The Personal Data Protection Bill, 2019 vs. GDPR: Provisions for the rights of the child and its implications

This post is authored by Puja Nair

The debate on privacy rose to the forefront after the Supreme Court passed a judgement in the case of Justice K.S Puttaswamy (Retd.) v. Union of India, where the Court held that the right to privacy was an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution of India. In arriving at this conclusion, the Court examined a wide range of privacy-related issues and held that the right to privacy included the right to personal autonomy over a wide range of domains in a person’s life.

While the above decision seems obvious in its simplicity, complications arise when one considers that a child or adolescent may not understand the consequences of their individual choices. When taken in the context of online data privacy, it is safe to say that children may be unaware of the exact manner in which any data that they share online is put to use. The report submitted by the committee of experts under the chairmanship of Justice B.N Srikrishna clearly endorses this belief.

Clause 16 of the Indian Personal Data Protection Bill, 2019 (‘PDPB 2019’), which was tabled in parliament on December 11, 2019, deals with the processing of personal and sensitive personal data of children. It states categorically that every data fiduciary shall “process the personal data of a child in a manner that protects the rights of, and is in the best interests of, the child.” It further states that a data fiduciary shall only process the personal data of a child, after verifying their age and obtaining the consent of their parent or guardian, in the manner specified by future regulations.

Based on this provision, the primary question that arises is, who is a child as per the PDPB 2019? According to the provisions of the bill, a child is someone who “has not completed the age of 18 years.” This is distinct from the data protection statutes passed in other jurisdictions. The EU General Data Protection Rules (‘GDPR’) specifies that the age limit on the definition of ‘child’ may be up to the discretion of individual member states and can be anywhere between 13-16 years. The US Children’s Online Privacy Protection Act, 1998 on the other hand, puts the age limit at a firm 13 years. Notwithstanding the above, the PDPB 2019 specifies 18 as the age of majority. This was done to ensure that the provisions of the bill would be in conformity with the prevailing laws of the country.

The adoption of a singular age of majority serves to prevent confusion and conflict between the laws in the country, however, it also serves to underestimate the awareness and advancement of today’s youth. An example of this understanding was espoused by the Madras High Court in the case of Sabari Sabarinathan Sabarivasan v. State Commission for Protection of Child Rights and Ors. This judgment examines existing flaws in the Protection of Children from Sexual Offences (POCSO) Act, 2012 and recommends a change in the definition of the term ‘child,’ so that a consensual relationship between a girl above 16 years of age and a boy between 16 to 21 years of age, would not attract the draconian provisions of the law. The drafters of the PDPB 2019 could have taken a similar view, rather than conforming with the provisions of a statute like the Indian Contract Act or the Indian Majority Act, both of which were enacted in the late-1800’s. Furthermore, a 2019 study conducted among 630 adolescents across 8 schools in the nation’s capital, revealed that 60 per cent of the boys and 40 per cent of the girls, owned their own device while almost half reportedly used two or more devices to access the Internet. The numbers have no doubt increased since then and the COVID-19 crises has further accelerated the adoption of online services for both education and entertainment. This means that mandating a guardian’s consent for anyone below the age of 18 years could very well result in some data fiduciaries inadvertently being on the wrong side of the law.

Another question raised by Clause 16 of the PDPB 2019, is the determination of what constitutes the best interests of the child. The bill does not specify how this is to be determined; however, subclause 5 of Clause 16 categorizes certain types of data processing like behavioural monitoring, tracking, and targeted advertising as harmful for children.

We then come to the requirement for age verification and parental consent. The provisions of the bill do not explore this in detail. It merely states that the process of acquiring such consent and/or verification will be specified in further rules, after taking into account factors like the volume of personal data processed, the proportion of such personal data likely to be that of a child, the potential of harm that may occur to said child as a result of the processing of his/her personal data etc.

Regardless, one issue that may arise when it comes to consent is the question of capacity. Clause 11 of the PDPB 2019 states that among other things, consent must be free and informed. However, parents cannot provide such free and informed consent on behalf of their children, if they do not understand the terms and conditions provided in the policies of these websites. In many instances, we find that children possess a much greater awareness of current technology trends and their implications. Additional issues arise when we consider the concept of free choice. However, the fact of the matter is that if one wants to register with any of the popular online apps and services available, one inevitably has to agree with their terms and conditions, regardless of any reservations one might have. Therefore, the concept of consent being “freely given” is rendered pointless.

GDPR and the European Union

Article 8 of the GDPR states that where there is an offer of “information society service directly to a child” the processing of personal data of said child shall be lawful, where the child is at least 16 years old. If the child is below the age of 16 years, such processing shall be lawful only if consent has been obtained by the “holder of parental responsibility over the child.”Member States can provide for a lower age limit, provided it is not below 13 years of age. The provision further provides that “reasonable efforts” must be made to verify that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

Article 8 is the principal provision relating to the protection of children’s personal data in the GDPR. There are other provisions that mandate the type of measures that must be taken for the protection of the personal data of a child. For example, when obtaining data from a child, data controllers must ensure that any information on the processing of such data, should be in clear and plain terms for a child to easily understand. The GDPR also provides for the ‘right of erasure’ for children’s personal data. This is particularly relevant in cases where the data subject may have provided their consent as a child, without being fully aware of the risks involved and now seek the erasure of such personal data. Clause 16 of the PDPB, which relates to the processing of personal data of children, closely mirrors Article 8 of the GDPR. To that end, this post will be limited to an examination of Article 8 of the GDPR to examine the potential pitfalls that await in the implementation of Clause 16 of PDPB 2019.

Article 8 applies only to information society services offered directly to a child. Information society services or ISS is any service that is provided at a distance, by electronic means, and at the individual request of a recipient of the services. The definition also includes the requirement that the service be one that is provided in exchange for “remuneration”. However, the majority of online services that teenagers have access to do not directly require remuneration from the users. Common examples of this include popular social media sites like Facebook, Instagram etc. For this reason, the phrase “remuneration” is interpreted broadly by the European Court of Justice (‘ECJ’). The Court has held that “the essential characteristic of remuneration […] lies in the fact that it constitutes consideration for the service in question and is normally agreed upon between the provider and the recipient of the service’’. It is not essential that the recipient of the services provide the consideration. It is only essential for the consideration to have been received by the service provider. Subsequent rulings specified that such services may also include services provided by a non-profit organization, services involving an element of chance, and services that are of a recreational or sporting nature.

Some confusion may arise in situations where the ISS has both online and offline components. In such cases one must determine whether or not the online component is integral to the nature of the service provided. If it is not integral, then such services cannot be categorized as an ISS. While these cases provide some clarity, it is clear that the definition and scope of what constitutes an ISS will continue to evolve with the evolution of technology. This is in direct contrast to the definition of a data fiduciary in the PDPB 2019, which is much more straightforward. The bill defines a data fiduciary as “any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.”

Further, much like Clause 16 of the PDPB 2019, the drafting of Article 8 raises questions on what constitutes proper consent and how such consent can be appropriately verified. Some of these questions have been delineated above in the Indian context and are also applicable here. The European Data Protection Board (‘EDPB’) have addressed these issues in its guidelines on consent under issued under the GDPR. The guidelines state that if a data subject consents because they feel they have no real choice, then the consent is not valid. The guidelines also specify certain situations where the existence of an imbalance of power between the data subject and the controller, would render consent invalid. It further provides that consent would not be considered to be “freely given” if the consent was bundled with the acceptance of the terms and conditions of a website. Additionally, when it comes to the issue of capacity, the guidelines provide that for the consent to be informed, the data subject, or the individual having parental responsibility over the data subject, must have knowledge of the controller’s identity, knowledge of the purpose of each of the processing operations for which consent is sought, knowledge of the type of data collected and used, and knowledge of the existence of the right to withdraw consent.

Finally, even if the validity of consent is established, there is no provision to determine whether the person providing such consent is qualified to do so. According to the provisions of Article 8, consent must be given by a holder of parental responsibility. Does this include even individuals who are acting in loco parenti? For example, in the US, schools may act on the parents’ behalf in an educational context, when personal data is collected from the students for the use and benefit of the school. Further, once this consent is obtained, how is it to be verified? The GDPR has merely required that the controller take “reasonable efforts” to verify said consent. This means that in situations where consent was not verifiable, the controller could still rely on the un-verified consent so long as they prove that “reasonable” efforts were made to verify the same. Fortunately, the EDPB Guidelines on consent fills this gap in Article 8 by recommending two types of verification mechanisms for high-risk and low-risk categories respectively. In the low-risk category, verification of parental consent via email was held to be sufficient. In the high-risk category, it was recommended that further proof of consent would need to be acquired. Trusted third-party verification services were also recommended, to minimise the amount of personal data the controller had to process itself.

Conclusion

The examination of the GDPR provisions clearly shows that numerous issues have arisen in the course of its implementation. These issues have been resolved on a case-by-case basis by courts and other authorities. However, these solutions are remedial and not preventative. One preventative approach is the implementation of principles like data protection by design and default as specified in Article 25 of the GDPR. Data protection by design ensures that privacy and data protection issues are considered at the design phase of any system, service or product and then implemented throughout the lifecycle of the same. Data protection by default limits the type of data collected. It requires controllers to collect and process only such data as is necessary to achieve their specific purpose.

Data protection by design is a principle that is already enshrined in Clause 22 of the PDPB, which provides that every data fiduciary shall submit a privacy by design policy to the proposed Data Protection Authority (DPA) for approval and certification. The manner in which this is to be implemented and the standards of protection required for certification would be subject to future regulations. However, by requiring data fiduciaries engaged in the collection and processing of children’s data to adhere to a higher standard of data protection, the DPA could probably ensure the protection of children’s data regardless of any pitfalls in the practical implementation of Clause 16.

The above measure might not effectively solve the issues specified with the implementation of Clause 16. Notwithstanding these drawbacks, the provisions of this Bill might be the very first step in bringing India’s data protection thresholds at par with the rest of the world.


Search Engines and the Right to be Forgotten

This post is authored by Thulasi K. Raj.

In January 2021, Indian Kanoon, the legal case law database argued before the Kerala High Court that requiring de-indexing of search results in the guise of privacy rights under Article 21 of the Constitution of India restricts the right to free speech. The petitioner in this case was aggrieved by the display of personal details including his name and address on Google, via Indian Kanoon. This has rekindled the debate on the right to be forgotten (“RTBF”) and its ambit in the Indian legal framework. 

When we walk down the street, various personal identifiers such as one’s skin colour, approximate height, weight and other physical features are unconsciously communicated to others. It would be strange indeed, if the right to privacy required us to erase these memories, which we involuntarily capture in normal social life.

What makes digital memory different, however is its relative permanency. A digital device can store data more or less permanently. Schönberger explores how human forgetfulness is problematically replaced by perfect memory in his aptly titled bookDelete: The virtue of forgetting in the digital age.’ He rightly remarks that the “balance of remembering and forgetting has become inverted.” Remembering is now the default, “and forgetting, the exception.” If a derogatory news report from several years ago emerges in search results, it can momentarily damage one’s reputation and infringe upon privacy. This is where RTBF becomes significant.

Recital 65 of the EU’s General Data Protection Regulation (GDPR) acknowledges a “right to be forgotten”, i.e., for the personal data to be erased on certain occasions. One, where the data is no longer necessary in relation to the purpose for which it was collected. Two, where the particular individual has withdrawn their consent or objects to their data being processed or three, where the personal data does not comply with the GDPR. Recital 66 strengthens this right as it requires the data controller that made the personal data public, to inform other controllers that may also be processing the same personal data to also remove links or copies. 

The privacy argument behind the RTBF is that firstly, one must have control over one’s personal information. This includes personal details, contact information or search engine queries. Moreover, the individual,  according to Mantelero, has a right not to be reminded of her previous acts, “without being perpetually or periodically stigmatized as a consequence of a specific action.” It enables her to regain control over her past, to decide as to which parts of her information should be accessible to others and which not.

The decision by the European Court of Justice (‘ECJ’) in Google Inc. v. AEPD in 2014 brought the discussion on the RTBF to mainstream political and academic debate. In this case, one Mario Costeja González in Spain, found that when his name was searched on Google, the results included a newspaper announcement of a real estate auction for recovery of his social security debts. He approached Agencia Española de Protección de Datos (AEDP), the Spanish Data Protection Agency seeking removal of the information from Google. The claims against Google were allowed and Google appealed to the high court in Spain. The matter was then referred to the ECJ. The court recognised the RTBF under the 1995 EU Data Protection Directive, for the first time, and held that search engines must remove ‘inadequate, irrelevant, or excessive’ personal information about users. 

In India, clause 20 of the Personal Data Protection Bill, 2019 recognises RTBF when any of the three conditions are satisfied: when retention of information is unnecessary, consent given for disclosure of personal data is withdrawn, or when retention of data is illegal. Unlike the EU, adjudicating officers have to determine whether these conditions are met before ordering for withholding of the information. The Supreme Court has made references to RTBF in the Puttaswamy judgment. Various High Courts also have discussed this right while considering pleas of removal of information from search engine results. Although such pleas are allowed in some cases, it is difficult to find an authoritative judicial pronouncement affirmatively and comprehensively locating a right to be forgotten in the Indian legal framework. 

An objection against recognition of the RTBF is its conflict with the right to free speech, especially in jurisdictions like the US where search engines claim the right to free speech. For example, while search engines are required to cease retaining personal information, they often argue that such requirement violates their right to freedom of speech. They claim that the right to display information is part of the right to free speech since it involves collection, selection, arrangement and display of information. For instance, in Langdon v. Google Inc. in the United States, Google has argued that the kind of function the search engine engages is not fundamentally different from that of a newspaper editor who collects, sorts and publishes information, and is therefore entitled to a comparable right to free speech. 

In India, free speech rights of search engine companies are not categorically adjudicated on so far. The right to free speech is available to citizens alone under Article 19 of the Constitution. But the Supreme Court in Chiranjit Lal  Chowdhuri held that fundamental rights are available not only to citizens, but “corporate bodies as well.” The Court has also held in Delhi Cloth and General Mills that the free speech rights of companies are co-extensive to that of shareholders and denial of one can lead to denial of the other. This jurisprudence might enable search engine companies, such as Indian Kanoon in India to make a free speech argument.  However, the courts will be confronted with the critical question of how far search engine companies that collate information can be treated in par with companies engaged in printing and publishing newspapers.

The determination of the Indian Kanoon case will depend among other things on two aspects, from a rights perspective: firstly, whether and to what extent the court will recognise a right to be forgotten under the Indian law. This argument could rely on an expansive understanding of the right to privacy, especially informational privacy under Article 21 in the light of the Puttaswamy judgment. Secondly, whether search engines will be entitled to a free speech claim under Article 19. It remains to be seen what the implications of such a recognition will be, for search engines as well as for users. 

(The author is a practising lawyer and a DIGITAL Fellow at the Centre for Communication Governance at National Law University, Delhi).

The Future of Democracy in the Shadow of Big and Emerging Tech: CCG Essay Series

By Shrutanjaya Bhardwaj and Sangh Rakshita

In the past few years, the interplay between technology and democracy has reached a critical juncture. The untrammelled optimism for technology has now been shadowed by rising concerns over the survival of a meaningful democratic society. With the expanding reach of technology platforms, there have been increasing concerns in democratic societies around the world on the impact of such platforms on democracy and human rights. In this context, increasingly there has been focus on policy issues like  the need for an antitrust framework for digital platforms, platform regulation and free speech, the challenges of fake news, impact of misinformation on elections, invasion of privacy of citizens due to the deployment of emerging tech,  and cybersecurity. This has intensified the quest for optimal policy solutions. We, at the Centre for Communication Governance at National Law University Delhi (CCG), believe that a detailed academic exploration of the relationship between democracy, and big and emerging tech will aid our understanding of the current problems, help contextualise them and highlight potential policy and regulatory responses.

Thus, we bring to you this series of essays—written by experts in the domain—in an attempt to collate contemporary scholarly thought on some of the issues that arise in the context of the interaction of democracy, and big and emerging tech. The essay series is publicly available on the CCG website. We have also announced the release of the essay series on Twitter

Our first essay addresses the basic but critical question: What is ‘Big Tech’? Urvashi Aneja & Angelina Chamuah present a conceptual understanding of the phrase. While ‘Big Tech’ refers to a set of companies, it is certainly not a fixed set; companies become part of this set by exhibiting four traits or “conceptual markers” and—as a corollary—would stop being identified in this category if they were to lose any of the four markers. The first marker is that the company runs a data-centric model and has massive access to consumer data which can be leveraged or exploited. The second marker is that ‘Big Tech’ companies have a vast user base and are “multi-sided platforms that demonstrate strong network effects”. The third and fourth markers are the infrastructural and civic roles of these companies respectively, i.e., they not only control critical societal infrastructure (which is often acquired through lobbying efforts and strategic mergers and acquisitions) but also operate “consumer-facing platforms” which enable them to generate consumer dependence and gain huge power over the flow of information among citizens. It is these four markers that collectively define ‘Big Tech’. [U. Aneja and A. Chamuah, What is Big Tech? Four Conceptual Markers]

Since the power held by Big Tech is not only immense but also self-reinforcing, it endangers market competition, often by hindering other players from entering the market. Should competition law respond to this threat? If yes, how? Alok P. Kumar & Manjushree R.M. explore the purpose behind competition law and find that competition law is concerned not only with consumer protection but also—as evident from a conjoint reading of Articles 14 & 39 of the Indian Constitution—with preventing the concentration of wealth and material resources in a few hands. Seen in this light, the law must strive to protect “the competitive process”. But the present legal framework is too obsolete to achieve that aim. Current understanding of concepts such as ‘relevant market’, ‘hypothetical monopolist’ and ‘abuse of dominance’ is hard to apply to Big Tech companies which operate more on data than on money. The solution, it is proposed, lies in having ex ante regulation of Big Tech rather than a system of only subsequent sanctions through a possible code of conduct created after extensive stakeholder consultations. [A.P. Kumar and Manjushree R.M., Data, Democracy and Dominance: Exploring a New Antitrust Framework for Digital Platforms]

Market dominance and data control give an even greater power to Big Tech companies, i.e., control over the flow of information among citizens. Given the vital link between democracy and flow of information, many have called for increased control over social media with a view to checking misinformation. Rahul Narayan explores what these demands might mean for free speech theory. Could it be (as some suggest) that these demands are “a sign that the erstwhile uncritical liberal devotion to free speech was just hypocrisy”? Traditional free speech theory, Narayan argues, is inadequate to deal with the misinformation problem for two reasons. First, it is premised on protecting individual liberty from the authoritarian actions by governments, “not to control a situation where baseless gossip and slander impact the very basis of society.” Second, the core assumption behind traditional theory—i.e., the possibility of an organic marketplace of ideas where falsehood can be exposed by true speech—breaks down in context of modern era misinformation campaigns. Therefore, some regulation is essential to ensure the prevalence of truth. [R. Narayan, Fake News, Free Speech and Democracy]

Jhalak M. Kakkar and Arpitha Desai examine the context of election misinformation and consider possible misinformation regulatory regimes. Appraising the ideas of self-regulation and state-imposed prohibitions, they suggest that the best way forward for democracy is to strike a balance between the two. This can be achieved if the State focuses on regulating algorithmic transparency rather than the content of the speech—social media companies must be asked to demonstrate that their algorithms do not facilitate amplification of propaganda, to move from behavioural advertising to contextual advertising, and to maintain transparency with respect to funding of political advertising on their platforms. [J.M. Kakkar and A. Desai, Voting out Election Misinformation in India: How should we regulate Big Tech?]

Much like fake news challenges the fundamentals of free speech theory, it also challenges the traditional concepts of international humanitarian law. While disinformation fuels aggression by state and non-state actors in myriad ways, it is often hard to establish liability. Shreya Bose formulates the problem as one of causation: “How could we measure the effect of psychological warfare or disinformation campaigns…?” E.g., the cause-effect relationship is critical in tackling the recruitment of youth by terrorist outfits and the ultimate execution of acts of terror. It is important also in determining liability of state actors that commit acts of aggression against other sovereign states, in exercise of what they perceive—based on received misinformation about an incoming attack—as self-defence. The author helps us make sense of this tricky terrain and argues that Big Tech could play an important role in countering propaganda warfare, just as it does in promoting it. [S. Bose, Disinformation Campaigns in the Age of Hybrid Warfare]

The last two pieces focus attention on real-life, concrete applications of technology by the state. Vrinda Bhandari highlights the use of facial recognition technology (‘FRT’) in law enforcement as another area where the state deploys Big Tech in the name of ‘efficiency’. Current deployment of FRT is constitutionally problematic. There is no legal framework governing the use of FRT in law enforcement. Profiling of citizens as ‘habitual protestors’ has no rational nexus to the aim of crime prevention; rather, it chills the exercise of free speech and assembly rights. Further, FRT deployment is wholly disproportionate, not only because of the well-documented inaccuracy and bias-related problems in the technology, but also because—more fundamentally—“[t]reating all citizens as potential criminals is disproportionate and arbitrary” and “creates a risk of stigmatisation”. The risk of mass real-time surveillance adds to the problem. In light of these concerns, the author suggests a complete moratorium on the use of FRT for the time being. [V. Bhandari, Facial Recognition: Why We Should Worry the Use of Big Tech for Law Enforcement

In the last essay of the series, Malavika Prasad presents a case study of the Pune Smart Sanitation Project, a first-of-its-kind urban sanitation programme which pursues the Smart City Mission (‘SCM’). According to the author, the structure of city governance (through Municipalities) that existed even prior to the advent of the SCM violated the constitutional principle of self-governance. This flaw was only aggravated by the SCM which effectively handed over key aspects of city governance to state corporations. The Pune Project is but a manifestation of the undemocratic nature of this governance structure—it assumes without any justification that ‘efficiency’ and ‘optimisation’ are neutral objectives that ought to be pursued. Prasad finds that in the hunt for efficiency, the design of the Pune Project provides only for collection of data pertaining to users/consumers, hence excluding the marginalised who may not get access to the system in the first place owing to existing barriers. “Efficiency is hardly a neutral objective,” says Prasad, and the state’s emphasis on efficiency over inclusion and participation reflects a problematic political choice. [M. Prasad, The IoT-loaded Smart City and its Democratic Discontents]

We hope that readers will find the essays insightful. As ever, we welcome feedback.

This series is supported by the Friedrich Naumann Foundation for Freedom (FNF) and has been published by the National Law University Delhi Press. We are thankful for their support. 

The Right to be Forgotten – Examining Approaches in Europe and India

This is a guest post authored by Aishwarya Giridhar.

How far does the right to control personal information about oneself extend online? Would it extend, for example, to having a person’s name erased from a court order on online searches, or to those who have been subjected to revenge pornography or sexual violence such that pictures or videos have non-consensually been shared online? These are some questions that have come up in Indian courts and are some of the issues that jurisprudence relating to the ‘right to be forgotten’ seeks to address. This right is derived from the concepts of personal autonomy and informational self-determination, which are core aspects of the right to privacy. They were integral to the Indian Supreme Court’s conception of privacy in Puttaswamy vs. Union of India which held that privacy was a fundamental right guaranteed by the Indian Constitution. However, privacy is not an absolute right and needs to be balanced with other rights such as freedom of expression and access to information, and the right to be forgotten tests the extent to which the right to privacy extends.

On a general level, the right to be forgotten enables individuals to have personal information about themselves removed from publicly available sources under certain circumstances. This post examines the right to be forgotten under the General Data Protection Regulation (GDPR) in Europe, and the draft Personal Data Protection Bill, 2019 (PDP Bill) in India.

What is the right to be forgotten?

The right to be forgotten was brought into prominence in 2014 when the European Court of Justice (ECJ) held that users can require search engines to remove personal data from search results, where the linked websites contain information that is “inadequate, irrelevant or no longer relevant, or excessive.” The Court recognised that search engines had the ability to significantly affect a person’s right to privacy since it allowed any Internet user to obtain a wide range of information on a person’s life, which would have been much harder or even impossible to find without the search engine. 

The GDPR provides statutory recognition to the right to be forgotten in the form of a ‘right to erasure’ (Article 17). It provides data subjects the right to request controllers to erase personal data in some circumstances, such as when the data is no longer needed for their original processing purpose, or when the data subject has withdrawn her consent or objected to data processing. In this context, the data subject is the person to whom the relevant personal data relates, and the controller is the entity which determines how and why the data would be processed. Under this provision, the controller would be required to assess whether to keep or remove information when it receives a request from data subjects.

In comparison, clause 20 of India’s Personal Data Protection Bill (PDP Bill), which proposes a right to be forgotten, allows data principals (similar to data subjects) to require data fiduciaries (similar to data controllers) to restrict or prevent the disclosure of personal information. This is possible where such disclosure is no longer necessary, was made on the basis of consent which has since been withdrawn, or was made contrary to law. Unlike the GDPR, the PDP Bill requires data subjects to approach Adjudicating Officers appointed under the legislation to request restricted disclosure of personal information. The rights provided under both the GDPR and PDP Bill are not absolute and are limited by the freedom of speech and information and other specified exceptions. In the PDP Bill, for example, some of the factors the Adjudicating Officer is required to account for are the sensitivity of the data, the scale of disclosure and how much it is sought to be restricted, the role of the data principal in public life, and the relevance of the data to the public. 

Although the PDP Bill, if passed, would be the first legislation to recognise this right in India, courts have provided remedies that allow for removing personal information in some circumstances. Petitioners have approached courts for removing information in cases ranging from matrimonial disputes to defamation and information affecting employment opportunities, and courts have sometimes granted the requested reliefs. Courts have also acknowledged the right to be forgotten in some cases, although there have been conflicting orders on whether a person can have personal information redacted from judicial decisions available on online repositories and other sources. In November last year, the Orissa High Court also highlighted the importance of the right to be forgotten for persons who’s photos and videos have been uploaded online, without  their consent, especially in the case of sexual violence. These cases also highlight why it is essential that this right is provided by statute, so that the extent of protections offered under this right, as well as the relevant safeguards can be clearly defined.

Intersections with access to information and free speech

The most significant criticisms of the right to be forgotten stem from its potential to restrict speech and access to information. Critics are concerned that this right will lead to widespread censorship and a whitewashing of personal histories when it comes to past crimes and information on public figures, and a less free and open Internet. There are also concerns that global takedowns of information, if required by national laws, can severely restrict speech and serve as a tool of censorship. Operationalising this right can also lead to other issues in practice.

For instance, the right framed under the GDPR requires private entities to balance the right to privacy with the larger public interest and the right to information. Two cases decided by the ECJ in 2019 provided some clarity on the obligations of search engines in this context. In the first, the Court clarified that controllers are not under an obligation to apply the right globally and that removing search results for domains in the EU would suffice. However, it left the option open for countries to enact laws that would require global delisting. In the second case, among other issues, the Court identified some factors that controllers would need to account for in considering requests for delisting. These included the nature of information, the public’s interest in having that information, and the role the data subject plays in public life, among others. Guidelines framed by the Article 29 Working Party, set up under the GDPR’s precursor also provide limited, non-binding guidance for controllers in assessing which requests for delisting are valid.

Nevertheless, the balance between the right to be forgotten and competing considerations can still be difficult to assess on a case-by-case basis. This issue is compounded by concerns that data controllers would be incentivised to over-remove content to shield themselves from liability, especially where they have limited resources. While larger entities like Google may have the resources to be able to invest in assessing claims under the right to be forgotten, this will not be possible for smaller platforms. There are also concerns that requiring private parties to make such assessments amounts to the ‘privatisation of regulation’, and the limited potential for transparency on erasures remove an important check against over-removal of information. 

As a result of some of this criticism, the right to be forgotten is framed differently under the PDP Bill in India. Unlike the GDPR, the PDP Bill requires Adjudicating Officers and not data fiduciaries to assess whether the rights and interests of the data principal in restricting disclosure overrides the others’ right to information and free speech. Adjudicating Officers are required to have special knowledge of or professional experience in areas relating to law and policy, and the terms of their appointment would have to ensure their independence. While they seem better suited to make this assessment than data fiduciaries, much of how this right is implemented will depend on whether the Adjudicating Officers are able to function truly independently and are adequately qualified. Additionally, this system is likely to lead to long delays in assessment, especially if the quantum of requests is similar to that in the EU. It will also not address the issues with transparency highlighted above. Moreover, the PDP Bill is not finalised and may change significantly, since the Joint Parliamentary Committee that is reviewing it is reportedly considering substantial changes to its scope.

What is clear is that there are no easy answers when it comes to providing the right to be forgotten. It can provide a remedy in some situations where people do not currently have recourse, such as with revenge pornography or other non-consensual use of data. However, when improperly implemented, it can significantly hamper access to information. Drawing lessons from how this right is evolving in the EU can prove instructive for India. Although the assessment of whether or not to delist information will always subjective to some extent, there are some steps that can be taken provide clarity on how such determinations are made. Clearly outlining the scope of the right in the relevant legislation, and developing substantive standards that are aimed at protecting access to information, that can be used in assessing whether to remove information are some measures that can help strike a better balance between privacy and competing considerations.

Addition of US Privacy Cases on the Privacy Law Library

This post is authored by Swati Punia.

We are excited to announce the addition of privacy jurisprudence from the United States’ Supreme Court on the Privacy Law Library. These cases cover a variety of subject areas from the right against intrusive search and seizure to the right to abortion and right to sexual intimacy/ relationships. You may access all the US cases on our database, here.

(The Privacy Law Library is our global database of privacy law and jurisprudence, currently containing cases from India, Europe (ECJ and ECtHR), the United States, and Canada.)

The Supreme Court of the US (SCOTUS) has carved out the right to privacy from various provisions of the US constitution, particularly the first, fourth, fifth, ninth and fourteenth amendments to the US constitution. The Court has included the right to privacy in varying contexts through an expansive interpretation of the constitutional provisions. For instance, the Court has read privacy rights into the first amendment for protecting private possession of obscene material from State intrusion; the fourth amendment for protecting privacy of the person and possessions from unreasonable State intrusion; and the fourteenth amendment which recognises an individual’s decisions about abortion and family planning as part of their right of liberty that encompasses aspects of privacy such as dignity and autonomy under the amendment’s due process clause.

The right to privacy is not expressly provided for in the US constitution. However, the Court identified an implicit right to privacy, for the very first time, in Griswold v. Connecticut(1965) in the context of the right to use contraceptives/ marital privacy. Since then, the Court has extended the scope to include, inter alia, reasonable expectation of privacy against State intrusion in Katz v. United States (1967), abortion rights of women in Roe v. Wade (1973), and right to sexual intimacy between consenting adults of the same-sex in Lawrence v. Texas (2003). 

The US privacy framework consists of several privacy laws and regulations developed at both the federal and state level. As of now, the US privacy laws are primarily sector specific, instead of a single comprehensive federal data protection law like the European Union’s General Data Protection Regulation (GDPR) and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). However, there are certain states in the US like California that have enacted comprehensive privacy laws, comparable to the GDPR and PIPEDA. The California Consumer Privacy Act (CCPA) which came into effect on January 1, 2020 aims to protect consumers’ privacy across industry. It codifies certain rights and remedies for consumers, and obligations for entities/businesses. One of its main aims is to provide consumers more control over their data by obligating businesses to ensure transparency about how they collect, use, share and sell consumer data. 

To know more about the status of the right to privacy in the US, refer to our page here. Some of the key privacy cases from the SCOTUS on our database are – Griswold vs. Connecticut, Time INC vs. Hill, Roe vs. Wade, Katz vs. United States, and Stanley vs. Georgia.

A Brief Look at the Tamil Nadu Cyber Security Policy 2020

This post is authored by Sharngan Aravindakshan.

The Tamil Nadu State Government (State Government) released the Tamil Nadu Cyber Security Policy 2020 (TNCS Policy) on September 19, 2020. It has been prepared by the Electronics Corporation of Tamil Nadu (ELCOT), a public sector undertaking which operates under the aegis of the Information Technology Department of the Government of Tamil Nadu. This post takes a brief look at the TNCS Policy and its impact on India’s cybersecurity health.

The TNCS Policy is divided into five chapters –

  1. Outline of Cyber Security Policy;
  2. Security Architecture Framework – Tamil Nadu (SAF-TN);
  3. Best Practices – Governance, Risk Management and Compliance);
  4. Computer Emergency Response Team – Tamil Nadu (CERT-TN)); and
  5. Chapter-V (Cyber Crisis Management Plan).

Chapter-I, titled ‘Outline of Cyber Security Policy’, contains a preamble which highlights the need for the State Government to have a cyber security policy. Chapter-I also lays out the scope and applicability of the TNCS Policy, which is that it is applicable to ‘government departments and associated agencies’, and covers ‘Information Assets that may include Hardware, Applications and Services provided by these Agencies to other Government Departments, Industry or Citizens’. It also applies to ‘private agencies that are entrusted with State Government work’ (e.g. contractors, etc.), as well as ‘Central Infrastructure and Personnel’ who provide services to the State Government, which is likely a reference to Central Government agencies and personnel.

Notably, the TNCS Policy does not define ‘cyber security’, choosing to define ‘information security management’ (ISM)  instead. ISM is defined as involving the “planning, implementation and continuous Security controls and measures to protect the confidentiality, integrity and availability of Information Assets and its associated Information Systems”. Further, it states that Information security management also includes the following elements –

(a) Security Architecture Framework – SAF-TN;

(b) Best Practices for Governance, Risk Management and Compliance (GRC);

(c) Security Operations – SOC-TN;

(d) Incident Management – CERT-TN;

(e) Awareness Training and Capability Building;

(f) Situational awareness and information sharing.

The Information Technology Department, which is the nodal department for IT security in Tamil Nadu, has been assigned several duties with respect to cyber security including establishing and operating a ‘Cyber Security Architecture for Tamil Nadu’ (CSA-TN) as well as a Security Operations Centre (SOC-TN) and a state Computer Emergency Response Team (CERT-TN). Its other duties include providing safe hosting for Servers, Applications and Data of various Departments /Agencies, advising on government procurement of IT and ITES, conducting training programmes on cyber security as well as formulating cyber security related policies for the State Government. Importantly, the TNCS Policy also mentions the formulation of a ‘recommended statutory framework for ensuring legal backing of the policies’. While prima facie it seems that cyber security will have more Central control than State, given the nature of these documents, any direct conflict is in any case unlikely.

Chapter-II gives a break-up of the Cyber Security Architecture of Tamil Nadu (CSA-TN). The CSA-TN’s constituent components are (a) Security Architecture Framework (SAF-TN), (b) Security Operations Centre (SOC-TN), (c) Cyber Crisis Management Plan (CCMP-TN) and (d) the Computer Emergency Response Team (CERT-TN). It clarifies that the “Architecture” defines the overall scope of authority of the cyber security-related agencies in Tamil Nadu, and also that while the policy will remain consistent, the Architecture will be dynamic to meet evolving technological challenges.

Chapter-III deals with best practices in governance, risk management and compliance, and broadly covers procurement policies, e-mail retention policies, social media policies and password policies for government departments and entities. With respect to procurement policies, it highlights certain objectives, such as building trusted relationships with vendors for improving end-to-end supply chain security visibility and encouraging entities to adopt guidelines for the procurement of trustworthy ICT products. However, the TNCS Policy also specifies that it is not meant to infringe or supersede existing policies such as procurement policies.

On the subject of e-mails, it emphasizes standardizing e-mail retention periods on account of the “need to save space on e-mail server(s)” and the “need to stay in line with Federal and Industry Record e-Keeping Regulations”. E-mail hygiene has proved to be essential especially for government organizations, given that the malware discovered in one of the nuclear facilities situated in Tamil Nadu (nuclear facilities) is believed to have entered the systems through a phishing email. However, surprisingly, other than e-mail retention, the TNCS Policy does not deal with e-mail safety practices. For instance, the Information Security Best Practices released by the Ministry of Home Affairs provides a more comprehensive list of good practices for email communications which includes specific sections on email communications and social engineering. These do not find mention in the TNCS Policy.

On social media policies, the TNCS Policy makes it clear that it prioritizes the ‘online reputation’ of its departments. However, Employees are advised against reacting online and pass on this information to the official spokesperson for an appropriate response. The TNCS Policy also counsels proper disclosure where personal information is collected through online social media platforms. Some best practices for safe passwords are also detailed, such as password age (no reuse of any of the last ten passwords, etc.) and length (passwords may be required to have a minimum number of characters, etc.).

Chapter-IV highlights the roles and responsibilities of the Computer Emergency Response Team – Tamil Nadu (CERT-TN). It specifies that CERT-TN is the nodal agency responsible for implementing the Security Architecture Framework, and for monitoring, detecting, assessing and responding to cyber vulnerabilities, cyber threats, incidents and also demonstrate cyber resilience. The policy also recognizes that CERT-TN is the statutory body that is authorized to issue directives, guidelines and advisories to government departments. It will also establish, operate and maintain the Information Security Management systems for the State Government.

CERT-TN will also coordinate with the National or State Computer Security Incident Response Teams (CSIRTs), government agencies, law enforcement agencies, and research labs. However, the “Coordination Centre” (CoC) is the designated nodal intermediary between the CERT-TN and governmental departments, CERT-In, State CERTs, etc. under the TNCS Policy.  The CoC will also be responsible for monitoring responses to service requests, delivery timelines and other performance related issues for the CERT-TN. The TNCS Policy makes it clear that Incident Handling and Response (IHR) will be as per Standard Operation Process Manuals (prepared by CERT-TN) that will be regularly reviewed and updated. ‘Criticality of the affected resource” will determine the priority of the incident.

Significantly, Chapter-IV also deals with vulnerability disclosures and states that vulnerabilities in e-Governance services will only be reported to CERT-TN or the respective department if they relate to e-Governance services offered by the Government of Tamil Nadu, and will not be publicly disclosed until a resolution is found. Other vulnerabilities may be disclosed to the respective vendors as well. An upper limit of 30 days is prescribed for resolving reported vulnerabilities. An ‘Incident Reporter’ reporting in good faith will not be penalized “provided he cooperates with the stakeholders in resolving the vulnerability and minimizing the impact”, and the Incident Reporter’s contribution in vulnerability discovery and resolution will be publicly credited by CERT-TN.

Chapter-IV also mandates regular security assessments of the State Government’s departmental assets, a help-desk for reporting cyber incidents, training and awareness both for CERT-TN, as well as by CERT-TN for other departments. Departments will also be graded by “maturity of Cyber Security Practices and Resilience Strength by the Key Performance Indicators”. However, these indicators are not specified in the policy itself.

Chapter-V is titled ‘Cyber Crisis Management Plan’ (CCMP), meant for  countering cyber-attacks and cyber terrorism. It envisages establishing a strategic framework and actions to prepare for, respond to, and begin to coordinate recovery from a Cyber-Incident, in the form of guidelines. ‘Detect’(ing) cyber-incidents is noticeably absent in this list of verbs, especially considering the first chapter which laid emphasis on the CERT-TN’s role in “Monitoring, Detecting, Assessing and Responding” to cyber vulnerabilities and incidents.

In conformity with CERT-In’s Cyber Crisis Management Plan for Countering Cyber Attacks and Cyber Terrorism which requires ministries / departments of State governments and Union Territories to draw up their own sectoral Cyber Crisis Management Plans in line with CERT-In’s plan, the TNCS Policy establishes the institutional architecture for implementing such plan.  The TNCS Policy contemplates a ‘Crisis Management Group’ (CMG) for each department, constituted by the Secretary to the Government (Chairman), Heads of all organizations under the administrative control of the department and the Chief Information Security Officers (CISO)/Deputy CISOs within the department. It will be the task of the CMG to prepare a contingency plan in consultation with CERT-In, as well as coordinate with CERT-In in crisis situations. The TNCS Policy also envisions a ‘Crisis Management Cell’ (CMC), under the supervision of the CMG. The CMC will be constituted by the head of the organization, CISO, head of HR/admin and the person In-charge of the IT Section. The TNCS Policy also requires each organization to nominate a CISO, preferably a senior officer with adequate IT experience. The CMC’s priority is to prepare a plan that would ensure continuity of operations and speedy restoration of an acceptable level of service.

Observations

The TNCS Policy is a positive step, with a whole-of-government approach towards increasing governmental cyber security at the State government level. However, its applicability is restricted to governmental departments and their suppliers / vendors / contractors. It does not, therefore, view cyber security as a broader ecosystem that requires each of its stakeholders including the public sector, private sector, NGOs, academia, etc. to play a role in the maintenance of its security and recognize their mutual interdependence as a key feature of this domain.

Given the interconnected nature of cyberspace, cyber security cannot be achieved only through securing governmental assets. As both the ITU National Cybersecurity Strategy Guide and the NATO CCDCOE Guidelines recommend, it requires the creation and active participation of an equally robust private industry, and other stakeholders. The TNCS Policy does not concern itself with the private sector at large, beyond private entities working under governmental contracts. It does not set up any initiatives, nor does it create any incentives for its development. It also does not identify any major or prevalent cyber threats, specify budget allocation for implementing the policy or establish R&D initiatives at the state level. No capacity building measures are provided for, beyond CERT-In’s training and awareness programs.

Approaching cyber security as an ecosystem, whose maintenance requires the participation and growth of several stakeholders including the private sector and civil society organisations, and then using a combination of regulation and incentives, may be the better way.

CJEU sets limits on Mass Communications Surveillance – A Win for Privacy in the EU and Possibly Across the World

This post has been authored by Swati Punia

On 6th October, the European Court of Justice (ECJ/ Court) delivered its much anticipated judgments in the consolidated matter of C-623/17, Privacy International from the UK and joined cases from France, C-511/18, La Quadrature du Net and others, C-512/18, French Data Network and others, and Belgium, C-520/18, Ordre des barreaux francophones et germanophone and others (Collectively “Bulk Communications Surveillance Judgments”). 

In this post, I briefly discuss the Bulk Communication Surveillance Judgments, their significance for other countries and for India. 

Through these cases, the Court invalidated the disproportionate interference by Member States with the rights of their citizens, as provided by EU law, in particular the Directive on privacy and electronic communications (e-Privacy Directive) and European Union’s Charter of Fundamental Rights (EU Charter). The Court assessed the Member States’ bulk communications surveillance laws and practices relating to their access and use of telecommunications data. 

The Court recognised the importance of the State’s positive obligations towards conducting surveillance, although it noted that it was essential for surveillance systems to conform with the general principles of EU law and the rights guaranteed under the EU Charter. It laid down clear principles and measures as to when and how the national authorities could access and use telecommunications data (further discussed in the sections ‘The UK Judgment’ and ‘The French and Belgian Judgment’). It carved a few exceptions as well (in the joined cases of France and Belgium) for emergency situations, but held that such measures would have to pass the threshold of being serious and genuine (further discussed in the section ‘The French and Belgian Judgment’). 

The Cases in Brief 

The Court delivered two separate judgments, one in the UK case and one in the joined cases of France and Belgium. Since these cases had similar sets of issues, the proceedings were adjoined. The UK application challenged the bulk acquisition and use of telecommunications data by its Security and Intelligence Agencies (SIAs) in the interest of national security (as per the UK’s Telecommunication Act of 1984). The French and Belgian applications challenged the indiscriminate data retention and access by SIAs for combating crime. 

The French and Belgian applications questioned the legality of their respective data retention laws (numerous domestic surveillance laws which permitted bulk collection of telecommunication data) that imposed blanket obligations on Electronic Communications Service Providers (ECSP) to provide relevant data. The Belgian law required ECSPs to retain various kinds of traffic and location data for a period of 12 months. Whereas, the French law provided for automated analysis and real time data collection measures for preventing terrorism. The French application also raised the issue of providing a notification to the person under the surveillance. 

The Member States contended that such surveillance measures enabled them to inter alia, safeguard national security, prevent terrorism, and combat serious crimes. Hence, they claimed inapplicability of the e-Privacy Directive on their surveillance laws/ activities.

The UK Judgment

The ECJ found the UK surveillance regime unlawful and inconsistent with EU law, and specifically the e-Privacy Directive. The Court analysed the scope and scheme of the e-Privacy Directive with regard to exclusion of certain State purposes such as national and public security, defence, and criminal investigation. Noting the importance of such State purposes, it held that EU Member States could adopt legislative measures that restricted the scope of rights and obligations (Article 5, 6 and 9) provided in the e-Privacy Directive. However, this was allowed only if the Member States complied with the requirements laid down by the Court in Tele2 Sverige and Watson and Others (C-203/15 and C-698/15) (Tele2) and the e-Privacy Directive. In addition to these, the Court held that the EU Charter must be respected too. In Tele2, the ECJ held that legislative measures obligating ECSPs to retain data must be targeted and limited to what was strictly necessary. Such targeted retention had to be with regard to specific categories of persons and data for a limited time period. Also, the access to data must be subject to a prior review by an independent body.

The e-Privacy Directive ensures the confidentiality of electronic communications and the data relating to it (Article 5(1)). It allows ECSPs to retain metadata (context specific data relating to the users and subscribers, location and traffic) for various purposes such as billing, valued added services and security purposes. However, this data must be deleted or made anonymous, once the purpose is fulfilled unless a law allows for a derogation for State purposes. The e-Privacy Directive allows the Member States to derogate (Article 15(1)) from the principle of confidentiality and corresponding obligations (contained in Article 6 (traffic data) and 9 (location data other than traffic data)) for certain State purposes when it is appropriate, necessary and proportionate. 

The Court clarified that measures undertaken for the purpose of national security would not make EU law inapplicable and exempt the Member States from their obligation to ensure confidentiality of communications under the e-Privacy Directive. Hence, an independent review of surveillance activities such as data retention for indefinite time periods, or further processing or sharing, must be conducted for authorising such activities. It was noted that the domestic law at present did not provide for prior review, as a limit on the above mentioned surveillance activities. 

The French and Belgian Judgment

While assessing the joined cases, the Court arrived at a determination in similar terms as the UK case. It reiterated that the exception (Article 15(1) of the e-Privacy Directive) to the principle of confidentiality of communications (Article 5(1) of the e-Privacy Directive) should not become the norm. Hence, national measures that provided for general and indiscriminate data retention and access for State purposes were held to be incompatible with EU law, specifically the e-Privacy Directive.

The Court in the joined cases, unlike the UK case, allowed for specific derogations for State purposes such as safeguarding national security, combating serious crimes and preventing serious threats. It laid down certain requirements that the Member States had to comply with in case of derogations. The derogations should (1) be clear and precise to the stated objective (2) be limited to what is strictly necessary and for a limited time period (3) have a safeguards framework including substantive and procedural conditions to regulate such instances (4) include guarantees to protect the concerned individuals against abuse. They should also be subjected to an ‘effective review’ by a court or an independent body and must be in compliance of general rules and proportionality principles of EU law and the rights provided in the EU Charter. 

The Court held that in establishing a minimum threshold for a safeguards framework, the EU Charter must be interpreted along with the European Convention on Human Rights (ECHR). This would ensure consistency between the rights guaranteed under the EU Charter and the corresponding rights guaranteed in the ECHR (as per Article 52(3) of the EU Charter).

The Court, in particular, allowed for general and indiscriminate data retention in cases of serious threat to national security. Such a threat should be genuine, and present or foreseeable. Real-time data collection and automated analysis were allowed in such circumstances. But the real-time data collection of persons should be limited to those suspected of terrorist activities. Moreover, it should be limited to what was strictly necessary and subject to prior review. It even allowed for general and indiscriminate data retention of IP addresses for the purpose of national security, combating serious crimes and preventing serious threats to public security. Such retention must be for a limited time period to what was strictly necessary. For such purposes, the Court also permitted ECSPs to retain data relating to the identity particulars of their customers (such as name, postal and email/account addresses and payment details) in a general and indiscriminate manner, without specifying any time limitations. 

The Court allowed targeted data retention for the purpose of safeguarding national security and preventing crime, provided that it was for a limited time period and strictly necessary and was done on the basis of objective and non-discriminatory factors. It was held that such retention should be specific to certain categories of persons or geographical areas. The Court also allowed, subject to effective judicial review, expedited data retention after the initial retention period ended, to shed light on serious criminal offences or acts affecting national security. Lastly, in the context of criminal proceedings, the Court held that it was for the Member States to assess the admissibility of evidence resulting from general and indiscriminate data retention. However, the information and evidence must be excluded where it infringes on the right to a fair trial. 

Significance of the Bulk Communication Surveillance Judgments

With these cases, the ECJ decisively resolved a long-standing discord between the Member States and privacy activists in the EU. For a while now, the Court has been dealing with questions relating to surveillance programs for national security and law enforcement purposes. Though the Member States have largely considered these programs outside the ambit of EU privacy law, the Court has been expanding the scope of privacy rights. 

Placing limitations and controls on State powers in democratic societies was considered necessary by the Court in its ruling in Privacy International. This decision may act as a trigger for considering surveillance reforms in many parts of the world, and more specifically for those aspiring to attain an EU adequacy status. India could benefit immensely should it choose to pay heed. 

As of date, India does not have a comprehensive surveillance framework. Various provisions of the Personal Data Protection Bill, 2019 (Bill), Information Technology Act, 2000, Telegraph Act, 1885, and the Code of Criminal Procedure, 1973 provide for targeted surveillance measures. The Bill provides for wide powers to the executive (under Clause 35, 36 and 91 of the Bill) to access personal and non-personal data in the absence of proper and necessary safeguards. This may cause problems for achieving the EU adequacy status as per Article 45 of the EU General Data Protection Regulation (GDPR) that assesses the personal data management rules of third-party countries. 

Recent news reports suggest that the Bill, which is under legislative consideration, is likely to undergo a significant overhaul. India could use this as an opportunity to introduce meaningful changes in the Bill as well as its surveillance regime. India’s privacy framework could be strengthened by adhering to the principles outlined in the Justice K.S. Puttaswamy v. Union of Indiajudgment and the Bulk Communications Surveillance Judgments.

Building an AI Governance Framework for India, Part III

Embedding Principles of Privacy, Transparency and Accountability

This post has been authored by Jhalak M. Kakkar and Nidhi Singh

In July 2020, the NITI Aayog released a draft Working Document entitled “Towards Responsible AI for All” (hereafter ‘NITI Aayog Working Document’ or ‘Working Document’). This Working Document was initially prepared for an expert consultation that was held on 21 July 2020. It was later released for comments by stakeholders on the development of a ‘Responsible AI’ policy in India. CCG’s comments and analysis  on the Working Document can be accessed here.

In our first post in the series, ‘Building an AI governance framework for India’, we discussed the legal and regulatory implications of the Working Document and argued that India’s approach to regulating AI should be (1) firmly grounded in its constitutional framework, and (2) based on clearly articulated overarching ‘Principles for Responsible AI’. Part II of the series discussed specific Principles for Responsible AI – Safety and Reliability, Equality, and Inclusivity and Non-Discrimination. We explored the constituent elements of these principles and the avenues for incorporating them into the Indian regulatory framework. 

In this final post of the series, we will discuss the remaining principles of Privacy, Transparency and Accountability. 

Principle of Privacy 

Given the diversity of AI systems, the privacy risks which they pose to the individuals, and society as a whole are also varied. These may be be broadly related to : 

(i) Data protection and privacy: This relates to privacy implications of the use of data by AI systems and subsequent data protection considerations which arise from this use. There are two broad aspects to think about in terms of the privacy implications from the use of data by AI systems. Firstly, AI systems must be tailored to the legal frameworks for data protection. Secondly, given that AI systems can be used to re-identify anonymised data, the mere anonymisation of data for the training of AI systems may not provide adequate levels of protection for the privacy of an individual.

a) Data protection legal frameworks: Machine learning and AI technologies have existed for decades, however, it was the explosion in the availability of data, which accounts for the advancement of AI technologies in recent years. Machine Learning and AI systems depend upon data for their training. Generally, the more data the system is given, the more it learns and ultimately the more accurate it becomes. The application of existing data protection frameworks to the use of data by AI systems may raise challenges. 

In the Indian context, the Personal Data Protection Bill, 2019 (PDP Bill), currently being considered by Parliament, contains some provisions that may apply to some aspects of the use of data by AI systems. One such provision is Clause 22 of the PDP Bill, which requires data fiduciaries to incorporate the seven ‘privacy by design’ principles and embed privacy and security into the design and operation of their product and/or network. However, given that AI systems rely significantly on anonymised personal data, their use of data may not fall squarely within the regulatory domain of the PDP Bill. The PDP Bill does not apply to the regulation of anonymised data at large but the Data Protection Authority has the power to specify a code of practice for methods of de-identification and anonymisation, which will necessarily impact AI technologies’ use of data.

b) Use of AI to re-identify anonymised data: AI applications can be used to re-identify anonymised personal data. To safeguard the privacy of individuals, datasets composed of the personal data of individuals are often anonymised through a de-identification and sampling process, before they are shared for the purposes of training AI systems to address privacy concerns. However, current technology makes it possible for AI systems to reverse this process of anonymisation to re-identify people, having significant privacy implications for an individual’s personal data. 

(ii) Impact on society: The impact of the use of AI systems on society essentially relates to broader privacy considerations that arise at a societal level due to the deployment and use of AI, including mass surveillance, psychological profiling, and the use of data to manipulate public opinion. The use of AI in facial recognition surveillance technology is one such AI system that has significant privacy implications for society as a whole. Such AI technology enables individuals to be easily tracked and identified and has the potential to significantly transform expectations of privacy and anonymity in public spaces. 

Due to the varying nature of privacy risks and implications caused by AI systems, we will have to design various regulatory mechanisms to address these concerns. It is important to put in place a reporting and investigation mechanism that collects and analyses information on privacy impacts caused by the deployment of AI systems, and privacy incidents that occur in different contexts. The collection of this data would allow actors across the globe to identify common threads of failure and mitigate against potential privacy failures arising from the deployment of AI systems. 

To this end, we can draw on a mechanism that is currently in place in the context of reporting and investigating aircraft incidents, as detailed under Annexure 13 of the Convention on International Civil Aviation (Chicago Convention). It lays down the procedure for investigating aviation incidents and a reporting mechanism to share information between countries. The aim of this accident investigation report is not to apportion blame or liability from the investigation, but rather to extensively study the cause of the accident and prevent future incidents. 

A similar incident investigation mechanism may be employed for AI incidents involving privacy breaches. With many countries now widely developing and deploying AI systems, such a model of incident investigation would ensure that countries can learn from each other’s experiences and deploy more privacy-secure AI systems.

Principle of Transparency

The concept of transparency is a recognised prerequisite for the realisation of ‘trustworthy AI’. The goal of transparency in ethical AI is to make sure that the functioning of the AI system and resultant outcomes are non-discriminatory, fair, and bias mitigating, and that the AI system inspires public confidence in the delivery of safe and reliable AI innovation and development. Additionally, transparency is also important in ensuring better adoption of AI technology—the more users feel that they understand the overall AI system, the more inclined and better equipped they are to use it.

The level of transparency must be tailored to its intended audience. Information about the working of an AI system should be contextualised to the various stakeholder groups interacting and using the AI system. The Institute of Electrical and Electronics Engineers, a global professional organisation of electronic and electrical engineers,  suggested that different stakeholder groups may require varying levels of transparency in accordance with the target group. This means that groups such as users, incident investigators, and the general public would require different standards of transparency depending upon the nature of information relevant for their use of the AI system.

Presently, many AI algorithms are black boxes where automated decisions are taken, based on machine learning over training datasets, and the decision making process is not explainable. When such AI systems produce a decision, human end users don’t know how it arrived at its conclusions. This brings us to two major transparency problems, the public perception and understanding of how AI works, and how much developers actually understand about their own AI system’s decision making process. In many cases, developers may not know, or be able to explain how an AI system makes conclusions or how it has arrived at certain solutions.

This results in a lack of transparency. Some organisations have suggested opening up AI algorithms for scrutiny and ending reliance on opaque algorithms. On the other hand, the NITI Working Document is of the view that disclosing the algorithm is not the solution and instead, the focus should be on explaining how the decisions are taken by AI systems. Given the challenges around explainability discussed above, it will be important for NITI Aayog to discuss how such an approach will be operationalised in practice.

While many countries and organisations are researching different techniques which may be useful in increasing the transparency of an AI system, one of the common suggestions which have gained traction in the last few years is the introduction of labelling mechanisms in AI systems. An example of this is Google’s proposal to use ‘Model Cards’, which are intended to clarify the scope of the AI systems deployment and minimise their usage in contexts for which they may not be well suited. 

Model cards are short documents which accompany a trained machine learning model. They enumerate the benchmarked evaluation of the working of an AI system in a variety of conditions, across different cultural, demographic, and intersectional groups which may be relevant to the intended application of the AI system. They also contain clear information on an AI system’s capabilities including the intended purpose for which it is being deployed, conditions under which it has been designed to function, expected accuracy and limitations. Adopting model cards and other similar labelling requirements in the Indian context may be a useful step towards introducing transparency into AI systems. 

Principle of Accountability

The Principle of Accountability aims to recognise the responsibility of different organisations and individuals that develop, deploy and use the AI systems. Accountability is about responsibility, answerability and trust. There is no one standard form of accountability, rather this is dependent upon the context of the AI and the circumstances of its deployment.

Holding individuals and entities accountable for harm caused by AI systems has significant challenges as AI systems generally involve multiple parties at various stages of the development process. The regulation of the adverse impacts caused by AI systems often goes beyond the existing regimes of tort law, privacy law or consumer protection law. Some degree of accountability can be achieved by enabling greater human oversight. In order to foster trust in AI and appropriately determine the party who is accountable, it is necessary to build a set of shared principles that clarify responsibilities of each stakeholder involved with the research, development and implementation of an AI system ranging from the developers, service providers and end users.

Accountability has to be ensured at the following stages of an AI system: 

(i) Pre-deployment: It would be useful to implement an audit process before the AI system is deployed. A potential mechanism for implementing this could be a multi-stage audit process which is undertaken post design, but before the deployment of the AI system by the developer. This would involve scoping, mapping and testing a potential AI system before it is released to the public. This can include ensuring risk mitigation strategies for changing development environments and ensuring documentation of policies, processes and technologies used in the AI system.

Depending on the nature of the AI system and the potential for risk, regulatory guidelines can be developed prescribing the involvement of various categories of auditors such as internal, expert third party and from the relevant regulatory agency, at various stages of the audit. Such audits which are conducted pre-deployment are aimed at closing the accountability gap which exists currently.

(ii) During deployment: Once the AI system has been deployed, it is important to keep auditing the AI system to note the changes being made/evolution happening in the AI system in the course of its deployment. AI systems constantly learn from the data and evolve to become better and more accurate. It is important that the development team is continuously monitoring the system to capture any errors that may arise, including inconsistencies arising from input data or design features, and address them promptly.

(iii) Post-deployment: Ensuring accountability post-deployment in an AI system can be challenging. The NITI Working Document also recognised that assigning accountability for specific decisions becomes difficult in a scenario with multiple players in the development and deployment of an AI system. In the absence of any consequences for decisions harming others, no one party would feel obligated to take responsibility or take actions to mitigate the effect of the AI systems. Additionally, the lack of accountability also leads to difficulties in grievance redressal mechanisms which can be used to address scenarios where harm has arisen from the use of AI systems. 

The Council of Europe, in its guidelines on the human rights impacts of algorithmic systems, highlighted the need for effective remedies to ensure responsibility and accountability for the protection of human rights in the context of the deployment of AI systems. A potential model for grievance redressal is the redressal mechanism suggested in the AI4People’s Ethical Framework for a Good Society report by the Atomium – European Institute for Science, Media and Democracy. The report suggests that any grievance redressal mechanism for AI systems would have to be widely accessible and include redress for harms inflicted, costs incurred, and other grievances caused by the AI system. It must demarcate a clear system of accountability for both organisations and individuals. Of the various redressal mechanisms they have suggested, two significant mechanisms are: 

(a) AI ombudsperson: This would ensure the auditing of allegedly unfair or inequitable uses of AI reported by users of the public at large through an accessible judicial process. 

(b) Guided process for registering a complaint: This envisions laying down a simple process, similar to filing a Right to Information request, which can be used to bring discrepancies, or faults in an AI system to the notice of the authorities.

Such mechanisms can be evolved to address the human rights concerns and harms arising from the use of AI systems in India. 

Conclusion

In early October, the Government of India hosted the Responsible AI for Social Empowerment (RAISE) Summit which has involved discussions around India’s vision and a roadmap for social transformation, inclusion and empowerment through Responsible AI. At the RAISE Summit, speakers underlined the need for adopting AI ethics and a human centred approach to the deployment of AI systems. However, this conversation is still at a nascent stage and several rounds of consultations may be required to build these principles into an Indian AI governance and regulatory framework. 

As India enters into the next stage of developing and deploying AI systems, it is important to have multi-stakeholder consultations to discuss mechanisms for the adoption of principles for Responsible AI. This will enable the framing of an effective governance framework for AI in India that is firmly grounded in India’s constitutional framework. While the NITI Aayog Working Document has introduced the concept of ‘Responsible AI’ and the ethics around which AI systems may be designed, it lacks substantive discussion on these principles. Hence, in our analysis, we have explored global views and practices around these principles and suggested mechanisms appropriate for adoption in India’s governance framework for AI. Our detailed analysis of these principles can be accessed in our comments to the NITI Aayog’s Working Document Towards Responsible AI for All.

Experimenting With New Models of Data Governance – Data Trusts

This post has been authored by Shashank Mohan

India is in the midst of establishing a robust data governance framework, which will impact the rights and liabilities of all key stakeholders – the government, private entities, and citizens at large. As a parliamentary committee debates its first personal data protection legislation (‘PDPB 2019’), proposals for the regulation of non-personal data and a data empowerment and protection architecture are already underway. 

As data processing capabilities continue to evolve at a feverish pace, basic data protection regulations like the PDPB 2019 might not be sufficient to address new challenges. For example, big data analytics renders traditional notions of consent meaningless as users have no knowledge of how such algorithms behave and what determinations are made about them by such technology. 

Creative data governance models, which are aimed at reversing the power dynamics in the larger data economy are the need of the hour. Recognising these challenges policymakers are driving the conversation on data governance in the right direction. However, they might be missing out on crucial experiments being run in other parts of the world

As users of digital products and services increasingly lose control over data flows, various new models of data governance are being recommended for example, data trusts, data cooperatives, and data commons. Out of these, one of the most promising new models of data governance is – data trusts. 

(For the purposes of this blog post, I’ll be using the phrase data processors as an umbrella term to cover data fiduciaries/controllers and data processors in the legal sense. The word users is meant to include all data principals/subjects.)

What are data trusts?

Though there are various definitions of data trusts, one which is helpful in understanding the concept is – ‘data trusts are intermediaries that aggregate user interests and represent them more effectively vis-à-vis data processors.’ 

To solve the information asymmetries and power imbalances between users and data processors, data trusts will act as facilitators of data flow between the two parties, but on the terms of the users. Data trusts will act in fiduciary duty and in the best interests of its members. They will have the requisite legal and technical knowledge to act on behalf of users. Instead of users making potentially ill-informed decisions over data processing, data trusts will make such decisions on their behalf, based on pre-decided factors like a bar on third-party sharing, and in their best interests. For example, data trusts to users can be what mutual fund managers are to potential investors in capital markets. 

Currently, in a typical transaction in the data economy, if users wish to use a particular digital service, neither do they have the knowledge to understand the possible privacy risks nor the negotiation powers for change. Data trusts with a fiduciary responsibility towards users, specialised knowledge, and multiple members might be successful in tilting back the power dynamics in favour of users. Data trusts might be relevant from the perspective of both the protection and controlled sharing of personal as well as non-personal data. 

(MeitY’s Non-Personal Data Governance Framework introduces the concept of data trustees and data trusts in India’s larger data governance and regulatory framework. But, this applies only to the governance of ‘non-personal data’ and not personal data, as being recommended here. CCG’s comments on MeitY’s Non-Personal Data Governance Framework, can be accessed – here)

Challenges with data trusts

Though creative solutions like data trusts seem promising in theory, they must be thoroughly tested and experimented with before wide-scale implementation. Firstly, such a new form of trusts, where the subject matter of the trust is data, is not envisaged by Indian law (see section 8 of the Indian Trusts Act, 1882, which provides for only property to be the subject matter of a trust). Current and even proposed regulatory structures don’t account for the regulation of institutions like data trusts (the non-personal data governance framework proposes data trusts, but only as data sharing institutions and not as data managers or data stewards, as being suggested here). Thus, data trusts will need to be codified into Indian law to be an operative model. 

Secondly, data processors might not embrace the notion of data trusts, as it may result in loss of market power. Larger tech companies, who have existing stores of data on numerous users may not be sufficiently incentivised to engage with models of data trusts. Structures will need to be built in a way that data processors are incentivised to participate in such novel data governance models. 

Thirdly, the business or operational models for data trusts will need to be aligned to their members i.e. users. Data trusts will require money to operate – for profit entities may not have the best interests of users in mind. Subscription based models, whether for profit or not, might fail as users are habitual to free services. Donation based models might need to be monitored closely for added transparency and accountability. 

Lastly, other issues like creation of technical specifications for data sharing and security, contours of consent, and whether data trusts will help in data sharing with the government, will need to be accounted for. 

Privacy centric data governance models

At this early stage of developing data governance frameworks suited to Indian needs, policymakers are at a crucial juncture of experimenting with different models. These models must be centred around the protection and preservation of privacy rights of Indians, both from private and public entities. Privacy must also be read in its expansive definition as provided by the Supreme Court in Justice K.S. Puttaswamy vs. Union of India. The autonomy, choice, and control over informational privacy are crucial to the Supreme Court’s interpretation of privacy. 

(CCG’s privacy law database that tracks privacy jurisprudence globally and currently contains information from India and Europe, can be accessed – here

Building an AI Governance Framework for India, Part II

Embedding Principles of Safety, Equality and Non-Discrimination

This post has been authored by Jhalak M. Kakkar and Nidhi Singh

In July 2020, the NITI Aayog released a draft Working Document entitled “Towards Responsible AI for All” (hereafter ‘NITI Working Document’ or ‘Working Document’). This Working Document was initially prepared for an expert consultation held on 21 July 2020. It was later released for comments by stakeholders on the development of a ‘Responsible AI’ policy in India. CCG responded with comments to the Working Document, and our analysis can be accessed here.

In our previous post on building an AI governance framework for India, we discussed the legal and regulatory implications of the proposed Working Document and argued that India’s approach to regulating AI should be (1) firmly grounded in its Constitutional framework and (2) based on clearly articulated overarching principles. While the NITI Working Document introduces certain principles, it does not go into any substantive details on what the adoption of these principles into India’s regulatory framework would entail.

We will now examine these ‘Principles for Responsible AI’, their constituent elements and avenues for incorporating them into the Indian regulatory framework. The NITI Working Document proposed the following seven ‘Principles for Responsible AI’ to guide India’s regulatory framework for AI systems: 

  1. Safety and reliability
  2. Equality
  3. Inclusivity and Non-Discrimination
  4. Privacy and Security 
  5. Transparency
  6. Accountability
  7. Protection and Reinforcement of Positive Human Values. 

This post explores the principles of Safety and Reliability, Equality, and Inclusivity and Non-Discrimination. A subsequent post will discuss the principles of Privacy and Security, Transparency, Accountability and the Protection and Reinforcement of Positive Human Values.

Principle of Safety and Reliability

The Principle of Reliability and Safety aims to ensure that AI systems operate reliably in accordance with their intended purpose throughout their lifecycle and ensures the security, safety and robustness of an AI system. It requires that AI systems should not pose unreasonable safety risks, should adopt safety measures which are proportionate to the potential risks, should be continuously monitored and tested to ensure compliance with their intended purpose, and should have a continuous risk management system to address any identified problems. 

Here, it is important to note the distinction between safety and reliability. The reliability of a system relates to the ability of an AI system to behave exactly as its designers have intended and anticipated. A reliable system would adhere to the specifications it was programmed to carry out. Reliability is therefore, a measure of consistency and establishes confidence in the safety of a system. Whereas, safety refers to an AI system’s ability to do what it is supposed to do without harming users (human physical integrity), resources or the environment.

Human oversight: An important aspect of ensuring the safety and reliability of AI systems is the presence of human oversight over the system. Any regulatory framework that is developed in India to govern AI systems must incorporate norms that specify the circumstances and degree to which human oversight is required over various AI systems. 

The level of involvement of human oversight would depend upon the sensitivity of the function and potential for significant impact on an individual’s life which the AI system may have. For example, AI systems deployed in the context of the provision of government benefits should have a high level of human oversight. Decisions made by the AI system in this context should be reviewed by a human before being implemented. Other AI systems may be deployed in contexts that do not need constant human involvement. However, these systems should have a mechanism in place for human review if a question is subsequently raised for review by, say a user. An example of this may be vending machines which have simple algorithms. Hence, the purpose for which the system is deployed and the impact it could have on individuals would be relevant factors in determining if ‘human in the loop’, ‘human on the loop’, or any other oversight mechanism is appropriate. 

Principle of Equality

The principle of equality holds that everyone, irrespective of their status in the society, should get the same opportunities and protections with the development of AI systems. 

Implementing equality in the context of AI systems essentially requires three components: 

(i) Protection of human rights: AI instruments developed across the globe have highlighted that the implementation of AI would pose risks to the right to equality, and countries would have to take steps to mitigate such risks proactively. 

(ii) Access to technology: The AI systems should be designed in a way to ensure widespread access to technology, so that people may derive benefits from AI technology.

(iii) Guarantees of equal opportunities through technology: The guarantee of equal opportunity relies upon the transformative power of AI systems to “help eliminate relationships of domination between groups and people based on differences of power, wealth, or knowledge” and “produce social and economic benefits for all by reducing social inequalities and vulnerabilities.” AI systems will have to be designed and deployed such that they further the guarantees of equal opportunity and do not exacerbate and further entrench existing inequality.

The development, use and deployment of AI systems in society would pose the above-mentioned risks to the right to equality, and India’s regulatory framework for AI must take steps to mitigate such risks proactively.

Principle of Inclusivity and Non-Discrimination

The idea of non-discrimination mostly arises out of technical considerations in the context of AI. It holds that non-discrimination and the prevention of bias in AI should be mitigated in the training data, technical design choices, or the technology’s deployment to prevent discriminatory impacts. 

Examples of this can be seen in data collection in policing, where the disproportionate attention paid to neighbourhoods with minorities, would show higher incidences of crime in minority neighbourhoods, thereby skewing AI results. Use of AI systems becomes safer when they are trained on datasets that are sufficiently broad, and the datasets encompass the various scenarios in which the system is envisaged to be deployed. Additionally, datasets should be developed to be representative and hence avoid discriminatory outcomes from the use of the AI system. 

Another example of this can be semi-autonomous vehicles which experience higher accident rates among dark-skinned pedestrians due to the software’s poorer performance in recognising darker-skinned individuals. This can be traced back to training datasets, which contained mostly light-skinned people. The lack of diversity in the data set can lead to discrimination against specific groups in society. To ensure effective non-discrimination, AI policies must be truly representative of the society in its training data and ensure that no section of the populace is either over-represented or under-represented, which may skew the data sets. While designing the AI systems for deployment in India, the constitutional rights of individuals should be used as central values around which the AI systems are designed. 

In order to implement inclusivity in AI, the diversity of the team involved in design as well as the diversity of the training data set would have to be assessed. This would involve the creation of guidelines under India’s regulatory framework for AI to help researchers and programmers in designing inclusive data sets, measuring product performance on the parameter of inclusivity, selecting features to avoid exclusion and testing new systems through the lens of inclusivity.

Checklist Model: To address the challenges of non-discrimination and inclusivity a potential model which can be adopted in India’s regulatory framework for AI would be the ‘Checklist’. The European Network of Equality Bodies (EQUINET), in its recent report on ‘Meeting the new challenges to equality and non-discrimination from increased digitisation and the use of Artificial Intelligence’ provides a checklist to assess whether an AI system is complying with the principles of equality and non-discrimination. The checklist consists of several broad categories, with a focus on the deployment of AI technology in Europe. This includes heads such as direct discrimination, indirect discrimination, transparency, other types of equity claims, data protection, liability issues, and identification of the liable party. 

The list contains a series of questions which judges whether an AI system meets standards of equality, and identifies any potential biases it may have. For example, the question “Does the artificial intelligence system treat people differently because of a protected characteristic?” includes the parameters of both direct data and proxies. If the answer to the question is yes, the system would be identified as indulging in indirect bias. A similar checklist system, which has been contextualised for India, can be developed and employed in India’s regulatory framework for AI. 

Way forward

This post highlights some of the key aspects of the principles of Safety and Reliability, Equality, and Inclusivity and Non-Discrimination. Integration of these principles which have been identified in the NITI Working Document into India’s regulatory framework requires that we first clearly define their content, scope and ambit to identify the right mechanisms to operationalise them. Given the absence of any exploration of the content of these AI principles or the mechanism for their implementation in India in the NITI Working Document, we have examined the relevant international literature surrounding the adoption of AI ethics and suggested mechanisms for their adoption. The NITI Working Document has spurred discussion around designing an effective regulatory framework for AI. However, these discussions are at a preliminary stage and there is a need to develop a far more nuanced proposal for a regulatory framework for AI.

Over the last week, India has hosted the Responsible AI for Social Empowerment (RAISE) Summit which has involved discussions around India’s vision and roadmap for social transformation, inclusion and empowerment through Responsible AI. As we discuss mechanisms for India to effectively harness the economic potential of AI, we also need to design an effective framework to address the massive regulatory challenges emerging from the deployment of AI—simultaneously, and not as an afterthought post-deployment. While a few of the RAISE sessions engaged with certain aspects of regulating AI, there still remains a need for extensive, continued public consultations with a cross section of stakeholders to embed principles for Responsible AI in the design of an effective AI regulatory framework for India. 

For a more detailed discussion on these principles and their integration into the Indian context, refer to our comments to the NITI Aayog here.