Digitisation of Health / Medical Records: Is the law keeping up?

By Smitha Krishna Prasad

Medical and health records are increasingly digitised, and ease of access is considered one of the key benefits of this trend. However, patient privacy and security of such records are important concerns that need to be addressed both under the existing legal framework, and in terms of development of new laws.

Earlier this month, news reports suggested that private medical records of over 35000 patients had been made publicly available through the website of a diagnostic laboratory based in Mumbai. Reports indicate that the website of the lab was hacked. However, other reports specify that the lab has disclaimed liability, stating that any requirement for confidentiality is limited in applicability to doctors only. Further, the lab suggested that since they were shortly to be moving to a different system, there was no urgency in remedying the security flaws.

While the above seems to be an internal security issue on the part of the lab, we have seen that health records are a favourite for hackers, across the world. These records are then either held for ransom or sold by such hackers.

The healthcare industry as a whole is seen as one of the least secure industries globally. At the same time, medical and health records of individuals are increasingly being digitised. Individuals and institutions in the healthcare industry are digitising records within their organisations to improve ease of access. The Ministry of Health and Family Welfare, Government of India, is in the process of setting up an Integrated Health Information Platform, and has issued Electronic Health Record Standards (EHR Standards). The EHR Standards are meant to provide for creation and maintenance of health records in a standardised manner that would allow for interoperability across platforms and institutions across the country. There are many pros and cons to undertaking such a digitisation effort – however, this post is limited to examining the legal framework surrounding such digitisation and the protection of privacy of patients.

Current Legal Framework in India

Today, India does not have a comprehensive privacy law, or an industry specific privacy regulation that focuses on the healthcare / medical industry. We do have the Information Technology Act, 2000 (“IT Act”), and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“IT Rules”), as well as the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 (“MCI Code of Ethics”).

The MCI’s Code of Ethics provides that physicians must maintain medical records pertaining to patients for a period of 3 years from commencement of treatment. Further, physicians must also make such records available to patients, authorised attendants and legal authorities upon request. Physicians are also required to make efforts to computerise such records. While there is no specific provision on maintenance of privacy and security of these medical records, the MCI Code of Ethics does provide that confidences entrusted by patients to physicians must not be revealed, unless required by law or in public interest. However, the MCI Code of Ethics is applicable to physicians i.e. doctors with MBBS or equivalent qualifications only.

On the other hand, the IT Act and the IT Rules are wider in application. They deal specifically with electronic records and require any person dealing with certain defined types of sensitive information, including medical records, to undertake data protection and security measures.

Any violation of the MCI Code of Ethics calls for disciplinary action against the concerned physician which could include removal of the physician’s name from the register of qualified physicians. The IT Act however, does not provide for any direct action or penalty in the case of non-compliance with the IT Rules, and relies on the person affected by the non-compliance to take action.

In addition to the MCI Code of Ethics and the IT Act, there are a few other laws such as the Medical Termination of Pregnancy Act, 1971 which provide for maintenance of confidentiality of patient information. However, these are largely specific to certain circumstances and are not comprehensive.

Potential Developments

In the absence of a comprehensive privacy and data protection law in India, some regulators have taken to establishing basic rules to protect consumers and individuals in their respective industries. For instance, the RBI places certain restrictions on the circumstances in which customer information can be shared by banks. Insurance and telecom companies are restricted from transferring certain customer information outside India.

Given the highly sensitive nature of medical / health related information, and recent trends of commoditisation of such information in the black market, such laws are much needed in the healthcare industry.

The EHR Standards do deal with certain aspects of privacy of patients and security of healthcare records. They prescribe several international standards to be adhered to by members of the healthcare industry while dealing with electronic health records. However, they appear to default back to the IT Act as the legislation that would govern the implementation of any data protection measures in relation to such records.

The Human Immunodeficiency Virus and Acquired Immune Deficiency Syndrome (Prevention and Control) Bill, 2014 also provides certain safeguards to ensure the privacy of patients, specifically in relation to their HIV status. Some concerns regarding the provisions of this bill have previously been discussed here. However, this proposed bill is again limited in scope, and does not apply across the medical industry.

Reports suggest that recognising the need for a more comprehensive law, the Central Government has taken up the initiative of drafting a healthcare industry specific privacy and data protection law.

Given that this law would be drafted from scratch, we suggest that it should be (a) holistic i.e. be applicable across the entire healthcare / medical industry, and not specifically to doctors / hospitals, and (b) technology agnostic, addressing medical / health information in any format, digitised or not.

The law should also take into account the internationally recognised privacy / fair information principles. These principles provide, among other things, for (a) collection of data by lawful means, and only when required, (b) use of data only for the purpose for which it is collected, (c) adequate security measures to be undertaken to protect data, and (d) accountability and openness about policies in place for use and protection of data.

Further, to the extent that it provides for the digitisation of records, and implementation of EHR Standards, it should be ensured that the principles of ‘privacy by design’ are used. The concept of privacy by design stipulates that privacy and data protection measures must be built into any system as a default, taking a preventative approach to data protection rather than a remedial approach.

Another important concern is enforcement – our current laws such as the IT Act, do not provide for proactive enforcement in case of failure to protect privacy / data of individuals, and leave it up to the affected individuals to act. Ideally, a dedicated regulator with the ability to investigate and direct action against defaulters is required. Perhaps the role of the National e-Health Authority proposed by the Government could be expanded to deal with privacy and security of all health records and information.

While the idea of implementing a health privacy and data protection law is a welcome move, it remains to be seen how far this proposed legislation will go towards fully protecting patients’ rights.

NDTV INDIA BAN: A CASE OF REGULATORY OVERREACH AND INSIDIOUS CENSORSHIP?

In a highly contentious move, the Ministry of Information and Broadcasting (‘MIB’) issued an order banning the telecast of the Hindi news channel ‘NDTV India’ on 9th November, 2016. The MIB imposed this ‘token penalty’ on NDTV India following the recommendation of an Inter-Ministerial Committee (‘IMC’). The IMC had found the channel liable for revealing “strategically sensitive information” during the coverage of Pathankot terrorist attacks on 4th January, 2016. The ban has, however, been put on hold by the MIB after the Supreme Court agreed to hear a writ petition filed by NDTV India against the ban.

The order passed by the MIB raises some important legal issues regarding the freedom of speech and expression of the press. Since the news channels are constantly in the race for garnering Television Rating Points, they may sometimes overlook the letter of the law while covering sensitive incidents such as terrorist attacks. In such cases, regulation of the media becomes necessary. However, it is tricky to achieve an optimum balance between the various concerns at play here – the freedom of expression of the press and the people’s right to information, public interest and national security.

In this post, we discuss the background of the NDTV India case and the legal issues arising from it. We also analyze and highlight the effects of governmental regulation of the media and its impact on the freedom of speech and expression of the media.

NDTV Case – A Brief Background:

On January 29, 2016, the MIB had issued a show cause notice to NDTV India alleging that their coverage of the Pathankot military airbase attack had revealed vital information which could be used by terror operators to impede the counter-operations carried by the security forces. The notice also provided details regarding the alleged sensitive information revealed by NDTV India.

In its defence, the channel claimed that the coverage had been “balanced and responsible” and that it was committed to the highest levels of journalism. The channel also stated that the sensitive information allegedly revealed by the channel regarding critical defence assets and location of the terrorists was already available in the public domain at the time of reporting. It was also pointed out that other news channels which had reported on similar information had not been hauled up by the MIB.

However, the MIB, in its order dated January 2, 2016, held that NDTV India’s coverage contravened Rule 6(1)(p) of the Programme and Advertising Code (the ‘Programme Code’ or ‘Code’) issued under the Cable TV Network Rules, 1994 (‘Cable TV Rules’). In exercise of its powers under the Cable TV Networks (Regulation) Act, 1995 (‘Cable TV Act’) and the Guidelines for Uplinking of Television Channels from India, 2011, the MIB imposed a ‘token penalty’ of a day’s ban on the broadcast of the channel.

Rule 6(1)(p) of the Programme Code:

Rule 6 of the Code sets out the restrictions on the content of programmes and advertisements that can be broadcasted on cable TV. Rule 6(1)(p) and (q) were added recently. Rule 6(1)(p) was introduced after concerns were expressed regarding the real-time coverage of sensitive incidents like the Mumbai and Gurdaspur terror attacks by Indian media. It seeks to prevent disclosure of sensitive information during such live coverage that could act as possible information sources for terror operators.

Rule 6(1)(p) states that: “No programme should be carried in the cable service which contains live coverage of any anti-terrorist operation by security forces, wherein media coverage shall be restricted to periodic briefing by an officer designated by the appropriate Government, till such operation concludes.

Explanation: For the purposes of this clause, it is clarified that “anti-terrorist operation” means such operation undertaken to bring terrorists to justice, which includes all engagements involving justifiable use of force between security forces and terrorists.”

Rule 6(1)(p), though necessary to regulate overzealous media coverage especially during incidents like terrorist attacks, is vague and ambiguous in its phrasing. The term ‘live coverage’ has not been defined in the Cable TV Rules, which makes it difficult to assess its precise meaning and scope. It is unclear whether ‘live coverage’ means only live video feed of the operations or whether live updates through media reporting without visuals will also be considered ‘live coverage’.

Further, the explanation to Rule 6(1)(p) also leaves a lot of room for subjective interpretation. It is unclear whether the expression “to bring terrorists to justice” implies the counter operations should result in fatalities of the terrorists or if the intention is to include the coverage of the trial and conviction of the terrorists, if they were caught alive. If so, it would be highly impractical to bar such coverage under Rule 6(1)(p). The inherent vagueness of this provision gives wide discretion to the governmental authorities to decide whether channels have violated the provisions of the Code.

In this context, it is important to highlight that the Supreme Court had struck down Section 66A of the Information Technology Act, 2000 in the case of Shreya Singhal vs. Union of India, on the ground of being vague and overbroad. The Court had held that the vague and imprecise nature of the provision had a chilling effect on the freedom of speech and expression. Following from this, it will be interesting to see the stand of the Supreme Court when it tests the constitutionality of Rule 6(1)(p) in light of the strict standards laid down in Shreya Singhal and a spate of other judgments.

Freedom of Speech under Article 19(1)(a)

The right of the media to report news is rooted in the fundamental right to free speech and expression guaranteed under Article 19(1)(a) of the Constitution of India. Every right has a corresponding duty, and accordingly, the right of the media to report news is accompanied by a duty to function responsibly while reporting information in the interest of the public. The freedom of the media is not absolute or unbridled, and reasonable restrictions can be placed on it under Article 19(2).

In the present case, it can be argued that Rule 6(1)(p) fails to pass the scrutiny of Article 19(2) due to inherent vagueness in the text of the provision. However, the Supreme Court may be reluctant to deem the provision unconstitutional. This reluctance was demonstrated for instance, when the challenge to the constitutionality of the Cinematograph Act, 1952 and its attendant guidelines, for containing vague restrictions in the context of certifying films, was dismissed by the Supreme Court. The Censor Board has used the wide discretion available to it for placing unreasonable restrictions while certifying films. If the Supreme Court continues to allow such restrictions on the freedom of speech and expression, the Programme Code is likely to survive judicial scrutiny.

Who should regulate?

Another important issue that the Supreme Court should decide in the present case is whether the MIB had the power to impose such a ban on NDTV India. Under the current regulatory regime, there are no statutory bodies governing media infractions. However, there are self-regulatory bodies like the News Broadcast Standards Authority (NBSA) and the Broadcasting Content Complaints Council (BCCC). The NBSA is an independent body set up by the News Broadcasters Association for regulating news and current affairs channels. The BCCC is a complaint redressal system established by the Indian Broadcasting Foundation for the non-news sector and is headed by retired judges of the Supreme Court and High Courts. Both the NBSA and the BCCC regularly look into complaints regarding violations of the Programme Code. These bodies are also authorized to issue advisories, condemn, levy penalties and direct channels to be taken off air if found in contravention of the Programme Code.

The decision of the MIB was predicated on the recommendation made by the IMC, which consists solely of government officials with no journalistic or legal background. The MIB should have considered referring the matter to a regulatory body with domain expertise like the NBSA that addresses such matters on a regular basis or at least should have sought their opinion before arriving at its decision.

Way Forward

Freedom of expression of the press and the impartial and fair scrutiny of government actions and policies is imperative for a healthy democracy. Carte blanche powers with the government to regulate the media as stipulated by Cable TV Act without judicial or other oversight mechanisms pose a serious threat to free speech and the independence of the fourth estate.

The imposition of the ban against NDTV India by the MIB under vague and uncertain provisions can be argued as a case of regulatory overreach and insidious censorship. The perils of such executive intrusion on the freedom of the media will have a chilling effect on the freedom of speech. This can impact the vibrancy of the public discourse and the free flow of information and ideas which sustains a democracy. Although the governmental decision has been stayed, the Supreme Court should intervene and clarify the import of the vague terms used in the Programme Code to ensure that the freedom of the press is not compromised and fair and impartial news reporting is not stifled under the threat of executive action.

“The Right to be Forgotten”: Balancing Personal Privacy with the Public’s right to access Information

Evolution of the right and Global framework

In the Internet age, when access to information is quick and easy, procuring personal information or past records about an individual is no longer a herculean task. The relevance of such information or the duration for which such data should be available for public access has hitherto not been debated.

There is growing global debate on a new right called “the right to be forgotten” or “the right of erasure”. This right allows people to request for removal of their personal information/data online after a period of time or if such information/data is no longer relevant. The origin of this right can be traced back to the French jurisprudence on the ‘right to oblivion’ or droit à l’oubli. The rationale behind this right was to allow criminal offenders who have already served their sentence to object to the publication of information regarding their crime and conviction. This was done to ease their process of social integration.

It was along these lines that the 1995 EU Data Protection Directive acknowledged the right to be forgotten. Under the Directive, it was stipulated that the member states should give people the guaranteed right to obtain from the ‘controller’ the rectification, erasure or blocking of data relating to them, the processing of which does not comply with the provisions of the Directive. The term ‘controller’ here refers to a natural or legal person, public authority, agency or any other body which alone or jointly determines the purposes and means of processing personal data.

In May 2014, the Court of Justice of the European Union (‘Court’) recognized the right to be forgotten as a part of the fundamental right to privacy in the Google case. The plaintiff, in this case, had requested for delinking of search results appearing on Google and the deletion of newspaper articles appearing online with respect to bankruptcy proceedings against him. The Court held that individuals have a right to request search engines to delink information which causes prejudice to them. However, the Court was careful to state that this right is not absolute and can be applied only when the data becomes ‘inadequate, irrelevant, excessive, not kept up to date, or kept for longer than necessary’ with respect to the purpose for which it was collected or processed. Accordingly, the Court directed Google to delink the search results in the instant case. It was further held that the publication of accurate data may be lawful at a given point in time, but in due course, it might become inconsistent with the law.

While the judgment in the Google case is a step in the right direction, it leaves much to be desired. The Court did not set out any guidelines or parameters to filter out information as ‘inadequate’ or ‘irrelevant’ or ‘excessive’. It has thrust the onerous task of balancing the right to privacy of an individual and the public’s right to access information on private search engines like Google. This raises critical questions regarding the suitability of private entities taking decisions which are of constitutional import. Pursuant to this judgment, the EU adopted the Data Protection Reforms which includes the right to be forgotten as an essential right under Article 17 of the Data Protection Regulations. This lays down the conditions for application of the right to be forgotten, and requires entities processing personal data to inform third parties regarding requests for erasure of links to any personal data. A detailed discussion of these regulations and their impact on India can be found here.

Challenges in enforcement

There are many legal and technical challenges in the enforcement of the right to be forgotten. The success rate of governments across the world in banning or removing pornographic websites or torrent sites from the Internet has not been great, since there are various ways of circumventing such bans. Further, the blocking or delinking of URLs by search engines does not guarantee that such information has been blocked or deleted from the Internet. There is also no way to ensure that such information is not uploaded again.

To enforce the ruling of the case discussed above, Google has created a mechanism through which an individual can make a request for taking down of or delinking of a specific search result bearing an individual’s name. Google evaluates such requests on various parameters like whether these results are an infringement on his right to privacy or whether such information is of public interest. In case of the former, the individual’s right to be forgotten trumps the public’s right to access information. However, if the information is of public interest, the right to information of the public prevails over privacy rights. This squarely makes Google the decision maker of the relevance, adequacy, and need for data to be available online for public access or not.

With the growing recognition of the right to be forgotten, the number of requests that search engines receive for taking down or delinking is only likely to increase, making it extremely difficult and cumbersome to scrutinize such requests manually. According to Google’s Transparency Report, as on 9th October, 2016, Google had received 565,412 requests for the removal of URLs. The Report further states that it has already evaluated 1,717,714 URLs since May, 2014. The Report shows that Google has removed 43.2% of the URLs from the requests received. With a substantial increase in the number of requests, search engines may even consider using algorithms to deal with such requests instead of manually evaluating the privacy rights vis-à-vis public interest.

Further, search engines are also likely to tread on the side of caution and accept such requests rather than face expensive legal challenges across jurisdictions for non-compliance. This right may be misused by individuals as it will lead to artificial alteration of the content available online which may result in the delinking of pertinent information.

Recent developments in India

The data protection regime and data privacy laws of India are not comprehensive and dynamic enough to respond to technological advances in the modes of collection, transfer and use of personal information. The Information Technology Act, 2000 and the rules framed under the Act make up the primary legal framework that governs this subject. The Delhi High Court is currently hearing a matter (Laksh Vir Singh Yadav vs. Union of India, WP(C) 1021/2016) where the petitioner has requested for the removal of a judgment involving his mother and wife from an online case database. The petitioner claims that the appearance of his name in the judgment is causing prejudice to him and affecting his employment opportunities. It will be interesting to see the outcome of this case and how the larger debate of the right to privacy of an individual versus the right of public to access information unfolds in this case.

It is pertinent to note that the Delhi High Court is dealing with the request for removal of a court order which is a public document. This request is unusual and distinct from a request for delinking of search results appearing in search engines like Google since such delinking does not result in the removal of the information itself. Allowing the removal of such judgments from online case databases could result in the expunging of public records. Furthermore, the removal of judgments from online public databases will obstruct public access to case materials shedding light on critical questions of law.

While implementing the right to be forgotten, a very fine balance has to be struck between the right to freedom of speech and expression, public interest and personal privacy. To balance these conflicting rights, the judiciary may consider implementing a system where personal information like names, addresses etc. of the litigants are redacted from reportable judgments/orders especially in personal disputes. The courts have, in the past, refrained from divulging the identities of parties in order to respect their privacy in many rape or medico-legal cases.

With many unanswered questions surrounding this right, India requires a comprehensive data protection regime to regulate the entities collecting and processing personal data and to define the terms of use, storage and deletion of such personal data. This will ensure that such entities are obliged to take due care of the personal data in their possession and will also provide a framework for dealing with requests for removal or erasure of such personal data.

I&B Ministry forms Committee to regulate content in Government Advertising

Written By Joshita Pai

Following the direction by the Supreme Court, the Ministry of Information and Broadcasting issued an order last month establishing a three member committee to effectuate the Supreme Court Guidelines on Content Regulation of Government Advertising. Government advertising refers to the use of public funds by ruling parties to project their achievements or make announcements about upcoming initiatives. These advertisements however, have occasionally been politically motivated, demonstrating the need for the guidelines issued by the Court in the Common Cause judgment. The guidelines were issued on the basis of a report submitted by a Court-appointed committee on the issue of use of public funds in government advertising.

According to the recent MIB order, the Supreme Court Guidelines will function as a stopgap arrangement until legislation comes into force to regulate the content projected in government sponsored advertisements. The body set up by the Ministry will address complaints from the general public on violation of the guidelines prescribed by the Court. The Committee will be assisted by a member secretary, and will be set up in parallel at the state level, appointed by the respective State Governments. The three member body will be responsible for implementation of the SC guidelines on regulating content in government advertising.

Government Advertising

Government advertising is often regarded as informative and in public interest since it facilitates circulation of necessary information with respect to upcoming welfare schemes or the progress of government initiatives. However, advertisements of this nature are often used to gain political mileage. This practice has been criticized for several reasons, ranging from arbitrary use of public funds to non-objective presentation of information. Colourful presentation of information on the part of the government does not foster public interest. The right to freedom of speech and expression exercisable by the government is not dispensable but Article 19 also grants the right to information, and accurate information at that, which stands in equal measure. Balancing conflicting interests in this regard is a herculean task.

Government advertising, unlike political advertising which also often transcends permissible boundaries, is sponsored by the use of public funds that governments in power have access to. According to the Election Commission of India, the expenditure on government sponsored advertisements is incurred by the public exchequer and is contrary to the spirit of free and fair election, as the party in power gets an undue advantage over other parties and candidates. The practice has beckoned the need for an oversight authority and a set of workable standards to regulate such advertising, which have been recommended time and again, most recently in the Law Commission Report on Electoral Reforms. Moreover, the Election Commission too has assessed the mushrooming phenomenon of advertising by existing governments. In furtherance of these observations, the ECI recommended that advertisements for achievements of existing governments, either Central or State, in any manner, should be prohibited for a period of six months prior to the date of expiry of the term of the House.

The Guidelines issued by the Supreme Court     

The case that brought about the guidelines was set in motion when Common Cause and the Centre for Public Interest Litigation sought to restrain the Union of India and State Governments from using public funds on government advertising. The petitioners emphasized that the object of these advertisements is generally to promote functionaries and candidates of a political party. One of the primary objections raised in the case was that such advertising is generally politically motivated. The petition called for the Court to issue comprehensive guidelines on usage of public funds on such advertisements. Giving due weightage to the plea, the Court appointed a committee to examine best practices in order to demarcate permissible advertising during campaigning from politically motivated advertisements. The committee submitted its report to the Supreme Court in September 2014 which contained a set of guidelines on content regulation in government advertising. These guidelines will be implemented by the committee established by the MIB.  

According to the Guidelines, government advertising “includes any message, conveyed and paid for by the government for placement in media such as newspapers, television, radio, internet, cinema and such other media but does not include classified advertisements; and includes both copy (written text/audio) and creatives (visuals/video/multimedia) put out in print, electronic, outdoor or digital media.”

The guidelines further suggest that government advertisements should be politically neutral and should not include photographs of political leaders unless it is essential, in which case only the photographs of the Prime Minister/Chief Minister or President/Governor may be used. The enforceability of the guidelines has been left to the three member body which shall recommend actions accordingly.

According to the Guidelines, regulation of content should be guided by five fundamental principles:

  1.  Advertising Campaigns to be related to Government responsibilities: The content of the government advertisement should be relevant to the government’s obligations and the rights of the citizens. 
  2. Advertisement materials should be presented in an objective, fair, and accessible manner and be designed to meet the objectives of the campaign: The content and the design of the advertisement should be executed after exercise of due care and should not present previous policies of the government as new ones.
  3. Advertisement materials should be objective and not directed at promoting political interests of ruling party: The advertisement should steer clear of making political arguments and should be neutral in nature and should not seek to influence public support.
  4. Advertisement Campaigns must be justified and undertaken in an efficient and cost-effective manner: Optimum use of public funds and cost-effective advertisements reflect a need-based advertising approach.
  5. Government advertising must comply with legal requirements and financial regulations and procedures: The advertisements must be compliant with existing laws such as election laws and ownership rights.

Government advertisements are issued on several occasions. They are issued to present the completion of a successful tenure, to commemorate anniversaries of people and to announce public welfare projects. In these instances, the object of the advertisement can be achieved with objective presentation of information. The sole purpose of the committee set up is to ensure that the right of the government to use funds to sponsor advertisements is not misused.

The New Data Protection Regulation and its Impact on India

Written By Joshita Pai

The European Parliament adopted the new Rules on Data Protection on the 14th of April, 2016. The new Regulation replaces the General Rules on Data Protection, 1995 and the 2008 framework decision on cross-border data processing in police and judicial cooperation within the EU. In January 2012, the EU Commission first presented a package of proposals in order to update and modernize the present EU legal framework which was accepted subsequently by the Council in December 2015. The new data protection package consists of a general regulation on personal data processing in the EU and a directive on data processed by the police and judicial authorities.

Highlights of the Regulation

The regulation establishes a stronger regime for protection of personal data by giving more control to the users in the digital market. It enshrines provisions on the much-awaited right to be forgotten in the virtual space,[i] provisions on the need for clear and affirmative consent and the right of an individual to be informed. Profiling of an individual by collecting a person’s data is often presented in the name of customized service and commercial interest of the company. The new regulation allows for a right to object against profiling unless it is necessary for legal enforcement purposes or for scientific research. The Directive also envisages provisions on data portability which will enable users to shift from one service provider to another, without losing the data accumulated in the use of the former. Aside from vesting a bundle of rights in the hands of the users, the regulation makes way for an array of provisions for companies to abide by. The crucial provisions affecting business companies include:

  1. Sanctions on companies that breach data transfer of up to 4% of annual profits: This provision in the regulation holds heavy bearing since its application extends to companies established outside the European Union. Organisations will additionally be required to carry out data protection impact assessments where their plans to process personal data are “likely to result in a high risk for the rights and freedoms of individuals”.
  2. Provision for appointing a data protection officer if the company engages in processing of sensitive data: For businesses in which the “core activities” consist of processing operations that “by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale”; or if it involves processing sensitive data on a large scale, the new Directive recommends the mandatory appointment of a DPO.
  3. The introduction of the new one-stop-shop concept in the Regulation: The Regulation states there will be a single supervisory authority who will be engaging with business houses, instead of one authority in each member state. The ‘one-stop-shop’ will streamline cooperation between the data protection authorities on issues with implications for all of Europe.

The Impact of the new EU Regulation on India

The cross-border flow of data from the EU states to other nations has been contentious, visibly so after the Schrems decision which rendered the EU-US safe harbour provision inadequate. The decision called for a new set of guidelines which resulted in the creation of the EU-US privacy shield.

The EU framework of 1995, as well as the enhanced edition of the Regulation, prescribes a mandatory adequacy decision to determine whether the country in question adequately protects personal data. The new Regulation dedicates a chapter to the transfer of personal data to third party countries, and India’s interest in the Directive lies here. It provides that:

“A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, or a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection.”

The European Commission in 2015 produced a report on Data Protection in India to assess the measures and standards adopted for protection of data in India. The report highlighted the lacunae in Indian laws pertaining to personal data. According to a recent survey by NASSCOM-DSCI, there is an opportunity loss of USD 2.0 billion – 2.5 billion owing to data transfer related issues. The report notes that EU clients are hesitant to offshore work to Indian companies because of the dearth of data protection standards in India. With particular regard to data protection, institutionalizing a regulatory regime in India has become a herculean task with no comprehensive legislation on data protection in force. Statutory attempts to this effect have either been dissipated across the arena or have not been effectively executed so far. The penalty of 4% of annual turnover of a company on account of data breach is one of the outstanding features of the new Regulation, and pitching this against the backdrop of a staggered regime on data protection in India indicates a host of repercussions.

Joshita Pai was a Fellow at the Centre for Communication Governance (2015-2016)

[i] ‘The right to be forgotten’ stirred up as a concept after a Spanish national sued Google Spain and a Spanish newspaper for retaining information about him that was published several years ago.

Anupam Kher’s Cockroach Tweet: Cultural Reference or Hate Speech?

Written by Siddharth Manohar

The noise surrounding the recent controversy regarding a tweet by Indian actor (and UN Ambassador for Gender Equality) Anupam Kher made it difficult to look into why it caught so much attention. That it did is beyond doubt, garnering over six thousand hits, significantly more than almost all of his other tweets. It was also followed by plenty of coverage and promotion from its audience, who responded while sharing their own views as well. Here I try to look at whether there was any basis for the criticism that the tweet received, and the degree to which it was justified.

To start off, it would be useful to reproduce the lines in their original form:

घरों में पेस्ट कंट्रोल होता है तो कॉक्रोच, कीड़े मकोड़े इत्यादि बाहर निकलते है घर साफ़ होता हैवैसे ही आजकल देश का पेस्ट कंट्रोल चल रहा है

Which translates into: “During pest control in houses, the cockroaches and other insects etc. are removed. The house gets cleaned. Similarly, pest control of the country is going on these days.”

On an initial reading, it is a harmless and vague insult. The use of the term ‘cockroach’, which has attracted the most attention, seems to be employed as a characterisation of anything undesirable, be they problems, politics, or people. As a standalone insult, it remains a lot less venomous as compared to some of the other material that one may find on the website. Apart from containing a reference to one of the actor’s films, it is also vague and targets no group explicitly. It is therefore understandable that the issue has its share of people who may be bewildered by what could possibly be quite so harmful in this particular tweet, and are likely to pass off criticism as an overreaction that seems to be increasingly common.

To understand if there is a valid criticism of the tweet, we look at the larger context in which such a term is understood. The comparing of groups of people to animals and pests has a long, concrete, and troubling history. The process has over time and study acquired the name of ‘dehumanisation’, the process by which language and discourse is used to make a group of people seem ‘less-than-human’. It is a widely documented and extremely effective method of incitement to violence.

The reasoning behind its usage in the process is also interesting and relevant. According to Helen Fein (Benesch, 2008), the purpose of this kind of discourse is to put a certain group of people outside the limits of moral considerations and obligations. This is because the default moral understanding of a majority of people is underpinned by the principle that it is unacceptable to carry out violent acts of hate, or to kill any person. The repeated categorisation of a group of people as the ‘other’, and the polarisation of their identity as a group not worthy of human respect or equal rights, has an effect on the mind of the larger public. Acts of violence and crimes start to seem more acceptable and less outrageous when committed against this group, and this process of dehumanisation escalates over time.

The narratives most often target a specific identity, most famously that of ethnicity and religious identity. The most prominent examples of this occur during the inter-war period in Germany, where there was a large amount of material alienating and dehumanising those of Jewish religion. The content was systematically churned out by state agencies instructed with an agenda. Similarly, the build-up to the Rwandan genocide in 1994 saw a very strong narrative which demonised the Tutsi ethnic group in Rwanda, labeling them as Inyenzi (cockroaches) that cannot contribute to society because of who they were, their basic identity. This narrative creates a larger feeling of resentment amongst the public against the people of the target group, making it easier to commit acts of violence against them. Susan Benesch would argue that there cannot in fact be a large scale violent attack against a group of people that live amongst a majority without the cooperation or the tacit acceptance of that larger group of people.

The comparison of people to pests and animals has repeatedly been used as a tool in this process of moulding public sentiment against certain groups of people. In these cases, the narrative that it served to create helped in the execution of large scale genocidal operations that have left millions of people killed over the decades. Dehumanisation has also been included as part of an academic study devising a ten-step model of genocide. The historical evidence overwhelmingly suggests that the use of such terms to build a narrative is part of a larger build-up towards organised violence based on lines of group identity.

To suggest that an Indian actor is sending out a call for violence is ill thought out, and ignorant of the complexity of the issue. What does need to be observed, however, is how easily discussions are used to create and divide identities, and what values are ascribed to these identities. While healthy and vociferous debate forms an important part of a democracy, equally important is the tangible effect that speech can have on its immediate surroundings. It is the effects and the consequences (and harm) of speech that give rise to justifications for its regulation, and it is therefore always useful to keep a watchful eye on where public discourse takes us.

The New Dimension to the UIDAI Debate: The Aadhaar Bill, 2016

 

Written By Joshita Pai

The discourse around Aadhaar has only aggravated since its inception, and one of the primary contentions of the debate has been the lack of a statutory force behind the initiative. Amidst all the speculations, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 was introduced on 3rd of March as a money bill, on the grounds that subsidies and other benefits will be drawn from the Consolidated Fund of India. The Bill seeks to resolve the contention of the lack of a legislation backing Aadhaar. The Bill also allows for more schemes to be attached to Aadhaar in future. Presently, there are a handful of schemes attached to the Aadhaar which have been approved by the Supreme Court. The Bill is an ambitious task to provide a framework for operationalization of Aadhaar.

A Cursory Glimpse

The Bill, establishing the Unique Identification Authority of India (UIDAI) as the authority for the functionality of the Aadhaar process, provides for the conferment of an Aadhaar number on every resident who submits her identity information. The Bill, in this context, defines a resident in clause 2(5). Clause 2(n) provides that identity information includes biometric information and demographic information. Biometric information includes photograph, finger print, iris scan, or such other biological attribute of an individual as may be specified by regulations. The demographic information includes information relating to name, date of birth, address and other relevant information of an individual specified by regulations but significantly excludes information about race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

According to clause 9, an Aadhaar number shall not confer, or be a proof of, citizenship or domicile. The Bill also carries a provision which may require Aadhaar holders to update their biometric and geographic information. The inconsistency in predictability of biometric data of an individual has been a contentious issue, but the object of the provision here is, as mentioned, the continued accuracy of the information in the repository.

Dissecting the Clauses

The Bill elevates the existence of an Aadhaar number to a proof of identity by virtue of clause 4(3).

Chapter IV of the Bill establishes the UIDAI as a body corporate, consisting of a Chairperson, a CEO and two part-time members. The CEO of the Authority will not be below the rank of Additional Secretary to the Government and will be appointed by the Central Government. The chapter deals with functions of the members, grants by Central Government, accounts and audits, qualifications and enumerations of the members. The Authority is responsible for the establishment, operation and maintenance of the Central Identities Data Repository. Clause 49 provides that the members of the UIDAI will be deemed as public servants. Clause 50 provides that the Central Government is not empowered to issue directions pertaining to technical or administrative matters undertaken by the authority.

Clause 16 of the Bill places restrictions on the Chairperson and members of the UIDAI who have ceased to hold office. It bars them from accepting employment in any management or company, which has been associated with any work contracted by the UIDAI, for a period of three years after the expiry of their employment. Listing the functions of the UIDAI, clause 23 provides that the authority shall formulate policies and procedures for issuing Aadhaar numbers and for performing authentication of the same. The Authority is designated to carve out regulations, including on the process of collection of information, and to specify what biometric and geographic information includes. The specifications have been left open to the authority, including the appointment of an entity to operate the Central Identities Data Repository.

The Bill creates a Central Identities Data Repository [Clause 2(h)] which will be the centralized database containing all Aadhaar numbers and details thereto. It will also be responsible for authentication and verification of the information provided by Aadhaar holders at the time of enrollment. The registration of Aadhaar has been made voluntary by the force of the Court’s order in August, 2016.

In light of this, clause 7 of the Bill mandates that proof of Aadhaar number is necessary for the receipt of certain subsidies, benefits and services. The clause carves out a potential exception to the effect that if an Aadhaar number is not assigned to an individual, an alternate means of identification shall be offered for delivery of benefits.

Enabling accessibility to the Aadhaar process, clause 5 of the Bill provides for special measures for issuance of Aadhaar to senior citizens, children, persons with disability and persons who do not have any permanent dwelling houses. The clause is inclusive in nature.

Chapter VII of the Bill deals with penalties and liabilities for several offences. Impersonation at the time of enrolment, as well as impersonation for the purpose of changing the demographic information of an Aadhaar number holder, is punishable with imprisonment. Providing a heavy liability for companies, clause 43 states:

Where an offence under this Act has been committed by a company, every person who at the time the offence was committed was in charge of, and was responsible to, the company for the conduct of the business of the company, as well as the company, shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly.

A provision which stands out in the chapter listing out penalties is Clause 44. It reads as follows:

(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or contravention committed outside India by any person, irrespective of his nationality.

(2) For the purposes of sub-section (1), the provisions of this Act shall apply to any offence or contravention committed outside India by any person, if the act or conduct constituting the offence or contravention involves any data in the Central Identities Data Repository (5(f))

Privacy Provisions in the Bill

The statement of objects and reasons appended to the Bill states that it seeks to provide “for measures pertaining to security, privacy and confidentiality of information in possession or control of the Authority including information stored in the Central Identities Data Repository”. 

Chapter VI of the Bill is built around the protection of information by the Authority, collected through the enrolment process. The Bill qualifies biometric information collected and stored in electronic form, as “electronic record” and “sensitive personal data or information” within the meaning of the Information Technology Act, 2000. The distinction between core biometric information and biometric information has been visibly emphasized. Clause 29 imposes a restriction on sharing information and bars the use of core biometric information for any purpose other than for the generation of Aadhaar numbers and authentication.

Clause 28(3) reads:

“The Authority shall take all necessary measures to ensure that the information in the possession or control of the Authority, including information stored in the Central Identities Data Repository, is secured and protected against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.”

Clause 28(5) further provides that the Authority or its officers or employees or any agency which maintains the Central Identities Data Repository shall not, whether during his service or thereafter, reveal any information stored in the Central Identities Data Repository or authentication record to anyone.

The Bill provides for information privacy at the stage of enrollment. According to Clause 3(2), the enrolling agency, which is appointed by the UIDAI for collection of identity information, is bound to inform the individual at the time of enrollment of details about (i) the manner in which information collected will be used, (ii) the right of accessibility of information at the hands of the individual and (iii) the nature of recipients of the information. The manner of communication of such information has been left open to specific regulations which will be prescribed by the UIDAI.

The Bill provides for authentication of Aadhaar number by a requesting entity in relation to his biometric information or demographic information. Clause 2(u) defines “requesting entity” to mean an agency or person that submits the Aadhaar number, and demographic information or biometric information, of an individual to the Central Identities Data Repository for authentication.

Clause 8(2) makes it mandatory for the entity requesting authentication to obtain consent from the person whose information is to be collected for such authentication. It requires the requesting entity to ensure that the identity information of an individual is only used for submission to the Central Identities Data Repository for authentication. The clause further provides that the Authority shall respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information excluding any core biometric information.

With respect to identity information, clause 29(3) restricts the use of such information available with a requesting entity and states that the identity information will only be used for the purpose specified to the individual at the time of enrollment and only with the prior consent of the individual. Clause 32 enables an Aadhaar number holder to access her/his own information and also mandates that records of requests for authentication of an individual should be maintained.

The functions of the Authority include performing authentication of Aadhaar numbers and deactivation of Aadhaar numbers. Clause 23(m) empowers the Authority to specify, by regulations, various processes relating to data management, security protocols and other technology safeguards under this Act. The UIDAI, according to Clause 23(q), is also entrusted with the function of promoting research and development for advancement in biometrics and related areas, including usage of Aadhaar numbers through appropriate mechanisms.

Disclosure of Information

Envisaging an exception to the protection of information provisions, clause 33 allows for disclosure of information in certain instances. It provides that disclosure of information, including identity information or authentication records, is permissible if made in pursuance of an order of a Court (at least District judge), or in the interest of National Security by an officer of the level of Joint Secretary or above. However, the Bill does not define national security and the term in itself is vague and overbroad. It provides that such a direction shall be reviewed by an oversight committee consisting of Cabinet Secretary and Secretaries of Legal Affairs and DeitY. The problems of third party independent oversight and the volume of requests remain, as is the case with the oversight committee under the Blocking Rules and the Telegraph Rules. The proviso appended to the clause further provides that the direction in the interest of national security shall lapse after the expiry of three months from the date of issue.

Clause 37 of the Bill enshrines a penal provision for unauthorized disclosure of any identity information collected in the course of enrollment or the authentication process. This provision prescribes a penalty for individuals as well as companies who engage in unwarranted disclosure. The Bill imposes a penalty for unauthorized access to the repository (clause 38) and for tampering with data on the repository (clause 39). Chapter VII further provides for punishment of a requesting entity for unauthorized use of identity information.

The Bill contains vital provisions, ranging from a requesting entity applying for authentication and access to identity information by an Aadhaar number holder to the introduction of liabilities. However, a deeper glance shows that several regulations are yet to be prescribed and have been left open-ended. The actualization of a legislation should, however, not be conceived as a satisfactory response to the yet to be heard struggle for determining privacy as a constitutional right.

 Joshita Pai was a Fellow at the Centre for Communication Governance from 2015-2016