[July 8-15] CCG’s Week in Review: Curated News in Information Law and Policy

The Parliament passed the Aadhaar Amendment Bill, expected to have a far-reaching impact on data sharing with private companies and State Governments; France rolled out a new “digital tax” for Big Tech, Facebook slapped with a massive $5bn fine by the US FTC, while uncertainty over Huawei’s inclusion in India’s 5G trials deepens  — presenting this week’s most important developments in law and tech.

In focus this week: opinions and analyses of the Defence Budget for 2019-20.

Aadhaar

  • [July 8] Parliament passes Aadhaar amendment bill, The Hindu Business Line report.
  • [July 8] RS clears bill on voluntary use of Aadhaar as ID proof, Live Mint report.
  • [July 8] Techie moves Madras High Court assailing compulsory linking of Aadhaar with Universal Account Number (UAN) to avail EPFO pension, The Economic Times report.
  • [July 9] You are not bound to share Aadhaar data with schools, banks and telcos, DNA India report.
  • [July 9] ‘Ordinance on Aadhaar use doesn’t survive as House has cleared the Bill’: Centre tells SC, The Hindu report.
  • [July 10] Aadhaar Bill passage in Parliament: New clause helps secure non-NDA votes, The Economic Times report.
  • [July 11] PAN not linked to Aadhaar will become invalid from September, Business Standard report.
  • [July 11] Aadhaar amendments: New clause to allow use of Aadhaar data for state schemes, Live Mint report.
  • [July 11] Amendment: no Aadhaar for mobile wallet firms, The Economic Times report.
  • [July 11] All your Aadhaar fears are coming true in Assam, HuffPost India report.
  • [July 13] Rajya Sabha passes Aadhaar amendment Bill, allows to file complaint in case of security breach, India Today report.
  • [July 14] You may soon have to pay Rs. 10,000 as fine for entering wrong Aadhaar number for transactions, New 18 report.

Free Speech

  • [July 9] Twitter backs off broad limits on ‘Dehumanizing Speech’, The New York Times report.
  • [July 10] TikTok influencers charged for hate speech and attempting to incite communal violence, Business Insider report.
  • [July 13] White House Social Media recap, National Public Radio report, CNN report, The New York Times report, Engadget report. The Verge report.
  • [July 13] FIRs against 10 for poems that try to ‘hinder NRC’ in Assam, Times of India report.
  • [July 15] RSS wing calls for TikTok, Helo ban, The Economic Times report.

Data Protection

  • [July 8] Indian parliament members call for Data Protection Bill and TikTok ban, Inc42 report.
  • [July 8] British Airways fined record 183 million for data breach involving 500,000 customers: report, Medianama report, BBC report.
  • [July 9] Digital data protection to be a fundamental right in Brazil as amendment to constitution is approved, Medianama report.
  • [July 12] Not ‘Okay Google’: Firms admits that workers listen to audio from Assistant, Home, Medianama report, Fox News report, VRT News report.
  • [July 12] Google data breach faces review by Irish privacy watchdog, Bloomberg report.
  • [July 13] Facebook fined $ 5 billion by US regulators over privacy and data protection lapses, News 18 report, The Hindu Business Line report.
  • [July 13] Indian Govt is selling vehicle owner data to companies and citizens don’t have a clue, Inc42 report, Entrackr report.
  • [July 15] Data protection law must be the same for both private and government players, The New Indian Express report.

Digital India

  • [July 15] PMO panel seeks multinational companies’ inputs on making India electronics hub, ET Telecom report.

Data Localisation and E-Commerce

  • [July 11] Gautam Adani woos Amazon and Google with Indian data hubs, ET Telecom report.
  • [July 9] A tug of war hots the draft e-commerce policy. US tech giants want leeway in data localisation, ET Prime report. [paywall]
  • [July 15] Delhi and Bengaluru customs stop clearing ‘gifts’, Economic Times report, Medianama report.

Telecom/5G

  • [July 15] Inter-ministerial panel clears draft RFP to select auctioneer for 2019 spectrum sale, ET Telecom report.

More on Huawei

  • [July 10] Huawei makes Monaco world’s fully 5G country, Live Mint report.
  • [July 10] Huawei ban eased but tech can’t relax, Financial Times report.
  • [July 11] NSAB members, Chinese diplomat cross swords over Huawei, Indian Express report.
  • [July 12] Doubts over Huawei’s participation in India’s 5G rollout deepen, Live Mint report, NDTV Gadgets 360 report.
  • [July 14] Huawei plans extensive layoffs at its US operations, Live Mint report, The Economic Times report.
  • [July 13] US tells Britain: Fall in line over China and Huawei, or no trade deal, The Telegraph report
  • [July 14] US seeks to discredit UK spies in war against Huawei, The Times UK report.

Big Tech: Regulation

  • [July 11] France passes law taxing digital giants in defiance of US anger, Agence France Presse report.
  • [July 10] US Announces Inquiry of French Digital Tax that may end in tariffs, The New York Times report.

Cryptocurrencies

  • [July 9] Indian govt to educate top cops on cryptocurrencies, aiming to investigate crypto matters, CrytpoNewZ report.
  • [July 9] Facebook to Senators: Libra crypto will respect privacy, Coin Desk report.
  • [July 11] Winklevoss-backed crypto self-regulatory group prepares to woo congress, Coin Desk report.
  • [July 12] Japanese crypto exchange hacked, loses $ 32 million, The Hindu Business Line report, Coin Telegraph report.
  • [July 13] Study exposes how Russia, Iran and China are weaponizing crypto, CNN report.
  • [July 13] China’s illegal crypto mining crackdown could ignite a bitcoin price rally, CNN report.
  • [July 15] IRS confirms it trained staff to find crypto wallets, Coin Desk report.

Emerging Tech

  • [July 9] AI in cybersecurity expected to surpass $38 billion, Security Boulevard report.
  • [July 14] How aritifical intelligence is solving different business problems, Financial Express report.
  • [July 14] Why AI is the future of cybersecurity, Forbes report.

Cybersecurity

  • [July 8] Chinese hackers demonstrate their global cyber espionage reach with breach at 10 of the world’s biggest telecoms, CPO Magazine report.
  • [July 12] Businesses in India tapping AI to improve cybersecurity, The Economic Times report, Fortune India report.
  • [July 15] Indian IT managers facing budget crunch for cybersecurity, The Economic Times report.

Tech and Law Enforcement: Surveillance and Cyber Crime

  • [July 8] NCRB invites bids to implement Automated Facial Recognition System, Medianama report.
  • [July 9]  The chase gets a lot easier for tech-wielding cops now, The Economic Times report.
  • [July 9] Delhi government begins installing CCTV cameras inside classrooms to prevent crime: report, Medianama report. Times now News report.
  • [July 10] Instagram announces two new anti-bullying features, Instagram’s announcement, Thw Wall Street Journal report, Medianama report.
  • [July 11] WhatsApp messages can be traced without diluting encryption, Zee News report.
  • [July 12] New POCSO bill to expand child porn definition to include anime, adults posing depicting children, Medianma report, Hindustan Times report.
  • [July 12] SC refuses to stay installation of CCTV cameras in Delhi Government schools, Medianama report, Bar & Bench report.

Tech and Military

  • [July 8] Japan-India security cooperation: Asian giants to expand their relations to Space, Financial Express report.
  • [July 8] Bill to tag individuals as ‘terrorist’ introduced in LS, Opposition protests: The Unlawful Activities (Prevention) Act Amendment Bill, 2019, Business Standard report
  • [July 8] Government introduces Bill in Lok Sabha to amend National Investigation Agency Act, The Economic Times report.
  • [July 8] Govt to procure 1.86 lakh bullet proof jackets by April next, The Hindu Business Line report.
  • [July 8] India, Russia agree on new payment mode for S-400 deal to get around US sanctions, The Print report.
  • [July 9] National e-Governance Division to revamp management app for the army, The Week report.
  • [July 9] Amazon, Microsoft wage war over the Pentagon’s ‘war cloud’,  NDTV Gadgets 360 report
  • [July 10] Last chance to get tech: Navy says negotiating next 6 subs to take years, Business Standard report.
  • [July 10] Tactical communications market size in the US region is projected to experience substantial proceeds by 2024, Tech Mag report.
  • [July 11] Govt says looking at tech to seal northern and eastern borders, Live Mint report.
  • [July 11] Army man arrested for leaking info on national security, The Tribune report.
  • [July 12] Wait for sniper rifles gets longer, MoD retracts the RFP issued last year, Financial Express report.
  • [July 12] India, Russia discuss space cooperation, The Hindu report
  • [July 12] Israel arms company signs $100 million missile deal with Indian army, Middle East Monitor report.

Defense Budget: Reports and Analyses

  • [July 8] Budget 2019: India redirects foreign aid to Indian ocean countries, NSCS expenditure hiked, Business Standard report.
  • [July 8] Laxman K Behera, Institute for Defense Studies and Analysis, India’s Defence budget 2019-20.
  • [July 8] PK Vasudeva, Deccan Herald, An alarming fall: Defence Budget 2019-20.
  • [July 8] Mihir S Sharma, Business Standard, Budget 2019: India won’t become a superpower with these allocations.
  • [July 9] PRS Legislative Research’s analysis: Ministry of Defence Demands for Grants 2019-20.
  • [July 9] Why Sitharaman’s budgetary allocation is unlikely to satisfy defence establishment, The Economic Times report.
  • [July 10] Brahma Chellaney, Hindustan Times, India’s defence planning has no clear strategic direction.
  • [July 10] Harsh V Pant, Live Mint Opinion, We need not whine about India’s small defence budget.
  • [July 12] Commodore Anil Jai Singh, Financial Express, Budget 2019: Optimising the Defence Budget and the need for organizational reform.
  • [July 13] Shekhar Gupta, The Print, Modi isn’t about to change India into national security state like Pakistan and bankrupt it.
  • [July 13] Budget 2019: Cybersecurity – a holy grail for government’s Digital India dream, Financial Express analysis.
  • [July 15] Ravi Shanker Kapoor, News 18 Opinion, Cost of not carrying out economic reforms: acute shortage of funds for military modernization.

Opinions and Anlayses

  • [July 8] Adam Bemma, Al Jazeera, Is Sri Lanka using the Easter attacks to limit digital freedom?
  • [July 9] Dr M Suresh Babu and Dr K Bhavana Raj, The Hans India, Data Protection Bill – boon or bane for digital economy?
  • [July 8] Walter Olson, The CATO Institute blog, One year later, the harms of Europe’s data-privacy law.
  • [July 8]  Jack Parrock, Euro News, The Brief: Data privacy v. surveillance transatlantic clash.
  • [July 9] Abhijit Mukhopadhyaya and Nishant Jha, ORF, Amidst US-China standoff Huawei battles for survival.
  • [July 10] Kuldip Kunmar, The Economic Times, Budget 2019 shows govt’s will to use Aadhaar to track financial transactions.
  • [July 11] Darryn Pollock, Forbes, Is Facebook forming a crypto mafia as Libra foundation members boost each other’s businesses?
  • [July 12] Amitendu Palit, Financial Express, India ditches data dialogue again.
  • [July 12] Shantanu Roy-Chaudhary, The Diplomat, India-China-Sri Lanka Triangle: The Defense Dimension.
  • [July 12] Richard A Clarke and Robert K Knake, The Wall Street Journal, US companies learn to defend themselves in cyberspace.
  • [July 12] Simon Chandler, Coin Telegraph, US Sanctions on Iran Crypto Mining— Inevitable or Impossible?
  • [July 12] Shekhar Chnadra, Scientific American, What to expect from India’s second Moon mission.
  • [July 14] Agnidipto Tarafder and Siddharth Sonkar, The Wire, Will the Aadhaar Amendment Bill Pass Judicial Scrutiny?
  • [July 14] Scott Williams, Live Wire, Your crypto overlords are coming…
  • [July 15] Why Google cloud hasn’t picked up yet in India, ET Telecom report
Advertisements

The Proposed Regulation of DNA Profiling Raises Critical Privacy Concerns

The Union Cabinet recently approved the DNA Technology (Use and Application) Regulation Bill, 2018 (“DNA Profiling Bill”), which is scheduled to be introduced in Parliament today (31st July). The Bill is largely based on the 2017 Law Commission Report on “Human DNA Profiling – A draft Bill for the Use and Regulation of DNA-Based Technology”, which seeks to expand “the application of DNA-based forensic technologies to support and strengthen the justice delivery system of the country.

Apart from identifying suspects and maintaining a registry of offenders, the Bill seeks to enable cross-matching between missing persons and unidentified dead bodies, and establishing victim identity in mass disasters.

Features of the Bill

The Bill envisages the setting up of a DNA profiling board which shall function as the regulatory authority and lay down guidelines, standards and procedures for the functioning of DNA laboratories and grant them accreditation. The board will also assist the government in setting up new data banks and advise the government on “all issues relating to DNA laboratories”. In addition, it will make recommendations on legislation and practices relating to privacy issues around storage and access to DNA samples.  

DNA data banks will also be established, consisting of a national data bank as well as the required number of regional data banks. Regional data banks must mandatorily share all their information with the national data bank. Every data bank shall maintain databases of five categories of data – crime scenes, suspects or undertrials, offenders, missing persons, and unknown deceased persons.

The 2017 draft has made significant changes to address concerns raised about the previous 2015 draft. These include removing the index of voluntarily submitted DNA profiles, deleting the provision allowing the DNA profiling board to create any other index as necessary, detailing serious offences for DNA collection, divesting the database manager of discretionary powers, and introducing redressal mechanisms by allowing any aggrieved person to approach the courts. Additionally, it has added legislative provisions authorising licensed laboratories, police stations and courts to collect and analyse DNA from certain categories of people, store it in data banks and use it to identify missing/ unidentified persons and as evidence during trial.

The new Bill has attempted to address previous concerns by limiting the purpose of DNA profiling, stating that it shall be undertaken exclusively for identification of a person and not to extract any other information. Safeguards have been put in place against misuse in the form of punishments for disclosure to unauthorised persons.

The Bill mandates consent of an accused before collection of bodily substances for offences other than specified. However, any refusal, if considered to be without good cause, can be disregarded by a Magistrate if there is reasonable cause to believe that such substances can prove or disprove guilt. Any person present during commission of a crime, questioned regarding a crime, or seeking a missing family member, may volunteer in writing to provide bodily substances. The collection of substances from minors and disabled persons requires the written consent of their parents or guardians. Collection from victims or relatives of missing persons requires the written consent of the victim or relative. Details of persons who are not offenders or suspects in a crime cannot be compared to the offenders’ or suspects’ index, and any communication of details can only be to authorised persons.

Areas of Concern

Although the Bill claims that DNA testing is 99.9% foolproof, doubts have recently been raised about the possibility of a higher error rate than previously claimed. This highlights the need for the proposed legislation to provide safeguards in the event of error or abuse.

The issue of security of all the data concentrated in data banks is of paramount importance in light of its value to both government and private entities. The Bill fails to clearly spell out restrictions or to specify who has access to these data banks.

Previous iterations of the Bill have prompted civil society to express their reservations about the circumstances under which DNA can be collected, issues of consent to collection, access to and retention of data, and whether such information can be exploited for purposes beyond those envisaged in the legislation. As in the case of Aadhaar, important questions arise regarding how such valuable genetic information will be safeguarded against theft or contamination, and to what extent this information can be accessed by different agencies. The present Bill has reduced the number of CODIS loci that can be processed from 17 to 13, thus restricting identification only to the necessary extent. However, this provision has not been explicitly stated in the provisions of the legislation itself, casting doubt over the manner in which it will be implemented.

Written consent is mandatory before obtaining a DNA sample, however withholding of consent can be overruled by a Magistrate if deemed necessary. An individual’s DNA profile can only be compared against crime scene, missing person or unknown deceased person indices. A court order is required to expunge the profile of an undertrial or a suspect, whose profile can also be removed after filing of a police report. Any person who is not a suspect or a convicted offender can only have their profile removed on a written petition to the director of the data bank. The consent clause is also waived if a person has been accused of a crime punishable either by death or more than seven years in prison. However, the Bill is silent on how such a person’s profile is to be removed on acquittal.

Moreover, the Bill states that “the information contained in the crime scene index shall be retained”. The crime scene index captures a much wider data set as compared to the offenders’ index, since it includes all DNA evidence found around the crime scene, on the victim, or on any person who may be associated with the crime. The indefinite retention of most of these categories of data is unnecessary, as well as contrary to earlier provisions that provide for such data to be expunged. However, the government has claimed that such information will be removed “subject to judicial orders”. Importantly, the Bill does not contain a sunset provision that would ensure that records are automatically expunged after a prescribed period.

While the Bill provides strict penalties for deliberate tampering or contamination of biological evidence, the actual mechanisms for carrying out quality control and analysis have been left out of the parent legislation and left to the purview of the rules.

Crucially, the Bill has not explicitly defined privacy and security protections such as implementation of safeguards, use and dissemination of genetic information, security and confidentiality and other privacy concerns within the legislation itself – leaving such considerations to the purview of regulation (and out of parliamentary oversight). The recently released Personal Data Protection Bill, 2018 does little to allay these concerns. As per this Bill, DNA Banks will be classified as significant data fiduciaries, and thus subject to audits, data protection impact assessments, and appointment of a special data protection officer. However, although genetic information is classified as sensitive personal data, the Data Protection Bill does not provide sufficient safeguards against the processing of such data by the State. In light of the proposed data protection framework, and the Supreme Court confirming that the right to privacy (including the right to bodily integrity) is a fundamental right, the DNA Profiling Bill as it stands in its present form cannot be implemented without violating the fundamental right to privacy.

The Personal Data Protection Bill, 2018

After months of speculation, the Committee of Experts on data protection (“Committee”), led by Justice B N Sri Krishna, has submitted its recommendations and a draft data protection bill to the Ministry of Electronics and Information Technology (“MEITY”) today. As we sit down for some not-so-light weekend reading to understand what our digital futures could look like if the committee’s recommendations are adopted, this series puts together a quick summary of the Personal Data Protection Bill, 2018 (“Bill”).

Scope and definitions

The Committee appears to have moved forward with the idea of a comprehensive, cross-sectoral data protection legislation that was advocated in its white paper published late last year. The Bill is meant to apply to (i) the processing of any personal data, which has been collected, disclosed, shared or otherwise processed in India; and (ii) the processing of personal data by the Indian government, any Indian company, citizen, or person / body of persons incorporated or created under Indian law. It also applies to any persons outside of India that engage in processing personal data of individuals in India. It does not apply to the processing of anonymised data.

The Bill continues to use the 2-level approach in defining the type of information that the law applies to. However, the definitions of personal data and sensitive personal data have been expanded upon significantly when compared to the definitions in our current data protection law.

Personal data includes “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information”. The move towards relying on ‘identifiability’, when read together with definitions of terms such as ‘anonymisation’, which focuses on irreversibility of anonymisation, is welcome, given that section 2 clearly states that the law will not apply in relation to anonymised data. However, the ability of data processors / the authority to identify whether an anonymisation process is irreversible in practice will need to be examined, before the authority sets out the criteria for such ‘anonymisation’.

Sensitive personal data on the other hand continues to be defined in the form of a list of different categories, albeit a much more expansive list, that now includes information such as / about official identifiers, sex life, genetic data, transgender status, intersex status, caste or tribe, and religious and political affiliations / beliefs.

Interestingly, the Committee has moved away from the use of other traditional data protection language such as data subject and data controller – instead arguing that the relationship between an individual and a person / organisation processing their data is better characterised as a fiduciary relationship. Justice Sri Krishna emphasised this issue during the press conference organised at the time of submission of the report, noting that personal data is not to be considered property.

Collection and Processing

The Bill elaborates on the notice and consent mechanisms to be adopted by ‘data fiduciaries’, and accounts for both data that is directly collected from the data principal, and data that is obtained via a third party. Notice must be given at the time of collection of personal data, and where data is not collected directly, as soon as possible. Consent must be obtained before processing.

The Committee’s earlier white paper, and the report accompanying the Bill have both discussed the pitfalls in a data protection framework that relies so heavily on consent – noting that consent is often not informed or meaningful. The report however also notes that it may not be feasible to do away with consent altogether, and tries to address this issue by way of adopting higher standards for consent, and purpose limitation. The Bill also provides that consent is to be only one of the grounds for processing of personal data. However, this seems to result in some catch-all provisions allowing processing for ‘reasonable purposes’. While it appears that these reasonable purposes may need to be pre-determined by the data protection authority, the impact of this section will need to be examined in greater detail. The other such wide provision in this context seems to allow the State to process data – another provision that will need more examination.

Sensitive personal data

Higher standards have been proposed for the processing of sensitive personal data, as well as personal / sensitive personal data of children. The emphasis on the effect of processing of certain types of data, keeping in mind factors such as the harm caused to a ‘discernible class of persons’, or even the provision of counselling or child protection services in these sections is welcome. However, there remains a wide provision allowing for the State to process sensitive personal data (of adults), which could be cause for concern.

Rights of data principals

The Bill also proposes 4 sets of rights for data principals: the right to confirmation and access, the right to correction, the right to data portability, and the right to be forgotten. There appears to be no right to erasure of data, apart from a general obligation on the data fiduciary to delete data once the purpose for collection / processing of data has been met. The Bill proposes certain procedural requirements to be met by the data principal exercising these rights – an issue which some have already pointed out may be cause for concern.

Transparency and accountability

The Bill requires all data fiduciaries to adopt privacy by design, transparency and security measures.

Each data fiduciary is required to appoint a data protection officer, conduct data protection impact assessments before the adoption of certain types of processing, maintain records of data processing, and conduct regular data protection audits. These obligations are applicable to those notified as ‘significant data fiduciaries’, depending on criteria such as the volume and sensitivity of personal data processed, the risk of harm, the use of new technology, and the turnover of the data fiduciary.

The requirements for data protection impact assessments is interesting – an impact assessment must be conducted before a fiduciary undertakes any processing involving new technologies, or large scale profiling or use of sensitive personal data such as genetic or biometric data (or any other data processing which carries a risk of significant harm to data principals). If the data protection authority thinks that such processing may cause harm (based on the assessment), they may direct the fiduciary to cease such processing, or impose conditions on the processing. The language here implies that these requirements could be applicable to processing by the State / private actors, where new technology is used in relation to Aadhaar, among other things. However, as mentioned above, this will be subject to the data fiduciary in question being notified as a ‘significant data fiduciary’.

In a welcome move, the Bill also provides a process for notification in the case of a breach of personal data by data fiduciaries. However, this requirement is limited to notifying the data protection authority, which then decides whether there is a need to notify the data principal involved. It is unfortunate that the Committee has chosen to limit the rights of data principals in this regard, making them rely instead on the authority to even be notified of a breach that could potentially harm them.

Cross border transfer of data

In what has already become a controversial move, the Bill proposes that at least one copy of all personal data under the law, should be stored on a server or data centre located in India. In addition, the central government (not the data protection authority) may notify additional categories of data that are ‘critical’ and should be stored only in India.

Barring exceptions in the case of health / emergency services, and transfers to specific international organisations, all transfer of personal data outside India will be subject to the approval of the data protection authority, and in most cases, consent of the data principal.

This approval may be in the form of approval of standard contractual clauses applicable to the transfer, or a blanket approval of transfers to a particular country / sector within a country.

This provision is ostensibly in the interest of the data principals, and works towards ensuring a minimum standard of data protection. The protection of the data principal under this provision, like many other provisions, including those relating to data breach notifications to the data principal, will be subject to the proper functioning of the data protection authority. In the past, we have seen that simple steps such as notification of security standards under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, have not been undertaken for years.

In the next post in this series, we will discuss the functions of the authority, and other provisions in the Bill, including the exemptions granted, and penalties and remedies provided for.

The General Data Protection Regulation and You

A cursory look at your email inbox this past month presents an intriguing trend. Multiple online services seem to have taken it upon themselves to notify changes to their Privacy Policies at the same time. The reason, simply, is that the European Union’s General Data Protection Regulation (GDPR) comes into force on May 25, 2018.

The GDPR marks a substantial overhaul of the existing data protection regime in the EU, as it replaces the earlier ‘Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.’ The Regulation was adopted by the European Parliament in 2016, with a period of almost two years to allow entities sufficient time to comply with their increased obligations.

The GDPR is an attempt to harmonize and strengthen data protection across Member States of the European Union. CCG has previously written about the Regulation and what it entails here. For one, the instrument is a ‘Regulation’, as opposed to a ‘Directive’. A Regulation is directly binding across all Member States in its entirety. A Directive simply sets out a goal that all EU countries must achieve, but allows them discretion as to how. Member States must enact national measures to transpose a Directive, and this can sometimes lead to a lack of uniformity across Member States.

The GDPR introduces, among other things, additional rights and protections for data subjects. This includes, for instance, the introduction of the right to data portability, and the codification of the controversial right to be forgotten. Our writing on these concepts can be found here, and here. Another noteworthy change is the substantial sanctions that can be imposed for violations. Entities that fall foul of the Regulation may have to pay fines up to 20 million Euros, or 4% of global annual turnover, whichever is higher.

The Regulation also has consequences for entities and users outside the EU. First, the Regulation has expansive territorial scope, and applies to non-EU entities if they offer goods and services to the EU, or monitor the behavior of EU citizens. The EU is also a significant digital market, which allows it to nudge other jurisdictions towards the standards it adopts. The Regulation (like the earlier Directive) restricts the transfer of personal data to entities outside the EU to cases where an adequate level of data protection can be ensured. This has resulted in many countries adopting regulation in compliance with EU standards. In addition, with the implementation of the GDPR, companies that operate in multiple jurisdictions might prefer to maintain parity between their data protection policies. For instance, Microsoft has announced that it will extend core GDPR protections to its users worldwide. As a consequence, many of the protections offered by the GDPR may in effect become available to users in other jurisdictions as well.

The implementation of the GDPR is also of particular significance to India, which is currently in the process of formulating its own data protection framework. The Regulation represents a recent attempt by a jurisdiction (that typically places a high premium on privacy) to address the harms caused by practices surrounding personal data. The lead-up to its adoption and implementation has generated much discourse on data protection and privacy. This can offer useful lessons as we debate the scope and ambit of our own data protection regulation.

SC Constitution Bench on Aadhaar – Final Hearing (Day XXXVIII)

In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions, concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of the fundamental right to privacy has been upheld, challenges against the Aadhaar programme and linking services to this programme were yet to be adjudicated upon.

An interim order was passed in December of 2017, a summary of the arguments can be found here and here.

The final hearing commenced on January 17, 2018 and concluded on May 10, 2018. Summaries of the arguments advanced in the previous hearings can be found here.

Senior counsel Gopal Subramaniam continued with his rejoinder.

He started off by discussing the concept of dignity, stating that it was not meant to be promoted since it was assured under the preamble. He stated that dignity is inbuilt and would not depend on the largesse of the state.

Referring to the Aadhaar notifications, he stated that if the purpose of these notifications was to benefit individuals, the state would have to create conditions to ‘flower the dignity’ of people.

Justice Sikri commented on the duty of the state to provide benefits, which would also be a part of dignity. He stated that this would not just be applicable in cases of deprivation under Article 21 and that it would be an affirmative action.

Mr. Subramaniam agreed, stating that it would be an affirmative action. Further, he stated that the Act would have to be scrutinized to decipher whether it was an enabler or whether it was passed under the guise of enablement.

He then stated that the notifications begin with a preamble, which refers to the guarantee of seamless delivery of services.

He then discussed alternate forms of identification, like ration cards, stating that existing forms of identification were not failing, and Aadhaar therefore did not have a purpose.

He referred to examples of women in Jharkhand who could not get services despite having ration cards, due to failed Aadhaar authentication.

He also discussed the Essential Commodities Act and the central governments obligation.

He also discussed the applicability of the test of the ‘true purpose of the law’.

Further, he discussed the lack of machineries that were set up under the Aadhaar programme, stating that Aadhaar did not serve any special purpose since existing machineries were used to deliver services.

Mr. Subramaniam then went on to discuss the asymmetry of power under Section 7 of the Aadhaar Act.

He also stated that the Act was not enacted for a proper purpose. Further, he stated that the first step of legitimate aim was ‘proper purpose’. He also stated that it could only be justified if the right was preserved and that dignity and autonomy were not preserved under Section 7 of the Act.

Further on the issue of ‘proper purpose’, referring to the idea of ‘Socratic contestation’, he stated that a claim to a proper purpose would not qualify as a proper purpose.

Mr. Subramaniam then discussed the three letters of authentication. He stated that authentication was at the heart of the act and that failure of authentication was a ground for denial.  In relation to requesting entities, he discussed their lack of accountability under the law.

Further, he discussed the GDPR and the change in protocol. He also discussed the concerns about privacy of communication and not the privacy of individuals.

Further, he stated that there weren’t any other jurisdictions where the state could take all of its citizens data.

He also stated that declaration of human rights was necessary for this act. Further, he stated that the Act reduced people to numbers and also discussed the perils of using probabilistic algorithms.

Referring to Section 7 of the Act, he discussed ‘grants, subsidies, benefits’ as expressions of condescension.

Mr. Subramaniam further discussed the ‘power’ under the Act, stating that the power enables the collection of information.

He discussed the test in constitutional law, which was to question whether the state should logically be the holder of such information.

Further, he stated that if knowledge was power, giving information to the state would signal a ceding of power.

Justice Chandrachud commented on the nature of subsidies, to which Mr. Subramaniam stated that subsidy was provided at different levels of government.

Mr. Subramaniam then discussed Section 7 and stated that under it, strict rights were being bracketed. He further stated that it was not merely a segregation and that entitlements were being treated like grants.

On this Justice Chandrachud stated that wage payment was a benefit, to which Mr. Subramaniam responded, stating that wage payment would be a vested right.

He further discussed the Courts guidelines for rehabilitation laid down in 1982 in relation to bonded labourers, before deciding whether to rehabilitate or free them.

In this regard, he also discussed the incarceration of mentally ill citizens and the writs of mandamus issued to the Union.

Moving on, Mr. Subramaniam discussed census data and its use at federal and state levels. He stated that states had policies in regard to requesting data from the central planning commission.

He further stated that census data was a way of social mobilization, and that there was pre-existing data owing to the census.

He then discussed the concepts of horizontal protection and vertical protection, stating that the former was more important in the given instance.

Further, he discussed bodily integrity and autonomy as important considerations.

He also stated that ultimately, the fundamental freedoms in India must never be compared with the 4th Amendment under the United States constitution.  He also stated that the Indian constitution was a living document.

On the issue of Section 7, Justice Chandrachud stated that it is an enabling provision and not a mandate. He stated that it enabled the government to impose a mandate, the difference arising from may/shall.

Further, it was stated that these rights could not be ‘wielded down’. He also stated that there was no common denominator and rights could not be subsidies. Further on the issue of Part 3, he stated that the rights conduced to dignity.

Mr. Subramaniam then discussed identities and the dissolution of some kinds of identities.

He stated that if an act like manual scavenging was antithetical to the soul then he would want it destigmatized with the march of time. He further discussed how certain actions were akin to unmaking the dignity of people.

On the issue of fake profiles, he stated that it was not a matter of sticking up for fake profiles, but rather a matter of sticking up for better administration.

On the alleged voluntary nature of Aadhaar, he questioned how people could be asked to contract when they were not even under the capacity to contract.

Further, on the ‘legitimate aim’ of Aadhaar, he stated that collecting massive amounts of information would not satisfy this aim. He stated that the means used had to be adept and valid.

He also discussed the issue of two competing rights, which had to be balanced. In this regard, he discussed the concepts of freedom, autonomy, self-preservation and self-actualization. He also stated that the act of balancing had a direct correlation with seminal values and objectively protected values.

Mr. Subramaniam then stated that no contemporary studies on Aadhaar had taken place, the last one having been conducted a decade ago.

He then went on to read excerpts on an individual’s inalienable rights, stating that an individual should not be required to give up their rights.

Further, he stated that the procedure established by law had to be just, fair and reasonable.

On the Aadhaar project, he stated that there wasn’t merely a possibility of abuse, but that the Act postulated compelled behaviour.

He stated that the primary focus was that the judiciary had an obligation to protect fundamental rights.

Referring to the Constitution, he stated that it was a living document and should be seen as transformative. Further, he discussed parliamentary supremacy and the capacity to refuse. He stated that autonomy and integrity were intertwined in the capacity to refuse and if the capacity was obliterated, then the autonomy would also follow suit.

Mr. Subramaniam further discussed relief, stating that the petitioners would want the data stored to be taken down. He also stated that the Bench should exercise its powers under Article 32 and also rely on the case of Nilabati Behera.

Lastly, he stated that the propensity of information was an important consideration as well.

Next, senior counsel Anand Grover commenced with his rejoinder. He was brief, stating that none of the contentions of breaches of security had been dealt with and that privacy should not lose its character.

Next, senior counsel Arvind Datar commenced with his rejoinder.

He started off by stating that ‘pith and substance’ had no application to the legitimacy of an article and would not be applicable to a money bill.

Further, he discussed the difference between a money bill and a financial bill, stating that consolidated fund matters would be covered by financial bills.

He also discussed Article 117(1) in this context.

He stated that the Aadhaar Act could not have been passed as a financial bill.

Further, he discussed the doctrine of severability and whether certain portions of the Aadhaar Act could be removed.

He stated that the doctrine of severability could only apply if a statute was valid and certain portions are invalid. He stated that if the rest of the statute ‘made sense’ and was valid, it could be retained. However, in this instance, the statute itself was invalid, and relying on the Kihoto Hollohan case, he stated that a statute that was fatal at its inception could not be saved.

Mr. Datar also discussed the Mangalore Ganesh Beedi works case and subsequently Article 110(b) of the constitution.

Further, he discussed the issue of linking bank accounts to Aadhaar.

He stated that millions of bank accounts have already linked to Aadhaar and that permanent linking did not seem to serve a purpose and that accounts should be delinked once determination was over.

Next, senior counsel P.C. Chidambaram commenced his rejoinder. He discussed the issue of the Aadhaar Act being passed as a money bill.

He started off by discussing the interpretation of ‘only’ under Article 110(1), and went on to discuss how clause (g) must be read narrowly.

Lastly, he stated that a non-money bill being passed as a money bill would effectively limit the power of the Parliament, by disallowing review, which should not be condoned by the Court. He also stated that the doctrine of severability would not hold credence if the legislature was unconstitutional to begin with. Further, he discussed how the doctrine of pith and substance would not be applicable to bills passed under Article 110.

Next, senior counsel K.V. Viswanathan commenced his rejoinder. He discussed the theories of proportionality and balancing of rights. He stated that the balancing of rights proposition by the respondents was incorrect, and that fundamental rights would not survive. Further he discussed exception handling and the problem with making vested rights conditional on Section 7 of the Act. He also stated that citizens should not have to face the burden brought about by systems for ‘targeted and efficient delivery’.

Lastly, senior counsel P.V. Surendranath discussed the problem with excessive delegation.

The hearing concluded on the 10th of May and the matter is now reserved for judgment.

 

SC Constitution Bench on Aadhaar – Final Hearing (Day XXXVII)

In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions, concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of the fundamental right to privacy has been upheld, challenges against the Aadhaar programme and linking services to this programme were yet to be adjudicated upon.

An interim order was passed in December of 2017, a summary of the arguments can be found here and here.

The final hearing commenced on January 17, 2017. Summaries of the arguments advanced in the previous hearings can be found here.

Senior Counsel Shyam Divan continued with his rejoinder. He started off by addressing the UIDAI’s responses to the questions posed by the petitioners.

In this regard, he discussed the architecture of the Aadhaar programme, along with inorganic seeding. He discussed how entities of the Aadhaar architecture allowed traceability and location tracking. He also discussed flawed statistics that were released on the rate of authentication success.

Mr. Divan then referred to a 2009 order, which did not mention that biometric authentication would be a part of the Aadhaar programme.

He then discussed the unauthorized collection of data by the UIDAI, stating that biometric information was collected without any statutory authority. He stated that India was not a monarchy and unauthorized collection of this nature should not be permitted.

He also stated that the UIDAI had no way of verifying the accuracy of the information on its database . He also stated that there was no contractual obligation created between UIDAI and its agents. He then went on to refer to a hypothetical log of authentication, that was created to illustrate the point that biometric authentication would allow for tracking and profiling.

Mr. Divan then went on to discuss the World Bank report and the high level advisory committee. He stated that the report, which discussed the benefits of Aadhaar, stating that it was not as impartial as it seemed to be, and likened it to a ‘sales pitch’. He also stated that there were no people with expertise in civil liberties and privacy on that committee.

He then went on to discuss Section 59 of the Aadhaar Act and the validity of biometric information that was collected prior to the Aadhaar Act.

He also stated that under the Aadhaar programme, citizens were being compelled to ‘voluntarily’ sign up.

He stated that certain schemes should be excluded from the purview of Aadhaar, these included schemes that affected vulnerable portions of society. He stated that women who were rescued from trafficking, bonded labourers, children, those who were in need of rehabilitation and others, should be excluded.

In this regard, he stated that Sarva Shiksha Abhiyan should not require Aadhaar authentication.

Mr. Divan stated that the principle of non-retrogression would apply, and that it would not be possible to go backwards in human rights law.

He then questioned how Supreme Court orders could be overridden by economic advisers in the ministry.

He went on to refer to the August and October 2015 orders, stating that Aadhaar was declared voluntary in those orders and that it could not be declared mandatory till the Supreme Court decided it was.

He then went on to discuss the powers under Articles 226 and 227 of the Constitution, stating that the ‘magic’ lied in the fact that bureaucrats could not override independent judicial power and that their actions would be checked under the law.

He also discussed the issue of the Act being passed as a money bill.

Moving on, he referred to the an ‘intricate scheme of defences’ in the Constitution, and that there was a whole set of defences, the last being the court.

Referring to the ‘second bulwark’, he stated that Article 111 of the Constitution would also not be applicable if the Aadhaar Act was upheld as a money bill.

He then discussed the importance of protecting demographic information, and the ‘fatal’ features of the Aadhaar programme.

Lastly, he questioned if the Aadhaar programme could stand the first five words of the Constitution – ‘We the people of India’.

Senior Counsel Gopal Subramaniam continued with his rejoinder. He started off by discussing acts of malfeasance and misfeasance.

He referred to Section 33 of the Aadhaar Act, stating that there was a complete giveaway of information, including identity information or authentication records.

He questioned the information that was made available to the state, stating that there seemed to be no nexus between the requirement of knowledge and the delivery of services. He stated that this went against Puttaswamy vs. Union of India.

He stated that the collection of data of over a billion people was not fool-proof, referring to the Cambridge Analytica case.

Further, he questioned what happens when the legislature was not an enabler, stating that the law would be disempowering, if not empowering.

Referring to the Facebook data leak, he stated that this leak was thought to affect elections and political power dynamics in Singapore.

Further, he stated that the issue was not merely multiple classes of people that were, but also the price of revelation.

He also discussed the issue of legislative competence and voidness.

Lastly, he discussed the case of West Ramnad and the ability of the state to enact laws retrospectively.

He stated that the sine qua non for retrospective validation was the prior existence of a statute, which was not the case with Aadhaar.

The hearing will continue on the 10th of May.

SC Constitution Bench on Aadhaar- Final Hearing (Day XXXVI)

In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions, concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of the fundamental right to privacy has been upheld, challenges against the Aadhaar programme and linking services to this programme were yet to be adjudicated upon.

An interim order was passed in December of 2017, a summary of the arguments can be found here and here.

The final hearing commenced on January 17, 2017. Summaries of the arguments advanced in the previous hearings can be found here.

The AG resumed his submissions on the issue of money bill. He reiterated that Ar.110(1)(g) is a stand alone provision and therefore there can be a bill which deals only with it and not deal with Ar.110(a)-(f). Referring to s.57, he submitted that independent laws can be passed under the section as long as it is relatable to Ar.110(a)-(g).

The CJI interjected that s.57 is an enabling provision that allows the state legislature to introduce Aadhaar either as a money bill or not for various services and that its nature would be examined only if its challenged in a court of law.

Justice Chandrachud mentioned that when Aadhaar platform is used by the states through law or by private parties through contract, it must conform with the data protection provision.

The AG responded that Aadhaar architecture is created by central law and therefore unless it authorizes the use, the states can’t use it. He further submitted that the government of India has created this massive structure to provide subsidies and other services but requires it to be self-sustaining and therefore has opened it to the private parties.

Justice Chandrachud interjected that s.7 retains the nexus to the consolidated fund of India (CFI) but s.57 snaps it. He pointed out that a private party could join the Aadhaar infrastructure through contract for purposes that have no nexus to the CFI. He said that based on this, the petitioners are arguing that s.57 does not qualify as money bill.

The AG responded that one has to look at the Act in totality and not examine if each provision would qualify as money bill. He conceded that s.7 is the nexus to the money bill but submitted that s.57 is part of the Parliament’s efforts to open the Aadhaar platform to other entities.

Next, he discussed the issue of telecom linking to Aadhaar. He argued that the linking eliminates all possibilities of forgery and fraud. He pointed out that the linking will remain optional only till the final disposal of the matter.

The AG then submitted that surveillance is prohibited under the Act and therefore the Act cannot be struck down merely because there is a possibility for it. He raised objection to the usage of the terms “concentration camp”, “electronic leash”, and “totalitarian state” by the petitioners.

Senior counsel Shyam Divan commenced the rejoinder on behalf of the petitioners. He submitted that it is the first time that a technology of this kind is deployed in a democracy. He stated that Supreme Court is the absolute vanguard of traversing human rights into technology. He argued that surveillance state is not permissible under Constitution and objected to the respondent’s argument that Aadhaar infrastructure does not result in surveillance.

He next referred to an affidavit filed by the Union on March 9, 2018.

He submitted that there are three elements of surveillance- identity of person, date and time, and location. He pointed out that the Act itself requires identity, date, and time at the time of authentication. Referring to the affidavit and presentation of the CEO and supporting documents, he argued that the response of the government’s experts to the petitioner’s experts states that biometric database is accessible to third party vendors. He submitted that the breach of the verification log would leak location of places where an individual performed his authentication in the past five years. He submitted that this compromises the security of privacy. He further pointed out that as per the presentation report, it is possible to track the current location of the individual even in the absence of a breach. He submitted that the UIDAI knows the location but for a third party to access the location, he would have to breach the verification log.

He therefore submitted that as per the experts of both parties, all three elements of surveillance are satisfied by the Aadhaar architecture.

Justice Chandrachud interjected that in a digital world one cannot ever have a guarantee of absolute security and therefore as long as the database is kept secure, an adequate level of privacy is maintained. Mr. Divan responded that this is not just a privacy issue but also a limited government issue. He argued that the coercive power of government cannot extend to the creation of an infrastructure that is capable of tracking people across five years in real time.

Next, referring to the CEO’s submission that all devices will have a unique ID to enable traceability and detection of fraud, he submitted that this would enable the individual to be traced using the device.

Mr. Divan then raised objection to the AG’s submission that UIDAI is distinct and autonomous and that the union government is different from it and therefore the latter would not be provided with access to the data. He argued that no instrumentality of state should establish such a mass surveillance regime. He submitted that the Supreme Court should not permit something so deeply flawed to function in the country.

He argued that if our constitution repudiates surveillance state, we cannot have a legislation which allows it. He submitted that the Supreme Court should not usher in a machinery that can trace back the locations, as it is constitutionally impermissible. He further submitted that if the court arrives at the conclusion that there is indeed surveillance, then balancing of rights is impossible.

Next, he referred to the answers submitted to the UIDAI in response to the questions asked by the petitioners subsequent to the CEO’s presentation. He pointed out that in the answers the UIDAI has mentioned that it does not take responsibility for correct or incorrect identification but only provides a matching system which is a self certification system. He argued that the UIDAI does not verify the authenticity of the documents submitted and with the linking of the bank accounts to the Aadhaar, now even the bank authorities do not check the authenticity of the documents. He submitted that UIDAI has no responsibility for identity.

The hearing will continue on May 9, 2018.