Call for Applications – Civil Liberties

Update: Deadline to apply extended to January 15, 2018! 

The Centre for Communication Governance at the National Law University Delhi (CCG) invites applications for research positions in its Civil Liberties team on a full time basis.

About the Centre

The Centre for Communication Governance is the only academic research centre dedicated to working on the information law and policy in India and in a short span of four years has become a leading centre on information policy in Asia. It seeks to embed human rights and good governance within communication policy and protect digital rights in India through rigorous academic research and capacity building.

The Centre routinely works with a range of international academic institutions and policy organizations. These include the Berkman Klein Center at Harvard University, the Programme in Comparative Media Law and Policy at the University of Oxford, the Center for Internet and Society at Stanford Law School, Hans Bredow Institute at the University of Hamburg and the Global Network of Interdisciplinary Internet & Society Research Centers. We engage regularly with government institutions and ministries such as the Law Commission of India, Ministry of Electronics & IT, Ministry of External Affairs, the Ministry of Law & Justice and the International Telecommunications Union. We work actively to provide the executive and judiciary with useful research in the course of their decision making on issues relating to civil liberties and technology.

CCG has also constituted two advisory boards, a faculty board within the University and one consisting of academic members of our international networks. These boards will oversee the functioning of the Centre and provide high level inputs on the work undertaken by CCG from time to time.

About Our Work

The work at CCG is designed to build competence and raise the quality of discourse in research and policy around issues concerning civil liberties and the Internet, cybersecurity and global Internet governance. The research and policy output is intended to catalyze effective, research-led policy making and informed public debate around issues in technology and Internet governance.

The work of our civil liberties team covers the following broad areas:

  1. Freedom of Speech & Expression: Research in this area focuses on human rights and civil liberties in the context of the Internet and emerging communication technology in India. Research on this track squarely addresses the research gaps around the architecture of the Internet and its impact on free expression.
  2. Access, Markets and Public Interest: The research under this area will consider questions of access, including how the human right to free speech could help to guarantee access to the Internet. It would identify areas where competition law would need to intervene to ensure free, fair and human rights-compatible access to the Internet, and opportunities to communicate using online services. Work in this area will consider how existing competition and consumer protection law could be applied to ensure that freedom of expression in new media, and particularly the internet, is protected given market realities on the supply side. We will under this track put out material regarding the net neutrality concerns that are closely associated to the competition, innovation, media diversity and protection of human rights especially rights to free expression and the right to receive information and particularly to substantive equality across media. It will also engage with existing theories of media pluralism in this context.
  3. Privacy, Surveillance & Big Data: Research in this area focuses on surveillance as well as data protection practices, laws and policies. The work may be directed either at the normative questions that arise in the context of surveillance or data protection, or at empirical work, including data gathering and analysis, with a view to enabling policy and law makers to better understand the pragmatic concerns in developing realistic and effective privacy frameworks. This work area extends to the right to be forgotten and data localization.


CCG is a young and continuously evolving organization and the members of the centre are expected to be active participants in building a collaborative, merit led institution and a lasting community of highly motivated young researchers.

Selected applicants will ordinarily be expected to design and produce units of publishable research with Director(s)/ senior staff members. They will also be recommending and assisting with designing and executing policy positions and external actions on a broad range of information policy issues.

Equally, they will also be expected to participate in other work, including writing opinion pieces, blog posts, press releases, memoranda, and help with outreach. The selected applicants will also represent CCG in the media and at other events, roundtables, and conferences and before relevant governmental, and other bodies. In addition, they will have organizational responsibilities such as providing inputs for grant applications, networking and designing and executing Centre events.


The Centre welcomes applications from candidates with advanced degrees in law, public policy and international relations.

  • All candidates must preferably be able to provide evidence of an interest in human rights / technology law and / or policy / Internet governance/ national security law as well. In addition, they must have a demonstrable capacity for high-quality, independent work.
  • In addition to written work, a project/ programme manager within CCG will be expected to play a significant leadership role. This ranges from proactive agenda-setting to administrative and team-building responsibilities.
  • Successful candidates for the project / programme manager position should show great initiative in managing both their own and their team’s workloads. They will also be expected to lead and motivate their team through high stress periods and in responding to pressing policy questions.

However, the length of your resume is less important than the other qualities we are looking for. As a young, rapidly-expanding organization, CCG anticipates that all members of the Centre will have to manage large burdens of substantive as well as administrative work in addition to research. We are looking for highly motivated candidates with a deep commitment to building information policy that supports and enables human rights and democracy.

At CCG, we aim very high and we demand a lot of each other in the workplace. We take great pride in high-quality outputs and value individuality and perfectionism. We like to maintain the highest ethical standards in our work and workplace, and love people who manage all of this while being as kind and generous as possible to colleagues, collaborators and everyone else within our networks. A sense of humour will be most welcome. Even if you do not necessarily fit requirements mentioned in the two bulleted points but bring to us the other qualities we look for, we will love to hear from you.

[The Centre reserves the right to not fill the position(s) if it does not find suitable candidates among the applicants.]


Based on experience and qualifications, successful applicants will be placed in the following positions. Please note that our interview panel has the discretion to determine which profile would be most suitable for each applicant.

  • Programme Officer (2-4 years’ work experience)
  • Project Manager (4-6 years’ work experience)
  • Programme Manager (6-8 years’ work experience)

A Master’s degree from a highly regarded programme might count towards work experience.

CCG staff work at the Centre’s offices at National Law University Delhi’s campus. The positions on offer are for duration of one year and we expect a commitment for two years.


The salaries will be competitive, and will usually range from ₹50,000 to ₹1,20,000 per month, depending on multiple factors including relevant experience, the position and the larger research project under which the candidate can be accommodated.

Where candidates demonstrate exceptional competence in the opinion of the interview panel, there is a possibility for greater remuneration.

Procedure for Application

Interested applicants are required to send the following information and materials by December 30, 2017 to

  1. Curriculum Vitae (maximum 2 double spaced pages)
  2. Expression of Interest in joining CCG (maximum 500 words).
  3. Contact details for two referees (at least one academic). Referees must be informed that they might be contacted for an oral reference or a brief written reference.
  4. One academic writing sample of between 1000 and 1200 words (essay or extract, published or unpublished).

Shortlisted applicants may be called for an interview.



Evaluating the Risks of the Internet of Things- II

by Dhruv Somayajula*

In this second part of our two post series on the Internet of Things, Dhruv examines the policy framework in India to analyse its applicability to the Internet of Things. 

In a previous post, we discussed the definition of the ‘Internet of Things’ (“IoT”), its uses and applications for smart cities and personal appliances as well as the security and privacy risks that it can come to pose. In light of the growing risks and security concerns this technology poses, it is essential to examine the existing legal framework to evaluate whether it can tackle the challenges emerging from the Internet of Things.

India’s Policy Framework on the Internet of Things

In recognition of the growing scope of the IoT-connected devices, the Ministry of Electronics and Information Technology released a Policy Document on the Internet of Things in October 2014. Following public comments, a revised draft policy(“Draft Policy”) was released in April 2015. The Draft Policy focuses in detail on the possible uses of IoT in India, which includes its use for infrastructure in creating smart cities, water and agriculture management, health and environment monitoring and traffic management. The Internet of Things, as conceived in India, is geared towards making life easier and ‘smarter’ for the consumer. The introduction of smart cities, smart energy, waste management, water management and other infrastructural development is part of the ambitious program that has been planned using the support of the Internet of Things. The Draft Policy also foresees major growth in the areas of providing wi-fi access, managing traffic, measuring CO2emissions, creating plans for a monitoring system of agriculture and healthcare. This post critically analyzes the existing legal and policy framework regarding the Internet of Things.

Lack of Uniform Global Standards

Paragraph 5.2 of the Draft Policy recognizes the necessity to stay on par with global standards for IoT devices. Further, it proposes the creation of a National Expert Committee to develop globally operable Internet of Things standards comprising of industry experts. However, the lack of a uniform global standard needs to be recognized by the Expert Committee, while framing India’s standards for IoT devices.

Data Security & Privacy

The Draft Policy fails to provide a governance framework for the Internet of Things. As discussed in our previous post, data security and privacy are critical concerns with respect to the Internet of Things. This is primarily on account of the extensive data being collected by these devices. India’s laws on data protection are codified in the Information Technology (Amendment) Act, 2011 (‘ITAA’). Section 43A obligates corporate entities to maintain reasonable security practices for safeguarding sensitive personal data. Accordingly, negligence in maintaining security measures invites liability to pay damages to the affected party. Further, Section 72A of the ITAA protects the right to confidentiality and privacy and makes disclosure of personal information without the consent of a person a punishable offence. The Information Technology (Reasonable Security Practices and Procedures) Rules, 2011 (“Rules”) have elaborated on the ITAA by defining key terms linked with data protection. The Rules define personal data, and elaborate on means to collect and retain such data. However, these Rules only protect data which can be used to identify a person, and don’t cover cases where other background data, such as location and activity, is collected. This loophole renders the Rules ineffective against a large portion of data collected by the IoT devices. Further, the data protection regime in India has also been criticized for the lack of a Data Protection Authority in India, and the low rate of action taken under these laws.

Another question of law that arise with the advent of the Internet of Things is the use of Standard Essential Patents (‘SEPs’) in India. When a company sets a market standard by way of an innovation and patents it, it may force the other players wishing to use the same standard in their devices to pay a huge royalty for a license to the patent. The other players in the market may restrict the standard-setting company from doing so. This is done by arguing that since the patent has set a market trend, the license to use that innovation must be given on fair, reasonable and non-discriminatory (‘FRAND’) terms. This practice is encouraged to avoid anti-competitive behavior by the company obtaining the SEP and to aid the consumer in having a wider choice in the market. The question of standard-setting is vital in the IoT sphere since the Internet of Things will rely on standardized technology, such as Wi-fi, Bluetooth, RFID chips. A large amount of IoT devices rely on data-sharing and interoperability of devices to create a smart sphere, and for doing so, a uniform standard is necessary to keep adding new devices on the common platform.The question of SEPs and their application to IoT devices will raise interesting questions in the coming days.

International Legal Frameworks

On October 2014, an Article 29 data Protection Working Paper analyzed Internet of Things and recommended that the laws on data protection be made stricter to prepare for this new technology. The solutions suggested included:

  • Privacy Impact Assessment report to be made before a new application is integrated into the IoT sphere [Paragraph 7.1].
  • Raw data collected from a device to be deletedonce the same is processed [Paragraph 7.1].
  • Certified standards to be used by standard setting bodies to prevent security threats to the IoT platform [Paragraph 6.5].
  • All actors who are a part of the Internet of Things, either as a device or a processor, to be accorded the status of ‘data controllers’, making them responsible for data protection [Paragraph 4.2].
  • Additional suggestions such as purpose limitation, minimal retention of data, and transparency in use.

Based on the recommendations of the Working Paper, the European Union passed the General Data Protection Regulation(‘GDPR’) which was adopted on April 2016 and shall come into force in May 2018. The GDPR lays down law on how data is to be collected, processed, used and stored, and the limits on saving such data.

  • Article 5 of the GDPR requires the collection of data to be fair, transparent, and lawful. It also provides for the data collected to be minimal and for a limited purpose, and that the data controller is accountable for the safety of the data.
  • The GDPR also provides for safeguards on data processing such as pseudonymization (or encryption), as per Article 25, which enforces data protection by design and default.
  • Article 26 is relevant in cases where two or more entities jointly determine the means and purposes of processing data If the recommendation to include all the people involved in the IoT chain as data controllers is accepted [Para 4.2 of the Working Paper], this Article would be very crucial in determining liability.
  • Article 44 lays down general principles for data transfer to a third country- stating that data can be transferred to a third country when the data protection laws of that country areconsidered adequate.

Similarly, the United States Federal Trade Commission (FTC)has alsoprepared a report that dealt with the benefits and risks of the Internet of Things. The report contains several recommendations towards ensuring security and privacy of consumers, including- data security to be verified, notice and consent to be provided, and security upgrades in installation. The recent TRENDnet case acts as an example of the vulnerability of IoT devices in the market and serves as a reminder that internet security must remain a priority for devices using the Internet of Things.

Several other countries have passed laws relating to data protection which could be applied to the Internet of Things. Canada, for example, passed the Personal Information Protection and Electronic Documents Act (‘PIPEDA’) in 2004. There have been major developments since then, and the Privacy Commissioner of Canada has admitted the need to relook the consent model in force with the advent of the Internet of Things. Australia has the Information Privacy Act, 2014 which lays down rules of keeping consumer data confidential.

Way ahead in India

With an estimated 451.5 million internet users by the end of 2016, India promises to be a significant player in the $300 billion Internet of Things market. India is on the threshold of an internet boom, and has tremendous potential in the Internet of Things, with the present estimate being around $15 billion. It is necessary to evolve legal and policy frameworks tailored to this technology, given the number of substantial benefits the Internet of Things provides for us. The government needs to promptly upgrade its existing data protection regime to match the global standards of privacy and data protection, and needs to take special cognizance of the security and privacy risks associated with the Internet of Things while doing so.

*Dhruv is a third year student at NALSAR University of Law, Hyderabad. Dhruv interned with CCG during November 2016.