) filed a complaint against T-Mobile USA,<a href="#_ftn1">[1]</a> accusing the service provider of 'cramming' customers' bills with millions of dollars of unauthorized charges. Recently, another service provider received flak from regulators and users worldwide after it published a paper, 'Experimental evidence of massive-scale emotional contagion through social networks'.<a href="#_ftn2">[2]</a> The paper described Facebook's experiment on more than 600,000 users to determine whether manipulating user-generated content would affect the emotions of its users.</p>
<p style="text-align: justify; ">In both incidents, the terms that should ensure the protection of users' legal rights were used to gain consent for actions on the part of the service providers that the consumer did not anticipate at the time of agreeing to the terms and conditions (T&Cs). More precisely, both cases point to the underlying issue of how users are bound by T&Cs and, in a mediated online landscape, highlight the need to pay attention to the regulations that govern the online engagement of users.</p>
<p style="text-align: justify; "><b>I have read and agree to the terms</b></p>
<p style="text-align: justify; ">In his statement, Chief Executive Officer John Legere might have referred to T-Mobile as "the most pro-consumer company in the industry";<a href="#_ftn3">[3]</a> however, the FTC investigation's revelation that many customers never authorized the charges suggests otherwise. The FTC investigation also found that T-Mobile received 35-40 per cent of the amount charged for subscriptions, which were made largely through innocuous services that customers had been signed up to without their knowledge or consent. Last month news broke that just under 700,000 users 'unknowingly' participated in the Facebook study, and while the legality and ethics of the experiment are being debated, what is clear is that Facebook violated consumer rights by not providing its users the choice to opt in or out, or even the knowledge of such social or psychological experiments.</p>
<p style="text-align: justify; ">Both incidents boil down to the sensitive question of consent. While binding agreements around the world work on the condition of consent, how do we define it and what are the implications of agreeing to the terms?</p>
<p style="text-align: justify; "><b>Terms of Service: Conditions are subject to change </b></p>
<p style="text-align: justify; ">A legal necessity, the existing terms of service (TOS), as they are also known, are deeply broken as an acceptance mechanism. The policies of online service providers are often too long and, with no shorter or multilingual versions, require substantial effort on the part of the user to go through in detail. A 2008 Carnegie Mellon study estimated it would take an average user 244 hours every year to go through the policies they agree to online.[4] Based on the study, The Atlantic's Alexis C. Madrigal derived that reading all of the privacy policies an average Internet user encounters in a year would take 76 working days.[5]</p>
<p style="text-align: justify; ">The costs in time are multiplied by the fact that terms of service change with technology, making it very hard for a user to keep track of all of the changes over time. Moreover, many service providers do not even commit to notifying users of any changes in the TOS. Microsoft, Skype, Amazon and YouTube are examples of service providers that have not committed to any obligation to notify users of changes, and often there are no mechanisms in place to ensure that service providers are keeping users updated.</p>
<p style="text-align: justify; ">Although Facebook has said that the recent social experiment is perfectly legal under its TOS,[6] the fairness of the conditions of users' consent remains debatable. Facebook has a broad copyright license that goes beyond its operating requirements, such as the right to 'sublicense'. The copyright license also does not end when users stop using the service, unless the content has been deleted by everyone else.</p>
<p style="text-align: justify; ">More importantly, since 2007, Facebook has brought major changes to its lengthy TOS about every year.[7] And while many point out that Facebook is transparent, as it solicits feedback preceding changes to its terms, the accountability remains questionable, as the results are not binding unless 30% of the actual users vote. Facebook can, and does, track users and share their data across websites, and has no obligation or mechanism to inform users of takedown requests.</p>
<p style="text-align: justify; ">Courts in different jurisdictions under different laws may come to different conclusions regarding these practices, especially about whether changing terms without notifying users is acceptable or not. Living in a society more protective of consumer rights is, however, no safeguard, as TOS often include a choice-of-law clause which allows companies to select the jurisdiction whose laws govern the terms.</p>
<p style="text-align: justify; ">The recent experiment bypassed the need for informed user consent due to Facebook's Data Use Policy,[8] which states that once an account has been created, user data can be used for 'internal operations, including troubleshooting, data analysis, testing, research and service improvement.' While users worldwide may be outraged, legally Facebook acted within its rights, as the decision fell within the scope of the T&Cs that users consented to. The incident's most positive impact might be in taking the questions of Facebook's responsibilities towards protecting users, including informing them of the usage of their data and changes in data privacy terms, to a worldwide audience.</p>
<p style="text-align: justify; "><b>My right is bigger than yours</b></p>
<p style="text-align: justify; ">Most TOS agreements, written by lawyers to protect the interests of the companies, add to the complexities of privacy in an increasingly user-generated digital world. Often intentionally complicated, these agreements conflict with existing data and user rights across jurisdictions and chip away at rights like ownership, privacy and even the ability to sue. With conditions that allow for a change in terms at any time, existing users do not have ownership or control over their data.</p>
<p style="text-align: justify; ">In April, the New York Times reported on updates to the legal policy of General Mills (GM), the multibillion-dollar food company.[9] The update broadly asserted that consumers interacting with the company in a variety of ways and venues can no longer sue GM, but must instead submit any complaint to “informal negotiation” or arbitration. Since then, GM has backtracked and clarified that “online communities” mentioned in the policy referred only to those online communities hosted by the company on its own websites.[10] Clarification aside, as Julia Duncan, Director of Federal programs at American Association for Justice, points out, the update in the terms was so broad that it was open to wide interpretation, and anything that consumers purchase from the company could have been held to this clause.[11]</p>
<p style="text-align: justify; "><b>Data and whose rights?</b></p>
<p style="text-align: justify; ">Following the Snowden revelations, data privacy has become a contentious issue in the EU, and TOS that allow service providers to unilaterally alter the terms of the contract will face many challenges in the future. In March, Edward Snowden sent his testimony to the European Parliament calling for greater accountability and highlighted that in "a global, interconnected world where, when national laws fail like this, our international laws provide for another level of accountability."[12] Following the testimony came the European Parliament's vote in favor of new safeguards on the personal data of EU citizens, when it’s transferred to non-EU.[13] The new regulations seek to give users more control over their personal data, including the right to ask for data from companies that control it, and seek to place the burden of proof on the service providers.</p>
<p style="text-align: justify; ">The regulation places responsibility on companies, including third parties involved in data collection, transfer and storage, and calls for greater transparency on concerned requests for information. The amendment reinforces the data subject's right to seek erasure of data and obliges concerned parties to communicate data rectification. Also, earlier this year, the European Court of Justice (ECJ) ruled in favor of the 'right to be forgotten'.[14] The ECJ ruling recognised that the data subject's rights override the interest of internet users, with exceptions pertaining to the nature of the information, its sensitivity for the data subject's private life and the role of the data subject in public life.</p>
<p style="text-align: justify; ">In May, the Norwegian Consumer Council filed a complaint with the Norwegian Consumer Ombudsman, “… based on the discrepancies between Norwegian Law and the standard terms and conditions applicable to the Apple iCloud service...”, and, “...in breach of the law regarding control of marketing and standard agreements.”[15] The council based its complaint on the results of a study, published earlier this year, that found terms were hazy and varied across services including iCloud, Dropbox, Google Drive, Jottacloud, and Microsoft OneDrive. The Norwegian Council study found that Google's TOS allow users' content to be used for purposes other than storage, including by partners, and that Google has rights of usage even after the service is cancelled. None of the providers guarantees that data is safe from loss, while many have the ability to terminate an account without notice. All of the service providers can change the terms of service, but only Google and Microsoft give advance notice.</p>
<p style="text-align: justify; ">The study also found service providers lacking with respect to European privacy standards, with many allowing for browsing of user content. Tellingly, Google was fined in January by the French Data Protection Authority, which stated, regarding Google's TOS, that it "permits itself to combine all the data it collects about its users across all of its services without any legal basis."</p>
<p style="text-align: justify; "><b>To blame or not to blame</b></p>
<p style="text-align: justify; ">Facebook is facing a probe by the UK Information Commissioner's Office to assess if the experiment conducted in 2012 was a violation of data privacy laws.[16] The FTC asked the court to order T-Mobile USA to stop mobile cramming, provide refunds and give up any revenues from the practice. The existing mechanisms of online consent do not simplify the task of agreeing to multiple documents and services at once, a complexity which multiplies with the involvement of third parties.</p>
<p style="text-align: justify; ">Unsurprisingly, T-Mobile's Legere termed the FTC lawsuit misdirected and blamed the companies providing the text services for the cramming.[17] He felt those providers should be held accountable, despite allegations that T-Mobile's billing practices made it difficult for consumers to detect that they were being charged for unauthorized services and that it had shared revenues with third-party providers. Interestingly, this is the first action against a wireless carrier for cramming, and the FTC has a precedent of going after smaller companies that provide the services.</p>
<p style="text-align: justify; ">The FTC charged T-Mobile USA with deceptive billing practices in putting the crammed charges under a total for 'use charges' and 'premium services' and failing to highlight that a portion of the charge was towards third-party charges. Further, the company urged customers to take complaints to vendors and was not forthcoming with refunds. For now, T-Mobile may be able to share the blame, but the incident brings into question its accountability, especially as going forward it has entered a pact along with other carriers in USA including Verizon and AT&T, agreeing to stop billing customers for third-party services. Even when practices such as cramming are deemed illegal, it does not necessarily mean that harm has been prevented. Often users bear the burden of claiming refunds, and litigation comes at a cost, while even after being fined companies could have succeeded in profiting from their actions.</p>
<p style="text-align: justify; "><b>Conclusion </b></p>
<p style="text-align: justify; ">Unfair terms and conditions may arise when service providers include terms that are difficult to understand or vague in their scope. TOS that prevent users from taking legal action, or negate liability for service providers' actions even where those actions may have a direct bearing on users, are also considered unfair. More importantly, any term that is hidden until after the contract is signed, or any term giving the provider the right to change the contract to its benefit, including wider rights for the service provider in comparison to users, such as a term that makes it very difficult for users to end a contract, creates an imbalance. These issues get further complicated when the companies controlling and profiting from data are doing so with user-generated data provided free to the platform.</p>
<p style="text-align: justify; ">In the knowledge economy, web companies play a decisive role as even though they work for profit, the profit is derived out of the knowledge held by individuals and groups. In their function of aggregating human knowledge, they collect and provide opportunities for feedback of the outcomes of individual choices. The significance of consent becomes a critical part of the equation when harnessing individual information. In France, consent is part of the four conditions necessary to form a valid contract (article 1108 of the Code Civil).</p>
<p style="text-align: justify; ">The cases highlight the complexities that are inherent in the existing mechanisms of online consent. The question of consent has many underlying layers, such as reasonable notice and contractual obligations related to consent, such as those explored in the case in Canada, which looked at whether clauses of TOS were communicated reasonably to the user, a topic for another blog. For now, we must remember that by creating and organising social knowledge that furthers human activity, service providers serve a powerful function. And as the saying goes, with great power comes great responsibility.</p>
<hr size="1" style="text-align: justify; " width="33%" />
<p style="text-align: justify; ">[1] 'FTC Alleges T-Mobile Crammed Bogus Charges onto Customers’ Phone Bills', published 1 July, 2014. See: http://www.ftc.gov/news-events/press-releases/2014/07/ftc-alleges-t-mobile-crammed-bogus-charges-customers-phone-bills</p>
<p style="text-align: justify; ">[2] 'Experimental evidence of massive-scale emotional contagion through social networks', Adam D. I. Kramer, Jamie E. Guillory, and Jeffrey T. Hancock, published March 25, 2014. See: http://www.pnas.org/content/111/24/8788.full.pdf+html?sid=2610b655-db67-453d-bcb6-da4efeebf534</p>
<p style="text-align: justify; ">[3] 'U.S. sues T-Mobile USA, alleges bogus charges on phone bills', Reuters, published 1st July, 2014. See: http://www.reuters.com/article/2014/07/01/us-tmobile-ftc-idUSKBN0F656E20140701</p>
<p style="text-align: justify; ">[4] 'The Cost of Reading Privacy Policies', Aleecia M. McDonald and Lorrie Faith Cranor, published in I/S: A Journal of Law and Policy for the Information Society, 2008 Privacy Year in Review issue. See: http://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf</p>
<p style="text-align: justify; ">[5] 'Reading the Privacy Policies You Encounter in a Year Would Take 76 Work Days', Alexis C. Madrigal, published in The Atlantic, March 2012. See: http://www.theatlantic.com/technology/archive/2012/03/reading-the-privacy-policies-you-encounter-in-a-year-would-take-76-work-days/253851/</p>
<p style="text-align: justify; ">[6] Facebook Legal Terms. See: https://www.facebook.com/legal/terms</p>
<p style="text-align: justify; ">[7] 'Facebook's Eroding Privacy Policy: A Timeline', Kurt Opsahl, published by the Electronic Frontier Foundation, April 28, 2010. See: https://www.eff.org/deeplinks/2010/04/facebook-timeline</p>
<p style="text-align: justify; ">[8] Facebook Data Use Policy. See: https://www.facebook.com/about/privacy/</p>
<p style="text-align: justify; ">[9] 'When ‘Liking’ a Brand Online Voids the Right to Sue', Stephanie Strom, published in New York Times on April 16, 2014. See: http://www.nytimes.com/2014/04/17/business/when-liking-a-brand-online-voids-the-right-to-sue.html?ref=business</p>
<p style="text-align: justify; ">[10] Explaining our website privacy policy and legal terms, published April 17, 2014. See: http://www.blog.generalmills.com/2014/04/explaining-our-website-privacy-policy-and-legal-terms/</p>
<p style="text-align: justify; ">[11] General Mills Amends New Legal Policies, Stephanie Strom, published in New York Times on 1 http://www.nytimes.com/2014/04/18/business/general-mills-amends-new-legal-policies.html?_r=0</p>
<p style="text-align: justify; ">[12] Edward Snowden Statement to European Parliament, published March 7, 2014. See: http://www.europarl.europa.eu/document/activities/cont/201403/20140307ATT80674/20140307ATT80674EN.pdf</p>
<p style="text-align: justify; ">[13] Progress on EU data protection reform now irreversible following European Parliament vote, published 12 March 201 See: http://europa.eu/rapid/press-release_MEMO-14-186_en.htm</p>
<p style="text-align: justify; ">[14] European Court of Justice rules Internet Search Engine Operator responsible for Processing Personal Data Published by Third Parties, Jyoti Panday, published on CIS blog on May 14, 2014. See: http://cis-india.org/internet-governance/blog/ecj-rules-internet-search-engine-operator-responsible-for-processing-personal-data-published-by-third-parties</p>
<p style="text-align: justify; ">[15] Complaint regarding Apple iCloud’s terms and conditions, published on 13 May 2014. See: http://www.forbrukerradet.no/_attachment/1175090/binary/29927</p>
<p style="text-align: justify; ">[16] 'Facebook faces UK probe over emotion study'. See: http://www.bbc.co.uk/news/technology-28102550</p>
<p style="text-align: justify; ">[17] Our Reaction to the FTC Lawsuit. See: http://newsroom.t-mobile.com/news/our-reaction-to-the-ftc-lawsuit.htm</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/reading-between-the-lines-service-providers-terms-and-conditions-and-consumer-rights'>https://cis-india.org/internet-governance/blog/reading-between-the-lines-service-providers-terms-and-conditions-and-consumer-rights</a>
</p>
No publisher | jyoti | Social Media, Consumer Rights, Google, internet and society, Privacy, Transparency and Accountability, Intermediary Liability, Accountability, Facebook, Data Protection, Policies, Safety | 2014-07-04T06:31:37Z | Blog Entry
RBI Consultation Paper on P2P Lending: Data Security and Privacy Concerns
https://cis-india.org/raw/rbi-consultation-paper-on-p2p-lending
<b>On April 28, 2016, the Reserve Bank of India published a consultation paper on P2P Lending and invited comments from the public on the same. The Paper discusses what P2P lending is and the various regulatory practices that govern P2P lending in different jurisdictions, and lists out arguments for and against regulating P2P lending platforms.</b>
<p> </p>
<h2>Arguments against Regulation</h2>
<p>The arguments against regulation of P2P lending companies as set out in the paper are (briefly):</p>
<ol><li>Regulating an exempt or nascent sector may be perceived as rubber stamping the industry through regulation, thus lending credibility to P2P lending, which could attract ill-informed lenders to the sector who may not understand all the risks associated with the industry. In this way regulation may cause more harm than good.</li>
<li>Regulations may also be perceived as too stringent, thus stifling the growth of an innovative, efficient and accessible industry.</li>
<li>The P2P lending market is currently in a nascent stage and does not pose an immediate systemic risk meriting regulation.</li></ol>
<p> </p>
<h2>Arguments in favour of Regulation</h2>
<p style="text-align: justify;">The arguments for regulating the market on the other hand are:</p>
<ol><li>Considering the significance of the online industry and the impact which it can have on the traditional banking channels/NBFC sector, it would be prudent to regulate this emerging industry.</li>
<li>The importance of these methods of financing, especially in sectors where formal lending cannot reach, needs to be acknowledged.</li>
<li>If the sector is left unregulated altogether, there is the risk of unhealthy practices being adopted by one or more players, which may have deleterious consequences.</li>
<li>Section 45S of RBI Act prohibits an individual or a firm or an unincorporated association of individuals from accepting deposits “if its business wholly or partly includes any of the activities specified in clause (c) of section 45-I (i.e. activities of a financial institution); or if his or its principal business is that of receiving of deposits under any scheme or arrangement or in any other manner, or lending in any manner. Contravention of Section 45S is an offence punishable under section 58B (5A) of RBI Act. As per the Act, ‘‘deposit’’ includes and shall be deemed always to have included any receipt of money by way of deposit or loan or in any other form, but does not include any amount received from an individual or a firm or an association of individuals not being a body corporate, registered under any enactment relating to money lending which is for the time being in force in any State. Since the borrowers and lenders brought together by a P2P platform could fall within these prohibitions, absence of regulation may lead to perpetrating an illegality.”</li></ol>
<p>After listing out the arguments, the paper adopts the approach of regulating this industry and proposes to bring P2P lending platforms under the purview of RBI’s regulation by defining them as Non Banking Financial Companies (NBFCs) under section 45-I(f)(iii) of the RBI Act. Once notified as NBFCs, RBI can issue regulations under sections 45JA and 45L. Though there is scope to comment on many aspects of the consultation paper our comments here will be limited to the data security and privacy aspects of the recommendations.</p>
<p> </p>
<h2>Data Security and Privacy Concerns</h2>
<p>The understanding of potential borrowers, especially those who have had experiences with commercial financial institutions, is that the more information they provide, the better their chances of getting a loan. This perception emanates from the fact that any potential borrower is asked for a myriad of documents, including personally identifying documents, before a request for a loan is considered; in fact, for almost all financial institutions it is part of their core prudential norms to ask for identity documents before disbursing a loan. Getting as much information as possible from the borrower is not just a quirk of the financial institutions; it makes business sense for them, since it is those institutions who bear the risk of recovery of their money. There is no reason why the same logic of allowing creditors all the information about the borrower should not be applicable to P2P lending platforms, as far as the principle of prudential business practices is concerned. However, the key difference between disclosing information to P2P lending platforms as opposed to financial institutions is that whilst the information supplied to financial institutions stays limited to the institution and its employees, a large amount of the information (though not necessarily all) given to P2P platforms is made available to all potential creditors, which in P2P lending translates to any internet user who registers as a potential creditor. In this way the potential for the information to reach a wider group of people is much higher, and therefore privacy and data security risks require special attention in P2P lending.</p>
<p>In section 5.3(v) of the Paper it is recommended that “Confidentiality of the customer data and data security would be the responsibility of the Platform. Transparency in operations, adequate measures for data confidentiality and minimum disclosures to borrowers and lenders would also be mandated through a fair practices code.” Whilst the fair practices code has not yet been developed, or at least not yet made publicly available, as companies in the P2P lending industry are body corporates, these fair practice codes should be in line with and satisfy the requirements of section 43A of the Information Technology Act, 2000 (“<strong>IT Act</strong>”) as well as the RBI’s Guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds <strong>[1]</strong>.</p>
<p>The minimum standards for data protection in Indian law have been laid down by section 43A of the IT Act and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“<strong>Rules</strong>”) issued under section 43A. As per Rule 4 of the Rules, P2P platforms would be required to have a privacy policy to deal with sensitive personal data, which includes any details regarding financial information such as bank account, credit/debit cards, etc. <strong>[2]</strong>.</p>
<p>This policy would have to be published on the website of the platforms and would provide for a number of things such as (i) Clear and easily accessible statements of its practices and policies; (ii) type of personal or sensitive personal data or information collected; (iii) purpose of collection and usage of such information; (iv) disclosure of information including sensitive personal data or information; (v) reasonable security practices and procedures for the data. The other requirements of the Rules as regards consent before usage of the information, collection limitations, imparting information/notice to the consumer (information provider), retention limitation, purpose limitation, opt-out option, disclosure, etc. will also be applicable to P2P platforms and the fair practices code that the RBI would issue for this purpose will have to take all these issues into account.</p>
<p style="text-align: justify;">The Rules also provide that body corporates will be considered to have complied with reasonable security practices if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. Although no such practices have been endorsed by any governmental body for P2P lending platforms, the Department of Banking Supervision, Reserve Bank of India, has issued guidelines on “Information security, Electronic Banking, Technology risk management and cyber frauds" <strong>[3]</strong> which could be relied upon until a fair practices code is put into place. The major privacy and data security provisions of these guidelines are given below:</p>
<ul>
<li><strong>Security Baselines</strong>: The guidelines require banks to be proactive in identifying and specifying the minimum security baselines to be adhered to by the service providers to ensure confidentiality and security of data;</li>
<li><strong>Back up records</strong>: A cloud computing system must ensure backup of all its clients' information;</li>
<li><strong>Security steps</strong>: An institution may take the following steps to ensure that risks with respect to confidentiality and security of data are adequately mitigated: (i) Address, agree, and document specific responsibilities of the respective parties in outsourcing; (ii) Discuss and agree on the instances where customer data shall be accessed; (iii) Ensure that service provider employees are adequately aware and informed on the security and privacy policies.</li>
<li><strong>Confidentiality</strong>: Agreements should provide for maintaining confidentiality of customer's information even after the contract expires or is terminated by either party and specify the liability in case of security breach or leakage.</li>
<li><strong>Encryption</strong>: Normally, a minimum of 128-bit SSL encryption is expected. Banks should only select encryption algorithms which are well established international standards.</li>
<li><strong>Fraud Risk Management</strong>: It is also necessary that customer confidential information and other data/information available with banks is secured adequately to ensure that fraudsters do not access it to perpetrate fraudulent transactions.</li></ul>
<p>Although inclusion of the above principles in the fair practices code would be helpful, the workings of P2P platforms are quite unique, so it would be counterproductive to restrict the security and privacy protocols to only those applied to regular banking transactions; the fair practices code should take into account these unique problems of P2P lending rather than seek to apply the existing norms blindly.</p>
<p> </p>
<h2>Endnotes</h2>
<p><strong>[1]</strong> See: <a href="https://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf">https://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf</a>.</p>
<p><strong>[2]</strong> The Rules define “sensitive personal data or information” as information relating to: "(i) password, (ii) financial information such as Bank account or credit card or debit card or other payment instrument details, (iii) physical, physiological and mental health condition, (iv) sexual orientation, (v) medical records and history, (vi) Biometric information, (vii) any detail relating to the above clauses as provided to body corporate for providing service, and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise."</p>
<p><strong>[3]</strong> See: <a href="http://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf">http://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf</a>.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/raw/rbi-consultation-paper-on-p2p-lending'>https://cis-india.org/raw/rbi-consultation-paper-on-p2p-lending</a>
</p>
No publisher | vipul | Privacy, Reserve Bank of India, Data Protection, Research, Network Economies, P2P Lending, Researchers at Work | 2016-06-01T11:41:17Z | Blog Entry
Privacy is not a unidimensional concept
https://cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept
<b>Right to privacy is important not only for our negotiations with the information age but also to counter the transgressions of a welfare state. A robust right to privacy is essential for all citizens in India to defend their individual autonomy in the face of invasive state actions purportedly for the public good. The ruling of this nine-judge bench will have far-reaching impact on the extent and scope of rights available to us all.</b>
<div>This article, written by Amber Sinha, was published in the <a class="external-link" href="http://economictimes.indiatimes.com/news/politics-and-nation/aadhar-privacy-is-not-a-unidimensional-concept/articleshow/59716562.cms">Economic Times</a> on July 23, 2017. </div>
<div>
<br /></div>
<div>In a disappointing case of judicial evasion by the apex court,
it has taken over 600 days since a reference order passed on
August 11, 2015, for this bench to be constituted. Over two days
of arguments, the counsels for the petitioners have presented
before the court why the right to privacy, despite not finding a
mention in the Constitution of India, is a fundamental right
essential to a person’s dignity and liberty, and must be read into
not one but multiple articles of the Constitution. The government
will make its arguments in the coming week.</div>
<div>One must wonder why we are debating the contours of the right
to privacy, which 40 years of jurisprudence had lulled us into
believing we already had. The answer to that can be found in a
series of hearings in the Aadhaar case that began in 2012. Justice
KS Puttaswamy, a former Karnataka High Court judge, filed a
petition before the Supreme Court, questioning the validity of the
Aadhaar project due to its lack of legislative basis (since then the
Aadhaar Act was passed in 2016) and its transgressions on our
fundamental rights. Over time, a number of other petitions also
made their way to the apex court, challenging different aspects of
the Aadhaar project. Since then, five different interim orders by
the Supreme Court have stated that no person should suffer because
they do not have an Aadhaar number. Aadhaar, according to the
court, could not be made mandatory to avail benefits and services
from government schemes. Further, the court has limited the use of
Aadhaar to specific schemes: LPG, PDS, MGNREGA, National Social
Assistance Programme, the Pradhan Mantri Jan Dhan Yojna and EPFO.<br />
<br /></div>
<div>The real spanner in the works in the progress of this case was
the stand taken by Mukul Rohatgi, then attorney general of India
who, in a hearing before the court in July 2015, stated that there
is no constitutionally guaranteed right to privacy. His reliance
was on two Supreme Court judgments in MP Sharma v Satish Chandra
(1954) and Kharak Singh v State of Uttar Pradesh (1962): both
cases, decided by eight- and six-judge benches respectively,
denied the existence of a constitutional right to privacy. As the
subsequent judgments which upheld the right to privacy were by
smaller benches, Rohatgi claimed that MP Sharma and Kharak Singh
still prevailed over them, until they were overruled by a larger
bench.</div>
<div>The reference to a larger bench has since delayed the entire
matter, even as a number of government schemes have made Aadhaar
mandatory. This reading of privacy as a unidimensional concept by
the courts is, with due respect, erroneous. Privacy, as a concept,
includes within its scope, spatial, familial, informational and
decisional aspects. We all have a legitimate expectation of
privacy in our private spaces, such as our homes, and in our
personal relationships. Similarly, we must be able to exercise
some control over how personal data, like our financial
information, are disseminated. Most importantly, privacy gives us
the space to make autonomous choices and decisions without
external interference. All these dimensions of privacy must stand
as distinct rights. In MP Sharma, the court rejected a certain
aspect of the right of privacy by refusing to acknowledge a right
against search and seizure. This in no way prevented the court,
even in the form of a smaller bench, from ruling on any other
aspects of privacy, including those that are relevant to the
Aadhaar case.</div>
<div> </div>
<div>The limited referral to this bench means that the court will
have to rule on the status of privacy and its possible limitations
in isolation, without even going into the details of the Aadhaar
case (based on the nature of protection that this bench accords to
privacy, the petitioners and defendants in the Aadhaar case will
have to argue afresh on whether the project does impinge on this
most fundamental right). There are no facts of the case to ground
the legal principles in, and defining the contours of a right can
be a difficult exercise. The court must be wary of how any limits
they put on the right may be used in future. Equally, it is
important to articulate that any limitations on the right to
privacy due to competing interests such as national security and
public interest must be imposed only when necessary and always be
proportionate. <br />
<br /></div>
<p>
It will not be enough for the court to merely state that we have a
constitutional right to privacy. They would be well advised to cut
through the muddle of existing privacy jurisprudence, and
unequivocally establish the various facets of the right. Without
that, we may not be able to withstand the modern dangers of
surveillance, denial of bodily integrity and self-determination
through forcible collection of information. The nine judges, in
their collective wisdom, must not only ensure that we have a right
to privacy, but also clearly articulate a robust reading of this
right capable of withstanding the growing interferences with our
autonomy.</p>
<div> </div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept'>https://cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept</a>
</p>
No publisher | amber | Internet Governance, Aadhaar, Data Protection, Privacy | 2017-08-07T08:02:20Z | Blog Entry
Privacy after Big Data: Compilation of Early Research
https://cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research
<b>Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This is a growing body of research that we are exploring and
is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.</b>
<p> </p>
<h4><a href="https://github.com/cis-india/website/raw/master/docs/CIS_PrivacyAfterBigData_CompilationOfEarlyResearch_2016.11.pdf">Download the Compilation</a> (PDF)</h4>
<hr />
<h3><strong>Privacy after Big Data</strong></h3>
<p>Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. For example, in the public sector, the Indian government has considered replacing the traditional poverty line with targeted subsidies based on individual household income and assets. The my.gov.in platform is aimed to enable participation of the connected citizens, to pull in online public opinion in a structured manner on key governance topics in the country. The 100 Smart Cities Mission looks forwards to leverage big data analytics and techniques to deliver services and govern citizens within city sub-systems. In the private sector, emerging financial technology companies are developing credit scoring models using big, small, social, and fragmented data so that people with no formal credit history can be offered loans. These models promote efficiency and reduction in cost through personalization and are powered by a wide variety of data sources including mobile data, social media data, web usage data, and passively collected data from usages of IoT or connected devices.</p>
<p>These data technologies and solutions are enabling business models that are based on the ideals of ‘less’: cash-less, presence-less, and paper-less. This push towards an economy premised upon a foundational digital ID in a prevailing condition of absent legal frameworks leads to substantive loss of anonymity and privacy of individual citizens and consumers vis-a-vis both the state and the private sector. Indeed, the present use of these techniques runs contrary to the notion of the ‘sunlight effect’ - making the individual fully transparent (often without their knowledge) to the state and private sector, while the algorithms and means of reaching a decision are opaque and inaccessible to the individual.</p>
<p>These techniques, characterized by the volume of data processed, the variety of sources data is processed from, and the ability to both contextualize - learning new insights from disconnected data points - and de-contextualize - finding correlation rather than causation - have also increased the value of all forms of data. In some ways, big data has made data exist on an equal playing field as far as monetisation and joining up are concerned. Meta data can be just as valuable to an entity as content data. As data science techniques evolve to find new ways of collecting, processing, and analyzing data - the benefits of the same are clear and tangible, while the harms are less clear, but significantly present.</p>
<p>Is it possible for an algorithm to discriminate? Will incorrect decisions be made based on data collected? Will populations be excluded from necessary services if they do not engage with certain models or do emerging models overlook certain populations? Can such tools be used to surveil individuals at a level of granularity that was formerly not possible and before a crime occurs? Can such tools be used to violate rights – for example target certain types of speech or groups online? And importantly, when these practices are opaque to the individual, how can one seek appropriate and effective remedy?</p>
<p>Traditionally, data protection standards have defined and established protections for certain categories of data. Yet, data science techniques have evolved beyond data protection principles. It is now infinitely harder to obtain informed consent from an individual when data that is collected can be used for multiple purposes by multiple bodies. Providing notice for every use is also more difficult – as is fulfilling requirements of data minimization. Some say privacy is dead in the era of big data. Others say privacy needs to be re-conceptualized, while others say protecting privacy now, more than ever, requires a ‘regulatory sandbox’ that brings together technical design, markets, legislative reforms, self regulation, and innovative regulatory frameworks. It also demands an expanding of the narrative around privacy – one that has largely been focused on harms such as misuse of data or unauthorized collection – to include discrimination, marginalization, and competition harms.</p>
<p>In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This includes looking at India’s data protection regime in the context of big data, reviewing literature on the benefits and harms of big data, studying emerging predictive policing techniques that rely on big data, and analyzing closely the impact of big data on specific privacy principles such as consent. This is a growing body of research that we are exploring and is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.</p>
<p><em>Elonnai Hickok</em><br />Director - Internet Governance</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research'>https://cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research</a>
</p>
No publisher | Saumyaa Naidu | Human Rights, IT Act, Big Data, Privacy, Internet Governance, Smart Cities, Data Protection, Information Technology, Publications | 2016-11-12T01:37:03Z | Blog Entry
Personal Data Protection Bill must examine data collection practices that emerged during pandemic
https://cis-india.org/internet-governance/blog/news-nine-shweta-mohandas-and-anamika-kundu-personal-data-protection-bill-must-examine-data-collection-practices-that-emerged-during-pandemic
<b>The PDP bill is speculated to be introduced during the winter session of the parliament soon. The PDP Bill in its current form provides wide-ranging exemptions which allow government agencies to process citizen’s data in order to fulfil its responsibilities. The bill could ensure that employers have some responsibility towards the data they collect from the employees.
</b>
<p>The article by Shweta Mohandas and Anamika Kundu was <a class="external-link" href="https://www.news9live.com/technology/personal-data-protection-bill-must-examine-data-collection-practices-that-emerged-during-pandemic-137031?infinitescroll=1">originally published by <strong>news nine</strong></a> on November 29, 2021.</p>
<hr />
<p style="text-align: justify; ">The Personal Data Protection Bill (PDP) is speculated to be introduced during the winter session of the parliament soon, and the report of the Joint Parliamentary Committee (JPC) has already been <a class="external-link" href="https://www.thehindu.com/news/national/parliamentary-panel-retains-controversial-exemption-clause-in-personal-data-protection-bill/article37633344.ece">adopted</a> by the committee on Monday. The Report of the JPC comes after almost two years of deliberation and secrecy over what the final version of the Personal Data Protection Bill will look like. Since the publication of the <a class="external-link" href="https://prsindia.org/files/bills_acts/bills_parliament/2019/Personal%20Data%20Protection%20Bill,%202019.pdf">2019 version</a> of the PDP Bill, the Covid 19 pandemic and the public safety measures have opened the way for a number of new organisations and reasons to collect personal data that were non-existent in 2019. Hence, along with the changes suggested by multiple civil society organisations and the dissent notes submitted by the members of the JPC, the new version of the PDP Bill must also look at how data processing has changed over the span of two years.</p>
<h3 style="text-align: justify; ">Concerns with the bill</h3>
<p style="text-align: justify; ">At the outset there are certain parts of the PDP Bill which need to be revised in order to uphold the spirit of privacy and individual autonomy laid out in the Puttaswamy judgement. The two sections that need to be in line with the privacy judgement are the ones that allow for non consensual processing of data by the government, and by employers. The PDP Bill in its current form provides wide-ranging exemptions which allow government agencies to process citizen's data in order to fulfil its <a class="external-link" href="https://www.livemint.com/news/india/big-brother-on-top-in-data-protection-bill-11576164271430.html">responsibilities</a>.</p>
<p style="text-align: justify; ">In the <a class="external-link" href="https://www.meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf">2018 version</a> of the bill, drafted by the Justice Srikrishna Committee, exemptions granted to the State with regard to processing of data were subject to a four pronged test which required the processing to be (i) authorised by law; (ii) in accordance with the procedure laid down by the law; (iii) necessary; and (iv) proportionate to the interests being achieved. This four pronged test was in line with the principles laid down by the Supreme Court in the Puttaswamy judgement. The 2019 version of the PDP Bill has diluted this principle by merely retaining the 'necessity principle' and removing the other requirements, which is not in consonance with the test laid down by the Supreme Court in Puttaswamy.</p>
<p style="text-align: justify; ">Section 35 was also widely discussed in the panel meetings where members had <a class="external-link" href="https://www.thehindu.com/news/national/parliamentary-panel-retains-controversial-exemption-clause-in-personal-data-protection-bill/article37633344.ece">argued</a> for the removal of 'public order' as a ground for exemption. The panel also insisted on '<a class="external-link" href="https://www.thehindu.com/news/national/parliamentary-panel-retains-controversial-exemption-clause-in-personal-data-protection-bill/article37633344.ece">judicial or parliamentary oversight</a>' to grant such exemptions. The final report did not accept these suggestions, stating a need to balance <a class="external-link" href="https://www.thehindu.com/news/national/parliamentary-panel-retains-controversial-exemption-clause-in-personal-data-protection-bill/article37633344.ece">national security, liberty and privacy</a> of an individual. There ought to be prior judicial review of the written order exempting the governmental agency from any provisions of the bill. Allowing the government to claim an exemption if it is satisfied to be "necessary or expedient" can be misused.</p>
<p style="text-align: justify; ">Another clause which gives the data principal a wide berth is with respect to employee data. Section 13 of the current version of the bill provides the employer with leeway to process employee data (other than sensitive personal data) without consent based on two grounds: when consent is not appropriate, or when obtaining consent would involve disproportionate effort on the part of the employer.</p>
<p style="text-align: justify; ">The personal data so collected can only be collected for recruitment, termination, attendance, provision of any service or benefit, and assessing performance. This covers almost all of the activities that require data of the employee. Although the 2019 version of the bill excludes non-consensual collection of sensitive personal data (a provision that was missing in the 2018 version of the bill), there is still a lot of scope to improve this provision and provide employees further right to their data. At the outset the bill does not define employee and employer, which could result in confusion as there is no one definition of these terms across Indian Labour Laws.</p>
<p style="text-align: justify; ">Additionally, the bill distinguishes between employee and consumer, where the consumer of the same company or service has a greater right to their data than an employee: the consumer as a data principal has the option to use any other product or service and also has the right to withdraw consent at any time, whereas for an employee the consequence of refusing or withdrawing consent would be termination from employment. It is understood that there is a requirement for employee data to be collected, and that consent does not work the same way as it does in the case of a consumer.</p>
<p style="text-align: justify; ">The bill could ensure that employers have some responsibility towards the data they collect from the employees, such as ensuring that they are only used for the purpose for which they were collected, the employee knows how long their data will be retained, and know if the data is being processed by third parties. It is also worth mentioning that the Indian government is India's largest employer spanning a variety of agencies and public enterprises.</p>
<h3 style="text-align: justify; ">Concerns highlighted by JPC Members</h3>
<p style="text-align: justify; ">Returning to the members of the JPC who have moved dissent notes, specifically with regard to governmental exemptions: Jairam Ramesh filed a <a href="https://www.news9live.com/india/parliament-panel-adopts-report-on-data-protection-amid-dissent-by-opposition-135591">dissent note</a>, and many other opposition members followed suit. While Jairam Ramesh praised the JPC's functioning, he disagreed with certain aspects of the Report. According to him, the 2019 bill is designed in a manner where the right to privacy is given importance only in cases of private activities. He raised concerns regarding the unbridled powers given to the government to exempt itself from any of the provisions.</p>
<p style="text-align: justify; ">The amendment suggested by him would require parliamentary approval before exemption would take place. He also added that Section 12 of the bill, which provided certain scenarios where consent was not needed for processing of personal data, should have been made '<a href="https://www.hindustantimes.com/india-news/mps-file-dissent-notes-over-glaring-lacunae-in-report-on-data-protection-bill-101637566365637.html">less sweeping</a>'. Similarly, Gaurav Gogoi's <a href="https://www.hindustantimes.com/india-news/mps-file-dissent-notes-over-glaring-lacunae-in-report-on-data-protection-bill-101637566365637.html">note</a> stated that the exemptions would create a surveillance state and criticised Sections 12 and 35 of the bill. He also mentioned that there ought to be parliamentary oversight for the exemptions provided in the bill.</p>
<p style="text-align: justify; ">On the same issue, Congress leader Manish Tiwari noted that the bill creates '<a href="https://timesofindia.indiatimes.com/business/india-business/personal-data-protection-bill-what-is-it-and-why-is-the-opposition-so-unhappy-with-it/articleshow/87869391.cms">parallel universes</a>' - one for the private sector which needs to be compliant and the other for the State which can exempt itself. He has opposed the entire bill stating there exists an "inherent design flaw". He has raised specific objections to 37 clauses and stated that any blanket exemptions to the state goes against the Puttaswamy Judgement.</p>
<p style="text-align: justify; ">In their joint <a href="https://www.news9live.com/india/tmc-congress-mps-submit-dissent-notes-to-joint-panel-on-personal-data-protection-bill-135491">dissent note</a>, Derek O'Brien and Mahua Mitra have said that there is a lack of adequate safeguards to protect the data principals' privacy and the lack of time and opportunity for stakeholder consultations. They have also pointed out that the independence of the DPA will cease to exist with the present provision of allowing the government powers to choose members and the chairman. Amar Patnaik is to object to the lack of inclusion of state level authorities in the bill. Without such bodies, he says, there would be federal override.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">While a number of issues were highlighted by civil society, the members of the JPC, and the media, the new version of the bill should also take into account the shifts that have taken place in view of the pandemic. The new version of the data protection bill should take into consideration the changes and new data collection practices that have emerged during the pandemic, be comprehensive and leave very few provisions to be decided later by the Rules.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/news-nine-shweta-mohandas-and-anamika-kundu-personal-data-protection-bill-must-examine-data-collection-practices-that-emerged-during-pandemic'>https://cis-india.org/internet-governance/blog/news-nine-shweta-mohandas-and-anamika-kundu-personal-data-protection-bill-must-examine-data-collection-practices-that-emerged-during-pandemic</a>
</p>
No publisher | Shweta Mohandas and Anamika Kundu | Internet Governance, Data Protection, Privacy | 2022-03-30T15:15:21Z | Blog Entry
Nothing to Kid About – Children's Data Under the New Data Protection Bill
https://cis-india.org/internet-governance/blog/ijlt-shweta-mohandas-and-anamika-kundu-march-6-2022-nothing-to-kid-about-childrens-data-under-the-new-data-protection-bill
<b>The pandemic has forced policymakers to adapt their approach to people's changing practices, from looking at contactless ways of payment to the shifting of educational institutions online.</b>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">The article was originally <a class="external-link" href="https://www.ijlt.in/post/nothing-to-kid-about-children-s-data-under-the-new-data-protection-bill">published in the Indian Journal of Law and Technology</a></p>
<hr />
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">For children, the internet has shifted from being a form of entertainment to a medium to connect with friends and seek knowledge and education. However, each time they access the internet, data about them and their choices are inadvertently recorded by companies and unknown third parties. The growth of EdTech apps in India has led to growing concerns regarding children's data privacy. This has led to the creation of a <a class="_1lsz7 _3Bkfb" href="https://economictimes.indiatimes.com/tech/startups/edtech-firms-work-to-get-communication-right-with-the-asci/articleshow/89082308.cms" rel="noopener noreferrer" target="_blank">self-regulatory</a> body, the Indian EdTech Consortium. More recently, the <a class="_1lsz7 _3Bkfb" href="https://economictimes.indiatimes.com/tech/startups/edtech-firms-work-to-get-communication-right-with-the-asci/articleshow/89082308.cms" rel="noopener noreferrer" target="_blank">Advertising Standard Council of India</a><span class="_3zM-5"> has </span>also started looking at passing a draft regulation to keep a check on EdTech advertisements.</p>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">The Joint Parliamentary Committee (JPC), tasked with drafting and revising the Data Protection Bill, had to consider the number of changes that had happened after the release of the 2019 version of the Bill. The most significant change was the removal of the term “personal data” from the title of the Bill, in a move to create a comprehensive Data Protection Bill that includes both personal and non personal data, but certain other provisions of the Bill also featured additions and removals. The JPC, in its revised version of the Bill, has removed an entire class of <a class="_1lsz7 _3Bkfb" href="https://prsindia.org/billtrack/the-personal-data-protection-bill-2019#:~:text=Obligations%20of%20data%20fiduciary%3A%20A,specific%2C%20clear%20and%20lawful%20purpose" rel="noopener noreferrer" target="_blank">data fiduciaries</a> – guardian data fiduciary – which was tasked with greater responsibility for managing children's data. The JPC justified the removal of the guardian data fiduciary by stating that consent from the guardian of the child is enough to meet the end for which personal data of children are processed by the data fiduciary. While thought has been given to looking at how consent is given by the guardian on behalf of the child, there was no change in the age of children in the Bill. Keeping the age of consent under the Bill as the same as the age of majority to enter into a contract under the 1872 Indian Contract Act – 18 years – reveals the disconnect the law has with the ground reality of how children interact with the internet.</p>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">In the current state of affairs where Indian children are navigating the digital world on their own there is a need to look deeply at the processing of children’s data as well as ways to ensure that children have information about consent and informational privacy. By placing the onus of granting consent on parents, the PDP Bill fails to look at how consent works in a privacy policy–based consent model and how this, in turn, harms children in the long run.</p>
<h3 class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d aujbK _3M0Fe _1FoOD iWv3d _1j-51 mm8Nw">1. Age of Consent</h3>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">By setting the age of consent at 18 years, the Data Protection Bill, 2021 brings all individuals under 18 years of age under one umbrella without making a distinction between the internet usage of a 5-year-old child and a 16-year-old teenager. There is a need to look at the current internet usage habits of children and assess whether requiring parental consent is reasonable or even practical. It is also pertinent to note that the law in the offline world does make the distinction between age and maturity. For example, it has been <a class="_1lsz7 _3Bkfb" href="https://cis-india.org/internet-governance/blog/pallavi-bedi-and-shweta-mohandas-cis-comments-on-data-protection-bill" rel="noopener noreferrer" target="_blank">highlighted</a> that Section 82 of the Indian Penal Code, read with Section 83, states that any act by a child under the age of 12 years shall not be considered an offence, while the maturity of those aged between 12–18 years will be decided by the court (individuals between the age of 16–18 years can also be tried as adults for heinous crimes). Similarly, child labour laws in the country allow children above the age of 14 years to work in non-hazardous industries, which would qualify them to fall under Section 13 of the Bill, which deals with employee data.</p>
<p style="text-align: justify; "><span>A 2019 </span><a class="_1lsz7 _3Bkfb" href="https://reverieinc.com/wp-content/uploads/2020/09/IAMAI-Digital-in-India-2019-Round-2-Report.pdf" rel="noopener noreferrer" target="_blank">report</a><span> suggests that two-thirds of India’s internet users are in the 12–29 years age group, accounting for about 21.5% of the total internet usage in metro cities. With the emergence of cheaper phones equipped with faster processing and low internet data costs, children are no longer passive consumers of the internet. They have social media accounts and use several applications to interact with others and make purchases. There is a need to examine how children and teenagers interact with the internet as well as the practicality of requiring parental consent for the usage of applications.</span></p>
<p style="text-align: justify; "><span>Most applications that require age data request users to type in their date of birth; it is not difficult for a child to input a suitable date that would make it appear that they are </span><a class="_1lsz7 _3Bkfb" href="https://www.theguardian.com/media/2013/jul/26/children-lie-age-facebook-asa" rel="noopener noreferrer" target="_blank">over 18</a><span>. In this case they are still children but the content that will be presented to them would be those that are meant for adults including content that might be disturbing or those involving use of </span><a class="_1lsz7 _3Bkfb" href="https://www.theguardian.com/media/2013/jul/26/children-lie-age-facebook-asa" rel="noopener noreferrer" target="_blank">alcohol and gambling. </a><span>Additionally, in their privacy policies, applications sometimes state that they are not suited for and restricted from users under 18. Here, data fiduciaries avoid liability by placing the onus on the user to declare their age and properly read and understand the privacy policy.</span></p>
<p style="text-align: justify; "><span>Reservations about the age of consent under the Bill have also been highlighted by some members of the JPC through their dissenting opinions. </span><a class="_1lsz7 _3Bkfb" href="http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf#page=221" rel="noopener noreferrer" target="_blank">MP Ritesh Pandey </a><span>suggested that the age of consent should be reduced to 14 years keeping the best interest of the children in mind as well as to support children in benefiting from technological advances. Similarly, </span><a class="_1lsz7 _3Bkfb" href="http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf#page=221" rel="noopener noreferrer" target="_blank">MP Manish Tiwari </a><span>in his dissenting opinion suggested regulating data fiduciaries based on the type of content they provide or data they collect.</span></p>
<h3><span>2. How is the 2021 Bill Different from the 2019 Bill?</span></h3>
<p style="text-align: justify; "><span>The </span><a class="_1lsz7 _3Bkfb" href="http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf" rel="noopener noreferrer" target="_blank">2019 </a><span>draft of the Bill consisted of a class of data fiduciaries called guardian data fiduciaries – entities that operate commercial websites or online services directed at children or which process large volumes of children’s personal data. This class of fiduciaries was barred from profiling, tracking, behavioural monitoring, and running targeted advertising directed at children and undertaking any other processing of personal data that can cause significant harm to the child. In the previous draft, such data fiduciaries were not allowed to engage in ‘profiling, tracking, behavioural monitoring of children, or direct targeted advertising at children’. There was also a prohibition on conducting any activities that might significantly harm the child. As per Chapter IV, any violation could attract a penalty of up to INR 15 crore of the worldwide turnover of the data fiduciary for the preceding financial year, whichever is higher. However, this separate class of data fiduciaries does not have any additional responsibilities. It is also unclear whether a data fiduciary that does not by definition fall within such a category would be allowed to engage in activities that could cause ‘significant harm’ to children.</span></p>
<p style="text-align: justify; "><span>The new Bill also does not provide any mechanisms for age verification and only lays down considerations that verification processes should be undertaken. Furthermore, the JPC has suggested that consent options available to the child when they attain the age of majority i.e. 18 years should be included within the rule frame by the Data Protection Authority instead of being an amendment in the Bill.</span></p>
<h3><span>3. In the Absence of a Guardian Data Fiduciary</span></h3>
<p style="text-align: justify; "><span>The 2018 and 2019 drafts of the PDP Bill consider a child to be any person below the age of 18 years. For a child to access online services, the data fiduciary must first verify the age of the child and obtain consent from their guardian. The Bill does not provide an explicit process for age verification apart from stating that regulations shall be drafted in this regard. The 2019 Bill states that the Data Protection Authority shall specify codes of practice in this matter. Taking best practices into account, there is a need for ‘</span><a class="_1lsz7 _3Bkfb" href="https://cuts-ccier.org/pdf/project-brief-highlighting-inclusive-and-practical-mechanisms-to-protect-childrens-data.pdf" rel="noopener noreferrer" target="_blank">user-friendly and privacy-protecting age verification techniques</a><span>’ to encourage safe navigation across the internet. This will require </span><a class="_1lsz7 _3Bkfb" href="https://cuts-ccier.org/pdf/bp-global-technological-developments-in-age-verification-and-age-estimation.pdf" rel="noopener noreferrer" target="_blank">looking at </a><span>technological developments and different standards worldwide. There is a need to hold companies </span><a class="_1lsz7 _3Bkfb" href="https://www.livemint.com/opinion/columns/theres-a-better-way-to-protect-the-online-privacy-of-kids-11615306723478.html" rel="noopener noreferrer" target="_blank">accountable</a><span> for the protection of children’s online privacy and the harm that their algorithms cause children and to make sure that they are not continued.</span></p>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">The JPC in the 2021 version of the Bill removed provisions about guardian data fiduciaries, stating that there was no advantage in creating a different class of data fiduciary. As per the JPC, even those data fiduciaries that did not fall within the said classification would also need to comply with rules pertaining to the personal data of children i.e. with Section 16 of the Bill. Section 16 of the Bill requires the data fiduciary to verify the child’s age and obtain consent from the parent/guardian. The manner of age verification has also been spelt out. Furthermore, since ‘significant data fiduciaries’ is an existing class, there is still a need to comply with rules related to data processing. The JPC also removed the phrase “in the best interests of, the child” and “is in the best interests of, the child” under sub-clause 16(1), implying that the entire Bill concerned the rights of the data principal and the use of such terms dilutes the purpose of the legislation and could give way to manipulation by the data fiduciary.</p>
<h3><span>Conclusion</span></h3>
<p style="text-align: justify; "><span>Over the past two years, there has been a significant increase in applications that are targeted at children. There has been a proliferation of EduTech apps, which ideally should have more responsibility as they are processing children's data. We recommend that instead of creating a separate category, such fiduciaries collecting children's data or providing services to children be seen as ‘significant data fiduciaries’ that need to take up additional compliance measures.</span></p>
<p style="text-align: justify; "><span>Furthermore, any blanket prohibition on tracking children may obstruct safety measures that could be implemented by data fiduciaries. These fears are also increasing in other jurisdictions as there is a likelihood of restricting data fiduciaries from using software that looks out for </span><a class="_1lsz7 _3Bkfb" href="https://www.unodc.org/e4j/en/cybercrime/module-12/key-issues/online-child-sexual-exploitation-and-abuse.html" rel="noopener noreferrer" target="_blank">Child Sexual Abuse Material</a><span> as well as online predatory behaviour. Additionally, concerning the age of consent under the Bill, the JPC could look at international best practices and come up with ways to make sure that children can use the internet and have rights over their data, which would enable them to grow up with more awareness about data protection and privacy. One such example to look at could be the Children's Online Privacy Protection Rule (COPPA) in the US, where the rules apply to operators of websites and online services that collect personal information from kids </span><a class="_1lsz7 _3Bkfb" href="https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance" rel="noopener noreferrer" target="_blank">under 13 </a><span>or provide services to children that are directed at a general audience, but have actual knowledge that they collect personal information from such children. A form of combination of this system and the significant data fiduciary classification could be one possible way to ensure that children’s data and privacy are preserved online.</span></p>
<hr />
<p>The authors are researchers at the Centre for Internet and Society and thank their colleague Arindrajit Basu for his inputs.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/ijlt-shweta-mohandas-and-anamika-kundu-march-6-2022-nothing-to-kid-about-childrens-data-under-the-new-data-protection-bill'>https://cis-india.org/internet-governance/blog/ijlt-shweta-mohandas-and-anamika-kundu-march-6-2022-nothing-to-kid-about-childrens-data-under-the-new-data-protection-bill</a>
</p>
No publisher; Shweta Mohandas and Anamika Kundu; Digitalisation, Digital Knowledge, Internet Governance, Data Protection, Data Management; 2022-03-10T13:19:52Z; Blog Entry
NHA Data Sharing Guidelines – Yet Another Policy in the Absence of a Data Protection Act
https://cis-india.org/internet-governance/blog/nha-data-sharing-guidelines
<b>In July this year, the National Health Authority (NHA) released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) just two months after publishing the draft Health Data Management Policy.</b>
<p>Reviewed and edited by Anubha Sinha</p>
<hr />
<p style="text-align: justify; ">Launched in 2018, PM-JAY is a public health insurance scheme set to cover 10 crore poor and vulnerable families across the country for secondary and tertiary care hospitalisation. Eligible candidates can use the scheme to avail of cashless benefits at any public/private hospital falling under this scheme. Considering the scale and sensitivity of the data, the creation of a well-thought-out data-sharing document is a much-needed step. However, the document – though only a draft – has certain portions that need to be reconsidered, including parts that are not aligned with other healthcare policy documents. In addition, the guidelines should be able to work in tandem with the Personal Data Protection Act whenever it comes into force. With no prior intimation of the publication of the guidelines, and the provision of a mere 10 days for consultation, there was very little scope for stakeholders to submit their comments and participate in the consultation. While the guidelines pertain to the PM-JAY scheme, it is an important document to understand the government’s concerns and stance on the sharing of health data, especially by insurance companies.</p>
<h3 style="text-align: justify; ">Definitions: Ambiguous and incompatible with similar policy documents</h3>
<p style="text-align: justify; ">The draft guidelines add to the list of health data–related policies that have been published since the beginning of the pandemic. These include three draft health data management policies published within two years, which have already covered the sharing and management of health data. The draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; in this case, the guidelines fail to refer to the draft National Digital Health Data Management Policy (published in April 2022). To add to this, the document – by placing the definitions at the end – is difficult to read and understand, especially when terms such as ‘beneficiary’, ‘data principal’, and ‘individual’ are used interchangeably. In the same vein, the document uses the terms ‘data principal’ and ‘data fiduciary’, and the definitions of health data and personal data, from the 2019 PDP Bill, while also referring to the IT Act SPDI Rules and its definition of ‘sensitive personal data’. While the guidelines state that the IT Act and Rules will be the legislation to refer to for these guidelines, it is to be noted that the IT Act under the SPDI Rules covers ‘body corporates’, which, under Section 43A(1), is defined as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;”. It is difficult to add responsibility and accountability to the organisations under the guidelines when they might not even be covered under this definition.</p>
<p style="text-align: justify; ">With each new policy, civil society organisations have been pointing out the need to have a data protection act before introducing policies and guidelines that deal with the processing and sharing of the data of individuals. Ideally, these policies – even in draft form – should have been published after the Personal Data Protection Bill was enacted, to ensure consistency with the provisions of the law. For example, the guidelines introduce a new category of governance mechanisms under the data-sharing committee headed by a data-sharing officer (DSO). The responsibilities and powers of the DSO are similar to that of the data protection officer under the draft PDP Bill as well as the National Data Health Management Policy (NHDMP). This, in turn, raises the question of whether the DSO and the DPOs under both the PDP Bill and the draft NDMP will have the same responsibilities. Clarity in terms of which of the policies are in force and how they intersect is needed to ensure a smooth implementation. Ideally, having multiple sources of definitions should be addressed at the drafting stage itself.</p>
<h3 style="text-align: justify; ">Guiding Principles: Need to look beyond privacy</h3>
<p style="text-align: justify; ">The guidelines enumerate certain principles to govern the use, collection, processing, and transmission of the personal or sensitive personal data of beneficiaries. These principles are accountability, privacy by design, choice and consent, openness/transparency, etc. While these provisions are much needed, their explanation at times misses the mark of why these principles were added. For example, in the case of accountability, the guidelines state that the ‘data fiduciary’ shall be accountable for complying with measures based on the guiding principles. However, it does not specify who the fiduciaries would be accountable to and what the steps are to ensure accountability. Similarly, in the case of openness and transparency, the guidelines state that the policies and practices relating to the management of personal data will be available to all stakeholders. However, openness and transparency need to go beyond policies and practices and should consider other aspects of openness, including open data and the use of open-source software and open standards. This again will add to transparency, in that it would specify the rights of the data principal, as the current draft looks at the rights of the data principal merely from a privacy perspective. In the case of purpose limitation as well, the guidelines are tied to the privacy notice, which again puts the burden on the individual (in this case, beneficiary) when the onus should actually be on the data fiduciary. Lastly, under the empowerment of beneficiaries, the guidelines state that the “data principal shall be able to seek correction, amendments, or deletion of such data where it is inaccurate;”. The right to deletion should not be conditional on inaccuracy, especially when entering the scheme is optional and consent-based.</p>
<h3 style="text-align: justify; ">Data sharing with third parties without adequate safeguards</h3>
<p style="text-align: justify; ">The guidelines outline certain cases where personal data can be collected, used, or disclosed without the consent of the individual. One of these cases is when the data is anonymised. However, the guidelines do not detail how this anonymisation would be achieved and ensured through the life cycle of the data, especially when the clause states that the data will also be collected without consent. The guidelines also state that the anonymised data could be used for public health management, clinical research, or academic research. The guidelines should have limited the scope of academic research or added certain criteria to gain access to the data; the use of vague terminology could lead to this data (sometimes collected without consent) being de-anonymised or used for studies that could cause harm to the data principal or even a particular community. The guidelines state that the data can be shared as ‘protected health information’ with a government agency for oversight activities authorised by law, epidemic control, or in response to court orders. With the sharing of data, care should be taken to ensure data minimisation and purpose limitations that go beyond the explanations added in the body of the guidelines. In addition, the guidelines also introduce the concept of a ‘clean room’, which is defined as “a secure sandboxed area with access controls, where aggregated and anonymised or de-identified data may be shared for the purposes of developing inference or training models”. The definition does not state who will be developing these training models; it could be a cause of worry if AI companies or even insurance companies have the potential to use this data to train models that could eventually make decisions based on the results. 
The term ‘sandbox’ is explained under the now revoked DP Bill 2021 as “such live testing of new products or services in a controlled or test regulatory environment for which the Authority may or may not permit certain regulatory relaxations for a specified period for the limited purpose of the testing”. Neither the 2019 Bill nor the IT Act/Rules defines ‘sandbox’; the guidelines should have ideally spent more time explaining how the sandbox system in the ‘Clean Room’ works.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">The draft Data Sharing Guidelines are a welcome step in ensuring that the entities sharing and processing data have guidelines to adhere to, especially since the Data Protection Bill has not been passed yet. The mention of the best practices for data sharing in annexures, including practices for people who have access to the data, is a step in the right direction, which could be made better with regular training and sensitisation. While the guidelines are a good starting point, they still suffer from the issues that have been highlighted in similar health data policies, including not referring to older policies, adding new entities, and the reliance on digital and mobile technology. The guidelines could have added more nuance to the consent and privacy by design sections to ensure other forms of notice, e.g., notice in audio form in different Indian languages. While PM-JAY aims to reach 10 crore poor and vulnerable families, there is a need to look at how to ensure that consent is given according to the guidelines that are “free, informed, clear, and specific”.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/nha-data-sharing-guidelines'>https://cis-india.org/internet-governance/blog/nha-data-sharing-guidelines</a>
</p>
No publisher; Shweta Mohandas and Pallavi Bedi; IT Act, Internet Governance, Data Protection, Privacy; 2022-09-29T15:17:24Z; Blog Entry
MediaNama - #NAMAprivacy: The Future of User Data (Delhi, Sep 6)
https://cis-india.org/internet-governance/news/medianama-namaprivacy-the-future-of-user-data-delhi-sep-6
<b>MediaNama is hosting a full day conference on "the future of user data in India", on the 6th of September 2017, which is particularly significant given the recent Supreme Court ruling on the fundamental right to privacy, and two government consultations: one at the TRAI, and another at MEITY. This discussion is supported by Facebook, Google, and Microsoft. Sumandro Chattapadhyay, Research Director, will participate as a speaker in the session titled "regulating storage, sharing and transfer of data."</b>
<p> </p>
<h4>Details</h4>
<p>Time: September 6th 2017, 9 am to 4:30 pm</p>
<p>Venue: Gulmohar Hall, India Habitat Centre, Lodhi Road (please enter from Gate #3)</p>
<p>Agenda: <a href="https://www.medianama.com/2017/08/223-agenda-namaprivacy-future-of-user-data/">https://www.medianama.com/2017/08/223-agenda-namaprivacy-future-of-user-data/</a></p>
<h4>Announced Speakers</h4>
<ul><li>Chinmayi Arun, Centre for Communication Governance at NLU Delhi</li>
<li>Malavika Raghavan, IFMR Finance Foundation</li>
<li>Renuka Sane, NIPFP</li>
<li>Smitha Krishna Prasad, Centre for Communication Governance at NLU Delhi</li>
<li>Ananth Padmanabhan, Carnegie India</li>
<li>Avinash Ramachandra, Amazon</li>
<li>Hitesh Oberoi, Naukri</li>
<li>Jochai Ben-Avie, Mozilla</li>
<li>Mrinal Sinha, Mobikwik</li>
<li>Murari Sreedharan, Bankbazaar</li>
<li>Sumandro Chattapadhyay, Centre for Internet and Society</li></ul>
<h4>Facilitators</h4>
<ul><li>Saikat Datta, Asia Times Online</li>
<li>Shashidar KJ, MediaNama</li>
<li>Nikhil Pahwa, MediaNama</li></ul>
<h4>Attendees</h4>
<p>We have confirmed 140+ attendees from: Adobe, Amber Health, Amazon, APCO Worldwide, Bank Bazaar, Bloomberg-Quint, Blume Ventures, Broadband India Forum, Business Standard, BuzzFeed News, CCOAI, CEIP, Change Alliance, Chase India, CIS, CNN News18, DEF, Deloitte, DNA, DSCI, E2E Networks, British High Commission, Eurus Network Services, FICCI, Firefly Networks, Flipkart, Forrester Research, Fortumo, DoT, MEITY, IAMAI, IBM, ICRIER, IFMR Finance Foundation, IIMC, Indian Law Institute, Indic Project, Info Edge, ISPAI, IT for Change, ITU-APT, Jamia Millia Islamia, Jindal Global Law School, Mimir Technologies, Mozilla, Newslaundry, NIPFP, Nishith Desai Associates, NIXI, NLU-Delhi, ORF, Paytm, PLR Chambers, PRS Legislative Research, Publicis Groupe, Quartz India, Reliance Jio, Reuters, Saikrishna & Associates, Scroll.in, SFLC.in, Spectranet, The Economic Times, The Indian Express, The Times of India, The Wire, Times Internet, Twitter, and more.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/medianama-namaprivacy-the-future-of-user-data-delhi-sep-6'>https://cis-india.org/internet-governance/news/medianama-namaprivacy-the-future-of-user-data-delhi-sep-6</a>
</p>
No publisher; sumandro; Big Data, Digital Economy, Privacy, Internet Governance, Data Governance, Data Protection, Digital Rights; 2017-09-05T10:22:12Z; Blog Entry
Marco Civil da Internet: Brazil’s ‘Internet Constitution’
https://cis-india.org/internet-governance/blog/marco-civil-da-internet
<b>On March 25, 2014, Brazil's lower house of parliament passed bill no. 2126/2011, popularly known as Marco Civil da Internet. The Marco Civil is a charter of Internet user-rights and service provider responsibilities, committed to freedom of speech and expression, privacy, and accessibility and openness of the Internet. In this post, the author looks at the pros and cons of the bill.</b>
<h3><em><strong>Introduction:</strong></em></h3>
<div style="text-align: justify; ">
<div>
<div style="text-align: justify; ">Ten months ago, Edward Snowden’s revelations of the U.S. National Security Agency’s extensive, warrantless spying dawned on us. Citizens and presidents alike expressed their outrage at this sweeping violation of their privacy. While India’s position remained carefully neutral, or indeed, supportive of NSA’s surveillance, Germany, France and Brazil cut the U.S. no slack. Indeed, at the 68th session of the United Nations General Assembly, Brazilian President Dilma Rousseff (whose office the NSA had placed under surveillance) stated, “<em>Tampering in such a manner in the affairs of other countries is a breach of International Law and is an affront to the principles that must guide the relations among them, especially among friendly nations.</em>” Brazil, she said, would “<em>redouble its efforts to adopt legislation, technologies and mechanisms to protect us from the illegal interception of communications and data.</em>”</div>
<div>Some may say that Brazil has lived up to its word. Later this month, Brazil will be host to <em>NETmundial</em>, the Global Multi-stakeholder Meeting on the Future of Internet Governance, jointly organized by the Brazilian Internet Steering Committee (CGI.br) and the organization /1Net. The elephantine invisible presence of Snowden vests NETmundial with the hope and responsibility of laying the ground for a truly multi-stakeholder model for governing various aspects of the Internet; a model where governments are an integral part, but not the only decision-makers. The global Internet community, comprising users, corporations, governments, the technical community, and NGOs and think-tanks, is hoping to devise a workable method to divest the U.S. Government of its <em>de facto</em> control over the Internet, which it wields through its contracts to manage the domain name system and the root zone.</div>
<div>But as Internet governance expert Dr. Jeremy Malcolm put it, these technical aspects do not make or break the Internet. The real questions in Internet governance underpin the rights of users, corporations and netizens worldwide. Sir Tim Berners-Lee, when he <a class="external-link" href="http://www.theguardian.com/technology/2014/mar/12/online-magna-carta-berners-lee-web">called for</a> an Internet Bill of Rights, meant much the same. For Sir Tim, an open, neutral Internet is imperative if we are to keep our governments open, and foster “<em>good democracy, healthcare, connected communities and diversity of culture</em>”. Some countries agree. The Philippines envisaged a <em>Magna Carta</em> for Internet Freedom, though the Bill is pending in the Philippine parliament.</div>
<h3><strong><em>Marco Civil da Internet:</em></strong></h3>
<div>Last week, on March 25, 2014, the Brazilian Chamber of Deputies (the lower house of parliament) passed the <em>Marco Civil da Internet</em>, bill 2126/2011, a charter of Internet rights. The <em>Marco Civil</em> is considered by the global Internet community as a one-of-a-kind bill, with Sir Tim Berners-Lee <a class="external-link" href="http://www.webfoundation.org/2014/03/marco-civil-statement-of-support-from-sir-tim-berners-lee/?utm_source=hootsuite&utm_campaign=hootsuite">hailing</a> the “<em>groundbreaking, inclusive and participatory process has resulted in a policy that balances the rights and responsibilities of the individuals, governments and corporations who use the Internet</em>”.</div>
<div>The <em>Marco Civil</em>’s journey began with a two-stage public consultation process in October 2009, under the aegis of the Brazilian Ministry of Justice’s Department of Legislative Affairs, jointly with the Getulio Vargas Foundation’s Center for Technology and Society of the Law School of Rio de Janeiro (CTS-FGV). The collaborative process <a class="external-link" href="http://observatoriodainternet.br/wp-content/uploads/2012/11/Internet-Policy-Report-Brazil-2011.pdf">involved</a> a 45-day consultation process in which over 800 comments were received, following which a second consultation in May 2010 received over 1200 comments from individuals, civil society organizations and corporations involved in the telecom and technology industries. Based on comments, the initial draft of the bill was revamped to include issues of popular, public importance, such as intermediary liability and online freedom of speech.</div>
<div>An official English translation of the <em>Marco Civil</em> is as yet unavailable. But an <a class="external-link" href="https://docs.google.com/document/d/1kJYQx-l_BVa9-3FZX23Vk9IfibH9x6E9uQfFT4e4V9I/pub">unofficial translation</a> (please note that the file is uploaded on Google Drive), triangulated against <a class="external-link" href="http://infojustice.org/archives/32527">online</a> <a class="external-link" href="http://www.zdnet.com/brazil-passes-groundbreaking-internet-governance-bill-7000027740/">commentary</a> on <a class="external-link" href="http://www.zdnet.com/all-you-need-to-know-about-brazils-internet-constitution-7000022726/">the bill</a>, reveals that the following issues were of primary importance:</div>
<h3><strong><em>The fundamentals:</em></strong></h3>
<div>The fundamental principles of the <em>Marco Civil</em> reveal a commitment to openness, accessibility, neutrality and democratic collaboration on the Internet. Art. 2 (see unofficial translation) sets out the fundamental principles that form the basis of the law. It pledges to adhere to freedom of speech and expression, along with an acknowledgement of the global scale of the network, its openness and collaborative nature, its plurality and diversity. It aims to foster free enterprise and competition on the Internet, while ensuring consumer protection and upholding human rights, personality development and citizenship exercise in the digital media in line with the network’s social purposes. Not only this, but Art. 4 of the bill pledges to promote universal access to the Internet, as well as “<em>to information, knowledge and participation in cultural life and public affairs</em>”. It aims to promote innovation and open technology standards, while ensuring interoperability.</div>
<div>The <em>Marco Civil</em> expands on its commitment to human rights and accessibility by laying down a “<em>discipline of Internet use in Brazil</em>”. Art. 3 of the bill guarantees freedom of expression, communication and expression of thoughts, under the terms of the Federal Constitution of Brazil, while at the same time guaranteeing privacy and protection of personal data, and preserving network neutrality. It also focuses on preserving network stability and security, by emphasizing accountability and adopting “<em>technical measures consistent with international standards and by encouraging the implementation of best practices</em>”.</div>
<div>These principles, however, are buttressed by rights assured to Internet users and responsibilities of and exceptions provided to service providers.</div>
</div>
<h3><strong><em>Rights and responsibilities of users and service providers:</em></strong></h3>
<div><strong><span style="text-decoration: underline;">Net neutrality:</span></strong></div>
<div>Brazil becomes one of the few countries in the world (joining the likes of the Netherlands, Chile and Israel in part) to preserve network neutrality by legislation. Art. 9 of the <em>Marco Civil</em> requires all Internet providers “<em>to treat any data package with isonomy, regardless of content, origin and destination, service, terminal or application</em>”. Not only this, but Internet providers are enjoined from blocking, monitoring or filtering content during any stage of transmission or routing of data. Deep packet inspection is also forbidden. Exceptions may be made to discriminate among network traffic <em>only</em> on the basis of essential technical requirements for services-provision, and for emergency services prioritization. Even this requires the Internet provider to inform users in advance of such traffic discrimination, and to act proportionately, transparently and with equal protection.</div>
<div><strong><span style="text-decoration: underline;">Data retention, privacy and data protection:</span></strong></div>
<div>The <em>Marco Civil</em> includes provisions for the retention of personal data and communications by service providers, and access to the same by law enforcement authorities. However, record, retention and access to Internet connection records and applications access-logs, as well as any personal data and communication, are required to meet the standards for “<em>the conservation of intimacy, private life, honor and image of the parties directly or indirectly involved</em>” (Art. 10). Specifically, access to identifying information and contents of personal communication may be obtained <em>only</em> upon judicial authorization.</div>
<div>Moreover, where data is collected within Brazilian territory, processes of collection, storage, custody and treatment of the abovementioned data are required to comply with Brazilian laws, especially the right to privacy and confidentiality of personal data and private communications and records (Art. 11). Interestingly, this compliance requirement is applicable also to entities incorporated in foreign jurisdictions, which offer services to Brazilians, or where a subsidiary or associate entity of the corporation in question has establishments in Brazil. While this is undoubtedly a laudable protection for Brazilians or service providers located in Brazil, it is possible that conflicts may arise (<a class="external-link" href="http://www.economist.com/news/americas/21599781-brazils-magna-carta-web-net-closes?frsc=dg%7Ca&fsrc=scn/tw_app_ipad">with penal consequences</a>) between standards and terms of data retention and access by authorities in other jurisdictions. In the predictable absence of harmonization of such laws, perhaps rules of conflicts of law may prove helpful.</div>
<div></div>
<div></div>
<div>While data retention remained a point of contention (Brazil initially sought to ensure a 5-year data retention period), under the <em>Marco Civil</em><span>, Internet providers are required to retain connection records for 1 year under rules of strict confidentiality; this responsibility cannot be delegated to third parties (Art. 13). Providers providing the Internet connection (such as Reliance or Airtel in India) are forbidden from retaining records of access to applications on the Internet (Art. 14). While law enforcement authorities may request a longer retention period, a court order (filed for by the authority within 60 days from the date of such request) is required to access the records themselves. In the event the authority fails to file for such court order within the stipulated period, or if the court order is denied, the service provider must protect the confidentiality of the connection records.</span></div>
<div><span><br /></span></div>
<div><span> </span></div>
<div>Though initially excluded from the <em>Marco Civil</em>, the current draft passed by the Chamber of Deputies requires Internet application providers (such as Google or Facebook) to retain access-logs for their applications for 6 months (Art. 15). Logs for other applications may not be retained without previous consent of the owner, and in any case, the provider cannot retain personal data that is in excess of the purpose for which consent was given by the owner. As for connection records, law enforcement authorities may request a greater retention period, but require a court order to access the data itself.</div>
<div></div>
<div></div>
<div>These requirements must be understood in light of the rights that the <em>Marco Civil</em> guarantees to users. Art. 7, which enumerates these user-rights, does not however set forth their <em>content</em>; this is probably left to judicial interpretation of rights enshrined in the Federal Constitution. In any event, Art. 7 guarantees to all Internet users the “<em>inviolability of intimacy and privacy</em>”, including the confidentiality of all Internet communications, along with “<em>compensation for material or moral damages resulting from violation</em>”. In this regard, it assures that users are entitled to a guarantee that no personal data or communication shall be shared with third parties in the absence of express consent, and to “<em>clear and complete information on the collection, use, storage, treatment and protection of their personal data</em>”. Indeed, where contracts violate the requirements of inviolability and secrecy of private communications, or where a dispute resolution clause does not permit the user to approach Brazilian courts as an alternative, Art. 8 renders such contracts null and void.</div>
<div></div>
<div></div>
<div>Most importantly, Art. 7 states that users are entitled to clear and complete information about how connection records and access logs shall be stored and protected, and to publicity of terms/policies of use of service providers. Additionally, Art. 7 emphasizes quality of service and accessibility to the Internet, and forbids suspension of Internet connections except for failure of payments. Read comprehensively, therefore, Arts. 7-15 of the <em>Marco Civil prima facie</em> set down robust protections for private and personal data and communications.</div>
<div></div>
<div></div>
<div>An initial draft of the <em>Marco Civil</em> <a class="external-link" href="http://www.zdnet.com/companies-brace-for-brazil-local-data-storage-requirements-7000027092/">sought to mandate</a> local storage of all Brazilians’ data within Brazilian territory. This came in response to Snowden’s revelations of NSA surveillance, and President Rousseff, in her <a class="external-link" href="http://gadebate.un.org/sites/default/files/gastatements/68/BR_en.pdf">statement</a> to the United Nations, declared that Brazil sought to protect itself from “<em>illegal interception of communications and data</em>”. However, the implication of this local storage requirement was the creation of a <a class="external-link" href="http://bigstory.ap.org/article/brazil-looks-break-us-centric-internet">geographically isolated</a> Brazilian Internet, with repercussions for the Internet’s openness and interoperability that the <em>Marco Civil</em> itself sought to protect. Moreover, there are <a class="external-link" href="http://www.gp-digital.org/gpd-update/data-retention-provisions-in-the-marco-civil/">implications</a> for efficiency and business; for instance, small businesses may be unable to source the money or capacity to comply with local storage requirements. Also, they lead to mandating storage on political grounds, and not on the basis of effective storage. Amid widespread protest from corporations and civil society, this requirement was then <a class="external-link" href="http://www.zdnet.com/brazil-gives-up-on-local-data-storage-demands-net-neutrality-7000027493/">withdrawn</a>, which, some say, propelled the quick passage of the bill in the Chamber of Deputies.</div>
<div></div>
<div></div>
</div>
<div style="text-align: justify; ">
<div><strong><span style="text-decoration: underline;">Intermediary liability:</span></strong></div>
<div>Laws of many countries make service providers liable for third party content that infringes copyright or that is otherwise against the law (such as pornography or other offensive content). For instance, Section 79 of the Indian Information Technology Act, 2000 (as amended in 2008) is such a provision where intermediaries (i.e., those who host user-generated content, but do not create the content themselves) may be held liable. However, stringent intermediary liability regimes create the possibility of private censorship, where intermediaries resort to blocking or filtering user-generated content that they fear may violate laws, sometimes even without intimating the creator of the infringing content. The <em>Marco Civil</em> addresses this possibility of censorship by creating a restricted intermediary liability provision. Please note, however, that the bill expressly excludes from its ambit copyright violations, which a <a class="external-link" href="http://infojustice.org/archives/31993">copyright reforms bill</a> seeks to address.</div>
<div></div>
<div></div>
<div>At first instance, the <em>Marco Civil</em> exempts service providers from civil liability for third party content (Art. 18). Moreover, intermediaries are liable for damages arising out of third party content <em>only</em> where such intermediaries do not comply with court orders (which may require removal of content, etc.) (Art. 19). This leaves questions of infringement and censorship to the judiciary, which the author believes is the right forum to adjudicate such issues. Moreover, wherever identifying information is available, Art. 20 mandates the intermediary to apprise the creator of infringing content of the reasons for removal of his/her content, with information that enables the creator to defend him- or herself in court. This measure of transparency is particularly laudable; for instance, in India, no such intimation is required by law, and you or I as journalists, bloggers or other creators of content may never know why our content is taken down, or be equipped to defend ourselves in court against the plaintiff or petitioner who sought removal of our content. Finally, a due diligence requirement is placed on the intermediary in circumstances where third party content discloses, “<em>without consent of its participants, of photos, videos or other materials containing nudity or sexual acts of private character</em>”. As per Art. 21, where the intermediary does not take down such content upon being intimated by the concerned participant, it may be held secondarily liable for infringement of privacy.</div>
<div></div>
<div></div>
<div>This restricted intermediary liability regime is further strengthened by a requirement of specific identification of infringing content, which both the court order issued under Art. 20 and the take-down request under Art. 21 must fulfill. This requirement is missing, for instance, under Section 79 of the Indian Information Technology Act, which creates a diligence and liability regime without requiring identifiability of infringing content.</div>
<div></div>
<div></div>
<h3><strong><em>Conclusion:</em></strong></h3>
<div>Brazil’s ‘Internet Constitution’ has done much to add to the ongoing discussion on the rights and responsibilities of users and providers. By expressly adopting protections for net neutrality and online privacy and freedom of expression, the Marco Civil may be considered to set itself up as a model for Internet rights at the municipal level, barring a Utopian bill of rights. Indeed, in an effusive statement of support for the bill, Sir Tim Berners-Lee stated: “<em>If Marco Civil is passed, without further delay or amendment, this would be the best possible birthday gift for Brazilian and global Web users.</em>”</div>
<div></div>
<div></div>
<div>Of course, the <em>Marco Civil</em> is not without its failings. Authors <a class="external-link" href="http://infojustice.org/archives/32527">say</a> that the data retention requirements imposed on connection and application providers, with leeway provided for law enforcement authorities to lengthen retention periods, are problematic. Moreover, the discussions surrounding data localization and a ‘walled-off’ Internet that protects against surveillance ignore the interoperability and openness that form the core of the Internet.</div>
<div></div>
<div></div>
<div>On the whole, though, the <em>Marco Civil</em> may be considered a victory, on many counts. It is possibly the first successful example of a national legislation that is the outcome of a broad, consultative process with civil society and other affected entities. It expressly affirms Brazil’s commitment to the protection of privacy and freedom of expression, as well as to Internet accessibility and the openness of the network. It aims to eliminate the possibility of private censorship online, while upholding privacy rights of users. It seeks to reduce the potential for abuse of personal data and communication by government authorities, by requiring judicial authorization for the same. In a world where warrantless government spying extends across national borders, such a provision is novel and desirable. One hopes that, when the global Internet community sits down at its various fora to identify and enumerate principles for Internet governance, it will look to the <em>Marco Civil</em> as an example of standards that governments may adhere to, and not necessarily resort to the lowest common denominator standards of international rights and protections.</div>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/marco-civil-da-internet'>https://cis-india.org/internet-governance/blog/marco-civil-da-internet</a>
</p>
No publisher | geetha | Privacy, Freedom of Speech and Expression, Data Protection, Net Neutrality, Internet Governance | 2014-06-19T10:38:10Z | Blog Entry