The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 21 to 35.
Making Voices Heard
https://cis-india.org/internet-governance/blog/making-voices-heard
<b>We are happy to announce the launch of our final report on the study ‘Making Voices Heard: Privacy, Inclusivity, and Accessibility of Voice Interfaces in India. The study was undertaken with support from the Mozilla Corporation.</b>
<p style="text-align: center; "><img src="https://cis-india.org/home-images/WebsiteHeader.jpg/@@images/8d8ed2a0-f0e4-44d7-8938-493b186402c5.jpeg" alt="Making Voices Heard" class="image-inline" title="Making Voices Heard" /></p>
<p style="text-align: justify; ">We believe that voice interfaces have the potential to democratise the use of the internet by addressing limitations related to reading and writing on digital text-only platforms and devices. This report examines the current landscape of voice interfaces in India, with a focus on concerns related to privacy and data protection, linguistic barriers, and accessibility for persons with disabilities (PwDs).</p>
<p style="text-align: justify; ">The report features a visual mapping of 23 voice interfaces and technologies publicly available in India, along with a literature survey, a policy brief towards development and use of voice interfaces and a design brief documenting best practices and users’ needs, both with a focus on privacy, languages, and accessibility considerations, and a set of case studies on three voice technology platforms. <span>Read and download the full report <a class="external-link" href="http://voice.cis-india.org/">here</a></span></p>
<hr />
<h3>Credits</h3>
<p><strong>Research</strong>: Shweta Mohandas, Saumyaa Naidu, Deepika Nandagudi Srinivasa, Divya Pinheiro, and Sweta Bisht.</p>
<p><strong>Conceptualisation, Planning, and Research Inputs</strong>: Sumandro Chattapadhyay, and Puthiya Purayil Sneha.</p>
<p><strong>Illustration</strong>: Kruthika NS (Instagram @theworkplacedoodler). Website Design Saumyaa Naidu. Website Development Sumandro Chattapadhyay, and Pranav M Bidare.</p>
<p><strong>Review and Editing</strong>: Puthiya Purayil Sneha, Divyank Katira, Pranav M Bidare, Torsha Sarkar, Pallavi Bedi, and Divya Pinheiro.</p>
<p><strong>Copy Editing</strong>: The Clean Copy</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/making-voices-heard'>https://cis-india.org/internet-governance/blog/making-voices-heard</a>
</p>
No publishershwetaVoice User InterfacePrivacyAccessibilityInternet GovernanceResearchFeaturedHomepage2022-06-27T16:18:36ZBlog EntryComments to the Draft National Health Data Management Policy 2.0
https://cis-india.org/internet-governance/blog/comments-to-the-draft-national-health-data-management-policy-2.0
<b>Anamika Kundu, Shweta Mohandas and Pallavi Bedi along with 9 other organizations / individuals drafted comments to the Draft National Health Data Management Policy 2.0. </b>
<p style="text-align: justify; ">This is a joint submission on behalf of (i) Access Now, (ii) Article 21, (iii) Centre for New Economic Studies, (iv) Center for Internet and Society, (v) Internet Freedom Foundation, (vi) Centre for Justice, Law and Society at Jindal Global Law School, (vii) Priyam Lizmary Cherian, Advocate, High Court of Delhi (ix) Swasti-Health Catalyst, (x) Population Fund of India.</p>
<p style="text-align: justify; ">At the outset, we would like to thank the National Health Authority (NHA) for inviting public comments on the draft version of the National Health Data Management Policy 2.0 (NDHMPolicy 2.0) (Policy) We have not provided comments to each section/clause, but have instead highlighted specific broad concerns which we believe are essential to be addressed prior tothe launch of NDHM Policy 2.0.</p>
<hr />
<p style="text-align: justify; ">Read on to <a href="https://cis-india.org/internet-governance/draft-national-health-management-policy" class="internal-link">view the full submission here</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comments-to-the-draft-national-health-data-management-policy-2.0'>https://cis-india.org/internet-governance/blog/comments-to-the-draft-national-health-data-management-policy-2.0</a>
</p>
No publisherAnamika Kundu, Shweta Mohandas and Pallavi BediHealth TechHealth ManagementInternet GovernanceHealthcare2022-05-24T16:06:15ZBlog EntryCCTVs in Public Spaces and the Data Protection Bill, 2021
https://cis-india.org/internet-governance/blog/rssr-anamika-kundu-digvijay-s-chaudhary-april-20-2022-cctvs-in-public-spaces-and-data-protection-bill-2021
<b>This article has been authored by Ms. Anamika Kundu, Research Assistant at the Centre for Internet and Society, and Digvijay S. Chaudhary, Researcher at the Centre for Internet and Society. This blog is a part of RSRR’s Blog Series on the Right to Privacy and the Legality of Surveillance, in collaboration with the Centre for Internet & Society.</b>
<p><span>The article by Anamika Kundu and Digvijay S. Chaudhary was originally </span><a class="external-link" href="https://rsrr.in/2022/04/20/cctv-surveillance-privacy/">published by RGNUL Student Research Review</a><span> on April 20, 2022</span></p>
<p><span><img src="https://cis-india.org/home-images/Surveillance.jpg/@@images/f8fad564-44ab-46e2-bd44-29607ea7fd19.jpeg" alt="Surveillance" class="image-inline" title="Surveillance" /></span></p>
<hr />
<h2>Introduction</h2>
<p style="text-align: justify; ">In recent times, Indian cities have seen an expansion of state deployed CCTV cameras. According to a recent report, in terms of CCTVs deployed, Delhi was considered as the most surveilled city in the world, surpassing even the most surveilled cities in China. Delhi was not the only Indian city in that list, Chennai and Mumbai also made it to the list. In Hyderabad as well, the development of a Command and Control Centre aims to link the city’s surveillance infrastructure in real-time. Even though studies have shown that there is little correlation between CCTVs and crime control, deployment of CCTV cameras has been justified on the basis of national security and crime deterrence. Such an activity brings about the collection and retention of audio-visual/visual information of all individuals frequenting spaces where CCTV cameras are deployed. This information could be used to identify them (directly or indirectly) based on their looks or other attributes. Potential risks associated with the misuse, and processing of such personal data also arise. These risks include large scale profiling, criminal abuse (law enforcement misusing CCTV information for personal gains), and discriminatory targeting (law enforcement disproportionately focusing on a particular group of people). As these devices capture personal data of individuals, this article seeks data protection safeguards available to data principals against CCTV surveillance employed by the State in a public space under the proposed Data Protection Bill, 2021 (the “DPB”).</p>
<h2>Safeguards Available Under the Data Protection Bill, 2021</h2>
<p style="text-align: justify; ">To use CCTV surveillance, the measures and compliance listed under the DPB have to be followed. Obligations of data fiduciaries available under Chapter II, such as consent (clause 11), notice requirement (clause 7), and fair and reasonable processing (clause 5) are common to all data processing entities for a variety of activities. Similarly, as the DPB follows the principles of data minimisation (clause 6), storage limitation (clause 9), purpose limitation (clause 5), lawful and fair processing (clause 4), transparency (clause 23), and privacy by design (clause 22), these safeguards too are common to all data processing entities/activities. If a data fiduciary processes personal data of children, it has to comply with the standards stated under clause 16.</p>
<p style="text-align: justify; ">Under the DPB, compliance differs on the basis of grounds and purpose of data processing. As such, if compliance standards differ, so do the availability of safeguards under the DPB. Of relevance to this article, there are three standards of compliance under the DPB wherein the standards of safeguards available to a data principal differ. First, cases which would fall under Chapter III and hence, not require consent. Chapter III lists grounds for processing of personal data without consent. Second, cases which would fall under exemption clauses in Chapter VIII. In such cases, the DPB or some of its provisions would be inapplicable. Clause 35 under Chapter VIII gives power to the Central Government to exempt any agency from the application of the DPB. Similarly, Clause 36 under Chapter VIII, exempts certain provisions for certain processing of personal data. Third, cases which would not fall under either of the above Chapters. In such cases, all safeguards available under the DPB would be available to the data principals. Consequently, safeguards available to data principals in each of these standards are different. We will go through each of these separately.</p>
<p style="text-align: justify; ">First, if the grounds of processing of CCTV information is such that it falls under the scope of Chapter III of the DPB, wherein the consent requirement is done away with, then in those cases, the notice requirement has to reflect such purpose, meaning that even if consent is not necessary for certain cases, other requirements under the DPB would still apply. Here, we must note that CCTV deployment by the state on such a large scale may be justified on the basis of conditions stated under clauses 12 and 14 of DPB – specifically, the condition for the performance of state function authorised by law, and public interest. The requirement under clause 12 of “authorised by law” simply means that the state function should have legal backing. Deployment of CCTVs is most likely to fall under clause 12 as various states have enacted legislations providing for CCTV deployment in the name of public safety. As a result, even if section 12 takes away the requirement of consent for certain cases, data principals should be able to exercise all rights accorded to them under the DPB (chapter V) except the right to data portability under clause 19.</p>
<p style="text-align: justify; ">Second, processing of personal data via CCTVs by government agencies could be exempted from DPB under clause 35 for certain cases under the clause. Another exemption that is particularly concerning with regard to the use of CCTVs is the exemption provided under clause 36(a). Section 36(a) says that the provisions of chapters II-VII would not apply where the data is processed in the interest of prevention, detection, investigation, and prosecution of any offence under the law. Chapters II-VII govern the obligations of data fiduciaries, grounds where consent would not be required, personal data of children, rights of data principals, transparency and accountability measures, and restrictions on transfer of personal data outside India respectively. In these cases, the requirement of fair and reasonable processing under clause 5 would also not apply. As a broad justification provided for CCTVs deployment by the government is crime control, it is possible that section 36(a) justification can be used to exempt the processing of CCTV footage from the above-mentioned safeguards.</p>
<p style="text-align: justify; ">From the above discussion, the following can be concluded. First, if the grounds of processing fall under Chapter III, then standards of fair and reasonable processing, notice requirement, and all rights except the right to data portability u/s 19 would be available to data principals. Second, if the grounds of processing fall under clause 36, then, in that case, consent requirement, notice requirement, and the rights under DPB would be unavailable as that section mandates the non-application of those chapters. In such a case, even the processing requirements of a fair and reasonable manner stand suspended. Third, if the grounds of processing of CCTV information doesn’t fall under Chapter III, then all obligations listed under Chapter II would have to be followed. Moreover, the data principal would be able to exercise all the rights available under Chapter V of the DPB.</p>
<h2>Constitutional Standards</h2>
<p style="text-align: justify; ">When the Supreme Court recognised privacy as a fundamental right in the case of Puttaswamy v. Union of India (“Puttaswamy”), it located the principles of informed consent and purpose limitation as central to informational privacy. It recognised that privacy inheres not in spaces but in an individual. It also recognised that privacy is not an absolute right and certain restrictions may be imposed on the exercise of the right. Before listing the constitutional standards that activities infringing privacy must adhere to, it’s important to answer whether there exists a reasonable expectation of privacy in CCTV footage deployed in a public space by the State?</p>
<p style="text-align: justify; ">In Puttaswamy, the court recognised that privacy is not denuded in public spaces. Writing for the plurality judgement, Chandrachud J. recognised that the notion of a reasonable expectation of privacy has elements both of a subjective and objective nature. Defining these concepts, he writes, “Privacy at a subjective level is a reflection of those areas where an individual desire to be left alone. On an objective plane, privacy is defined by those constitutional values which shape the content of the protected zone where the individual ought to be left alone…hence while the individual is entitled to a zone of privacy, its extent is based not only on the subjective expectation of the individual but on an objective principle which defines a reasonable expectation.” Note how in the above sentences, the plurality judgement recognises “a reasonable expectation” to be inherent in “constitutional values”. This is important as the meaning of what’s reasonable is to be constituted according to constitutional values and not societal norms. A second consideration that the phrase “reasonable expectation of privacy” requires is that an individual’s reasonable expectation is allied to the purpose for which the information is provided, as held in the case of Hyderabad v. Canara Bank (“Canara Bank”). Finally, the third consideration in defining the phrase is that it is context dependent. For example, in the case of In the matter of an application by JR38 for Judicial Review (Northern Ireland) 242 (2015) (link here), the UK Supreme Court was faced with a scenario where the police published the CCTV footage of the appellant involved in riotous behaviour. The question before the court was: “Whether the publication of photographs by the police to identify a young person suspected of being involved in riotous behaviour and attempted criminal damage can ever be a necessary and proportionate interference with that person’s article 8 [privacy] rights?” The majority held that there was no reasonable expectation of privacy in the case because of the nature of the criminal activity the appellant was involved in. However, the majority’s formulation of this conclusion was based on the reasoning that “expectation of privacy” was dependent on the “identification” purpose of the police. The court stated, “Thus, if the photographs had been published for some reason other than identification, the position would have been different and might well have engaged his rights to respect for his private life within article 8.1”. Therefore, as the purpose of publishing the footage was “identification” of the wrongdoer, the reasonable expectation of privacy stood excluded. The Canara Bank case was relied on by the SC in Puttaswamy. The plurality judgement in Puttaswamy also quoted the above paragraphs from the UK Supreme Court judgement.</p>
<p style="text-align: justify; ">Finally, the SC in the Aadhaar case, laid down the factors of “reasonable expectation of privacy.” Relying on those factors, the Supreme Court observed that demographic information and photographs do not raise a reasonable expectation of privacy. It further held that face photographs for the purpose of identification are not covered by a reasonable expectation of privacy. As this author has recognised, the majority in the Aadhaar case misconstrued the “reasonable expectation of privacy” to lie not in constitutional values as held in Puttaswamy but in societal norms. Even with the misapplication of the Puttaswamy principles by the majority in Aadhaar, it is clear that the exclusion of a “reasonable expectation of privacy” in face photographs is valid only for the purpose of “identification”. For purposes other than “identification”, there should exist a reasonable expectation of privacy in CCTV footage. Having recognised the existence of “reasonable expectation of privacy” in CCTV footage, let’s see how the safeguards mentioned under the DPB stand the constitutional standards of privacy laid down in Puttaswamy.</p>
<p style="text-align: justify; ">The bench in Puttaswamy located privacy not only in Article 21 but the entirety of part III of the Indian Constitution. Where transgression to privacy relates to different provisions under Part III, the tests evolved under those Articles would apply. Puttaswamy recognised that national security and crime control are legitimate state objectives. However, it also recognised that any limitation on the right must satisfy the proportionality test. The proportionality test requires a legitimate state aim, rational nexus, necessity, and balancing of interests. Infringement on the right to privacy occurs under the first and second standard. The first requirement of proportionality stands justified as national security and crime control have been recognised to be legitimate state objectives. However, it must be noted that the EU Guidelines on Processing of Personal Data through video devices state that the mere purpose of “safety” or “for your safety” is not sufficiently specific and is contrary to the principle that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. The second requirement is a rational nexus. As stated above, there is little correlation between crime control and surveillance measures. Even if the state justifies a rational nexus between state aim and the action employed, it is the necessity part of the proportionality test where the CCTV surveillance measures fail (as explained by this author). Necessity requires us to draw a list of alternatives and their impact on an individual, and then do a balancing analysis with regard to the alternatives. Here, judicial scrutiny of the exemption order under clause 35 is a viable alternative that respects individual rights while at the same time, not interfering with the state’s aim.</p>
<h2>Conclusion</h2>
<p style="text-align: justify; ">Informed consent and purpose limitation were stated to be central principles of informational privacy in Puttaswamy. Among the three standards we identified, the principles of informed consent and purpose limitation remain available only in the third standard. In the first standard, even though the requirement of consent has become unavailable, the principle of purpose limitation would still be applicable to the processing of such data. The second standard is of particular concern wherein neither of those principles is available to data principals. It is worth mentioning here that in large scale monitoring activities such as CCTV surveillance, the safeguards which the DPB lists out would inevitably have an implementation flaw. The reason is that in scenarios where individuals refuse consent for large scale CCTV monitoring, what alternatives would the government offer to those individuals? Practically, CCTV surveillance would fall under clause 12 standards where consent would not be required. Even in those cases, would the notice requirement safeguard be diminished to “you are under surveillance” notices? When we talk about exercise of rights available under the DPB, how would an individual effectively exercise their right when the data processing is not limited to a particular individual? These questions arise because the safeguards under the DPB (and data protection laws in general) are based on individualistic notions of privacy. Interestingly, individual use cases of CCTVs have also increased with an increase in state use of CCTVs. Deployment of CCTVs for personal or domestic purposes would be exempt from the above-mentioned compliances as that would fall under the exemption provision of clause 36(d). Two additional concerns arise in relation to processing of data concerning CCTVs – the JPC report’s inclusion of Non-Personal Data (“NPD”) within the ambit of DPB, and the government’s plan to develop a National Automated Facial Recognition System (“AFRS”). A significant part of the data collected by CCTVs would fall within the ambit of NPD.With the JPC’s recommendation, it will be interesting to follow the processing standards for NPD under the DPB. AFRS has been imagined as a national database of photographs gathered from various agencies to be used in conjunction with facial recognition technology. The use of facial recognition technology with CCTV cameras raises concerns surrounding biometric data, and risks of large scale profiling. Indeed, section 27 of the DPB reflects this risk and mandates a data protection impact assessment to be undertaken by the data fiduciary with respect to processing involving new technologies or large scale profiling or use of biometric data by such technologies, however the DPB does not define what “new technology” means. Concerns around biometric data are outside the scope of the present article, however, it would be interesting to look at how the use of facial recognition technology with CCTVs could impact the safeguards under DPB.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/rssr-anamika-kundu-digvijay-s-chaudhary-april-20-2022-cctvs-in-public-spaces-and-data-protection-bill-2021'>https://cis-india.org/internet-governance/blog/rssr-anamika-kundu-digvijay-s-chaudhary-april-20-2022-cctvs-in-public-spaces-and-data-protection-bill-2021</a>
</p>
No publisherAnamika Kundu and Digvijay S ChaudharyInternet GovernanceData ProtectionPrivacy2022-04-28T02:29:42ZBlog EntryRethinking Acquisition of Digital Devices by Law Enforcement Agencies
https://cis-india.org/internet-governance/blog/rethinking-acquisition-of-digital-devices-by-law-enforcement-agencies
<b>This article has been selected as a part of The Right to Privacy and the Legality of Surveillance series organized in collaboration with the RGNUL Student Research Review (RSRR) Journal.</b>
<p>Read the article originally published in <a class="external-link" href="https://rsrr.in/blog/">RGNUL Student Research Review (RSRR) Journal </a></p>
<hr />
<p><strong>Abstract</strong></p>
<p style="text-align: justify;">The Criminal Procedure Code was created in the 1970s when the concept of the right to privacy was highly unacknowledged. Following the <em>Puttuswamy</em> <em>I </em>(2017) judgement of the Supreme Court affirming the right to privacy, these antiquated codes must be re-evaluated. Today, the police can acquire digital devices through summons and gain direct access to a person’s life, despite the summons mechanism having been intended for targeted, narrow enquiries. Once in possession of a device, the police attempt to circumvent the right against self-incrimination by demanding biometric passwords, arguing that the right does not cover biometric information . However, due to the extent of information available on digital devices, courts ought to be cautious and strive to limit the power of the police to compel such disclosures, taking into consideration the <em>right to privacy</em> judgement.</p>
<p><strong>Keywords: </strong>Privacy, Criminal Procedural Law, CrPc, Constitutional Law</p>
<p><strong>Introduction<em></em></strong></p>
<p style="text-align: justify;">New challenges confront the Indian criminal investigation framework, particularly in the context of law enforcement agencies (LEAs) acquiring digital devices and their passwords. Criminal procedure codes delimiting police authority and procedures were created before the widespread use of digital devices and are no longer pertinent to the modern age due to the magnitude of information available on a single device. A single device could provide more information to LEAs than a complete search of a person’s home; yet, the acquisition of a digital device is not treated with the severity and caution it deserves. Following the affirmation of the right to privacy in <em>Puttuswamy I </em>(2017), criminal procedure codes must be revamped, taking into consideration that the acquisition of a person’s digital device constitutes a major infringement on their right to privacy.</p>
<p><strong>Acquisition of digital devices by LEAs through summons</strong></p>
<p style="text-align: justify;"><a href="https://www.indiacode.nic.in/bitstream/123456789/15272/1/the_code_of_criminal_procedure%2C_1973.pdf">Section 91 of the Criminal Procedure Code</a> (CrPc) grants powers to a court or police officer in charge of a police station to compel a person to produce any form of document or ‘thing’ necessary and desirable to a criminal investigation. In <a href="https://indiankanoon.org/doc/1395576/"><em>Rama Krishna v State</em></a>,<em> </em>‘necessary’ and ‘desirable’ have been interpreted as any piece of evidence relevant to the investigation or a link in the chain of evidence. <a href="https://deliverypdf.ssrn.com/delivery.php?ID=040088020003014069081068085012117023096031065012091090091115088031084097097081123000002033027047006112028087095120074083084003037094022080065067076089116106115025106025062083007085091067067124080091064096069093075026018100087109120024076084123086119022&EXT=pdf&INDEX=TRUE">Abhinav Sekhri</a>, a criminal law litigator and writer, has argued that the wide wording of this section allows summons to be directed towards the retrieval of specific digital devices.</p>
<p style="text-align: justify;">As summons are target-specific, the section has minimal safeguards. However, several issues arise in the context of summons regarding digital devices. In the current day, access to a user’s personal device can provide comprehensive insight into their life and personality due to the vast amounts of private and personal information stored on it. In <a href="https://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf"><em>Riley v California</em></a>, the Supreme Court of the United States (SCOTUS) observed that due to the nature of the content present on digital devices, summons for them are equivalent to a roving search, i.e., demanding the simultaneous production of all contents of the home, bank records, call records, and lockers. The <em>Riley</em> decision correctly highlights the need for courts to recognise that digital devices ought to be treated distinctly compared to other forms of physical evidence due to the repository of information stored on digital devices.</p>
<p style="text-align: justify;">The burden the state must surpass in order to issue summons is low as the relevancy requirement is easily provable. As noted in <a href="https://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf"><em>Riley</em></a>, police must identify which evidence on a device is relevant. Due to the sheer amount of data on phones, it is very easy for police to claim that there will surely be some form of connection between the content on the device and the case. Due to the wide range of offences available for Indian LEAs to cite, it is easy for them to argue that the content on the device is relevant to any number of possible offences. LEAs rarely face consequences for slamming the accused with a huge roster of charges – even if many of them are baseless – leading to the system being prone to abuse. The Indian Supreme Court in its judgement in <a href="https://indiankanoon.org/doc/1068532/"><em>Canara Bank</em></a> noted that the burden of proof must be higher for LEAs when investigations violate the right to privacy. <a href="https://www.ijlt.in/_files/ugd/066049_03e4a2b28a5e49f6a59b861aa4554ede.pdf">Tarun Krishnakumar</a> notes that the trickle-down effect of <em>Puttuswamy I</em> will lead to new privacy challenges with regards to a summons to appear in court. <em>Puttuswamy I</em>, will provide the bedrock and constitutional framework, within which future challenges to the criminal process will be undertaken. It is important for the court to recognise the transformative potential within the <a href="https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf"><em>Puttuswamy</em></a> judgement to help ensure that the right to privacy of citizens is safeguarded. The colonial logic of policing – wherein criminal procedure law was merely a tool to maximise the interest of the state at the cost of the people – must be abandoned. Courts ought to devise a framework under Section 91 to ensure that summons are narrowly framed to target specific information or content within digital devices. Additionally, the digital device must be collected following a judicial authority issuing the summons and not a police authority. Prior judicial warrants will require LEAs to demonstrate their requirement for the digital device; on estimating the impact on privacy, the authority can issue a suitable summons. Currently, the only consideration is if the item will furnish evidence relevant to the investigation; however, judges ought to balance the need for the digital device in the LEA’s investigation with the users’ right to privacy, dignity, and autonomy.</p>
<p style="text-align: justify;"><a href="https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf"><em>Puttuswamy I</em></a><em> </em>provides a triple test encompassing legality, necessity, and proportionality to test privacy claims. Legality requires that the measure be prescribed by law, necessity analyses if it is the least restrictive means being adopted by the state, and proportionality checks if the objective pursued by the measure is proportional to the degree of infringement of the right. The relevance standard, as mentioned before, is inadequate as it does not provide enough safeguards against abuse. The police can issue summons based on the slightest of suspicions and thus get access to a digital device, following which they can conduct a roving enquiry of the device to find evidence of any other offence, unrelated to the original cause of suspicion.</p>
<p style="text-align: justify;">Unilateral police summons of digital devices cannot pass the triple test as it is grossly disproportionate and lacks any form of safeguard against the police. The current system has no mechanism for overseeing the LEAs; as long as LEAs themselves are of the view that they require the device, they can acquire it. In <a href="https://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf"><em>Riley</em></a>, SCOTUS has already held that warrantless seizure of digital devices constitutes a violation of the right to privacy. India ought to also adopt a requirement of a prior judicial warrant for the procurement of devices by LEAs. A re-imagined criminal process would have to abide by the triple test in particular proportionality wherein the benefit claimed by the state ought not to be disproportionate to the impact on the fundamental right to privacy; and further, a framework must be proposed to provide safeguards against abuse.</p>
<p><strong>Compelling the production of passwords of devices</strong></p>
<p style="text-align: justify;">In police investigations, gaining possession of a physical device is merely the first step in acquiring the data on the device, as the LEAs still require the passcodes needed to unlock the device. LEAs compelling the production of passcodes to gain access to potentially incriminating data raises obvious questions regarding the right against self-incrimination; however, in the context of digital devices, several privacy issues may crop up as well.</p>
<p style="text-align: justify;">In <a href="https://main.sci.gov.in/judgment/judis/4157.pdf"><em>Kathi Kalu Oghad</em></a>, the SC held that compelling the production of fingerprints of an accused person to compare them with fingerprints discovered by the LEA in the course of their investigation does not violate the right to protection against self-incrimination of the accused. <a href="https://lawschoolpolicyreview.com/2019/10/16/biometrics-as-passwords-the-slippery-scope-of-self-incrimination/">It has been argued</a> that the ratio in the judgement prohibits the compelling of disclosure of passwords and biometrics for unlocking devices because <a href="https://main.sci.gov.in/judgment/judis/4157.pdf"><em>Kathi Kalu Oghad</em></a> only dealt with the production of fingerprints in order to compare the fingerprints with pre-existing evidence, as opposed to unlocking new evidence by utilising the fingerprint. However, the judgement deals with self-incrimination and does not address any privacy issues.</p>
<p style="text-align: justify;">The right against self-incrimination approach alone may not be enough to resolve all concerns. Firstly, there may be varying levels of protection provided to different forms of password protections on digital devices; text- and pattern-based passcodes are inarguably protected under Art. 20(3) of the Constitution. However, the protection of biometrics-based passcodes relies upon the correct interpretation of the <a href="https://main.sci.gov.in/judgment/judis/4157.pdf"><em>Kathi Kalu Oghad</em></a> precedent. Secondly, Art. 20(3) only protects the accused in investigations and not when non-accused digital devices are acquired by LEAs and the passcodes of the devices demanded.</p>
<p style="text-align: justify;">Therefore, considering the aforementioned points, it is pertinent to remember that the right against self-incrimination does not exist in a vacuum separate from privacy. It originates from the concept of decisional autonomy – the right of individuals to make decisions about matters intimate to their life without interference from the state and society. <a href="https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf"><em>Puttuswamy I</em></a> observed that decisional autonomy is the bedrock of the right to privacy, as privacy allows an individual to make these intimate decisions away from the glare of society and/or the state. This has heightened importance in this context as interference with such autonomy could lead to the person in question facing criminal prosecution. The SC in <a href="https://main.sci.gov.in/jonew/judis/36303.pdf"><em>Selvi v Karnataka</em></a><em> </em>and <a href="https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf"><em>Puttuswamy I</em></a> has repeatedly affirmed that the right against self-incrimination and the right to privacy are linked concepts, with the court observing that the right to remain silent is an integral aspect of decisional autonomy.</p>
<p style="text-align: justify;">In <a href="http://karnatakajudiciary.kar.nic.in:8080/repository/rep_judgmentcase.php"><em>Virendra Khanna</em></a>, the Karnataka High Court (HC) dealt with the privacy and self-incrimination concerns caused by LEAs compelling the disclosure of passwords. The HC brushes aside concerns related to privacy by noting that the right to privacy is not absolute and that an exception to the right to privacy is state interest and protection of law and order (para 5.11), and that unlawful disclosure of material to third parties could be an actionable wrong (para 15). The court’s interpretation of privacy effectively provides a free pass for the police to interfere with the right to privacy under the pretext of a criminal investigation. This conception of privacy is inadequate as the issue of proportionality is avoided, and the court does not attempt to ensure that the interference is proportionate with the outcome.</p>
<p style="text-align: justify;">US courts also see the compelling of production of passcodes as an issue of self-incrimination as well as privacy. In its judgement in <a href="https://casetext.com/case/in-re-application-for-a-search-warrant?__cf_chl_f_tk=lTxiJpZIvKfkIBtGQJtMObSmqhdRUZdjGk5hXeMfprQ-1642253001-0-gaNycGzNCJE"><em>Application for a Search Warrant</em></a>, a US court observed that compelling the disclosure of passcodes existed at an intersection of the right to privacy and self-incrimination; the right against self-incrimination serves to protect the privacy interests of suspects.</p>
<p style="text-align: justify;">Disclosure of passwords to digital devices amounts to an intrusion of the privacy of the suspect as the collective contents on the digital device effectively amount to providing LEAs with a method to observe a person’s mind and identity. Police investigative techniques cannot override fundamental rights and must respect the personal autonomy of suspects – particularly, the choice between silence and speech. Through the production of passwords, LEAs can effectively get a snapshot of a suspect’s mind. This is analogous to the polygraph and narco-analysis test struck down as unconstitutional by the SC in <a href="https://main.sci.gov.in/jonew/judis/36303.pdf"><em>Selvi</em></a> as it violates decisional autonomy.</p>
<p style="text-align: justify;">As <a href="https://theproofofguilt.blogspot.com/2021/03/mobile-phones-and-criminal.html">Sekhri</a> noted, a criminal process that reflects the aspirations of the <em>Puttuswamy </em>judgement would require LEAs to first explain with reasonable detail the material which they wish to find in the digital devices. Secondly, they must provide a timeline for the investigation to ensure that individuals are not subjected to inexhaustible investigations with police roving through their devices indefinitely. Thirdly, such a criminal process must demand, a higher burden to be discharged from the state if the privacy of the individual is infringed upon. These aspirations should form the bedrock of a system of judicial warrants that LEAs ought to be required to comply with if they wish to compel the disclosure of passwords from individuals. The framework proposed above is similar to the <a href="http://karnatakajudiciary.kar.nic.in:8080/repository/rep_judgmentcase.php"><em>Virendra Khanna</em></a><em> </em>guidelines, as they provide a system of checks and balances that ensure that the intrusion on privacy is carried out proportionately; additionally, it would require LEAs to show a real requirement to demand access to the device. The independent eyes of a judicial magistrate provide a mechanism of oversight and a check against abuse of power by LEAs.</p>
<p><strong>Conclusion</strong></p>
<p style="text-align: justify;">The criminal law apparatus is the most coercive power available to the state, and, therefore, privacy rights will become meaningless unless they can withstand it. Several criminal procedures in the country are rooted in colonial statutes, where the rights of the populace being policed were never a consideration; hence, a radical shift is required. However, post-1947 and <em>Puttuswamy</em>, the ignorance and refusal to submit to the rights of the population can no longer be justified and significant reformulation is necessary to guarantee meaningful protections to device owners. There is a need to ensure that the rights of individuals are protected, especially when the motivation for their infringement is the supposed noble intentions of the criminal justice system. Failing to defend the right to privacy in these moments would be an invitation for allowing the power of the state to increase and inevitably become absolute.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/rethinking-acquisition-of-digital-devices-by-law-enforcement-agencies'>https://cis-india.org/internet-governance/blog/rethinking-acquisition-of-digital-devices-by-law-enforcement-agencies</a>
</p>
No publisherHarikartik RameshSurveillanceInternet GovernancePrivacy2022-05-02T09:27:54ZBlog EntryComments to the draft Motor Vehicle Aggregators Scheme, 2021
https://cis-india.org/internet-governance/blog/comments-to-the-draft-motor-vehicle-aggregators-scheme-2021
<b>This submission presents a response by researchers at the Centre for Internet and Society, India (CIS) to the draft Motor Vehicle Aggregators Scheme, 2021 published by the Transport Department, Government of National Capital Territory of Delhi, (hereafter “draft Scheme”).</b>
<p style="text-align: justify; "><span>CIS, established in Bengaluru in 2008 as a non-profit organisation, undertakes interdisciplinary research on internet and digital technologies from public policy andacademic perspectives. Through its diverse initiatives, CIS explores, intervenes in, and advances contemporary discourse and regulatory practices around internet, technology,and society in India, and elsewhere.</span></p>
<p style="text-align: justify; "><span>CIS is grateful for the opportunity to submit its comments to the draft Scheme. Please find below our thematically organised comments.</span></p>
<hr />
<p><a style="text-align: justify; " href="https://cis-india.org/internet-governance/comments-draft-motor-vehicle-aggregators-scheme.pdf" class="internal-link"><strong>Click here</strong></a><span style="text-align: justify; "> to read more.</span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comments-to-the-draft-motor-vehicle-aggregators-scheme-2021'>https://cis-india.org/internet-governance/blog/comments-to-the-draft-motor-vehicle-aggregators-scheme-2021</a>
</p>
No publisherChiara Furtado, Aayush Rathi and Abhishek SekharanMotor VehicleInternet GovernancePrivacy2022-04-01T15:25:06ZBlog EntryPersonal Data Protection Bill must examine data collection practices that emerged during pandemic
https://cis-india.org/internet-governance/blog/news-nine-shweta-mohandas-and-anamika-kundu-personal-data-protection-bill-must-examine-data-collection-practices-that-emerged-during-pandemic
<b>The PDP bill is speculated to be introduced during the winter session of the parliament soon. The PDP Bill in its current form provides wide-ranging exemptions which allow government agencies to process citizen’s data in order to fulfil its responsibilities. The bill could ensure that employers have some responsibility towards the data they collect from the employees.
</b>
<p>The article by Shweta Mohandas and Anamika Kundu was <a class="external-link" href="https://www.news9live.com/technology/personal-data-protection-bill-must-examine-data-collection-practices-that-emerged-during-pandemic-137031?infinitescroll=1">originally published by <strong>news nine</strong></a> on November 29, 2021.</p>
<hr />
<p style="text-align: justify; ">The Personal Data Protection Bill (PDP) is speculated to be introduced during the winter session of the parliament soon, and the report of the Joint Parliamentary Committee (JPC) has already been <a class="external-link" href="https://www.thehindu.com/news/national/parliamentary-panel-retains-controversial-exemption-clause-in-personal-data-protection-bill/article37633344.ece">adopted</a> by the committee on Monday. The Report of the JPC comes after almost two years of deliberation and secrecy over how the final version of the Personal Data Protection Bill will be. Since the publication of the <a class="external-link" href="https://prsindia.org/files/bills_acts/bills_parliament/2019/Personal%20Data%20Protection%20Bill,%202019.pdf">2019 version</a> of the PDP Bill, the Covid 19 pandemic and the public safety measures have opened the way for a number of new organisations and reasons to collect personal data that was non-existent in 2019. Hence along with changes that have been suggested by multiple civil society organisations, the dissent notes submitted by the members of the JPC, the new version of the PDP Bill must also look at how data processing has changed over the span of two years.</p>
<h3 style="text-align: justify; ">Concerns with the bill</h3>
<p style="text-align: justify; ">At the outset there are certain parts of the PDP Bill which need to be revised in order to uphold the spirit of privacy and individual autonomy laid out in the Puttaswamy judgement. The two sections that need to be in line with the privacy judgement are the ones that allow for non consensual processing of data by the government, and by employers. The PDP Bill in its current form provides wide-ranging exemptions which allow government agencies to process citizen's data in order to fulfil its <a class="external-link" href="https://www.livemint.com/news/india/big-brother-on-top-in-data-protection-bill-11576164271430.html">responsibilities</a>.</p>
<p style="text-align: justify; ">In the <a class="external-link" href="https://www.meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf">2018 version</a> of bill, drafted by the Justice Srikrishna Committee exemptions granted to the State with regard to processing of data was subject to a four pronged test which required the processing to be (i) authorised by law; (ii) in accordance with the procedure laid down by the law; (iii) necessary; and (iv) proportionate to the interests being achieved. This four pronged test was in line with the principles laid down by the Supreme Court in the Puttaswamy judgement. The 2019 version of the PDP Bill has diluted this principle by merely retaining the 'necessity principle' and removing the other requirements which is not in consonance with the test laid down by the Supreme Court in Puttaswamy.</p>
<p style="text-align: justify; ">Section 35 was also widely discussed in the panel meetings where members had <a class="external-link" href="https://www.thehindu.com/news/national/parliamentary-panel-retains-controversial-exemption-clause-in-personal-data-protection-bill/article37633344.ece">argued</a> the removal of 'public order' as a ground for exemption. The panel also insisted for '<a class="external-link" href="https://www.thehindu.com/news/national/parliamentary-panel-retains-controversial-exemption-clause-in-personal-data-protection-bill/article37633344.ece">judicial or parliamentary oversight</a>' to grant such exemptions. The final report did not accept these suggestions stating a need to balance <a class="external-link" href="https://www.thehindu.com/news/national/parliamentary-panel-retains-controversial-exemption-clause-in-personal-data-protection-bill/article37633344.ece">national security, liberty and privacy</a> of an individual. There ought to be prior judicial review of the written order exempting the governmental agency from any provisions of the bill. Allowing the government to claim an exemption if it is satisfied to be "necessary or expedient" can be misused.</p>
<p style="text-align: justify; ">Another clause which gives the data principal a wide berth is with respect to employee data Section 13 of the current version of the bill provides the employer with a leeway into processing employee data (other than sensitive personal data) without consent based on two grounds: when consent is not appropriate, or when obtaining consent would involve disproportionate effort on the part of the employer.</p>
<p style="text-align: justify; ">The personal data so collected can only be collected for recruitment, termination, attendance, provision of any service or benefit, and assessing performance. This covers almost all of the activities that require data of the employee. Although the 2019 version of the bill excludes non-consensual collection of sensitive personal data (a provision that was missing in the 2018 version of the bill), there is still a lot of scope to improve this provision and provide employees further right to their data. At the outset the bill does not define employee and employer, which could result in confusion as there is no one definition of these terms across Indian Labour Laws.</p>
<p style="text-align: justify; ">Additionally, the bill distinguishes between employee and consumer, where the consumer of the same company or service has a greater right to their data than an employee. In the sense that the consumer as a data principal has the option to use any other product or service and also has the right to withdraw consent at any time, in the case of an employee the consequence of refusing consent or withdrawing consent would be being terminated from the employment. It is understood that there is a requirement for employee data to be collected, and that consent does not work the same way as it does in the case of a consumer.</p>
<p style="text-align: justify; ">The bill could ensure that employers have some responsibility towards the data they collect from the employees, such as ensuring that they are only used for the purpose for which they were collected, the employee knows how long their data will be retained, and know if the data is being processed by third parties. It is also worth mentioning that the Indian government is India's largest employer spanning a variety of agencies and public enterprises.</p>
<h3 style="text-align: justify; ">Concerns highlighted by JPC Members</h3>
<p style="text-align: justify; ">Going back to the few members of the JPC who have moved dissent notes, specifically with regard to governmental exemptions. Jairam Ramesh filed a <a href="https://www.news9live.com/india/parliament-panel-adopts-report-on-data-protection-amid-dissent-by-opposition-135591">dissent note</a>, to which many other opposition members followed suit. While Jairam Ramesh praised the JPC's functioning, he disagreed with certain aspects of the Report. According to him, the 2019 bill is designed in a manner where the right to privacy is given importance only in cases of private activities. He raised concerns regarding the unbridled powers given to the government to exempt itself from any of the provisions.</p>
<p style="text-align: justify; ">The amendment suggested by him would require parliamentary approval before exemption would take place. He also added that Section 12 of the bill which provided certain scenarios where consent was not needed for processing of personal data should have been made '<a href="https://www.hindustantimes.com/india-news/mps-file-dissent-notes-over-glaring-lacunae-in-report-on-data-protection-bill-101637566365637.html">less sweeping</a>'. Similarly, Gaurav Gogoi's <a href="https://www.hindustantimes.com/india-news/mps-file-dissent-notes-over-glaring-lacunae-in-report-on-data-protection-bill-101637566365637.html">note</a> stated that the exemptions would create a surveillance state and similarly criticised Section 12 and 35 of the bill. He also mentioned that there ought to be parliamentary oversight for the exemptions provided in the bill.</p>
<p style="text-align: justify; ">On the same issue, Congress leader Manish Tiwari noted that the bill creates '<a href="https://timesofindia.indiatimes.com/business/india-business/personal-data-protection-bill-what-is-it-and-why-is-the-opposition-so-unhappy-with-it/articleshow/87869391.cms">parallel universes</a>' - one for the private sector which needs to be compliant and the other for the State which can exempt itself. He has opposed the entire bill stating there exists an "inherent design flaw". He has raised specific objections to 37 clauses and stated that any blanket exemptions to the state goes against the Puttaswamy Judgement.</p>
<p style="text-align: justify; ">In their joint <a href="https://www.news9live.com/india/tmc-congress-mps-submit-dissent-notes-to-joint-panel-on-personal-data-protection-bill-135491">dissent note</a>, Derek O'Brien and Mahua Mitra have said that there is a lack of adequate safeguards to protect the data principals' privacy and the lack of time and opportunity for stakeholder consultations. They have also pointed out that the independence of the DPA will cease to exist with the present provision of allowing the government powers to choose members and the chairman. Amar Patnaik is to object to the lack of inclusion of state level authorities in the bill. Without such bodies, he says, there would be federal override.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">While a number of issues were highlighted by civil society, the members of the JPC, and the media, the new version of the bill should also need to take into account the shifts that have taken place in view of the pandemic. The new version of the data protection bill should take into consideration the changes and new data collection practices that have emerged during the pandemic, be comprehensive and leave very little provisions to be decided later by the Rules.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/news-nine-shweta-mohandas-and-anamika-kundu-personal-data-protection-bill-must-examine-data-collection-practices-that-emerged-during-pandemic'>https://cis-india.org/internet-governance/blog/news-nine-shweta-mohandas-and-anamika-kundu-personal-data-protection-bill-must-examine-data-collection-practices-that-emerged-during-pandemic</a>
</p>
No publisherShweta Mohandas and Anamika KunduInternet GovernanceData ProtectionPrivacy2022-03-30T15:15:21ZBlog EntryNothing to Kid About – Children's Data Under the New Data Protection Bill
https://cis-india.org/internet-governance/blog/ijlt-shweta-mohandas-and-anamika-kundu-march-6-2022-nothing-to-kid-about-childrens-data-under-the-new-data-protection-bill
<b>The pandemic has forced policymakers to adapt their approach to people's changing practices, from looking at contactless ways of payment to the shifting of educational institutions online.</b>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">The article was originally <a class="external-link" href="https://www.ijlt.in/post/nothing-to-kid-about-children-s-data-under-the-new-data-protection-bill">published in the Indian Journal of Law and Technology</a></p>
<hr />
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">For children, the internet has shifted from being a form of entertainment to a medium to connect with friends and seek knowledge and education. However, each time they access the internet, data about them and their choices are inadvertently recorded by companies and unknown third parties. The growth of EdTech apps in India has led to growing concerns regarding children's data privacy. This has led to the creation of a <a class="_1lsz7 _3Bkfb" href="https://economictimes.indiatimes.com/tech/startups/edtech-firms-work-to-get-communication-right-with-the-asci/articleshow/89082308.cms" rel="noopener noreferrer" target="_blank">self-regulatory</a> body, the Indian EdTech Consortium. More recently, the <a class="_1lsz7 _3Bkfb" href="https://economictimes.indiatimes.com/tech/startups/edtech-firms-work-to-get-communication-right-with-the-asci/articleshow/89082308.cms" rel="noopener noreferrer" target="_blank">Advertising Standard Council of India</a><span class="_3zM-5"> has </span>also started looking at passing a draft regulation to keep a check on EdTech advertisements.</p>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">The Joint Parliamentary Committee (JPC), tasked with drafting and revising the Data Protection Bill, had to consider the number of changes that had happened after the release of the 2019 version of the Bill. While the most significant change was the removal of the term “personal data” from the title of the Bill, in a move to create a comprehensive Data Protection Bill that includes both personal and non personal data. Certain other provisions of the Bill also featured additions and removals. The JPC, in its revised version of the Bill has removed an entire class of <a class="_1lsz7 _3Bkfb" href="https://prsindia.org/billtrack/the-personal-data-protection-bill-2019#:~:text=Obligations%20of%20data%20fiduciary%3A%20A,specific%2C%20clear%20and%20lawful%20purpose" rel="noopener noreferrer" target="_blank">data fiduciaries</a> – guardian data fiduciary – which was tasked with greater responsibility for managing children's data. While the JPC justified the removal of the guardian data fiduciary stating that consent from the guardian of the child is enough to meet the end for which personal data of children are processed by the data fiduciary. While thought has been given to looking at how consent is given by the guardian on behalf of the child, there was no change in the age of children in the Bill. Keeping the age of consent under the Bill as the same as the age of majority to enter into a contract under the 1872 Indian Contract Act – 18 years – reveals the disconnect the law has with the ground reality of how children interact with the internet.</p>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">In the current state of affairs where Indian children are navigating the digital world on their own there is a need to look deeply at the processing of children’s data as well as ways to ensure that children have information about consent and informational privacy. By placing the onus of granting consent on parents, the PDP Bill fails to look at how consent works in a privacy policy–based consent model and how this, in turn, harms children in the long run.</p>
<h3 class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d aujbK _3M0Fe _1FoOD iWv3d _1j-51 mm8Nw">1. Age of Consent</h3>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">By setting the age of consent as 18 years under the Data Protection Bill, 2021, it brings all individuals under 18 years of age under one umbrella without making a distinction between the internet usage of a 5-year-old child and a 16-year-old teenager. There is a need to look at the current internet usage habits of children and assess whether requiring parental consent is reasonable or even practical. It is also pertinent to note that the law in the offline world does make the distinction between age and maturity. For example, it has been <a class="_1lsz7 _3Bkfb" href="https://cis-india.org/internet-governance/blog/pallavi-bedi-and-shweta-mohandas-cis-comments-on-data-protection-bill" rel="noopener noreferrer" target="_blank">highlighted</a> that Section 82 of the Indian Penal Code, read with Section 83, states that any act by a child under the age of 12 years shall not be considered an offence, while the maturity of those aged between 12–18 years will be decided by the court (individuals between the age of 16–18 years can also be tried as adults for heinous crimes). Similarly, child labour laws in the country allow children above the age of 14 years to work in non-hazardous industries, which would qualify them to fall under Section 13 of the Bill, which deals with employee data.</p>
<p style="text-align: justify; "><span>A 2019 </span><a class="_1lsz7 _3Bkfb" href="https://reverieinc.com/wp-content/uploads/2020/09/IAMAI-Digital-in-India-2019-Round-2-Report.pdf" rel="noopener noreferrer" target="_blank">report</a><span> suggests that two-thirds of India’s internet users are in the 12–29 years age group, accounting for about 21.5% of the total internet usage in metro cities. With the emergence of cheaper phones equipped with faster processing and low internet data costs, children are no longer passive consumers of the internet. They have social media accounts and use several applications to interact with others and make purchases. There is a need to examine how children and teenagers interact with the internet as well as the practicality of requiring parental consent for the usage of applications.</span></p>
<p style="text-align: justify; "><span>Most applications that require age data request users to type in their date of birth; it is not difficult for a child to input a suitable date that would make it appear that they are </span><a class="_1lsz7 _3Bkfb" href="https://www.theguardian.com/media/2013/jul/26/children-lie-age-facebook-asa" rel="noopener noreferrer" target="_blank">over 18</a><span>. In this case they are still children but the content that will be presented to them would be those that are meant for adults including content that might be disturbing or those involving use of </span><a class="_1lsz7 _3Bkfb" href="https://www.theguardian.com/media/2013/jul/26/children-lie-age-facebook-asa" rel="noopener noreferrer" target="_blank">alcohol and gambling. </a><span>Additionally, in their privacy policies, applications sometimes state that they are not suited for and restricted from users under 18. Here, data fiduciaries avoid liability by placing the onus on the user to declare their age and properly read and understand the privacy policy.</span></p>
<p style="text-align: justify; "><span>Reservations about the age of consent under the Bill have also been highlighted by some members of the JPC through their dissenting opinions. </span><a class="_1lsz7 _3Bkfb" href="http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf#page=221" rel="noopener noreferrer" target="_blank">MP Ritesh Pandey </a><span>suggested that the age of consent should be reduced to 14 years keeping the best interest of the children in mind as well as to support children in benefiting from technological advances. Similarly, </span><a class="_1lsz7 _3Bkfb" href="http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf#page=221" rel="noopener noreferrer" target="_blank">MP Manish Tiwari </a><span>in his dissenting opinion suggested regulating data fiduciaries based on the type of content they provide or data they collect.</span></p>
<h3><span>2. How is the 2021 Bill Different from the 2019 Bill?</span></h3>
<p style="text-align: justify; "><span>The </span><a class="_1lsz7 _3Bkfb" href="http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf" rel="noopener noreferrer" target="_blank">2019 </a><span>draft of the Bill consisted of a class of data fiduciaries called guardian data fiduciaries – entities that operate commercial websites or online services directed at children or which process large volumes of children’s personal data. This class of fiduciaries was barred from profiling, tracking, behavioural monitoring, and running targeted advertising directed at children and undertaking any other processing of personal data that can cause significant harm to the child. In the previous draft, such data fiduciaries were not allowed to engage in ‘profiling, tracking, behavioural monitoring of children, or direct targeted advertising at children’. There was also a prohibition on conducting any activities that might significantly harm the child. As per Chapter IV, any violation could attract a penalty of up to INR 15 crore of the worldwide turnover of the data fiduciary for the preceding financial year, whichever is higher. However, this separate class of data fiduciaries do not have any additional responsibilities. It is also unclear as to whether a data fiduciary that does not by definition fall within such a category would be allowed to engage in activities that could cause ‘significant harm’ to children.</span></p>
<p style="text-align: justify; "><span>The new Bill also does not provide any mechanisms for age verification and only lays down considerations that verification processes should be undertaken. Furthermore, the JPC has suggested that consent options available to the child when they attain the age of majority i.e. 18 years should be included within the rule frame by the Data Protection Authority instead of being an amendment in the Bill.</span></p>
<h3><span>3. In the Absence of a Guardian Data Fiduciary</span></h3>
<p style="text-align: justify; "><span>The 2018 and 2019 drafts of the PDP Bill consider a child to be any person below the age of 18 years. For a child to access online services, the data fiduciary must first verify the age of the child and obtain consent from their guardian. The Bill does not provide an explicit process for age verification apart from stating that regulations shall be drafted in this regard. The 2019 Bill states that the Data Protection Authority shall specify codes of practice in this matter. Taking best practices into account, there is a need for ‘</span><a class="_1lsz7 _3Bkfb" href="https://cuts-ccier.org/pdf/project-brief-highlighting-inclusive-and-practical-mechanisms-to-protect-childrens-data.pdf" rel="noopener noreferrer" target="_blank">user-friendly and privacy-protecting age verification techniques</a><span>’ to encourage safe navigation across the internet. This will require </span><a class="_1lsz7 _3Bkfb" href="https://cuts-ccier.org/pdf/bp-global-technological-developments-in-age-verification-and-age-estimation.pdf" rel="noopener noreferrer" target="_blank">looking at </a><span>technological developments and different standards worldwide. There is a need to hold companies </span><a class="_1lsz7 _3Bkfb" href="https://www.livemint.com/opinion/columns/theres-a-better-way-to-protect-the-online-privacy-of-kids-11615306723478.html" rel="noopener noreferrer" target="_blank">accountable</a><span> for the protection of children’s online privacy and the harm that their algorithms cause children and to make sure that they are not continued.</span></p>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">The JPC in the 2021 version of the Bill removed provisions about guardian data fiduciaries, stating that there was no advantage in creating a different class of data fiduciary. As per the JPC, even those data fiduciaries that did not fall within the said classification would also need to comply with rules pertaining to the personal data of children i.e. with Section 16 of the Bill. Section 16 of the Bill requires the data fiduciary to verify the child’s age and obtain consent from the parent/guardian. The manner of age verification has also een spelt out. Furthermore, since ‘significant data fiduciaries’ is an existing class, there is still a need to comply with rules related to data processing. The JPC also removed the phrase “in the best interests of, the child” and “is in the best interests of, the child” under sub-clause 16(1), implying that the entire Bill concerned the rights of the data principal and the use of such terms dilutes the purpose of the legislation and could give way to manipulation by the data fiduciary.</p>
<h3><span>Conclusion</span></h3>
<p style="text-align: justify; "><span>Over the past two years, there has been a significant increase in applications that are targeted at children. There has been a proliferation of EduTech apps, which ideally should have more responsibility as they are processing children's data. We recommend that instead of creating a separate category, such fiduciaries collecting children's data or providing services to children be seen as ‘significant data fiduciaries’ that need to take up additional compliance measures.</span></p>
<p style="text-align: justify; "><span>Furthermore, any blanket prohibition on tracking children may obstruct safety measures that could be implemented by data fiduciaries. These fears are also increasing in other jurisdictions as there is a likelihood to restrict data fiduciaries from using software that looks out for such as </span><a class="_1lsz7 _3Bkfb" href="https://www.unodc.org/e4j/en/cybercrime/module-12/key-issues/online-child-sexual-exploitation-and-abuse.html" rel="noopener noreferrer" target="_blank">Child Sexual Abuse Material</a><span> as well as online predatory behaviour. Additionally, concerning the age of consent under the Bill, the JPC could look at international best practices and come up with ways to make sure that children can use the internet and have rights over their data, which would enable them to grow up with more awareness about data protection and privacy. One such example to look at could be the Children's Online Privacy Protection Rule (COPPA) in the US, where the rules apply to operators of websites and online services that collect personal information from kids </span><a class="_1lsz7 _3Bkfb" href="https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance" rel="noopener noreferrer" target="_blank">under 13 </a><span>or provide services to children that are directed at a general audience, but have actual knowledge that they collect personal information from such children. A form of combination of this system and the significant data fiduciary classification could be one possible way to ensure that children’s data and privacy are preserved online.</span></p>
<hr />
<p>The authors are researchers at the Centre for Internet and Society and thank their colleague Arindrajit Basu for his inputs.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/ijlt-shweta-mohandas-and-anamika-kundu-march-6-2022-nothing-to-kid-about-childrens-data-under-the-new-data-protection-bill'>https://cis-india.org/internet-governance/blog/ijlt-shweta-mohandas-and-anamika-kundu-march-6-2022-nothing-to-kid-about-childrens-data-under-the-new-data-protection-bill</a>
</p>
No publisherShweta Mohandas and Anamika KunduDigitalisationDigital KnowledgeInternet GovernanceData ProtectionData Management2022-03-10T13:19:52ZBlog EntryClause 12 Of The Data Protection Bill And Digital Healthcare: A Case Study
https://cis-india.org/internet-governance/blog/medianama-february-21-2022-amber-sinha-data-protection-bill-digital-healthcare-case-study
<b>In light of the state’s emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?</b>
<p>The blog post was <a class="external-link" href="https://www.medianama.com/2022/02/223-data-protection-bill-digital-healthcare-case-study/">published in Medianama</a> on February 21, 2022. This is the second in a two-part series by Amber Sinha.</p>
<hr />
<p style="text-align: justify; ">In the <a href="https://www.medianama.com/2022/02/223-data-protection-bill-consent-clause-state-function/">previous post</a>, I looked at provisions on non-consensual data processing for state functions under the most recent version of recommendations by the Joint Parliamentary Committee on India’s Data Protection Bill (DPB). The true impact of these provisions can only be appreciated in light of ongoing policy developments and real-life implications.</p>
<p style="text-align: justify; ">To appreciate the significance of the dilutions in Clause 12, let us consider the Indian state’s range of schemes promoting digital healthcare. In July 2018, NITI Aayog, a central government policy think tank in India released a strategy and approach paper (Strategy Paper) on the formulation of the National Health Stack which envisions the creation of a federated application programming interface (API)-enabled health information ecosystem. While the Ministry of Health and Family Welfare has focused on the creation of Electronic Health Records (EHR) Standards for India during the last few years and also identified a contractor for the creation of a centralised health information platform (IHIP), this Strategy Paper advocates a completely different approach, which is described as a Personal Health Records (PHR) framework. In 2021, the National Digital Health Mission (NDHM) was launched under which a citizen shall have the option to obtain a digital health ID. A digital health ID is a unique ID and will carry all health records of a person.</p>
<h2 style="text-align: justify; ">A Stack Model for Big Data Ecosystem in Healthcare</h2>
<p style="text-align: justify; ">A stack model as envisaged in the Strategy Paper, consists of several layers of open APIs connected to each other, often tied together by a unique health identifier. The open nature of APIs has the advantage that it allows public and private actors to build solutions on top of it, which are interoperable with all parts of the stack. It is however worth considering both the ‘openness’ and the role that the state plays in it.</p>
<p style="text-align: justify; ">Even though the APIs are themselves open, they are a part of a pre-decided technological paradigm, built by private actors and blessed by the state. Even though innovators can build on it, the options available to them are limited by the information architecture created by the stack model. When such a technological paradigm is created for healthcare reform and health data, the stack model poses additional challenges. By tying the stack model to the unique identity, without appropriate processes in place for access control, siloed information, and encrypted communication, the stack model poses tremendous privacy and security concerns. The broad language under Clause 12 of the DPB needs to be looked at in this context.</p>
<p>Clause 12 allows non-consensual processing of personal data where it is necessary “for the performance of any function of the state authorised by law” in order to provide a service or benefit from the State. In the previous post, I had highlighted the import of the use of only ‘necessity’ to the exclusion of ‘proportionality’. Now, we need to consider its significance in light of the emerging digital healthcare apparatus being created by the state.</p>
<p style="text-align: justify; ">The National Health Stack and National Digital Health Mission together envision an intricate system of data collection and exchange which in a regulatory vacuum would ensure unfettered access to sensitive healthcare data for both the state and private actors registered with the platforms. The Stack framework relies on repositories where data may be accessed from multiple nodes within the system. Importantly, the Strategy Paper also envisions health data fiduciaries to facilitate consent-driven interaction between entities that generate the health data and entities that want to consume the health records for delivering services to the individual. The cast of characters involve the National Health Authority, health care providers and insurers who access the National Health Electronic Registries, unified data from different programmes such as National Health Resource Repository (NHRR), NIN database, NIC and the Registry of Hospitals in Network of Insurance (ROHINI), private actors such as Swasth, iSpirt who assist the Mission as volunteers. The currency that government and private actors are interested in is data.</p>
<p style="text-align: justify; ">The promised benefits of healthcare data in an anonymised and aggregate form range from Disease Surveillance to Pharmacovigilance as well as Health Schemes Management Systems and Nutrition Management, benefits which have only been more acutely emphasised during the pandemic. However, the pandemic has also normalised the sharing of sensitive healthcare data with a variety of actors, without much thinking on much-needed data minimisation practises.</p>
<p style="text-align: justify; ">The potential misuses of healthcare data include greater state surveillance and control, predatory and discriminatory practices by private actors which rely on Clause 12 to do away with even the pretense of informed consent so long as the processing of data is deemed necessary by the state and its private sector partners to provide any service or benefit.</p>
<p style="text-align: justify; ">Subclause (e) in Clause 12, which was added in the last version of the Bill drafted by MeitY and has been retained by the JPC, allows processing wherever it is necessary for ‘any measures’ to provide medical treatment or health services during an epidemic, outbreak or threat to public health. Yet again, the overly-broad language used here is designed to ensure that any annoyances of informed consent can be easily brushed aside wherever the state intends to take any measures under any scheme related to public health.</p>
<p style="text-align: justify; ">Effectively, how does the framework under Clause 12 alter the consent and purpose limitation model? Data protection laws introduce an element of control by tying purpose limitation to consent. Individuals provide consent to specified purposes, and data processors are required to respect that choice. Where there is no consent, the purposes of data processing are sought to be limited by the necessity principle in Clause 12. The state (or authorised parties) must be able to demonstrate necessity to the exercise of state function, and data must only be processed for those purposes which flow out of this necessity. However, unlike the consent model, this provides an opportunity to keep reinventing purposes for different state functions.</p>
<p style="text-align: justify; ">In the absence of a data protection law, data collected by one agency is shared indiscriminately with other agencies and used for multiple purposes beyond the purpose for which it was collected. The consent and purpose limitation model would have addressed this issue. But, by having a low threshold for non-consensual processing under Clause 12, this form of data processing is effectively being legitimised.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/medianama-february-21-2022-amber-sinha-data-protection-bill-digital-healthcare-case-study'>https://cis-india.org/internet-governance/blog/medianama-february-21-2022-amber-sinha-data-protection-bill-digital-healthcare-case-study</a>
</p>
No publisheramberData GovernanceInternet GovernanceData ProtectionPrivacy2022-03-01T15:07:44ZBlog EntryHow Function Of State May Limit Informed Consent: Examining Clause 12 Of The Data Protection Bill
https://cis-india.org/internet-governance/blog/medianama-february-18-2021-amber-sinha-data-protection-bill-consent-clause-state-function
<b>The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.</b>
<p>The blog post was <a class="external-link" href="https://www.medianama.com/2022/02/223-data-protection-bill-consent-clause-state-function/">published in Medianama</a> on February 18, 2022. This is the first of a two-part series by Amber Sinha.</p>
<hr />
<p style="text-align: justify; ">In 2018, hours after the Committee of Experts led by Justice Srikrishna Committee released their report and draft bill, I wrote <a href="https://www.livemint.com/Opinion/zY8NPWoWWZw8AfI5JQhjmL/Draft-privacy-bill-and-its-loopholes.html">an opinion piece</a> providing my quick take on what was good and bad about the bill. A section of my analysis focused on Clause 12 (then Clause 13) which provides for non-consensual processing of personal data for state functions. I called this provision a ‘carte-blanche’ which effectively allowed the state to process a citizen’s data for practically all interactions between them without having to deal with the inconvenience of seeking consent. My former colleague, Pranesh Prakash <a href="https://twitter.com/pranesh/status/1023116679440621568">pointed out</a> that this was not a correct interpretation of the provision as I had missed the significance of the word ‘necessary’ which was inserted to act as a check on the powers of the state. He also pointed out, correctly, that in its construction, this provision is equivalent to the position in European General Data Protection Regulation (Article 6 (i) (e)), and is perhaps even more restrictive.</p>
<p style="text-align: justify; ">While I agree with what Pranesh says above (his claims are largely factual, and there can be no basis for disagreement), my view of Clause 12 has not changed. While Clause 35 has been a focus of considerable discourse and analysis, for good reason, I continue to believe that Clause 12 remains among the most dangerous provisions of this bill, and I will try to unpack here, why.</p>
<p style="text-align: justify; ">The Data Protection Bill 2021 has a chapter on the grounds for processing personal data, and one of those grounds is consent by the individual. The rest of the grounds deal with various situations in which personal data can be processed without seeking consent from the individual. Clause 12 lays down one of the grounds. It allows the state to process data without the consent of the individual in the following cases —</p>
<p>a) where it is necessary to respond to a medical emergency<br />b) where it is necessary for state to provide a service or benefit to the individual<br />c) where it is necessary for the state to issue any certification, licence or permit<br />d) where it is necessary under any central or state legislation, or to comply with a judicial order<br />e) where it is necessary for any measures during an epidemic, outbreak or public health<br />f) where it is necessary for safety procedures during disaster or breakdown of public order</p>
<p>In order to carry out (b) and (c), there is also the added requirement that the state function must be authorised by law.</p>
<h2>Twin restrictions in Clause 12</h2>
<p style="text-align: justify; ">The use of the words ‘necessary’ and ‘authorised by law’ is intended to pose checks on the powers of the state. The first restriction seeks to limit actions to only those cases where the processing of personal data would be necessary for the exercise of the state function. This should mean that if the state function can be exercised without non-consensual processing of personal data, then it must be done so. Therefore, while acting under this provision, the state should only process my data if it needs to do so, to provide me with the service or benefit. The second restriction means that this would apply to only those state functions which are authorised by law, meaning only those functions which are supported by validly enacted legislation.</p>
<p style="text-align: justify; ">What we need to keep in mind regarding Clause 12 is that the requirement of ‘authorised by law’ does not mean that legislation must provide for that specific kind of data processing. It simply means that the larger state function must have legal backing. The danger is how these provisions may be used with broad mandates. If the activity in question is non-consensual collection and processing of, say, demographic data of citizens to create state resident hubs which will assist in the provision of services such as healthcare, housing, and other welfare functions; all that may be required is that the welfare functions are authorised by law.</p>
<h2 style="text-align: justify; ">Scope of privacy under Puttaswamy</h2>
<p style="text-align: justify; ">It would be worthwhile, at this point, to delve into the nature of restrictions that the landmark Puttaswamy judgement discussed that the state can impose on privacy. The judgement clearly identifies the principles of informed consent and purpose limitation as central to informational privacy. As discussed repeatedly during the course of the hearings and in the judgement, privacy, like any other fundamental right, is not absolute. However, restrictions on the right must be reasonable in nature. In the case of Clause 12, the restrictions on privacy in the form of denial of informed consent need to be tested against a constitutional standard. In Puttaswamy, the bench was not required to provide a legal test to determine the extent and scope of the right to privacy, but they do provide sufficient guidance for us to contemplate how the limits and scope of the constitutional right to privacy could be determined in future cases.</p>
<p style="text-align: justify; ">The Puttaswamy judgement clearly states that “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.” By locating the right not just in Article 21 but also in the entirety of Part III, the bench clearly requires that “the drill of various Articles to which the right relates must be scrupulously followed.” This means that where transgressions on privacy relate to different provisions in Part III, the different tests under those provisions will apply along with those in Article 21. For instance, where the restrictions relate to personal freedoms, the tests under both Article 19 (right to freedoms) and Article 21 (right to life and liberty) will apply.</p>
<p style="text-align: justify; ">In the case of Clause 12, the three tests laid down by Justice Chandrachud are most operative —<br />a) the existence of a “law”<br />b) a “legitimate State interest”<br />c) the requirement of “proportionality”.</p>
<p style="text-align: justify; ">The first test is already reflected in the use of the phrase ‘authorised by law’ in Clause 12. The test under Article 21 would imply that the function of the state should not merely be authorised by law, but that the law, in both its substance and procedure, must be ‘fair, just and reasonable.’ The next test is that of ‘legitimate state interest’. In its report, the Joint Parliamentary Committee places emphasis on Justice Chandrachud’s use of “allocation of resources for human development” in an illustrative list of legitimate state interests. The report claims that the ground, functions of the state, thus satisfies the legitimate state interest. We do not dispute this claim.</p>
<h2 style="text-align: justify; ">Proportionality and Clause 12</h2>
<p style="text-align: justify; ">It is the final test of ‘proportionality’ articulated by the Puttaswamy judgement, which is most operative in this context. Unlike Clauses 42 and 43 which include the twin tests of necessity and proportionality, the committee has chosen to only employ one ground in Clause 12. Proportionality is a commonly employed ground in European jurisprudence and common law countries such as Canada and South Africa, and it is also an integral part of Indian jurisprudence. As commonly understood, the proportionality test consists of three parts —</p>
<p>a) the limiting measures must be carefully designed, or rationally connected, to the objective<br />b) they must impair the right as little as possible<br />c) the effects of the limiting measures must not be so severe on individual or group rights that the legitimate state interest, albeit important, is outweighed by the abridgement of rights.</p>
<p style="text-align: justify; ">The first test is similar to the test of proximity under Article 19. The test of ‘necessity’ in Clause 12 must be viewed in this context. It must be remembered that the test of necessity is not limited to only situations where it may not be possible to obtain consent while providing benefits. My reservations with the sufficiency of this standard stem from observations made in the report, as well as the relatively small amount of jurisprudence on this term in Indian law.</p>
<p style="text-align: justify; ">The Srikrishna Report interestingly mentions three kinds of scenarios where consent should not be required — where it is not appropriate, necessary, or relevant for processing. The report goes on to give an example of inappropriateness. In cases where data is being gathered to provide welfare services, there is an imbalance in power between the citizen and the state. Having made that observation, the committee inexplicably arrives at a conclusion that the response to this problem is to further erode the power available to citizens by removing the need for consent altogether under Clause 12. There is limited jurisprudence on the standard of ‘necessity’ under Indian law. The Supreme Court has articulated this test as ‘having reasonable relation to the object the legislation has in view.’ If we look elsewhere for guidance on how to read ‘necessity’, the ECHR in Handyside v United Kingdom held it to be neither “synonymous with indispensable” nor does it have the “flexibility of such expressions as admissible, ordinary, useful, reasonable or desirable.” In short, there must be a pressing social need to satisfy this ground.</p>
<p style="text-align: justify; ">However, the other two tests of proportionality do not find a mention in Clause 12 at all. There is no requirement of ‘narrow tailoring’, that the scope of non-consensual processing must impair the right as little as possible. It is doubly unfortunate that this test does not find a place, as unlike necessity, ‘narrow tailoring’ is a test well understood in Indian law. This means that while there is a requirement to show that processing personal data was necessary to provide a service or benefit, there is no requirement to process data in a way that there is minimal non-consensual processing. The fear is that as long as there is a reasonable relation between processing data and the object of the function of state, state authorities and other bodies authorised by it, do not need to bother with obtaining consent.</p>
<p style="text-align: justify; ">Similarly, the third test of proportionality is also not represented in this provision. It provides a test between the abridgement of individual rights and legitimate state interest in question, and it requires that the first must not outweigh the second. The absence of the proportionality test leaves Clause 12 devoid of any such consideration. Therefore, as long as the test of necessity is met under this law, it need not evaluate the denial of consent against the service or benefit that is being provided.</p>
<p style="text-align: justify; ">The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state, by setting the threshold to circumvent informed consent extremely low. In the next post, I will demonstrate the ease with which Clause 12 can allow indiscriminate data sharing by focusing on the Indian government’s digital healthcare schemes.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/medianama-february-18-2021-amber-sinha-data-protection-bill-consent-clause-state-function'>https://cis-india.org/internet-governance/blog/medianama-february-18-2021-amber-sinha-data-protection-bill-consent-clause-state-function</a>
</p>
No publisheramberData GovernanceInternet GovernanceData ProtectionPrivacy2022-03-01T14:56:49ZBlog EntryCIS Comments and Recommendations on the Data Protection Bill, 2021
https://cis-india.org/internet-governance/blog/pallavi-bedi-and-shweta-mohandas-cis-comments-on-data-protection-bill
<b>This document is a revised version of the comments we provided on the 2019 Bill on 20 February 2020, with updates based on the amendments in the 2021 Bill.</b>
<p style="text-align: justify; ">After nearly two years of deliberations and a few changes in its composition, the Joint Parliamentary Committee (JPC), on 17 December 2021, submitted its report on the Personal Data Protection Bill, 2019 (2019 Bill). The report also contains a new version of the law titled the Data Protection Bill, 2021 (2021 Bill). Although there were no major revisions from the previous version other than the inclusion of all data under the ambit of the bill, some provisions were amended.</p>
<p style="text-align: justify; ">This document is a revised version of the<a href="https://cis-india.org/accessibility/blog/cis-comments-pdp-bill-2019"> comments</a> we provided on the 2019 Bill on 20 February 2020, with updates based on the amendments in the 2021 Bill. Through this document we aim to shed light on the issues that we highlighted in our previous comments that have not yet been addressed, along with additional comments on sections that have become more relevant since the pandemic began. In several instances our previous comments have either not been addressed or only partially been addressed; in such instances, we reiterate them.</p>
<p style="text-align: justify; ">These general comments should be read in conjunction with our previous recommendations for the reader to get a comprehensive overview of what has changed from the previous version and what has remained the same. This document can also be read while referencing the new Data Protection Bill 2021 and the JPC’s report to understand some of the significant provisions of the bill.</p>
<hr />
<p style="text-align: justify; "><strong><a href="https://cis-india.org/internet-governance/general-comments-data-protection-bill.pdf" class="internal-link">Read on to access the comments</a> | </strong><span>Review and editing by Arindrajit Basu. Copy editing: The Clean Copy; Shared under Creative Commons Attribution 4.0 International license</span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/pallavi-bedi-and-shweta-mohandas-cis-comments-on-data-protection-bill'>https://cis-india.org/internet-governance/blog/pallavi-bedi-and-shweta-mohandas-cis-comments-on-data-protection-bill</a>
</p>
No publisherPallavi Bedi and Shweta MohandasInternet GovernanceData ProtectionPrivacy2022-02-14T16:07:44ZBlog EntryNotes for India as the digital trade juggernaut rolls on
https://cis-india.org/internet-governance/blog/the-hindu-arindrajit-basu-february-8-2022-notes-for-india-as-the-digital-trade-juggernaut-rolls-on
<b>Sitting out trade negotiations could result in the country losing out on opportunities to shape the rules.</b>
<p>The article by Arindrajit Basu was <a class="external-link" href="https://www.thehindu.com/opinion/op-ed/notes-for-india-as-the-digital-trade-juggernaut-rolls-on/article38393921.ece">published in the Hindu</a> on February 8, 2022</p>
<hr />
<p style="text-align: justify; ">Despite the cancellation of the Twelfth Ministerial Conference (MC12) of the World Trade Organization (WTO) late last year (scheduled date, November 30, 2021-December 3, 2021) due to COVID-19, digital trade negotiations continue their ambitious march forward. On December 14, Australia, Japan, and Singapore, co-convenors of the plurilateral Joint Statement Initiative (JSI) on e-commerce, welcomed the ‘substantial progress’ made at the talks over the past three years and stated that they expected a convergence on more issues by the end of 2022.</p>
<h3>Holding out</h3>
<p style="text-align: justify; ">But therein lies the rub: even though JSI members account for over 90% of global trade, and the initiative welcomes newer entrants, over half of WTO members (largely from the developing world) continue to opt out of these negotiations. They fear being arm-twisted into accepting global rules that could etiolate domestic policymaking and economic growth. India and South Africa have led the resistance and been the JSI’s most vocal critics. India has thus far resisted pressures from the developed world to jump onto the JSI bandwagon, largely through coherent legal argumentation against the JSI and a long-term developmental vision. Yet, given the increasingly fragmented global trading landscape and the rising importance of the global digital economy, can India tailor its engagement with the WTO to better accommodate its economic and geopolitical interests?</p>
<h3><strong>Global rules on digital trade</strong></h3>
<p style="text-align: justify; ">The WTO emerged in a largely analogue world in 1994. It was only at the Second Ministerial Conference (1998) that members agreed on core rules for e-commerce regulation. A temporary moratorium was imposed on customs duties relating to the electronic transmission of goods and services. This moratorium has been renewed continuously, to consistent opposition from India and South Africa. They argue that the moratorium imposes significant costs on developing countries as they are unable to benefit from the revenue customs duties would bring.</p>
<p style="text-align: justify; ">The members also agreed to set up a work programme on e-commerce across four issue areas at the General Council: goods, services, intellectual property, and development. Frustrated by a lack of progress in the two decades that followed, 70 members brokered the JSI in December 2017 to initiate exploratory work on the trade-related aspects of e-commerce. Several countries, including developing countries, signed up in 2019 despite holding contrary views to most JSI members on key issues. Surprise entrants, China and Indonesia, argued that they sought to shape the rules from within the initiative rather than sitting on the sidelines.</p>
<p style="text-align: justify; ">India and South Africa have rightly pointed out that the JSI contravenes the WTO’s consensus-based framework, where every member has a voice and vote regardless of economic standing. Unlike the General Council Work Programme, which India and South Africa have attempted to revitalise in the past year, the JSI does not include all WTO members. For the process to be legally valid, the initiative must either build consensus or negotiate a plurilateral agreement outside the aegis of the WTO.</p>
<p style="text-align: justify; ">India and South Africa’s positioning strikes a chord at the heart of the global trading regime: how to balance the sovereign right of states to shape domestic policy with international obligations that would enable them to reap the benefits of a global trading system.</p>
<h3><strong>A contested regime</strong></h3>
<p style="text-align: justify; ">There are several issues upon which the developed and developing worlds disagree. One such issue concerns international rules relating to the free flow of data across borders. Several countries, both within and outside the JSI, have imposed data localisation mandates that compel corporations to store and process data within territorial borders. This is a key policy priority for India. Several payment card companies, including Mastercard and American Express, were prohibited from issuing new cards for failure to comply with a 2018 financial data localisation directive from the Reserve Bank of India. The Joint Parliamentary Committee (JPC) on data protection has recommended stringent localisation measures for sensitive personal data and critical personal data in India’s data protection legislation. However, for nations and industries in the developed world looking to access new digital markets, these restrictions impose unnecessary compliance costs, thus arguably hampering innovation and supposedly amounting to unfair protectionism.</p>
<p style="text-align: justify; ">There is a similar disagreement regarding domestic laws that mandate the disclosure of source codes. Developed countries believe that this hampers innovation, whereas developing countries believe it is essential for algorithmic transparency and fairness — which was another key recommendation of the JPC report in December 2021.</p>
<h3><strong>India’s choices</strong></h3>
<p style="text-align: justify; ">India’s global position is reinforced through narrative building by political and industrial leaders alike. Data sovereignty is championed as a means of resisting ‘data colonialism’, the exploitative economic practices and intensive lobbying of Silicon Valley companies. Policymaking for India’s digital economy is at a critical juncture. Surveillance reform, personal data protection, algorithmic governance, and non-personal data regulation must be galvanised through evidenced insights,and work for individuals, communities, and aspiring local businesses — not just established larger players.</p>
<p style="text-align: justify; ">Hastily signing trading obligations could reduce the space available to frame appropriate policy. But sitting out trade negotiations will mean that the digital trade juggernaut will continue unchecked, through mega-regional trading agreements such as the Regional Comprehensive Economic Partnership (RCEP) and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). India could risk becoming an unwitting standard-taker in an already fragmented trading regime and lose out on opportunities to shape these rules instead.</p>
<p style="text-align: justify; ">Alternatives exist; negotiations need not mean compromise. For example, exceptions to digital trade rules, such as ‘legitimate public policy objective’ or ‘essential security interests’, could be negotiated to preserve policymaking where needed while still acquiescing to the larger agreement. Further, any outcome need not be an all-or-nothing arrangement. Taking a cue from the Digital Economy Partnership Agreement (DEPA) between Singapore, Chile, and New Zealand, India can push for a framework where countries can pick and choose modules with which they wish to comply. These combinations can be amassed incrementally as emerging economies such as India work through domestic regulations.</p>
<p style="text-align: justify; ">Despite its failings, the WTO plays a critical role in global governance and is vital to India’s strategic interests. Negotiating without surrendering domestic policy-making holds the key to India’s digital future.</p>
<hr />
<p style="text-align: justify; "><i>Arindrajit Basu is Research Lead at the Centre for Internet and Society, India. The views expressed are personal. The author would like to thank The Clean Copy for edits on a draft of this article.</i></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-hindu-arindrajit-basu-february-8-2022-notes-for-india-as-the-digital-trade-juggernaut-rolls-on'>https://cis-india.org/internet-governance/blog/the-hindu-arindrajit-basu-february-8-2022-notes-for-india-as-the-digital-trade-juggernaut-rolls-on</a>
</p>
No publisherbasuDigitalisationDigital KnowledgeInternet GovernanceE-CommerceDigital India2022-02-09T15:04:36ZBlog EntrySubmission to the Facebook Oversight Board: Policy on Cross-checks
https://cis-india.org/internet-governance/blog/submission-to-the-facebook-oversight-board-policy-on-cross-checks
<b>The Centre for Internet & Society (CIS) submitted public comments to the Facebook Oversight Board on a policy consultation.</b>
<h2>Whether a cross-check system is needed?</h2>
<p style="text-align: justify;"><strong>Recommendation for the Board</strong>: The Board should investigate the cross-check system as part of Meta’s larger problems with algorithmically amplified speech, and how such speech gets moderated.</p>
<p style="text-align: justify;"><strong>Explanation</strong>: The issues surrounding Meta’s cross-check system are not an isolated phenomena, but rather a reflection of the problems of algorithmically amplified speech, as well the lack of transparency in the company’s content moderation processes at large. At the outset, it must be stated that the majority of information on the cross-check system only became available after the media <a href="https://www.wsj.com/articles/facebook-files-xcheck-zuckerberg-elite-rules-11631541353?mod=article_inline">reports</a> published by the Wall Street Journal. While these reports have been extensive in documenting various aspects of the system, there is no guarantee that the disclosures obtained by them provides the complete picture regarding the system. Further, given that Meta has been found to purposely mislead the Board and the public on how the cross-check system operates, it is worth investigating the incentives that necessitate the cross-check system in the first place.</p>
<p style="text-align: justify;">Meta claims that the cross-check system works as a check for false positives: they “employ additional reviews for high-visibility content that may violate our policies.” Essentially they want to make sure that content that stays up on the platform and reaches a large audience, is following their content guidelines. However, previous disclosures have <a href="https://www.wsj.com/articles/facebook-hate-speech-india-politics-muslim-hindu-modi-zuckerberg-11597423346">proven</a> policy executives have prioritized the company’s ‘business interests’ over removing content that violates their policies; and have <a href="https://www.theguardian.com/technology/2021/apr/12/facebook-fake-engagement-whistleblower-sophie-zhang">waited to act on known problematic content</a> until significant external pressure was built up, including in India. In this context, the cross-check system seems less like a measure designed to protect users who might be exposed to problematic content, and more as a measure for managing public perception of the company.</p>
<p style="text-align: justify;">Thus the Board should investigate both how content gains an audience on the platform, and how it gets moderated. Previous <a href="https://www.theguardian.com/technology/2021/apr/12/facebook-fake-engagement-whistleblower-sophie-zhang">whistleblower disclosures</a> have shown that the mechanics of algorithmically amplified speech, which prioritizes <a href="https://www.technologyreview.com/2021/03/11/1020600/facebook-responsible-ai-misinformation/">engagement and growth over safety</a>, are easily taken advantage of by bad actors to promote their viewpoints through artificially induced virality. The cross-check system and other measures of content moderation at scale would not be needed if it was harder to spread problematic content on the platform in the first place. Instead of focusing only on one specific system, the Board needs to urge Meta to re-evaluate the incentives that drive content sharing on the platform and come up with ways that make the platform safer.</p>
<h2 style="text-align: justify;">Meta’s Obligations under Human Rights Law</h2>
<p style="text-align: justify;"><strong>Recommendation for the Board: </strong>The Board must consider the cross-check system to be violative of Meta’s obligations under the International Covenant of Civil and Political Rights (ICCPR). Additionally, the cross-check ranker must be incorporated with Meta’s commitments towards human rights, as outlined in its Corporate Human Rights Policy.</p>
<p style="text-align: justify;">Explanation: Meta’s content moderation, and by extension, its cross-check system, is bound by both international human rights law as well as the Board’s past decisions. At the outset, The system fails the three-pronged test of legality, legitimacy and necessity and proportionality, as delineated under Article 19(3) of the International Covenant of Civil and Political Rights (ICCPR). Firstly, this system has been “<a href="https://www.wsj.com/articles/facebook-files-xcheck-zuckerberg-elite-rules-11631541353?mod=article_inline">scattered throughout the company, without clear governance or ownership</a>”, which violates the legality principle, since there is no clear guidance on what sort of speech, or which classes of users, would deserve the treatment of this system. Secondly, there is no understanding about the legitimacy of aims with which this system had been set up in the first place, beyond Meta’s own assertions, which have been <a href="https://www.oversightboard.com/news/215139350722703-oversight-board-demands-more-transparency-from-facebook/">countered</a> by evidence to the contrary. Thirdly, the necessity and proportionality of the restriction has to be <a href="https://www.oversightboard.com/decision/FB-691QAMHJ">read along</a> with the <a href="https://www.ohchr.org/en/issues/freedomopinion/articles19-20/pages/index.aspx">Rabat Plan of Action</a>, which requires that for a statement to become a criminal offense, a six-pronged test of threshold is to be applied: a) the social and political context, b) the speaker’s position or status in the society, c) intent to incite the audience against a target group, d) content and form of the speech, e) extent of its dissemination and f) likelihood of harm. As news reports have indicated, Meta has been utilizing the cross-check system to privilege speech from influential users, and in the process, have shielded inflammatory, inciting speech that would have otherwise qualified the Rabat threshold. As such, the third requirement is not fulfilled either.</p>
<p style="text-align: justify;">Additionally, Meta’s own <a href="https://about.fb.com/wp-content/uploads/2021/03/Facebooks-Corporate-Human-Rights-Policy.pdf">Corporate Human Rights Policy</a> commits to respecting human rights in line with the UN Guiding Principles on Business and Human Rights (UNGPs). Therefore, the cross-check ranker must incorporate these existing commitments to human rights, including:</p>
<ul>
<li style="text-align: justify;">The right to freedom of expression:, UN Special Rapporteur on freedom of opinion and expression report <a href="https://ap.ohchr.org/documents/dpage_e.aspx?si=A/HRC/38/35">A/HRC/38/35</a> (2018); <a href="https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=25729&LangID=E">Joint Statement of international freedom of expression monitors on COVID-19 (March, 2020)</a>.</li></ul>
<p style="text-align: justify;">The Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression addresses the regulation of user-generated online content.</p>
<p>The Joint Statement issued regarding Governmental promotion and protection of access to and free flow of information during the pandemic.</p>
<ul>
<li>The right to non-discrimination: International Convention on the Elimination of All Forms of Racial Discrimination (<a href="https://www.ohchr.org/EN/ProfessionalInterest/Pages/CERD.aspx">ICERD</a>), Articles 1 and 4.</li></ul>
<p>Article 1 of the ICERD defines racial discrimination.</p>
<p>Article 4 of the ICERD condemns propaganda and organisations that attempt to justify discrimination or are based on the idea of racial supremacism.</p>
<ul>
<li>Participation in public affairs and the right to vote: ICCPR Article 25.</li>
<li>The right to remedy: General Comment No. 31, Human Rights Committee (2004) (<a href="https://tbinternet.ohchr.org/_layouts/15/treatybodyexternal/Download.aspx?symbolno=CCPR%2fC%2f21%2fRev.1%2fAdd.13&Lang=en">General Comment 31</a>); UNGPs, Principle 22.</li></ul>
<p>The General Comment discusses the nature of the general legal obligation imposed on State Parties to the Covenant.</p>
<p style="text-align: justify;">Guiding Principle 22 states that where business enterprises identify that they have caused or contributed to adverse impacts, they should provide for or cooperate in their remediation through legitimate processes.</p>
<h2>Meta’s obligations to avoid political bias and false positives in its cross-check system</h2>
<p style="text-align: justify;"><strong>Recommendation for the Board: </strong>The Board must urge Meta to adopt and implement the Santa Clara Principles on Transparency and Accountability to ensure that it is open about risks to user rights when there is involvement from the State in content moderation. Additionally, the Board must ask Meta to undertake a diversity and human rights audit of its existing policy teams, and commit to regular cultural training for its staff. Finally, the Board must investigate the potential conflicts of interest that arise when Meta’s policy team has any sort of nexus with political parties, and how that might impact content moderation.</p>
<p style="text-align: justify;">Explanation: For the cross-check system to be free from biases, it is important for Meta to come clear to the Board regarding the rationale, standards and processes of the cross check review, and report on the relative error rates of determinations made through cross check compared with ordinary enforcement procedures. It also needs to disclose to the Board in which particular situations it uses the system and in which it does not. Principle 4 under the Foundational Principles of the <a href="https://santaclaraprinciples.org/">Santa Clara Principles on Transparency and Accountability in Content Moderation</a> encourage companies to realize the risk to user rights when there is involvement from the State in processes of content moderation and asks companies to makes users aware that: a) a state actor has requested/participated in an action on their content/account, and b) the company believes that the action was needed as per the relevant law. Users should be allowed access to any rules or policies, formal or informal work relationships that the company holds with state actors in terms of content regulation, the process of flagging accounts/content and state requests to action.</p>
<p style="text-align: justify;">The Board must consider that erroneous lack of action (false positives) might not always be a system's flaw, but a larger, structural issue regarding how policy teams at Meta functions. As previous disclosures have <a href="https://www.wsj.com/articles/facebook-hate-speech-india-politics-muslim-hindu-modi-zuckerberg-11597423346">proven</a>, the contours of what sort of violating content gets to stay up on the platform has been ideologically and politically coloured, as policy executives have prioritized the company’s ‘business interests’ over social harmony. In such light, it is not sufficient to simply propose better transparency and accountability measures for Meta to adopt within its content moderation processes to avoid political bias. Rather, the Board’s recommendations must focus on the structural aspect of the human moderator and policy team that is behind these processes. The Board must ask Meta to a) urgently undertake a diversity and human rights audit of its existing team and its hiring processes, b) commit to regular training to ensure that their policy staffs are culturally literate in the socio-political regions they work in. Further, the Board must seriously investigate the potential <a href="https://time.com/5883993/india-facebook-hate-speech-bjp/">conflicts of interest</a> that happen when regional policy teams of Meta, with nexus to political parties, are also tasked with regulating content from representatives of these parties, and how that impacts the moderation processes at large.</p>
<p style="text-align: justify;">Finally, in case decision <a href="https://www.oversightboard.com/decision/FB-691QAMHJ">2021-001-FB-FBR</a>, the Board made a number of recommendations to Meta which must be implemented in the current situation, including: a) considering the political context while looking at potential risks, b) employment of specialized staff in content moderation while evaluating political speech from influential users, c) familiarity with the political and linguistic context d) absence of any interference and undue influence, e) public explanation regarding the rules Meta uses when imposing sanctions against influential users and f) the sanctions being time-bound.</p>
<h2 style="text-align: justify;">Transparency of the cross-check system</h2>
<p style="text-align: justify;"><strong>Recommendation for the Board: </strong>The Board must urge Meta to adopt and implement the Santa Clara Principles on Transparency and Accountability to increase the transparency of its cross-check system.</p>
<p style="text-align: justify;"><strong>Explanation: </strong>There are ways in which Meta can increase the transparency of not only the cross-check system, but the content moderation process in general. The following recommendations draw from <a href="https://santaclaraprinciples.org/">The Santa Clara Principles</a> and the Board’s own previous decisions:</p>
<p style="text-align: justify;">Considering Principle 2 of the Santa Clara Principles: Understandable Rules and Policies, Meta should ensure that the policies and rules governing moderation of content and user behaviors on Facebook are<strong> clear, easily understandable, and available in the languages</strong> in which the user operates.</p>
<p style="text-align: justify;">Drawing from Principle 5 on Integrity and Explainability and from the Board’s recommendations in case decision <a href="https://www.oversightboard.com/decision/FB-691QAMHJ">2021-001-FB-FBR</a> which advises Meta to“<em>Provide users with accessible information on how many violations, strikes and penalties have been assessed against them, and the consequences that will follow future violations</em>”, Meta should be able to <strong>explain the content moderation decisions to users in all cases</strong>: when under review, when the decision has been made to leave the content up, or take it down. We recommend that Meta keeps a publicly accessible running tally of the number of moderation decisions made on a piece of content till date with their explanations. This would allow third parties (like journalists, activists, researchers and the OSB) to keep Facebook accountable when it does not follow its own policies, as has previously been the case.</p>
<p style="text-align: justify;">In the same case decision, the Board has also previously recommended that Meta “<em>Produce more information to help users understand and evaluate the process and criteria for applying the newsworthiness allowance, including how it applies to influential accounts. The company should also clearly explain the rationale, standards and processes of the cross-check review, and report on the relative error rates of determinations made through cross-checking compared with ordinary enforcement procedures.</em>” Thus, Meta should <strong>publicly explain the cross check system </strong>in detail with examples, and make public the list of attributes that qualify a piece of content for secondary review.</p>
<p style="text-align: justify;">The Operational Principles further provide actionable steps that Meta can take to improve the transparency of their content moderation systems. Drawing from Principle 2: Notice and Principle 3: Appeals, Meta should make a satisfactory <strong>appeals process available </strong>to users - whether they be decisions to leave up or takedown content. The appeals process should be handled by context aware teams. Meta should then <strong>publish the results</strong> of the cross check system and the appeals processes as part of their transparency reports including data like total content actioned, rate of success in appeals and cross check process, decisions overturned and preserved etc, which would also satisfy the first Operational Principle: Numbers.</p>
<h2 style="text-align: justify;">Resources needed to improve the system for users and entities who do not post in English</h2>
<p style="text-align: justify;"><strong>Recommendations for the Board: </strong>The Board must urge Meta to urgently invest in resources to expand Meta’s content moderation services into the local contexts in which the company operates and invest in training data for local languages.</p>
<p style="text-align: justify;"><strong>Explanation: </strong>The cross-check system is not a fundamentally different problem than content moderation. It has been shown time and time again that Meta’s handling of content from non-Western, non-English language contexts is severely lacking. It has been shown how content hosted on the platform has been used to<a href="https://www.theguardian.com/technology/2021/apr/12/facebook-fake-engagement-whistleblower-sophie-zhang"> inflame existing tensions in developing countries</a>, <a href="https://www.wsj.com/articles/facebook-services-are-used-to-spread-religious-hatred-in-india-internal-documents-show-11635016354?mod=article_inline">promote religious hatred in India</a>, <a href="https://www.wsj.com/articles/burn-the-houses-rohingya-survivors-recount-the-day-soldiers-killed-hundreds-1526048545?mod=article_inline">genocide in Mynmar</a>, and continue to support <a href="https://www.wsj.com/articles/facebook-drug-cartels-human-traffickers-response-is-weak-documents-11631812953?mod=article_inline">human traffickers and drug cartels</a> on the platform even when these issues have been identified.</p>
<p style="text-align: justify;">There is an urgent need to invest resources to expand Meta’s content moderation services into the local contexts in which the company operates. The company should make all policies and rule documents available in the languages of its users; invest in creating automated tools that are capable of flagging content that is not posted in English; and add people familiar with the local contexts to provide context aware second level reviews. The Facebook Files show that even according to company engineering, <a href="https://www.wsj.com/articles/facebook-ai-enforce-rules-engineers-doubtful-artificial-intelligence-11634338184?mod=article_inline">automated content moderation</a> is still not very effective in identifying hate speech and other harmful content. Meta should focus on hiring, training and retaining human moderators who have knowledge of local contexts. Bias training of all content moderators, but especially those who will participate in the second level reviews in the cross check system is also extremely important to ensure acceptable decisions.</p>
<p style="text-align: justify;">Additionally, in keeping with Meta’s human rights commitments, the company should develop and publish a policy for responding to human rights violations when they are pointed out by activists, researchers, journalists and employees as a matter of due process. It should not wait for a negative news cycle to stir them into action <a href="https://www.theguardian.com/technology/2021/apr/12/facebook-fake-engagement-whistleblower-sophie-zhang">as it seems to have done in previous cases</a>.</p>
<h2 style="text-align: justify;">Benefits and limitations of automated technologies</h2>
<p style="text-align: justify;">Meta <a href="https://www.theverge.com/2020/11/13/21562596/facebook-ai-moderation%5C">recently changed</a> its moderation practice wherein it uses technology to prioritize content for human reviewers based on their severity index. Facebook <a href="https://transparency.fb.com/policies/improving/prioritizing-content-review/">has not specified</a> the technology it uses to prioritize high-severity content but its research record shows that it <a href="https://ai.facebook.com/blog/the-shift-to-generalized-ai-to-better-identify-violating-content">uses</a> a host of automated <a href="https://ai.facebook.com/tools#frameworks-and-tools">frameworks and tools</a> to detect violating content, including image recognition tools, object detection tools, natural language processing models, speech models and reasoning models. One such model is the <a href="https://ai.facebook.com/blog/community-standards-report/">Whole Post Integrity Embeddings</a> (“WPIE”) which can judge various elements in a given post (caption, comments, OCR, image etc.) to work out the context and the content of the post. Facebook also uses image matching models (SimSearchNet++) that are trained to match variations of an image with a high degree of precision and improved recall; multi-lingual masked language models on cross-lingual understanding such as <a href="https://ai.facebook.com/blog/-xlm-r-state-of-the-art-cross-lingual-understanding-through-self-supervision/">XLM-R</a> that can accurately identify hate-speech and other policy-violating content across a wide range of languages. More recently, Facebook introduced its machine translation model called the <a href="https://analyticsindiamag.com/facebooks-new-machine-translation-model-works-without-help-of-english-data/">M2M-100</a> whose goal is to perform bidirectional translation between 7000 languages.</p>
<p style="text-align: justify;">Despite the advances in this field, there are inherent <a href="https://www.ofcom.org.uk/__data/assets/pdf_file/0028/157249/cambridge-consultants-ai-content-moderation.pdf">limitations</a> of such automated tools. <a href="https://www.theverge.com/2019/2/27/18242724/facebook-moderation-ai-artificial-intelligence-platforms">Experts</a> have repeatedly maintained that AI will get better at understanding context but it will not replace human moderators for the foreseeable future. One such instance where these limitations were <a href="https://www.politico.eu/article/facebook-content-moderation-automation/">exposed</a> was during the COVID-19 pandemic, when Facebook sent its human moderators home - the number of removals flagged as hate speech on its platform more than doubled to 22.5 million in the second quarter of 2020 but the number of successful content appeals was dropped to 12,600 from the 2.3 million figure for the first three months of 2020.</p>
<p style="text-align: justify;"><a href="https://www.wsj.com/articles/facebook-ai-enforce-rules-engineers-doubtful-artificial-intelligence-11634338184?mod=article_inline">The Facebook Files</a> show that Meta’s AI cannot consistently identify first-person shooting videos, racist rants and even the difference between cockfighting and car crashes. Its automated systems are only capable of removing posts that generate just 3% to 5% of the views of hate speech on the platform and 0.6% of all content that violates Meta’s policies against violence and incitement. As such, it is difficult to accept the company’s claim that nearly all of the hate speech it takes down was discovered by AI before it was reported by users.</p>
<p style="text-align: justify;">However, the benefits of such technology cannot be discounted, especially when one considers automated technology as a way of reducing <a href="https://www.theverge.com/2019/2/25/18229714/cognizant-facebook-content-moderator-interviews-trauma-working-conditions-arizona">trauma</a> for human moderators. Using AI for prioritizing content for review can turn out to be effective for human moderators as it can increase their efficiency and reduce harmful effects of content moderation on them. Additionally, it can also limit the exposure of harmful content to internet users. Moreover, AI can also reduce the impact of harmful content on human moderators by allocating content to moderators on the basis of their exposure history. Theoretically, if the company’s claims are to be believed, using automated technology for prioritizing content for review can help to improve the mental health of Facebook’s human moderators.</p>
<hr />
<p>Click to download the file <a class="external-link" href="https://cis-india.org/internet-governance/policy-on-cross-checks">here</a>.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/submission-to-the-facebook-oversight-board-policy-on-cross-checks'>https://cis-india.org/internet-governance/blog/submission-to-the-facebook-oversight-board-policy-on-cross-checks</a>
</p>
No publisher[in alphabetical order] Anamika Kundu, Digvijay Singh, Divyansha Sehgal and Torsha SarkarFreedom of Speech and ExpressionInternet FreedomFacebookInternet Governance2022-02-09T05:31:32ZBlog EntryTransference: Reimagining Data Systems: Beyond the Gender Binary
https://cis-india.org/internet-governance/events/transference-reimagining-data-systems-beyond-the-gender-binary
<b>The Centre for Internet and Society (CIS) invites you to participate in a day-long convening on the rights of transgender persons, specifically right to privacy and digital rights. Through this convening, we hope to highlight the concerns of transgender persons in accessing digital data systems and the privacy challenges faced by the community. These challenges include access to their rights — their right to self-identify their gender and welfare services offered by the State and the privacy challenges faced by transgender and intersex persons in revealing their identity.</b>
<p dir="ltr" style="text-align: justify; ">As the meaning of the word ‘Transference’ goes, through this convening, as a learning, we hope to capture and transfer the realities of transgender persons with engaging and being a part of digital data systems in India. Given the rapid digitisation of different public and private data systems in India, we hope to initiate a conversation that understands their struggles and challenges to realistically initiate the re-imagination of data systems — digital and otherwise — one that is mindful about their everyday struggles with privacy and access.</p>
<p dir="ltr" style="text-align: justify; ">Owing to the history of systemic exclusions faced by transgender persons, it is important to highlight their difficulties in accessing technological systems and the impact on their privacy, as central issues that require serious consideration. Presently, their realities seem to be ignored by the State while designing most technology laws and policies governing digital systems.</p>
<h3 dir="ltr" style="text-align: justify; ">Background</h3>
<p><span id="docs-internal-guid-491cb7c5-7fff-049a-e44a-d55b71b690d7"> </span></p>
<p dir="ltr" style="text-align: justify; "><span>In the landmark verdict in 2014, NALSA Vs Union of India, the Supreme Court of India for the first time recognised the right of an individual to self-identify their gender as male, female or transgender. This verdict detailed nine directives to be implemented by the central and state governments in India for the inclusion of transgender persons.</span></p>
<p dir="ltr" style="text-align: justify; "><span>Similarly, 2017 was a watershed moment in India’s constitutional history when the Supreme Court held the right to privacy to be a fundamental right. More importantly, the Court expounded on this right and held that the protection of an individual’s gender identity is an essential component of the right to privacy and that privacy at its core includes the preservation of personal intimacies, autonomy, the sanctity of family life, marriage, procreation, the home and sexual orientation.</span></p>
<p dir="ltr" style="text-align: justify; "><span>The 2017 privacy judgement led to the Supreme Court pronouncing the </span><span>Navtej Johar v Union of India in 2018</span><span>, striking down the </span><span>Koushal </span><span>judgement and decriminalising acts of consensual non-hetrosexual acts of intimacy. In 2019, the Personal Data Protection Bill, 2019 was introduced in Parliament for the regulation and protection of personal data. The PDP Bill classifies data into two categories as (i) personal data; and (ii) sensitive personal data. As per the PDP Bill, data identifying the transgender status and intersex status falls within the ambit of sensitive personal data. Around the time of the PDP Bill being tabled in Parliament, the Transgender Persons (Protection of Rights) Act 2019 was passed by the Parliament despite </span><a href="https://scroll.in/article/944943/explainer-despite-criticism-the-transgender-persons-bill-was-just-passed-whats-next"><span>severe opposition</span></a><span> to the Bill from civil society members as well as members of Parliament.</span></p>
<p dir="ltr" style="text-align: justify; "><span>There is a lack of clarity on the interplay between the PDP Bill and the Transgender Act and the challenges the PDP Bill may pose to the transgender community. Moving beyond mere mentions in the definition of the law through a cisgendered heteronormative lens, it is important for the discourse on data and privacy to broaden its scope to realistically include people of different sexual orientations, gender and sexual identities, gender expressions and sex characteristics.</span></p>
<h3><span>About the Event</span></h3>
<p dir="ltr" style="text-align: justify; ">Through these panel discussions, we propose to highlight the concerns of transgender persons with accessing digital data systems and the privacy challenges faced by them . These challenges include access to their rights — their right to self-identify their gender and access welfare services offered by the State and the privacy challenges faced by transgender persons in revealing their identity.</p>
<p dir="ltr" style="text-align: justify; ">The objective of these discussions is to initiate more conversations about the technological and data exclusions faced by this historically marginalised community in India. The intent is to better understand the realities of transgender persons and contribute to the larger advocacy on privacy, intersectionality and (digital) systems design.</p>
<hr />
<p>Click to register for the event <a class="external-link" href="https://us06web.zoom.us/meeting/register/tZUpcOiqrD8uG9X_4L6EIzXI-QFCipmFqqDV"><b>here</b></a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/events/transference-reimagining-data-systems-beyond-the-gender-binary'>https://cis-india.org/internet-governance/events/transference-reimagining-data-systems-beyond-the-gender-binary</a>
</p>
No publishertorshaGender, Welfare, and PrivacyEventInternet Governance2021-12-15T12:58:31ZEventLaunching CIS’s Flagship Report on Private Crypto-Assets
https://cis-india.org/internet-governance/blog/launching-flagship-cis-report-on-private-crypto-assets
<b>The Centre for Internet & Society is launching its flagship report on regulating private crypto-assets in India, as part of its newly formed Financial Technology (or Fintech) research agenda. The event will be held on Zoom, at 17:30 IST on Wednesday, 15th December, 2021
</b>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;">This event will serve as a venue to bring together the various stakeholders involved in the crypto-asset space to discuss the state of crypto-asset regulation in India from a multitude of perspectives.</p>
<p style="text-align: justify;">This event will serve as a venue to bring together the various stakeholders involved in the crypto-asset space to discuss the state of crypto-asset regulation in India from a multitude of perspectives.</p>
<h3 style="text-align: justify;">About the private crypto-assets report</h3>
<p style="text-align: justify;">The first output under this agenda is our report on regulating private cryptocurrencies in India. This report aims to act as an introductory resource for policymakers who are looking to implement a regulatory framework for private crypto-assets. The report covers the technical elements of crypto-assets, their history, proposed use cases as well as its benefits and limitations. It also examines how crypto-assets fit within India’s current regulatory and legislative frameworks and makes clear recommendations for the same.</p>
<h3 style="text-align: justify;">About the Event</h3>
<p style="text-align: justify;">The launch event will feature an initial presentation by researchers at CIS on the various findings and recommendations of its flagship report. This will be followed by a moderated discussion with 5 panelists who represent the space in policy, academia and industry. The discussion will be centered around the current status of crypto-assets in India, the government’s new proposed regulations and what the future holds for the Indian crypto market.</p>
<p dir="ltr">The confirmed panelists are as follows:</p>
<ol>
<li>Tanvi Ratna - Founder, Policy 4.0 and expert on blockchain and cryptocurrencies</li>
<li>Shehnaz Ahmed - Senior Resident Fellow and Fintech Lead at Vidhi Centre for Legal Policy</li>
<li>Nithya R. - Chief Executive Officer, Unos.Finace</li>
<li>Prashanth Irudayaraj - Head of R&D, Zebpay</li>
<li>Vipul Kharbanda - Non resident Fellow specialising in Fintech at CIS</li>
<li>Aman Nair - Policy Offer, CIS (Moderator)</li></ol>
<p>Registration link: <a class="external-link" href="https://us06web.zoom.us/webinar/register/WN_TdY-EPLoRvGY2rfsq4CENw">https://us06web.zoom.us/webinar/register/WN_TdY-EPLoRvGY2rfsq4CENw</a></p>
<h3>Agenda</h3>
<table class="grid listing">
<tbody>
<tr>
<td>17.30 - 17.35</td>
<td>Welcome Note</td>
</tr>
<tr>
<td>17.35 - 18.35</td>
<td>
<p>The status of private crypto assets in India</p>
<ul>
<li>Presentation on CIS’ flagship Report on regulating private crypto-assets in India</li>
<li style="text-align: justify;">Moderated discussion with panelists across industry, government, journalism and academia providing their insight as to the current and future state of private crypto-assets, and their regulation, in India.</li></ul>
</td>
</tr>
<tr>
<td>18.35 - 19.00</td>
<td>Audience questions and discussion</td>
</tr>
</tbody>
</table>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/launching-flagship-cis-report-on-private-crypto-assets'>https://cis-india.org/internet-governance/blog/launching-flagship-cis-report-on-private-crypto-assets</a>
</p>
No publisherAman NairInternet GovernanceCryptocurrencies2021-12-13T09:11:18ZBlog EntryLaunching CIS’s Flagship Report on Private Crypto-Assets
https://cis-india.org/internet-governance/events/launching-cis-flagship-report-on-private-crypto-assets
<b>The Centre for Internet & Society is launching its flagship report on regulating private crypto-assets in India, as part of its newly formed Financial Technology (or Fintech) research agenda. This event will serve as a venue to bring together the various stakeholders involved in the crypto-asset space to discuss the state of crypto-asset regulation in India from a multitude of perspectives.</b>
<h3>About the private crypto-assets report</h3>
<p style="text-align: justify; ">The first output under this agenda is our report on regulating private cryptocurrencies in India. This report aims to act as an introductory resource for policymakers who are looking to implement a regulatory framework for private crypto-assets. The report covers the technical elements of crypto-assets, their history, proposed use cases as well as its benefits and limitations. It also examines how crypto-assets fit within India’s current regulatory and legislative frameworks and makes clear recommendations for the same.</p>
<h3 style="text-align: justify; ">About the Event</h3>
<p dir="ltr" style="text-align: justify; ">The launch event will feature an initial presentation by researchers at CIS on the various findings and recommendations of its flagship report. This will be followed by a moderated discussion with 5 panelists who represent the space in policy, academia and industry. The discussion will be centered around the current status of crypto-assets in India, the government’s new proposed regulations and what the future holds for the Indian crypto market.</p>
<p dir="ltr" style="text-align: justify; ">The confirmed panelists are as follows:</p>
<ol>
<li>Tanvi Ratna - Founder, Policy 4.0 and expert on blockchain and cryptocurrencies </li>
<li>Shehnaz Ahmed - Senior Resident Fellow and Fintech Lead at Vidhi Centre for Legal Policy </li>
<li>Nithya R. - Chief Executive Officer, Unos.Finace </li>
<li>Prashanth Irudayaraj - Head of R&D, Zebpay </li>
<li>Vipul Kharbanda - Non resident Fellow specialising in Fintech at CIS </li>
<li>Aman Nair - Policy Offer, CIS (Moderator) </li>
</ol>
<p>Registration link: <a class="external-link" href="https://us06web.zoom.us/webinar/register/WN_TdY-EPLoRvGY2rfsq4CENw">https://us06web.zoom.us/webinar/register/WN_TdY-EPLoRvGY2rfsq4CENw</a></p>
<h3>Agenda</h3>
<table class="plain">
<tbody>
<tr>
<td>17.30 - 17.35</td>
<td>Welcome Note</td>
</tr>
<tr>
<td>17.35 - 18.35</td>
<td>
<p>The status of private crypto-assets in India</p>
<ul>
<li>Presentation on CIS’ flagship Report on regulating private crypto-assets in India</li>
<li>Moderated discussion with panelists across industry, government, journalism and academia providing their insight as to the current and future state of private crypto-assets, and their regulation, in India.</li>
</ul>
</td>
</tr>
<tr>
<td>18.35 - 19.00</td>
<td>Audience questions and discussion</td>
</tr>
</tbody>
</table>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/events/launching-cis-flagship-report-on-private-crypto-assets'>https://cis-india.org/internet-governance/events/launching-cis-flagship-report-on-private-crypto-assets</a>
</p>
No publisherAdminInternet GovernanceEventCryptocurrenciesWebinar2021-12-03T15:16:27ZEvent