I&B Ministry forms Committee to regulate content in Government Advertising

Written By Joshita Pai

Following the direction of the Supreme Court, the Ministry of Information and Broadcasting issued an order last month establishing a three-member committee to effectuate the Supreme Court Guidelines on Content Regulation of Government Advertising. Government advertising refers to the use of public funds by ruling parties to project their achievements or make announcements about upcoming initiatives. These advertisements, however, have occasionally been politically motivated, demonstrating the need for the guidelines issued by the Court in the Common Cause judgment. The guidelines were issued on the basis of a report submitted by a Court-appointed committee on the issue of the use of public funds in government advertising.

According to the recent MIB order, the Supreme Court Guidelines will function as a stopgap arrangement until legislation comes into force to regulate the content projected in government-sponsored advertisements. The body set up by the Ministry will address complaints from the general public on violations of the guidelines prescribed by the Court. The Committee will be assisted by a member secretary, and parallel committees will be set up at the state level, appointed by the respective State Governments. The three-member body will be responsible for implementation of the SC guidelines on regulating content in government advertising.

Government Advertising

Government advertising is often regarded as informative and in the public interest since it facilitates circulation of necessary information with respect to upcoming welfare schemes or the progress of government initiatives. However, advertisements of this nature are often used to gain political mileage. This practice has been criticized for several reasons, ranging from arbitrary use of public funds to non-objective presentation of information. Colourful presentation of information on the part of the government does not foster the public interest. The right to freedom of speech and expression exercisable by the government is not dispensable, but Article 19 also grants the right to information, and accurate information at that, which stands in equal measure. Balancing conflicting interests in this regard is a herculean task.

Government advertising, unlike political advertising, which also often transcends permissible boundaries, is sponsored by the public funds that governments in power have access to. According to the Election Commission of India, the expenditure on government-sponsored advertisements is incurred by the public exchequer and is contrary to the spirit of free and fair elections, as the party in power gets an undue advantage over other parties and candidates. The practice has created the need for an oversight authority and a set of workable standards to regulate such advertising, which have been recommended time and again, most recently in the Law Commission Report on Electoral Reforms. Moreover, the Election Commission too has assessed the mushrooming phenomenon of advertising by existing governments. In furtherance of these observations, the ECI recommended that advertisements for achievements of existing governments, either Central or State, in any manner, should be prohibited for a period of six months prior to the date of expiry of the term of the House.

The Guidelines issued by the Supreme Court

The case that brought about the guidelines was set in motion when Common Cause and the Centre for Public Interest Litigation sought to restrain the Union of India and State Governments from using public funds on government advertising. The petitioners emphasized that the object of these advertisements is generally to promote functionaries and candidates of a political party. One of the primary objections raised in the case was that such advertising is generally politically motivated. The petition called for the Court to issue comprehensive guidelines on the usage of public funds on such advertisements. Giving due weight to the plea, the Court appointed a committee to examine best practices in order to demarcate permissible advertising during campaigning from politically motivated advertisements. The committee submitted its report to the Supreme Court in September 2014, containing a set of guidelines on content regulation in government advertising. These guidelines will be implemented by the committee established by the MIB.

According to the Guidelines, government advertising “includes any message, conveyed and paid for by the government for placement in media such as newspapers, television, radio, internet, cinema and such other media but does not include classified advertisements; and includes both copy (written text/audio) and creatives (visuals/video/multimedia) put out in print, electronic, outdoor or digital media.”

The guidelines further suggest that government advertisements should be politically neutral and should not include photographs of political leaders unless essential, in which case only the photographs of the Prime Minister/Chief Minister or President/Governor may be used. The enforceability of the guidelines has been left to the three-member body, which shall recommend actions accordingly.

According to the Guidelines, regulation of content should be guided by five fundamental principles:

  1. Advertising Campaigns to be related to Government responsibilities: The content of the government advertisement should be relevant to the government’s obligations and the rights of the citizens.
  2. Advertisement materials should be presented in an objective, fair, and accessible manner and be designed to meet the objectives of the campaign: The content and the design of the advertisement should be executed after exercise of due care and should not present previous policies of the government as new ones.
  3. Advertisement materials should be objective and not directed at promoting political interests of the ruling party: The advertisement should steer clear of making political arguments, should be neutral in nature and should not seek to influence public support.
  4. Advertisement Campaigns must be justified and undertaken in an efficient and cost-effective manner: Optimum use of public funds and cost-effective advertisements reflect a need-based advertising approach.
  5. Government advertising must comply with legal requirements and financial regulations and procedures: The advertisements must be compliant with existing laws such as election laws and ownership rights.

Government advertisements are issued on several occasions. They are issued to present the completion of a successful tenure, to commemorate anniversaries of people and to announce public welfare projects. In these instances, the object of the advertisement can be achieved with objective presentation of information. The committee that has been set up seeks solely to ensure that the right of the government to use funds to sponsor advertisements is not misused.

The New Data Protection Regulation and its Impact on India

Written By Joshita Pai

The European Parliament adopted the new Rules on Data Protection on the 14th of April, 2016. The new Regulation replaces the General Rules on Data Protection, 1995 and the 2008 framework decision on cross-border data processing in police and judicial cooperation within the EU. In January 2012, the EU Commission first presented a package of proposals in order to update and modernize the present EU legal framework, which was subsequently accepted by the Council in December 2015. The new data protection package consists of a general regulation on personal data processing in the EU and a directive on data processed by the police and judicial authorities.

Highlights of the Regulation

The regulation establishes a stronger regime for protection of personal data by giving more control to users in the digital market. It enshrines provisions on the much awaited right to be forgotten in the virtual space,[i] provisions on the need for clear and affirmative consent, and the right of an individual to be informed. Profiling of an individual by collecting a person’s data is often presented in the name of customized service and the commercial interest of the company. The new regulation allows for a right to object to profiling unless it is necessary for legal enforcement purposes or for scientific research. The Directive also envisages provisions on data portability, which will enable users to shift from one service provider to another without losing the data accumulated in the use of the former. Aside from vesting a bundle of rights in the hands of users, the regulation makes way for an array of provisions for companies to abide by. The crucial provisions affecting business companies include:

  1. Sanctions on companies that breach data transfer rules of up to 4% of annual profits: This provision in the regulation holds heavy bearing since its application extends to companies established outside the European Union. Organisations will additionally be required to carry out data protection impact assessments where their plans to process personal data are “likely to result in a high risk for the rights and freedoms of individuals”.
  2. Provision for appointing a data protection officer if the company engages in processing of sensitive data: For businesses in which the “core activities” consist of processing operations that “by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale”; or if it involves processing sensitive data on a large scale, the new Directive recommends the mandatory appointment of a DPO.
  3. The introduction of the new one-stop-shop concept in the Regulation: The Regulation states there will be a single supervisory authority who will be engaging with business houses, instead of one authority in each member state. The ‘one-stop-shop’ will streamline cooperation between the data protection authorities on issues with implications for all of Europe.

The Impact of the new EU Regulation on India

The cross-border flow of data from the EU states to other nations has been contentious, visibly so after the Schrems decision which rendered the EU-US safe harbour provision inadequate. The decision called for a new set of guidelines which resulted in the creation of the EU-US privacy shield.

The EU framework of 1995, as well as the enhanced edition of the Regulation, prescribes a mandatory adequacy decision to determine whether the country in question adequately protects personal data. The new Regulation dedicates a chapter to the transfer of personal data to third-party countries, and India’s interest in the Directive lies here. It provides that:

“A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, or a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection.”

The European Commission in 2015 produced a report on Data Protection in India to assess the measures and standards adopted for protection of data in India. The report highlighted the lacunae in Indian laws pertaining to personal data. According to a recent survey by NASSCOM-DSCI, there is an opportunity loss of USD 2.0 billion – 2.5 billion owing to data transfer related issues. The report notes that EU clients are hesitant to offshore work to Indian companies because of the dearth of data protection standards in India. With particular regard to data protection, institutionalizing a regulatory regime in India has become a herculean task with no comprehensive legislation on data protection in force. Statutory attempts to this effect have either been scattered across the legal landscape or have not been effectively executed so far. The penalty of 4% of the annual turnover of a company on account of a data breach is one of the outstanding features of the new Regulation, and pitching this against the backdrop of a staggered regime on data protection in India indicates a host of repercussions.

Joshita Pai was a Fellow at the Centre for Communication Governance (2015-2016)

[i] ‘The right to be forgotten’ stirred up as a concept after a Spanish national sued Google Spain and a Spanish newspaper for retaining information about him that was published several years ago.

An overview of the 1st Report of the Special Rapporteur on Privacy

Written By Joshita Pai

The office of the Special Rapporteur on the Right to Privacy in the Digital Age was created last year by the UNHRC, and today, in the 33rd session of the Human Rights Council, the Special Rapporteur, Joseph A. Cannataci, submitted the Report on the Right to Privacy. The mandate of the UNHRC requires the Special Rapporteur to present annual reports starting from this year. The pioneering report released today, while preliminary in nature, identifies a range of issues related to privacy observed across different nations. The report states that “The report to the March 2016 session of the HRC will not attempt to prioritise risks or landmark improvements in privacy protection but simply refer to a few cases which illustrate particular progress or difficulties.”

Highlights of the Report

The report revolves around the concept of informational privacy and seeks to address the issues without prioritizing them. The Report in several places notes the handicap of the lack of a definition of privacy. There is no universally constructed or accepted definition of privacy, and it varies from culture to culture. To add to the impairment, the report stresses, are the ever-changing dynamics of Time, Place, Economy and Technology (TPET), which are variables that blur the notion of a settled definition. The Special Rapporteur observed that privacy has been recognized as a negative right and not as a positively affirming one. The Report observed that various legislations have been introduced across the board over the past year to legitimize privacy-intrusive techniques and measures by citing security reasons. The submission lists out the most contentious issues around such rushed legislative measures:

  1. the adequacy of oversight mechanisms;
  2. the distinction between targeted surveillance and mass surveillance (or bulk surveillance as it is euphemistically called in some countries);
  3. the proportionality of such measures in a democratic society;
  4. the cost-effectiveness and the overall efficacy of such measures.

It builds on the aspects of privacy which have surfaced at a global level in the past year. It throws light on the controversial UK Investigatory Powers Bill, which has, despite much resistance, only undergone cosmetic changes to its surveillance provisions. The report further ropes in the European Court’s finding on the US safe harbour provisions in the Schrems matter and the refusal by the Dutch government to engage in backdoor encryption, which Cannataci refers to as wise restraint. Listing out the highlights in the 2015-16 period, the report touches upon the back and forth efforts by the US and China in a vision for cyberpeace. The Report states that “Cyberspace risks being ruined by Cyberwar and Cyber-surveillance” and that “Governments and other stakeholders should work towards Cyberpeace.” The report notes the increasing trend in DNA databases and observes that ‘25% of the UN’s member states have implemented national criminal offender DNA database programs.’ The report urges that different stakeholders engage in a constructive discourse on building the most appropriate guidelines and safeguards in this regard.

The Special Rapporteur addresses the concern over the nexus between privacy and reputation, and states that he will be collaborating with the Special Rapporteur on Freedom of Expression to explore concrete safeguards and remedies for privacy, dignity and reputation on the internet. Proceeding to the wide use of biometric devices and techniques, the Rapporteur commits to evolving workable guidelines on the same, in congruence with vital stakeholders.

The Report carves out an outline for what it addresses as the ‘Ten point plan’ with the object of expanding on the dimension of the right to privacy and its inter-relationship with other human rights. The agenda is generic in nature and is referred to as the ‘To do List’. It includes delving into a more comprehensive legal understanding of the concept of privacy, raising awareness on the need for privacy, creating dialogue spaces, a focused dialogue with corporate houses, and devising technical and legal safeguards. The outline also stresses creating curiosity and dialogue on the issues in cyberspace.

The report flags the challenges applicable to and arising from Big Data and Open Data, and the difference between the two. In continuation of this, the report also throws light on the principles that generally govern regulations on data protection, such as purpose limitation, security of data, data destruction, access to data, and consent of the data subject. The Rapporteur expressed concern over the existing provisions on anonymisation of data in the EU and their adequacy. The report states that “trading blocs including major nations or regional federations such as China, the European Union and the United States have adopted or are adopting Open Data and Big Data policies the far-reaching consequences of which may not as yet be properly understood and which may unintentionally put in peril long-standing social values as well as the fundamental rights to privacy, dignity and free development of one’s personality.”

The Report concludes with the Rapporteur emphasizing the need for legislators, private actors and citizens to engage in a cordial dialogue process.

The New Dimension to the UIDAI Debate: The Aadhaar Bill, 2016

Written By Joshita Pai

The discourse around Aadhaar has only intensified since its inception, and one of the primary contentions of the debate has been the lack of a statutory force behind the initiative. Amidst all the speculation, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 was introduced on the 3rd of March as a money bill, on the grounds that subsidies and other benefits will be drawn from the Consolidated Fund of India. The Bill seeks to resolve the contention of the lack of legislation backing Aadhaar. The Bill also allows for more schemes to be attached to Aadhaar in future. Presently, there are a handful of schemes attached to Aadhaar which have been approved by the Supreme Court. The Bill is an ambitious attempt to provide a framework for the operationalization of Aadhaar.

A Cursory Glimpse

The Bill, establishing the Unique Identification Authority of India (UIDAI) as the authority responsible for the functioning of the Aadhaar process, provides for the conferment of an Aadhaar number on every resident who submits her identity information. The Bill, in this context, defines a resident in clause 2(5). Clause 2(n) provides that identity information includes biometric information and demographic information. Biometric information includes photograph, fingerprint, iris scan, or such other biological attribute of an individual as may be specified by regulations. Demographic information includes information relating to name, date of birth, address and other relevant information of an individual specified by regulations, but significantly excludes information about race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

According to clause 9, an Aadhaar number shall not confer, or be proof of, citizenship or domicile. The Bill also carries a provision which may require Aadhaar holders to update their biometric and geographic information. The unpredictability of an individual’s biometric data over time has been a contentious issue, but the object of the provision here is, as mentioned, the continued accuracy of the information in the repository.

Dissecting the Clauses

The Bill elevates the existence of an Aadhaar number to a proof of identity by virtue of clause 4(3).

Chapter IV of the Bill establishes the UIDAI as a body corporate, consisting of a Chairperson, a CEO and two part-time members. The CEO of the Authority will not be below the rank of Additional Secretary to the Government and will be appointed by the Central Government. The chapter deals with functions of the members, grants by Central Government, accounts and audits, qualifications and enumerations of the members. The Authority is responsible for the establishment, operation and maintenance of the Central Identities Data Repository. Clause 49 provides that the members of the UIDAI will be deemed as public servants. Clause 50 provides that the Central Government is not empowered to issue directions pertaining to technical or administrative matters undertaken by the authority.

Clause 16 of the Bill places restrictions on the Chairperson and members of the UIDAI who have ceased to hold office. It bars them from accepting employment in any management or company which has been associated with any work contracted by the UIDAI, for a period of three years after the expiry of their employment. Listing the functions of the UIDAI, clause 23 provides that the authority shall formulate policies and procedures for issuing Aadhaar numbers and for performing authentication of the same. The Authority is designated to carve out regulations, including the process of collection of information, and to specify what constitutes biometric and geographic information. The specifications have been left open to the authority, including the appointment of an entity to operate the Central Identities Data Repository.

The Bill creates a Central Identities Data Repository [Clause 2(h)], which will be the centralized database containing all Aadhaar numbers and details thereto. It will also be responsible for authentication and verification of the information provided by Aadhaar holders at the time of enrollment. The registration of Aadhaar has been made voluntary by the force of the Court’s order in August, 2016.

In light of this, clause 7 of the Bill mandates that proof of Aadhaar number is necessary for the receipt of certain subsidies, benefits and services. The clause carves out a potential exception to the effect that if an Aadhaar number is not assigned to an individual, an alternate means of identification shall be offered for delivery of benefits.

Enabling accessibility to the Aadhaar process, clause 5 of the Bill provides for special measures for issuance of Aadhaar to senior citizens, children, persons with disability and persons who do not have any permanent dwelling houses. The clause is inclusive in nature.

Chapter VII of the Bill deals with penalties and liabilities for several offences. Impersonation at the time of enrolment, as well as impersonation for the purpose of changing the demographic information of an Aadhaar number holder, is punishable with imprisonment. Providing a heavy liability for companies, clause 43 states:

Where an offence under this Act has been committed by a company, every person who at the time the offence was committed was in charge of, and was responsible to, the company for the conduct of the business of the company, as well as the company, shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly.

A provision which stands out in the chapter listing out penalties is Clause 44. It reads as follows:

(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or contravention committed outside India by any person, irrespective of his nationality.

(2) For the purposes of sub-section (1), the provisions of this Act shall apply to any offence or contravention committed outside India by any person, if the act or conduct constituting the offence or contravention involves any data in the Central Identities Data Repository (5(f)).

Privacy Provisions in the Bill

The statement of objects and reasons appended to the Bill states that it seeks to provide “for measures pertaining to security, privacy and confidentiality of information in possession or control of the Authority including information stored in the Central Identities Data Repository”.

Chapter VI of the Bill is built around the protection of information by the Authority, collected through the enrolment process. The Bill qualifies biometric information collected and stored in electronic form, as “electronic record” and “sensitive personal data or information” within the meaning of the Information Technology Act, 2000. The distinction between core biometric information and biometric information has been visibly emphasized. Clause 29 imposes a restriction on sharing information and bars the use of core biometric information for any purpose other than for the generation of Aadhaar numbers and authentication.

Clause 28(3) reads:

“The Authority shall take all necessary measures to ensure that the information in the possession or control of the Authority, including information stored in the Central Identities Data Repository, is secured and protected against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.”

Clause 28(5) further provides that the Authority or its officers or employees or any agency which maintains the Central Identities Data Repository shall not, whether during his service or thereafter, reveal any information stored in the Central Identities Data Repository or authentication record to anyone.

The Bill provides for information privacy at the stage of enrollment. According to Clause 3(2), the enrolling agency, which is appointed by the UIDAI for collection of identity information, is bound to inform the individual at the time of enrollment of (i) the manner in which the information collected will be used, (ii) the right of the individual to access the information and (iii) the nature of the recipients of the information. The manner of communication of such information has been left open to specific regulations which will be prescribed by the UIDAI.

The Bill provides for authentication of Aadhaar number by a requesting entity in relation to his biometric information or demographic information. Clause 2(u) defines “requesting entity” to mean an agency or person that submits the Aadhaar number, and demographic information or biometric information, of an individual to the Central Identities Data Repository for authentication.

Clause 8(2) makes it mandatory for the entity requesting authentication to obtain consent from the person whose information is to be collected for such authentication. It requires the requesting entity to ensure that the identity information of an individual is only used for submission to the Central Identities Data Repository for authentication. The clause further provides that the Authority shall respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information excluding any core biometric information.

With respect to identity information, clause 29(3) restricts the use of such information available with a requesting entity and states that the identity information will only be used for the purpose specified to the individual at the time of enrollment and only with the prior consent of the individual. Clause 32 enables an Aadhaar number holder to access her/his own information and also mandates that records of requests for authentication of an individual should be maintained.

The functions of the Authority include performing authentication of Aadhaar numbers and deactivation of Aadhaar numbers. Clause 23(m) empowers the Authority to specify, by regulations, various processes relating to data management, security protocols and other technology safeguards under this Act. The UIDAI, according to Clause 23(q), is also entrusted with the function of promoting research and development for advancement in biometrics and related areas, including usage of Aadhaar numbers through appropriate mechanisms.

Disclosure of Information

Envisaging an exception to the protection of information provisions, clause 33 allows for disclosure of information in certain instances. It provides that disclosure of information, including identity information or authentication records, is permissible if made in pursuance of an order of a Court (of at least District Judge level), or in the interest of National Security by an officer of the level of Joint Secretary or above. However, the Bill does not define national security, and the term in itself is vague and overbroad. It provides that such a direction shall be reviewed by an oversight committee consisting of the Cabinet Secretary and the Secretaries of Legal Affairs and DeitY. The problems of third-party independent oversight and the volume of requests remain, as is the case with the oversight committee under the Blocking Rules and the Telegraph Rules. The proviso appended to the clause further provides that a direction in the interest of national security shall lapse after the expiry of three months from the date of issue.

Clause 37 of the Bill enshrines a penal provision for unauthorized disclosure of any identity information collected in the course of the enrollment or authentication process. This provision prescribes a penalty for individuals as well as companies who engage in unwarranted disclosure. The Bill imposes a penalty for unauthorized access to the repository (clause 38) and for tampering with data on the repository (clause 39). Chapter VII further provides for punishment of a requesting entity for unauthorized use of identity information.

The Bill contains vital provisions, ranging from a requesting entity applying for authentication and access to identity information by an Aadhaar number holder, to the introduction of liabilities. However, a deeper glance shows that several regulations are yet to be prescribed and have been left open-ended. The enactment of legislation should not, however, be conceived as a satisfactory response to the yet-to-be-heard struggle for determining privacy as a constitutional right.

Joshita Pai was a Fellow at the Centre for Communication Governance from 2015-2016

The EU-US Privacy Shield: The Safer Harbour?

Written By Joshita Pai

On 29th February, 2016, the European Commission published details of the legal text which will be the building blocks for the EU-US Privacy Shield. The NSA’s bulk collection of EU users’ data has been a contentious issue since the Snowden revelations. The new agreement will replace the Safe Harbour agreement, which had been struck down by the Court of Justice of the European Union in the Schrems judgment, where the Court rendered the existing provisions as inadequate and incapable of protecting data.

The European Commission today issued a Communication summarizing the actions taken to replace the data protection standards. The Commission announced a number of steps to restore trust in the flow of transatlantic data. It finalised the reform of EU Data protection rules, which apply to all companies providing services on the EU market; negotiated the EU-U.S. Umbrella Agreement, ensuring high data protection standards for data transfers across the Atlantic for law enforcement purposes; and built a promising framework for commercial data exchange: the EU-U.S. Privacy Shield.

A preliminary dissection of the collective text indicates a commitment to build a stronger framework towards protecting transatlantic data. The European Commission in its draft adequacy decision published yesterday provides for the establishment of an enhanced regime, stating that the EU-US Privacy Shield will continue to be based on a system of self-certification where U.S. organisations will commit to the EU-U.S. Privacy Shield Framework Principles. Article 4 of the Draft Decision provides that:

“The Commission will continuously monitor the functioning of the EU-U.S. Privacy Shield with a view to assessing whether the United States continues to ensure an adequate level of protection of personal data transferred thereunder from the Union to organisations in the United States.”

Intricacies of the Agreement

Under the new arrangement, American companies will have to register on the Privacy Shield List and self-certify that they meet the requirements set out. Certification must be renewed each year and is subject to periodic review. The Privacy Shield includes the crucial principles of: consent of the user; the choice of the user to opt out of divulging personal information; the security of the transmitted information; and the purpose limitation principle, which ensures that information is not used for any purpose other than the one the user consented to.

Aside from these principles, the draft decision lists accountability and transparency obligations for companies engaging in data transfers and carves out a redress mechanism for aggrieved users. The FAQs accompanying the Privacy Shield framework provide that complaints must be resolved by the companies within 45 days.

The framework also provides for an alternative dispute resolution process: "A free of charge alternative dispute resolution [ADR] solution will be available. EU citizens can also go to their national data protection authorities, who will work with the US department of commerce, and Federal Trade Commission to ensure that unresolved complaints by EU citizens are investigated and resolved." Drawing on the recently passed U.S. Judicial Redress Act, the FAQ notes that the Privacy Shield will give EU citizens access to US courts to enforce privacy rights in relation to personal data transferred to the US for law enforcement purposes. The Judicial Redress Act, however, carries a last-minute amendment that makes US national security interests an exception to this guarantee.

The Article 29 Working Party, in its recently issued statement, outlined a four-part set of guarantees that should apply whenever personal data is transferred from the EU to the United States, to other third countries, or to other EU Member States. The statement recommends the following:

"1. Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen with her/his data where they are transferred;

2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;

3. An independent oversight mechanism should exist, that is both effective and impartial: this can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;

4. Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body."

The new arrangement addresses all four recommendations. The third recommendation calls for an independent oversight mechanism. The same requirement resurfaces as an essential criterion in the Communication from the Commission to the European Parliament and the Council, as well as in the draft adequacy decision, both released yesterday. The new arrangement creates an "Ombudsperson" to deal with complaints from EU citizens about how their data has been handled by the NSA; however, the independence of this oversight authority is debatable.

The draft also provides for suspension of the adequacy decision "if the Commission concludes that there are clear indications that effective compliance with the Privacy Principles in the United States might no longer be ensured, or that the actions of U.S. public authorities responsible for national security or the prevention, investigation, detection or prosecution of criminal offenses do not ensure the required level of protection. Alternatively, the Commission may propose to amend this decision, for instance by limiting the scope of the adequacy finding only to data transfers subject to additional conditions."

Conclusion

The protection of data has been treated as a paramount right in the EU, unlike in the US, where pro-privacy norms are a rare delight. The Schrems judgment did stir up the status quo, and the negotiation process has produced the revised arrangement. However, the NSA has found its way into the new arrangement, visibly so in the exception carved out for bulk collection of data. The draft decision envisages six contingencies in which the US would be permitted to collect signals intelligence in bulk: detecting and countering certain activities of foreign powers; counter-terrorism; counter-proliferation; cyber-security; detecting and countering threats to U.S. or allied armed forces; and combating transnational criminal threats, including sanctions evasion. The New York Times recently reported that data collected in bulk by the NSA will be shared with other U.S. agencies, including the FBI and the CIA, without removing identifying information. This is the meeting point of data processing for commercial purposes and data processing for surveillance. In light of the recent FBI-Apple dispute, such a collision should be viewed cautiously.


Privacy in the Context of Data Protection

Written By Joshita Pai

The privacy debate surrounding the Aadhaar proceedings has, in the recent past, stirred discussion on the constitutional perspective on privacy. In addition, the disastrous draft National Encryption Policy and the Human DNA Profiling Bill, 2015 have tested the legal contours of privacy, particularly the understanding of data protection in India. Increasing reliance on results drawn from consolidated databases of processed data has raised glaring questions of accountability and transparency in data handling. The inherent potential for privacy violations through processing of data has brought into focus the legal frameworks that govern such databases. However, there is a dearth of any such framework, and the notion of privacy stands on unstable ground.

Data Protection in India

The question of judicial recognition of privacy as a constitutional right is scheduled to be taken up by the Supreme Court in the near future. This will establish, in definite terms, the position of the right to privacy within the Constitution of India. Statutory conferment of privacy as a right could proceed in parallel, but legislative attempts on privacy and on data protection are yet to materialise. The Expert Committee set up to review the Information Technology Act submitted its report in August 2005 to the Department of Information Technology and called for amendments to certain sections in line with data protection and privacy standards. Following this, the Act was amended to include section 43A, which imposes civil liability for failure to protect data. It is significant that the amendment paved the way for self-regulation in defining what constitutes "reasonable security practices and procedures" and "sensitive personal data or information". While this is a workable attempt, it makes only for a stopgap arrangement and must yield to more comprehensive regulation.

India's legislative efforts to respond to privacy as a concept in its own right have been reluctant and disorganised. Sectoral efforts are, however, evident in a few areas. For communication records, the data retention requirements imposed on service providers are found in the ISP and UASL licences, which are grounded in the Indian Telegraph Act, 1885. In the health sector, the Ministry of Health & Family Welfare released a set of recommendations for electronic health records in India.

Taking a Cue from Other Nations

Article 25(1) of the EU Data Protection Directive, 1995, which regulates the transfer of data from EU member states to third countries, provides that transfer of personal data "may take place only if … the third country in question ensures an adequate level of protection." To assess India's framework on data protection, the European Commission in 2015 published a report on Data Protection in India which highlighted the lacunae in Indian law pertaining to personal data.

The successor to the EU-US Safe Harbour arrangement, set in motion by the ruling in Schrems, is eagerly awaited. The Court of Justice in 2015 declared the existing US provisions on protection of data inadequate, and a revised version with better accountability measures for transatlantic data flows was called for by the end of January 2016. The new framework is to be based on a stronger regime for protecting data, imposing obligations on companies handling EU personal data and enshrining transparency provisions. In the midst of this, the European Union reached agreement in December 2015 on a reformed Data Protection Framework that the EU Commission had proposed in January 2012. Against the backdrop of these developments on data protection, India's progress is dissipated and reluctant. Taking a cue from South Africa, which until very recently dealt with data protection within the constitutional ambit of privacy and in 2014 adopted a data protection statute, Indian provisions could be consolidated into a formal and binding statute.

C for Commercial, D for Data

Written By Joshita Pai

A visibly agitated man once entered a store of the American retail giant Target to ask why his teenage daughter had been receiving coupons for baby products. A few days later, when the store manager called the man to apologise, the father replied that his daughter was in fact pregnant. Following the incident, the New York Times reported that Target assigns each shopper a unique code, internally known as the Guest ID number, which is linked to e-mails the store sends to its customers, and that the store further tracks its customers' website visits. Target, like several shopping portals, routinely analyses this data together with demographic information and maps out the behaviour of its customers. Customised services and tailor-made offers to customers are definitely among the benefits of rigorous data mining, and the practice is regarded by many as a successful marketing strategy.

Commercial Value in Transfer of Data

Neil Robinson describes personal data as the lifeblood of the information economy. Collecting consumers' personal data and trading it for commercial purposes is a common practice among companies, as the Data Security Council of India has observed. Uber, Google, Twitter, Facebook and Zomato each engage in customised data collection at the time their applications are installed. These platforms have notoriously been in the news for flouting data protection standards. Consumer privacy has been central to the debate on using information as a currency of exchange. Commercial relationships between Google and companies such as Amazon and Flipkart exist in the name of tailoring better and more personal services to customers. It is relevant to note that collection and processing of data is admittedly easier when services are accessed through applications on mobile phones. Twitter, for instance, demands at the time of installation information ranging from the contacts stored on the phone to permission to access photos, media and files saved on external storage, the device ID and call information.

Jane Bambauer refers to data as 'speech' since it carries informational value, and on this basis she argues that transfer of data should be protected as commercial speech. This notion has found favour with the courts. The Supreme Court of the United States in 2011 held that the sale of personal data is protected within the ambit of the First Amendment as commercial speech. The Court invalidated a statute that prohibited pharmacies and companies from selling prescriber-identifying data obtained from the prescriptions written by individual doctors. Extending First Amendment protection to such transfers, the Court reasoned that government agencies collect and store such data, and the practice cannot be deemed illegal when carried out by pharmaceutical companies merely on the ground that the latter have vested commercial interests. The statute in question banned the sale and use of prescriber-identifying information for marketing purposes without the prescribing physician's consent. What remained on either side of the battle was the companies' right to sell the data privately against the State's claim that data of this nature is not speech. The decision was a victory for First Amendment rights but disrupted the notion of medical and consumer privacy.

Commercial Transfer of Data in India

In India, the judicial development of commercial speech under Article 19(1) is yet to touch upon the commercial transfer of data. The Delhi High Court dealt with disclosure and publication of confidential information in the Petronet case in 2009; however, the sale of personal information is yet to be explored in India.

That being said, the IT Act has made scattered but able attempts at securing data by framing rules on the principles of consent and purpose limitation at the time of collection. Rule 4 of the IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 provides that:

"The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract."

Rule 3 lists the categories of information that constitute sensitive personal data and attaches an exception: information ceases to be sensitive if it is already in the public domain or can be furnished under the Right to Information Act, 2005.

Privacy policies typically carry disclaimers stating whether or not the service will extract personally identifiable information such as health records, sexual preferences or gender-specific information, and a few disclose the use of cookies for collecting more fine-grained data. These policy statements are almost always drawn up against the accepted privacy standards under the Information Technology Act, 2000, since there is no well laid out regulatory framework to monitor the free flow of data.

Scattered provisions on data protection do exist in India and can be worked with temporarily. The issues arising from transfer of data, however, do not end at commercial boundaries. Sharing of collected information with government agencies, and the procurement of data upon government request, have found their way into the IT Act and are prescribed as clauses to be included in a company's privacy policy. Such related concerns are by no means secondary, and the need of the hour dictates that concrete and formalised regulatory structures be put in place.


Do Not Invite Barbie Home

Written By Joshita Pai

Taking inspiration from Apple's Siri, Mattel, along with its technology partner ToyTalk, launched Hello Barbie this year. The doll, available for purchase online, is a wi-fi enabled, interactive toy equipped to hold a conversation at the press of a button on its belt. The audio is processed over the internet, which is what makes the experience interactive. The doll became a subject of controversy after a U.S.-based security researcher reported that, on breaking into the Hello Barbie system, he was able to retrieve wi-fi network names, MP3 files and account IDs which could be traced back to someone's home. Several consumer groups have protested against the sale of the doll, emphasising its eavesdropping nature, indicating that Mattel's innovation has not been well received.

Distinct features of the Doll

Mattel manufactures the doll, and ToyTalk supplies the technology behind Hello Barbie. The doll uses voice recognition software: a child's speech is sent over the internet to ToyTalk's servers, where it is processed, and a pre-recorded response is selected and played back as Barbie's words. Downloading the Hello Barbie companion app enables registration and activation of the doll on purchase. At the press of a button the doll becomes a responsive toy capable of interacting with the child. The responses Hello Barbie can give are pre-determined by the parents through a password-protected ToyTalk account, which requires online registration. Alexandra Saddler, in her investigation, reported that the conversations are recorded and stored in the cloud and may be used anonymously by the company to create more pre-recorded messages.

Surrounding Privacy Concerns:

The interactive doll comes with a memory, because each conversation between Barbie and the child is recorded as it happens. The recordings are accessible to both parents and ToyTalk, which means there are two levels of access to every communication made. The doll employs voice recognition techniques which enable online identification of the child, and such identifiers are protected as personal information under the United States' Children's Online Privacy Protection Act (COPPA). The right to privacy is, however, a subjective right, and the extent of the expectation of privacy a child is likely to have is debatable.

A wi-fi enabled doll with a companion app that requires online registration generates information beyond the child's conversations with the doll. The dolls are mostly purchased by placing an order online, which is a sure way of handing over a person's address. Irrespective of the mode of purchase, the company has legitimate access to the wi-fi network name in use, the name of the user, the mobile number used to access the companion application, and other information that can be traced back to the home in which Hello Barbie resides. As ToyTalk's privacy policy indicates, the collected data is processed, stored and shared by the company with third parties and transferred to other countries.

Protected data is increasingly losing ground to the commercial exchange of information by conglomerates. In the U.S., transfer of data is seen as a necessity for fostering the free flow of information. Obtaining access to, and transferring, data through a child's toy might however be taking it too far.

Mattel’s attempts to assuage privacy concerns:

Parents of children who own the doll are not only granted access to the conversations between their child and Barbie; they also have the option of deleting recorded conversations from ToyTalk's database through the ToyTalk account. Hello Barbie uses encryption to protect communications while they are transmitted over the Internet. Mattel claims that these safeguards are sufficient to ensure that parents remain the sole gatekeepers of the communications and the recorded data. ToyTalk also states firmly in its privacy policy that the recordings will not be shared with Mattel.

Analyzing ToyTalk’s Privacy Policy:

A cursory reading of ToyTalk's Privacy Policy gives an insight into how the company intends to handle the collected data. ToyTalk admits that the communications may constitute personal information within the meaning of the Children's Online Privacy Protection Act:

"we cannot prevent children from providing personal information when they talk with Hello Barbie, and such information may be captured in the Recordings. However, it is our policy to delete such personal information where we become aware of it and we contractually require our service providers to do the same."

Further, the Policy explicitly states that "we may store and process personal information in the United States and other countries", and adds that, subject to COPPA requirements, the information will be shared with third parties for a list of purposes. Commercial exchange of information is generally permitted in the name of customised services to customers and the compilation of statistics for the company's review. The clause, however, does not restrict processing of data to within the country, which is a cause for concern since not all countries are equipped to handle and process data while safeguarding privacy.

With respect to flow of data transcending the U.S. borders, the privacy policy reads: “If information is shared in accordance with privacy policy, it may be disclosed to overseas recipients….including countries that do not have laws that protect personal information in the same manner as countries within the European Economic Area.”

With the recent ECJ ruling in Schrems, the safe harbour guarantees given by the U.S. have been declared inadequate for ensuring the protection of data. Against this backdrop, exporting data carries with it the possibility of privacy breaches. In the case of Hello Barbie, COPPA stands as a thin legislative buffer against the trading of information within the country. Since the doll can be purchased online, however, purchasers in countries without similar regulatory structures are bound to be in a more vulnerable position.


Public Safety and Private Phone Calls: The Recent Railway Order

Written By Joshita Pai

The Railway Ministry recently issued a circular asking locomotive pilots (engine drivers) and assistant drivers to furnish details of their cell phones and phone numbers. Citing passenger safety, it has demanded access to phone records to investigate whether drivers were using their mobile phones while on duty. The decision has not been well received by many officers and drivers, since the order raises privacy concerns.

It is important to note that engine drivers and their assistants are issued cell phones and phone numbers under a Closed User Group (CUG) plan, 'Railtel', which considerably reduces the Ministry's burden in executing the order. On the other hand, it means accessing a pre-existing database containing details of calls made and messages sent. In 2012, the Telecom Ministry, responding to the Railway Ministry's concerns over the growing number of rail accidents, issued a circular emphasising the necessity of keeping phones switched off. The guidelines instruct loco pilots to use only walkie-talkies or similar communication sets, and provide that the railway administration is empowered to take steps to track or monitor calls originating from CUG or personal mobile phones. The order issued by the Railway Ministry on 10th October, 2015 requires access to phone records showing calls originated or received on CUG mobile phones.

The concern underlying the Railway Ministry's repeated orders, as mentioned earlier, is public safety; but accessing phone records may be excessive in the absence of safeguards. Accessing call logs goes beyond merely enforcing safety norms if the details of the calls made can also be procured. It is also important to note that the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 do not include private communications within the definition of sensitive personal data or information, so the Rules offer no protection against such access. An order clarifying that monitoring of phones will be limited to checking whether they remained switched off during the period of the run would serve the stated purpose.

The order finds legal backing in the Telegraph Act, which permits government agencies to intercept phones and calls in exigent circumstances, including for public safety. That said, while access to phone records at the behest of a circular may be legally permissible, it may still encroach upon private space. Section 26 of the Indian Post Office Act, 1898 confers powers of interception of postal communications for the public good, and similar provisions for telephone calls are enshrined in the Telegraph Act. Statutory encroachments on the right to privacy are therefore not restricted to this order. In the PUCL judgment, the Supreme Court laid down a string of guidelines to regulate the power vested in government agencies when exercising interception powers under Section 5 of the Indian Telegraph Act. The Court accepted the explanation of public safety that: "the expression "public safety" means the state or condition of freedom from danger or risk for the people at large". The railway order in question is undeniably born of grave concerns, more so since there have been instances in the past of rail accidents caused by distracted drivers. Procedural safeguards, such as limits on the extent of access in the hands of the authorities and warning provisions to keep such acts in check, would provide a meeting point between the two conflicting interests.

The loco pilots and other officers in the railway department have decided to stage a two-day protest in which, among other matters, the order in question will be raised. The concern cited by the officials with respect to this order is potential violation of privacy. However, the turn of events in the Aadhaar proceedings has left the question of the existence of a constitutional right to privacy to a larger bench, which is yet to be constituted. Arguably, even if that bench recognises privacy as a fundamental right, the right will still operate within legitimate constraints, and public safety is definitely one of them.

Aadhaar (the Larger Bench): Day I

Written By Joshita Pai

The five-judge bench this afternoon commenced the Aadhaar hearing following a reference from a three-judge bench of the Supreme Court on the question of the existence of privacy as a constitutional right and on clarification of the interim order issued on 11th August. The bench seemed determined to focus on the clarification issue, and at the beginning of the proceedings the CJI stated, with particular regard to the privacy question, that he had not yet decided what bench could be constituted to determine it.

Mr. Shyam Divan, Senior Advocate, insisted on presenting preliminary submissions on privacy and, in the latter part of the hearing, returned to the subject and threw considerable light on the previous orders issued by the Court in the matter. The Attorney General's arguments rested primarily on: firstly, the authentic nature of Aadhaar cards; secondly, the difficulty the poorest of the poor face in procuring other identity documents such as PAN cards and driving licences; thirdly, the fact that 92 crore people have already enrolled for Aadhaar; fourthly, the fact that the Aadhaar project is centred on a social welfare scheme; and finally, the premise that the card does not contain biometric information and displays only the unique identification number.

Referring to the Big Brother concerns, the AG asserted that communications on WhatsApp can be snooped into by Facebook. WhatsApp, however, in the light of the recent encryption controversy, had assured users that messages are encrypted on the sender's device in such a way that only the intended recipient can read them. Doubts about the credibility of such end-to-end encryption certainly abound. Moreover, commercial use of data is a concept tangential to surveillance and the maintenance of databases by the Government.

On the figure of 92 crore Aadhaar card holders, the bench asked the AG whether he ruled out the possibility that so many people volunteered for Aadhaar because it was their only means of accessing the proposed schemes. The Court, referring to the interim orders, sought clarification on the voluntary nature of Aadhaar after those orders. The advocates for the string of respondents reiterated that for all schemes outside PDS and LPG enrolment has been voluntary, and insisted that they wish to resume the schemes that are tied to Aadhaar.

Arguing for the petitioners, Mr. Shyam Divan reintroduced the privacy concerns and stressed that the issue cannot be looked at in isolation, since Aadhaar is built on the collection of biometric information and fingerprints, which has been conducted without any statutory backing or, at the very least, the issuance of a circular. He also pointed out that the enrolment form does not mention the requirement of supplying biometric data. He read out the interim order issued by the Court on 11th August and stated that the petitioners had received no notice from the Centre indicating that it was challenging the Court's order.

The bench intermittently expressed concern about how the order would be carried out, since once the constitution bench has clarified the 11th August order, the matter would be referred back to the three-judge bench. At the next hearing, scheduled for 2 pm tomorrow, the Court will begin by examining the interim order issued last week.