[July 15-22] CCG’s Week in Review: Curated News in Information Law and Policy

The National Investigation Agency Act was amended by Parliament this week, expanding its investigation powers to include cyber-terrorism; FaceApp’s user data privacy issues; and the leaked bill to ban cryptocurrencies— presenting this week’s most important developments in law and tech.

Aadhaar

• [July 15] Govt plans Aadhaar based identification of patients to maintain health records, Live Mint report; The Indian Express report.
• [July 15] Petition in Delhi HC seeking linking of Aadhaar with property documents, Live Mint report.
• [July 15] Government stops verification process using Aadhaar for driving license, The Economic Times report.
• [July 15] Government stops verification process using Aadhaar for driving license: Nitin Gadkari, ET Auto report.
• [July 18] Will Aadhaar interchangeability for ITR make PAN redundant? Live Mint report.
• [July 18] Govt floats idea for Aadhaar-like database for mapping citizen health, Business Standard report; Money Control report; Inc42 report.
• [July 19] Linking Aadhaar with Voter ID— Election Commission to decide within weeks, The Print report; India Legal analysis.
• [July 21] Mumbai man fights against linking Aadhaar to salary account, The Quint report.
• [July 21] Violating SC rules, matrimonial site sells love, marriage using Aadhaar data, National Herald report.
• [July 22] Large cash deposits may soon need Aadhaar authentication, Times of India report; Money Control report.

Right to Information

• [July 19] Bill to amend RTI law introduced in Lok Sabha amid opposition, India Today report.

Free Speech

• [July 18] Ajaz Khan of Big Boss fame arrested by Mumbai Police for TikTok video, The Asian Age report; DNA India report.
• [July 19] Guwahati HC grants anticipatory bail to poets accused of writing communally charged poetry on Assam citizenship crisis, Live Law report.

Internet Governance

• [July 16] MeitY to finalise Intermediary Liability rules amendment by month end, Medianama report; Inc42 report.

Data Protection and Data Privacy

• [July 17] Canada probing data theft at military research center: reports, Business recorder report.
• [July 17] BJP raises issue of privacy breach by tech devices in Rajya Sabha, BJD demads more funds, News 18 report.
• [July 17] TMC MPs protest outside Parliament in Delhi, demand to bring Data Protection Law, DNA India report.
• [July 17] Democrats issue warnings against viral Russia-based face-morphing app ‘FaceApp’, NPR report.
• [July 18] Government notice to Tiktok, Helo; asks to answer 21 questions or face ban, Gadgets Now report; Medianama report; Business insider report.
• [July 18] Singapore data protection enforcement guide released, Asia Business law Journal report.
• [July 18] Irish Data Protection Commission issues advice over FaceApp privacy concerns, RTE report.
• [July 18] Govt admits to data leak of unemployment figures ahead of May announcement in Rajya Sabha, terms the issue ‘serious’, Firstpost report.
• [July 19] From bad to worse: PM Modi’s office has asked IT Ministry to keep a close eye on TikTok, India Times report.
• [July 20] Equifax near $700 million settlement of data breach probes: WSJ, AL Jazeera report.
• [July 21] Jio backs data protection; highlights future growth areas like agriculture, healthcare and education, The Economic Times report.

Data Localisation

• [July 19] Firms exploring Telangana to set up data centres, The Hindu report.
• [July 22] Bytedance starts building local data centre in India after lawmakers complain of data privacy, Entrackr report.
• [July 22] China’s ByteDance to store Indian data locally after MPs raise concerns on privacy, national security, ET Tech report; Outlook report.
• [July 22] Jio backs data localization to stave off cyberattacks, ET Tech report; Medianama report.

Digital India

• [July 15] India lags peers in tech skills: Coursera study, ET Telecom report.
• [July 16] WiFi on the go: Government pushes to keep Bharat connected, ET Telecom report.
• [July 17] BMTC wants to reboot its IT plan, ET tech report.
• [July 19] How improved infrastructure and tech firms are changing game development in India, ET Tech report.

Digital Payments and E-Commerce

• [July 14] How women are sidelined in India’s e-commerce growth, ET Tech report.  
• [July 17] Digital payment firms write to Government, asking compensation for losses incurred due to ‘zero’ merchant fee, Latestly report.
• [July 22] How an in-house e-commerce platform Leaf Era has revolutionsed government procurement, ET Tech report.
• [July 22] Aditya Birla Payments Bank to shut down due to “unanticipated developments in business landscape”, Medianama report.

Cryptocurrency

• [July 15] Hacked crypto exchange Bitpoint discovers more millions are missing, Coin Desk report.
• [July 15] India: Leaked draft bill would ban all crypto except ‘Digital Rupee’, Coin Telegraph report.
• news to those Swiss authorities, Business Insider report.
• [July 16] US says cryptocurrency is a national security issue, The New Indian Express report.
• [July 16] Bitcoin and crypto suddenly branded a national security issue, Forbes report.
• [July 16] Crypto a security threat, instrument for illicit activities: Trump admin, Business Standard report.
• [July 17] Facebook said its Libra cryptocurrency will be regulated by Swiss authorities – but that was
• [July 17] Making sense of chaos? Algos scour social media for clues to crypto moves, ET Markets report. 
• [July 20] Cryptokart: Another Indian crypto exchange shuts doen operations, Coin Telegraph report.
• [July 22] Crypto-attacks are rising in Asia—and cybersecurity AI may be the best way to fight the threat: Darktrace, Business Insider report.

Emerging Tech

• [July 13] Facial recognition tech is growing stronger, thanks to your face, New York Times report.
• [July 19] Is there a tug of war between Niti Aayog, IT Ministry on artificial intelligence project? India Today report.

Big Tech

• [July 15] Tech giants to face US hearings on anti-trust, cryptocurrency, ET Telecom report.
• [July 15] Amazon Web Services still on pole for $10bn defence cloud deal after Oracle case crashes, DataEconomy.com report.
• [July 16] Google accused of ripping off digital ad technology in US lawsuit, ET Telecom report.
• [July 19] EU opens investigation into anti-competitive conduct of Amazon: Will it face heat in India too? Entrackr report.

Telecom/5G

• [July 17] Govt working on revival of BSNL: Minister tells Lok Sabha, The Hindu Business Line report.
• [July 19] Make in India: Only half of country’s 268 cellphone makers stay afloat, Financial Express report.

More on Huawei

• [July 16] The US Congress wants to block the Trump administration from weakening Huawei restrictions, The Verge report.
• [July 17] US-China talks stuck in rut over Huawei, The Wall Street Journal report.
• [July 19] Two-thirds of Canadians reject closer ties to China and want Huawei banned from 5G networks, poll says, South China Morning Post report.
• [July 20] White House to host meeting with tech executives on Huawei ban: report, Business Standard report.  

Cybersecurity

• [July 15] Use Indian IPRs to ensure telecom network security: Trade group. ET Telecom report.
• [July 15] Indian IT managers facing budget crunch for cybersecurity, Live Mint report. 
• [July 16] Your WhatsApp, Telegram files can be hacked: Symantec, ET Telecom report.
• [July 16] IT companies tightening salary budgets, leveraging variable pay for niche skills, ET Tech report.
• [July 17] Druva acquires hybrid data protection form CloudLanes, The Economic Times report.
• [July 17] Indian Army launches massive crackdown on personnel violating its cybersecurity norms, The Print report.
• [July 19] NSO spyware targets phones to get data from Google, Facebook, iCloud: Report, Medianama report.
• [July 20] New bills on cybersecurity, crime against women soon: Union Minister, India Today report; The Indian Express report.
• [July 21] An entire nation just got hacked, CNN report.
• [July 22] Fix Rogue audits; guard Indian data; bulletproof 5G: India’s new cybersecurity chief’s Vision 2020, ET Prime report.
• [July 22] Fake FaceApp software may infect your device, says global cybersecurity company Kaspersky Lab, New Nation report.

Tech and Elections

• [July 14] New election systems use vulnerable software, AP News report.

Tech and Law Enforcement

• [July 12] Revealed: This is Palantir’s Top-Secret User Manual for Cops, Vice Motherboard report.
• [July 22] WhatsApp traceability case: Details of data requests made by Tamil Nadu Govt to social media companies, Medianama report.

Tech and Military

• [July 14] French jetpack man flyboards up Champs-Elysees for Paris Parade, RFI report.
• [July 15] Dassault offset money to help in skill training: FM Nirmala Sitharaman, Money Control report. Economic Times report.
• [July 16] Modi Govt to buy Pilatus trainer aircraft following corruption charges, to ban Swiss defence firm for one year, OpIndia report.
• [July 16] If India chooses F-21, it will plug into ‘world’s largest fighter plane ecosystem’: Lockheed Martin, The Economic Times report.
• [July 17] AI has a bias problem and that can be a big challenge in cybersecurity, CNBC report
• [July 17] IAF on spares buying spree, The Quint report.
• [July 19] Lockheed Martin identifies 200 potential Indian partners, Hindustan Times report.
• [July 18] Navy to buy Rs. 1,589 crore satellite from ISRO, The Economic Times report.
• [July 18] Indian MoD issues RFP for heavyweight torpedoes for Kalvari-class submarines, Jane’s 360 report.
• [July 18] Rafale will provide IAF strategic deterrence: Defence Ministry, Money Control report. 
• [July 19] US F-35, poster child for ineptitude, inefficiency, The Middle East Monitor report.
• [July 19] South African Council to collaborate with Indian defence industry, Outlook India report.
• [July 20] DRDO carries out a dozen successful summer trials of NAG anti-tank missile, ANI report.
• [July 21] IAF Pilots could soon fly Tom Cruise;s fighter jet from Top Gun Maverick, News 18 report.
• [July 21] India to forge ahead with Russia accord despite US threat of sanctions, DNA India report.

National Security Legislation

• [July 15] Lok Sabha passes bill that gives more powers to NIA, Live Mint report, ANI report.
• [July 15] Lok Sabha passes NIA Amendment Bill to give more power to anti-terror agency; here’s all you need to know, Business Insider report.
• [July 17] What is the National Investigation Agency Bill and why is it in contention?, Money Control report.
• [July 17] Rajya Sabha passes National Investigation Agency Amendment Bill 2019, Live Mint report; Outlook India report.
• [July 18] Cabinet asks finance panel to consider securing non-lapsable funds for defence, The Indian Express report; Financial Express report.
• [July 20] New bills on cybersecurity, crime against women soon: Union Minister, India Today report; The Indian Express report.

Opinions and Analyses

• [July 11] Ryan Gallagher, The Intercept, How US Tech giants are helping build China’s Surveillance state.
• [July 15] Jemima Kelly, Financial Express, Trump v Crypto: rage against the obscene.
• [July 15] Ravi Shanker Kappor, News 18 Opinion, Cost of not carrying out economic reforms: Acute shortage of funds for military modernisation.
• [July 16] Jayshree Pandya, Forbes, Nuances of Aadhaar: India’s digital identity, identification system and ID.
• [July 16] Binoy Kampark, International Policy Digest, The UN’s free speech problem.
• [July 16] K Satish Kumar, DNA India, Need more clarity on data bill.
• [July 16] Abhishek Banerjee, Swarajya, Richa Bharti: The Free Speech Hero India Needs.
• [July 17] Ananth Krishnan, The Print, Three reasons why it’s not Huawei or the highway for India’s 5G future.
• [July 17] Rajesh Vellakat, Financial Express, Personal Data Protection Bill: Will it disrupt our data ecosystem?
• [July 17] Nouriel Roubini, Live Mint Opinion, Seychelles-based BitMEX and the great crypto heist.
• [July 17] Tim O’Reilly, Quartz, Antitrust regulators are using the wrong tools to break up Big Tech.
• [July 18] Tiana Zhang, Jodi Wu, Yue Qiu and Richard Sharpe, Mondaq, Newly released draft measures on data security management strengthen China’s data protection framework.
• [July 18] Gwyn D’Mello, India Times, If you worry about FaceApp and not your Facebook and Aadhaar, you have bigger problems.
• [July 18] Sue Halpern, The New Yorker, How Cyber Weaqpons are changing the landscape of modern warfare.
• [July 19] TV Mohandas Pai and Umakant Soni, Financial Express, An AI innovation engine for New India.
• [July 20] Amit Cowshish, The Tribune, Indo-US defence trade not free from encumbrances.
• [July 20] Umberto Sulpasso, Eurasia Review, Domestic Knowledge Product: Enhancing Wealth, Welfare and National Security—Analysis.
• [July 20] Tiffancy C Li, The Atlantic, FaceApp makes today’s privacy laws look antiquated.
• [July 20] Tom Robinson, Venture Beat, Crypto can prevent money laundering better than traditional finance.
• [July 21] Vimal Kumar Kashyap, The Pioneer, 5G to usher in fourth industrial revolution.
• [July 21] Michael Ashley, Forbes, It’s time to fight back for data sovereignty.
• [July 22] Vidushi Marda, The Hindu, Facial recognition is an invasive and inefficient tool.

Privacy Concerns Under the HIV Bill 2014

The Human Immunodeficiency Virus and Acquired Immune Deficiency Syndrome (Prevention and Control) Bill, 2014 (the HIV Bill) is likely to be tabled in the Rajya Sabha in the current winter session. The HIV Bill is aimed at preventing and controlling the spread of Human Immunodeficiency Virus (HIV) and Acquired Immune Deficiency Syndrome (AIDS) and protecting the human rights of those affected by HIV and AIDS.

Important human rights considerations under the HIV Bill include prohibiting discrimination against HIV+ persons and also addressing the causes from which such discrimination stems. Lack of safeguards for sensitive medical information such as a person’s HIV status and the subsequent use of this information for other purposes enhance the scope for discrimination. In an attempt to address this, the Bill imposes several obligations on central and state governments, healthcare providers and establishments (such as organisations, cooperative societies etc.). This post examines the provisions relating to three critical aspects of the HIV Bill – informed consent, disclosure of information and clauses related to confidentiality.

INFORMED CONSENT

Clause 2(n) defines “informed consent” under the HIV Bill. There are two elements to this definition. The first element stipulates that consent must be without any coercion, undue influence, fraud, mistake or misrepresentation. The second element requires that consent must be obtained after being informed of the risks, benefits and alternatives to the proposed intervention and in a language or manner that can be understood by the individual giving consent.

Clause 5 of the HIV Bill mandates that informed consent must be sought before subjecting any person to an HIV test, or if an HIV+ person or persons residing with her are subjected to any medical treatment, intervention or research. If the person in question is incapable of giving consent, it is to be sought from her representative.

Further, this clause stipulates that informed consent includes counselling both before and after such a test is conducted.

Clause 6 of the HIV Bill lays down four exceptions where medical interventions can be carried out without obtaining such consent. The first exception pertains to a court order that may require a person to undergo an HIV test if the court feels that this information is necessary to determine the issues before it.

The second exception allows the procuring, processing, distribution or use of a human body or parts (such as tissues, blood, semen or other bodily fluids) for medical research or therapy. This exception is extremely broad in its scope. The Bill does not define either ‘medical research’ or ‘therapy’. It is difficult to ascertain the exact purpose for this exemption based on the text of the Bill alone. Furthermore, it is unclear why an exception should be made for medical research at all. For example, South Africa’s ‘National HIV Counselling and Testing Policy Guidelines’ require informed consent to be in writing in the context of research and clinical trials. This exception also states that if the person undergoing the test requests its result prior to donation, she would only be entitled to it after having undergone post-test counseling.

The third exception deals with HIV tests for epidemiological or surveillance purposes where the test is anonymous and not for the purpose of determining a person’s HIV status. However, the subjects of these tests are required to be informed of the purposes of such a study. Again, despite the fact that the test is anonymous, it is unclear why the obligation to seek informed consent has been done away with. Participation in any study must be voluntary and based on an informed decision.

The final exception allows an HIV test to be conducted for screening purposes in licensed blood banks.

DISCLOSURE OF HIV STATUS

Clause 8 provides that no person can be compelled to disclose their own HIV status unless required to do so ‘by an order’ which states that the disclosure is necessary in the interest of justice or for the determination of issues before it. This clause fails to mention that the order must be by a competent court. The Parliamentary Standing Committee Report on this Bill had recommended this addition citing ambiguity in the existing provision. However, the HIV Bill has not been amended to reflect this recommendation.

The HIV Bill states that any person who has information about another’s HIV status or any other private information, which was either imparted in confidence or in a fiduciary relationship, cannot disclose or be compelled to disclose such information except with the informed consent of that person. This clause requires the consent to be recorded in writing.

However, the Bill envisages six situations where such disclosure may be made without seeking informed consent.

The first exception deals with disclosure made to another healthcare provider who is involved in the treatment or counseling of that person, provided that the disclosure is necessary for the treatment.

The second exception allows disclosure pursuant to an order of a court when the information is necessary in the interest of justice or for determination of any issue before it. Seeing that this exception permits disclosure specifically pursuant to a court order, there is no reasonable explanation for the vague drafting of the first part of Clause 8.

The third exception permits disclosure in suits or legal proceedings when such information is necessary for filing the proceedings or instructing one’s lawyers.

The fourth exception allows a physician or a counsellor to disclose the HIV+ status of a person to his or her partner if they reasonably believe that the partner is at significant risk of HIV transmission. However, Clause 9 stipulates safeguards for this. Such disclosure is only permissible if the HIV+ person has been counseled to inform their partner and the physician or counsellor is satisfied that this is not likely to happen. They are under an additional obligation to inform the HIV+ person of their intention to disclose this information to their partner. This information can only be disclosed in person and after the partner has been counselled.

Clause 9 further provides that if the HIV+ person is a woman who is at the risk of being abandoned or abused (physically or mentally) as a result of such disclosure, the counsellor or physician has an obligation to not inform her partner. This clause also absolves the physician or counsellor from any civil or criminal liability arising out of disclosure or non-disclosure under this clause.

The fifth exception allows disclosure if it relates to statistical or other information if it is reasonably clear that it cannot lead to that person’s identification. The last exception permits disclosure to officers of the central and state governments or the State AIDS Control Society for the purposes of monitoring, evaluation or supervision. This exception is also couched in extremely broad and vague terms. Ideally, the law must explicitly mention the specific Authority or officers who may have access to this information.

OBLIGATIONS OF ESTABLISHMENTS

Clause 11 of the HIV Bill requires every establishment (body corporate, co-operative society, organisations etc.) to adopt data protection measures to store HIV related information of persons. These measures will be framed by way of guidelines by the government, including mechanisms for accountability and liability.

SPECIAL PROCEDURE IN COURT

The HIV Bill also incorporates procedures to ensure confidentiality during judicial processes. It allows the court to pass an order to – a) suppress the identity of a person by using a pseudonym; b) hold the proceedings in camera; or c) restrain any publication that would disclose the identity of such person, if an application is made to this effect.

PENALTIES

It is pertinent to note that the HIV Bill makes no mention of any penalty for a breach of obligations under Clause 5 (pertaining to informed consent) and Clause 8 (pertaining to disclosure of information).

It also mandates every state government to create an Ombudsperson to hear complaints but almost all aspects pertaining to the Ombudsman’s qualifications, functions, jurisdiction have been left to delegated legislation by the relevant state. Further, Clause 24 stipulates that the Ombudsperson can inquire into violations ‘in relation to healthcare services by any person…’. While this might include violations related to informed consent, it remains unclear if the scope of the Ombudsman’s powers will include complaints related to unlawful disclosure of information.

The Bill must be welcomed for introducing procedural safeguards in medical interventions related to HIV+ persons. However, a lot of the provisions, including exceptions, suffer from over breadth and vagueness. Furthermore, the absence of any penalty for breach of provisions relating to informed consent and disclosure of information almost render these safeguards futile.