India’s Latest National Security Dilemma: The Huawei Ban and NAM(O) 2.0

Over two weeks after the ban on Huawei was imposed by the United States on suspicions of facilitating espionage on behalf of China, the newly appointed Minister of Electronics and IT, Ravi Shankar Prasad acknowledged that there are ‘complex security concerns’ around the deployment of Huawei’s technology in India. His statement comes soon after the TRAI’s statement emphasizing the need to indigenize telecom infrastructure in the aftermath of the US ban on Huawei.

The Chinese tech giant has been at the centre of controversy even before May 16, when President Trump signed an Executive Order entitled ‘Securing the Information and Communications Technology and Services Supply Chain’, declaring a national cybersecurity emergency, placing Huawei on the ‘Entity List’ of the US Department of Commerce under Supplement 4 to Part 744 of its  Export Administration Regulations. This implies that any US persons and corporate entities that continue to do business with Huawei would face heavy penalties that could potentially include criminal sanctions. Owing to the design of export control laws in the United States, the enforcement of the ban in the United States has extraterritorial effects. According to a Reuters report, US Secretary of State Mike Pompeo warned allies of potential difficulties in sustained cooperation and data sharing with the United States if they continued to use Huawei equipment despite the ban.

Huawei in the United States

Criminal charges pending against Huawei in US courts include serious allegations of corporate espionage, bank fraud, theft of trade secrets and most importantly, conspiracy to violate the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq) (IEEPA) by export of telecommunications services provided by a US citizen to Iran without permission from the Office of Foreign Assets Control (OFAC). It was on the grounds of violation of the IEEPA that the US successfully urged Canada to detain Huawei’s CFO, Meng Wanzhou, who is now awaiting potential extradition to the United States for prosecution for the crimes alleged against Huawei.

Some in the US national security community have even argued that this could potentially be an abuse of the President’s emergency powers under the IEEPA, the legislation that enables the US to‘financially asphyxiate targeted countries, entities or individuals’ that pose ‘any unusual and extraordinary threat’ to US national security interests. Others, based on Trump’s statement that saw Huawei being potentially included in a future trade deal with China, take the view that the ban is no more than a leveraging tool to get concessions from the Chinese Government. Yet more view it as a measure designed purely to protect US telecom industries from Chinese competition in the 5G race, to prevent the US from losing its edge in communications technologies.

A major reason for the rapid rise of Huawei on the global tech scene has been its competitive prices and convenient payment plans. Thanks to the ban, rival companies like Cicso, Ericsson, Nokia and Samsung do indeed, stand to gain significant advantages and grab bigger market shares, but their prices so far have not been able to compete with those offered by their Chinese counterparts.

Despite this ‘emergency’, a week after President Trump signed an Executive Order, the restrictions were eased by the US Department of Commerce to give American companies a 90 days window to adapt to the new restrictions. In the time that has passed, several tech companies have severed business ties with Huawei. Google was the first to respond, cutting off Huawei’s access to its Android platform, restricting existing users’ access to future security patches and updates. Microsoft, Intel, Qualcomm, Xilinx, Broadcomm, Panasonic and British Chip manufacturer ARM soon followed suit, causing serious disruptions in the global ICT supply chain, especially in its smartphone manufacturing. However, the smart phone business is only a small part of Huawei’s overall products range. It is noteworthy that as on date, Huawei controls 28% of the global marketshare in telecom equipment. In the first quarter of 2019, Huawei surpassed Apple to become the world’s second largest manufacturer of smartphones. Much to the worry of American telcos, some forecasts indicate that China is expected to represent 40% of all global 5G connections by 2025.

Several reports indicate that Huawei had long been preparing for impending restrictions from the US Government. Reportedly, it is developing its own OS ‘Ark’ and has challenged the National Defence Authorization Act 2018, which bans US Government agencies from procuring products manufactured by Huawei or ZTE.

China’s Retaliation

Although Huawei’s founder and CEO, Ren Zhengfei has opposed retaliation by the Chinese Government against Apple or other American tech companies, it remains to be seen how China will respond in the ongoing trade tensions with the US. Some changes to set up a mechanism that allows for higher degree of protection to its own national security interests have already been introduced in Chinese cyber security law in response. China has also threatened the creation of a ‘sweeping blacklist of US firms’ in retaliation. Reports indicate that the export of rare earth minerals to China by the US could be the next frontier in these ‘hostilities’.

In addition, the Chinese Defense Minister Wei Fenghe came out to explicitly state that Huawei was not part of its military, several Chinese officials have refuted US claims alleging that the decision to blacklist Huawei was unsupported by any evidence. Unsurprisingly though, Russia has rolled out the red carpet for Huawei, where it signed a deal to develop 5G infrastructure for Russian telecom provider MTS.

However, the most important piece of Chinese legislation for India to consider is the Chinese intelligence law passed in 2017 that makes it obligatory upon Chinese companies and other entities to share onshore and offshore data with the Government as and when called upon in the interest of national security.

Huawei in India

Some have argued that India would need to conclusively prove allegations of assisting the Chinese government in carrying out cyber espionage before taking any concrete steps to ban Huawei, otherwise India risks undermining its strategic autonomy and playing into the hands of the US. However, the argument seems focused exclusively on the rapid introduction and operationalization of 5G in India and ignores India’s previous run-ins with Huawei’s technology.

Telecom companies through the Cellular Operators Association of India have sought clarification from the Department of Telecommunications (DoT) on its stance qua usage of Huawei-manufactured equipment by telecom operators. Such a clarification is much needed, considering that Huawei has been kept on a see-saw since September 2018, when the US first started attempting to persuade allies to wall out Huawei in the 5G race. In India, Huawei was first excluded, then extended an invitation which was later rescinded. Huawei India’s CEO Jay Chen recently made a statement demanding a ‘level playing field’ for Huawei in the 5G trials, reiterating the request of the Chinese Government from December of last year.

Presently, telecom operators including Airtel and Vodafone use Huawei equipment in many of their circles in India. While the TRAI has highlighted the need for indigenizing of telecom infrastructure, the truth of the matter is that as on date, almost 60% of the Government’s telecom equipment, including especially that of BSNL is supplied by the Chinese companies ZTE and Huawei. This is despite the fact that BSNL’s allegations against Huawei of hacking into its networks were investigated in 2014. This makes the argument that requires conclusive proof of malicious activity difficult to sustain, if the security of the existing infrastructure has already been compromised in the past.

Huawei itself has urged the DoT for an expedited decision on its inclusion in the 5G trials, reportedly after having answered all queries posed to it by the DoT. The DoT appears divided on the issue – with one section that views it as an issue of not just technology, but also one of security with geopoilitcal ramifications, and the other seemingly inclined towards Huawei’s inclusion to maintain the competition and mitigate risks of relying on supplies from European vendors alone.

The New Berlin Wall and India’s Posturing

At the moment, India seems to have been caught in the middle of what has been dubbed as the New Cold War in tech–faced with prohibitively high prices on the one side, and a risk of Chinese cyber espionage on the other. On this point, some take the view that ‘what is cheap now may not be good in the long run’. National security choices require nations to make difficult trade-offs between economic and strategic goals and considerations, and the contours of the new ‘Great Powers’ relations are radically different to the one that ended with the fall of the Berlin Wall. The New York Times viewed the ban as one that is “about much more than crippling one Chinese tech giant”, and is forcing “nations to make an agonizing choice: Which side of the new Berlin Wall do they want to live on?”

In the collision of tech and trade, foreign policy choices of Governments are now closely intertwined with the commercial interests and health of the domestic telecom and tech industries. Although it is reassuring that India’s telecom minister seems intent on taking ‘a serious look’ at the technological advantage versus security concerns calculus before deciding on Huawei’s inclusion in the upcoming 5G trials, remedial and mitigation measures like reviving MTNL and BSNL services are measures for the long run. However, what makes India the desired location for ‘proxy wars’ in tech is the treasure trove of data that lies beneath the massive subscriber base of over 1.19 billion individuals to telecom services. As for the health of domestic markets, if anything, Indian telecom giants like Reliance Jio that uses 4G equipment manufactured by Samsung, could potentially stand to gain from the move, if Huawei were to be excluded from the Indian market and the 5G trials. It remains to be seen whether such a protectionist measure, following the footsteps of the US, would be introduced by the new Government that has re-risen to power on the promise of strengthening national security. A legitimate concern is the threat of retaliatory pressure tactics from the US if India does fail to do so.

It is notable that India has taken some measures to avoid offending the United States’ declared policies, while the decision on Huawei remains pending. A week after the ban, India stopped importing oil from Iran as well as Venezuela to comply with US sanctions after the US ended exemptions for eight countries including India. More recently, the US revoked India’s preferential trade status under the GSP (Generalised System of Preferences) trade program, alleging that India has not “assured the US that it will provide equitable and reasonable access to its markets”. The US-China trade war presents a similar spectrum of choices to India – while the Ministry of Commerce is mulling over the imposition of ‘retaliatory tariffs’, others take the position that India should cut interest rates to take advantage of the trade war to gain a stronger foothold in both markets.

Against the backdrop of this new political economy of the cybersecurity industry, a new kind of non-alignment seems to be emerging, creating an unmistakable split in traditional alliances between NATO members. Only two of the ‘Five Eyes Alliance’ of intelligence sharing other than the United States – Australia and New Zealand responded quickly by banning Huawei in their respective national jurisdictions. Some European counties, specifically – the UK and Germany, while also remaining mindful of the risks posed by Chinese covert activity through its tech industry that has undeniably acquired a global influence, are seemingly intent on not abandoning Huawei in the design of their 5G infrastructure. Canada too, while juggling the pending extradition of Huawei’s CFO to the US, appears determined to make an independent decision on the 5G question. At the moment, India’s policies seem to just as non-aligned as those of Germany or the United Kingdom – aimed at maintaining the free flow of investments and information while steadily moving towards indigenization of ICT and expansion of markets instead of encouraging protectionism to curb competition.

Until such time that India can completely indigenize the equipment, or alter its telecom equipment procurement policies across the board to exclude obvious threats to the integrity of our cybersecurity infrastructure, India’s choice seems to be a limited to a cybersecurity policy along the lines of the Nehruvian-era doctrine of non-alignment, perhaps with only slight tilt— this time, toward the United States? It would appear that the time is ripe for NaMo 2.0 to revisit the doctrine as NAM 2.0, in a manner that allows India to preserve the security alliance with one side, and an economic partnership to avoid disruptions and price escalations in our ICT supply chain on the other. In other words, the need of the hour is ‘to effectively manage our global opportunities to maximize our choices’ while preserving strategic autonomy.

Advertisements

Digitisation of Health / Medical Records: Is the law keeping up?

By Smitha Krishna Prasad

Medical and health records are increasingly digitised, and ease of access is considered one of the key benefits of this trend. However, patient privacy and security of such records are important concerns that need to be addressed both under the existing legal framework, and in terms of development of new laws.

Earlier this month, news reports suggested that private medical records of over 35000 patients had been made publicly available through the website of a diagnostic laboratory based in Mumbai. Reports indicate that the website of the lab was hacked. However, other reports specify that the lab has disclaimed liability, stating that any requirement for confidentiality is limited in applicability to doctors only. Further, the lab suggested that since they were shortly to be moving to a different system, there was no urgency in remedying the security flaws.

While the above seems to be an internal security issue on the part of the lab, we have seen that health records are a favourite for hackers, across the world. These records are then either held for ransom or sold by such hackers.

The healthcare industry as a whole is seen as one of the least secure industries globally. At the same time, medical and health records of individuals are increasingly being digitised. Individuals and institutions in the healthcare industry are digitising records within their organisations to improve ease of access. The Ministry of Health and Family Welfare, Government of India, is in the process of setting up an Integrated Health Information Platform, and has issued Electronic Health Record Standards (EHR Standards). The EHR Standards are meant to provide for creation and maintenance of health records in a standardised manner that would allow for interoperability across platforms and institutions across the country. There are many pros and cons to undertaking such a digitisation effort – however, this post is limited to examining the legal framework surrounding such digitisation and the protection of privacy of patients.

Current Legal Framework in India

Today, India does not have a comprehensive privacy law, or an industry specific privacy regulation that focuses on the healthcare / medical industry. We do have the Information Technology Act, 2000 (“IT Act”), and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“IT Rules”), as well as the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 (“MCI Code of Ethics”).

The MCI’s Code of Ethics provides that physicians must maintain medical records pertaining to patients for a period of 3 years from commencement of treatment. Further, physicians must also make such records available to patients, authorised attendants and legal authorities upon request. Physicians are also required to make efforts to computerise such records. While there is no specific provision on maintenance of privacy and security of these medical records, the MCI Code of Ethics does provide that confidences entrusted by patients to physicians must be not be revealed, unless required by law or in public interest. However, the MCI Code of Ethics is applicable to physicians i.e. doctors with MBBS or equivalent qualifications only.

On the other hand, the IT Act and the IT Rules are wider in application. They deal specifically with electronic records and require any person dealing with certain defined types of sensitive information, including medical records, to undertake data protection and security measures.

Any violation of the MCI Code of Ethics calls for disciplinary action against the concerned physician which could include removal of the physician’s name from the register of qualified physicians. The IT Act however, does not provide for any direct action or penalty in the case of non-compliance with the IT Rules, and relies on the person affected by the non-compliance to take action.

In addition to the MCI Code of Ethics and the IT Act, there are a few other laws such as the Medical Termination of Pregnancy Act, 1971 which provide for maintenance of confidentiality of patient information. However, these are largely specific to certain circumstances and are not comprehensive.

Potential Developments

In the absence of a comprehensive privacy and data protection law in India, some regulators have taken to establishing basic rules to protect consumers and individuals in their respective industries. For instance, the RBI places certain restrictions on the circumstances in which customer information can be shared by banks. Insurance and telecom companies are restricted from transferring certain customer information outside India.

Given the highly sensitive nature of medical / health related information, and recent trends of commoditisation of such information in the black market, such laws are much needed in the healthcare industry.

The EHR Standards do deal with certain aspects of privacy of patients and security of healthcare records. They prescribe several international standards to be adhered to by members of the healthcare industry while dealing with electronic health records. However, they appear to default back to the IT Act as the legislation that would govern the implementation of any data protection measures in relation to such records.

The Human Immunodeficiency Virus and Acquired Immune Deficiency Syndrome (Prevention and Control) Bill, 2014 also provides certain safeguards to ensure the privacy of patients, specifically in relation to their HIV status. Some concerns regarding the provisions of this bill have previously been discussed here. However, this proposed bill is again limited in scope, and does not apply across the medical industry.

Reports suggest that recognising the need for a more comprehensive law, the Central Government has taken up the initiative of drafting a healthcare industry specific privacy and data protection law.

Given that this law would be drafted from scratch, we suggest that it should be (a) holistic i.e. be applicable across the entire healthcare / medical industry, and not specifically to doctors / hospitals, and (b) technology agnostic, addressing medical / health information in any format, digitised or not.

The law should also take into account the internationally recognised privacy / fair information principles. These principles provide, among other things, for (a) collection of data by lawful means, and only when required (b) use of data for the purpose it is collected only, (c) adequate security measures to be undertaken to protect data, and (d) accountability and openness about policies in place for use and protection of data.

Further, to the extent that it provides for the digitisation of records, and implementation of EHR Standards, it should be ensured that, the principles of ‘privacy by design’ should be used. The concept of privacy by design stipulates that privacy and data protection measures must be built into any system as a default, taking a preventative approach to data protection rather than a remedial approach.

Another important concern is enforcement – our current laws such as the IT Act, do not provide for proactive enforcement in case of failure to protect privacy / data of individuals, and leave it up to the affected individuals to act. Ideally, a dedicated regulator with the ability to investigate and direct action against defaulters is required. Perhaps the role of the National e-Health Authority proposed by the Government could be expanded to deal with privacy and security of all health records and information.

While the idea of implementing a health privacy and data protection law is a welcome move, it remains to be seen how far this proposed legislation will go towards fully protecting patients’ rights.

NDTV INDIA BAN: A CASE OF REGULATORY OVERREACH AND INSIDIOUS CENSORSHIP?

In a highly contentious move, the Ministry of Information and Broadcasting (‘MIB’) issued an order banning the telecast of the Hindi news channel ‘NDTV India’ on 9^th November, 2016. The MIB imposed this ‘token penalty’ on NDTV India following the recommendation of an Inter-Ministerial Committee (‘IMC’). The IMC had found the channel liable for revealing “strategically sensitive information” during the coverage of Pathankot terrorist attacks on 4^th January, 2016. The ban has, however, been put on hold by the MIB after the Supreme Court agreed to hear a writ petition filed by NDTV India against the ban.

The order passed by the MIB raises some important legal issues regarding the freedom of speech and expression of the press. Since the news channels are constantly in the race for garnering Television Rating Points, they may sometimes overlook the letter of the law while covering sensitive incidents such as terrorist attacks. In such cases, regulation of the media becomes necessary. However, it is tricky to achieve an optimum balance between the various concerns at play here – the freedom of expression of the press and the people’s right to information, public interest and national security.

In this post, we discuss the background of the NDTV India case and the legal issues arising from it. We also analyze and highlight the effects of governmental regulation of the media and its impact on the freedom of speech and expression of the media.

NDTV Case – A Brief Background:

On January 29, 2016, the MIB had issued a show cause notice to NDTV India alleging that their coverage of the Pathankot military airbase attack had revealed vital information which could be used by terror operators to impede the counter-operations carried by the security forces. The notice also provided details regarding the alleged sensitive information revealed by NDTV India.

In its defence, the channel claimed that the coverage had been “balanced and responsible” and that it was committed to the highest levels of journalism. The channel also stated that the sensitive information allegedly revealed by the channel regarding critical defence assets and location of the terrorists was already available in the public domain at the time of reporting. It was also pointed out that other news channels which had reported on similar information had not been hauled up by the MIB.

However, the MIB, in its order dated January 2, 2016, held that NDTV India’s coverage contravened Rule 6(1)(p) of the Programme and Advertising Code (the ‘Programme Code’ or ‘Code’) issued under the Cable TV Network Rules, 1994 (‘Cable TV Rules’). In exercise of its powers under the Cable TV Networks (Regulation) Act, 1995 (‘Cable TV Act’) and the Guidelines for Uplinking of Television Channels from India, 2011, the MIB imposed a ‘token penalty’ of a day’s ban on the broadcast of the channel.

Rule 6(1)(p) of the Programme Code:

Rule 6 of the Code sets out the restrictions on the content of programmes and advertisements that can be broadcasted on cable TV. Rule 6(1)(p) and (q) were added recently. Rule 6(1)(p) was introduced after concerns were expressed regarding the real-time coverage of sensitive incidents like the Mumbai and Gurdaspur terror attacks by Indian media. It seeks to prevent disclosure of sensitive information during such live coverage that could act as possible information sources for terror operators.

Rule 6(1)(p) states that: “No programme should be carried in the cable service which contains live coverage of any anti-terrorist operation by security forces, wherein media coverage shall be restricted to periodic briefing by an officer designated by the appropriate Government, till such operation concludes.

Explanation: For the purposes of this clause, it is clarified that “anti-terrorist operation” means such operation undertaken to bring terrorists to justice, which includes all engagements involving justifiable use of force between security forces and terrorists.”

Rule 6(1)(p), though necessary to regulate overzealous media coverage especially during incidents like terrorist attacks, is vague and ambiguous in its phrasing. The term ‘live coverage’ has not been defined in the Cable TV Rules, which makes it difficult to assess its precise meaning and scope. It is unclear whether ‘live coverage’ means only live video feed of the operations or whether live updates through media reporting without visuals will also be considered ‘live coverage’.

Further, the explanation to Rule 6(1)(p) also leaves a lot of room for subjective interpretation. It is unclear whether the expression “to bring terrorists to justice” implies the counter operations should result in fatalities of the terrorists or if the intention is to include the coverage of the trial and conviction of the terrorists, if they were caught alive. If so, it would be highly impractical to bar such coverage under Rule 6(1)(p). The inherent vagueness of this provision gives wide discretion to the governmental authorities to decide whether channels have violated the provisions of the Code.

In this context, it is important to highlight that the Supreme Court had struck down Section 66A of the Information and Technology Act, 2000 in the case of Shreya Singhal vs. Union of India, on the ground of being vague and overboard. The Court had held that the vague and imprecise nature of the provision had a chilling effect on the freedom of speech and expression. Following from this, it will be interesting to see the stand of the Supreme Court when it tests the constitutionality of Rule 6(1)(p) in light of the strict standards laid down in Shreya Singhal and a spate of other judgments.

Freedom of Speech under Article 19(1)(a)

The right of the media to report news is rooted in the fundamental right to free speech and expression guaranteed under Article 19(1)(a) of the Constitution of India. Every right has a corresponding duty, and accordingly, the right of the media to report news is accompanied by a duty to function responsibly while reporting information in the interest of the public. The freedom of the media is not absolute or unbridled, and reasonable restrictions can be placed on it under Article 19(2).

In the present case, it can be argued that Rule 6(1)(p) fails to pass the scrutiny of Article 19(2) due to inherent vagueness in the text of the provision. However, the Supreme Court may be reluctant to deem the provision unconstitutional. This reluctance was demonstrated for instance, when the challenge to the constitutionality of the Cinematograph Act, 1952 and its attendant guidelines, for containing vague restrictions in the context of certifying films, was dismissed by the Supreme Court. The Censor Board has used the wide discretion available to it for placing unreasonable restrictions while certifying films. If the Supreme Court continues to allow such restrictions on the freedom of speech and expression, the Programme Code is likely to survive judicial scrutiny.

Who should regulate?

Another important issue that the Supreme Court should decide in the present case is whether the MIB had the power to impose such a ban on NDTV India. Under the current regulatory regime, there are no statutory bodies governing media infractions. However, there are self-regulatory bodies like the News Broadcast Standards Authority (NBSA) and the Broadcasting Content Complaint’s Council (BCCC).The NBSA is an independent body set up by the News Broadcasters Association for regulating news and current affairs channels. The BCCC is a complaint redressal system established by the Indian Broadcasting Foundation for the non-news sector and is headed by retired judges of the Supreme Court and High Courts. Both the NBSA and the BCCC regularly look into complaints regarding violations of the Programme Code. These bodies are also authorized to issue advisories, condemn, levy penalties and direct channels to be taken off air if found in contravention of the Programme Code.

The decision of the MIB was predicated on the recommendation made by IMC which comprises solely of government officials with no journalistic or legal background. The MIB should have considered referring the matter to a regulatory body with domain expertise like the NBSA that addresses such matters on a regular basis or at least should have sought their opinion before arriving at its decision.

Way Forward

Freedom of expression of the press and the impartial and fair scrutiny of government actions and policies is imperative for a healthy democracy. Carte blanche powers with the government to regulate the media as stipulated by Cable TV Act without judicial or other oversight mechanisms pose a serious threat to free speech and the independence of the fourth estate.

The imposition of the ban against NDTV India by the MIB under vague and uncertain provisions can be argued as a case of regulatory overreach and insidious censorship. The perils of such executive intrusion on the freedom of the media will have a chilling effect on the freedom of speech. This can impact the vibrancy of the public discourse and the free flow of information and ideas which sustains a democracy. Although the governmental decision has been stayed, the Supreme Court should intervene and clarify the import of the vague terms used in the Programme Code to ensure that the freedom of the press is not compromised and fair and impartial news reporting is not stifled under the threat of executive action.

“The Right to be Forgotten”: Balancing Personal Privacy with the Public’s right to access Information

Evolution of the right and Global framework

In the Internet age, when access to information is quick and easy, procuring personal information or past records about an individual is no longer a herculean task. The relevance of such information or the duration for which such data should be available for public access has hitherto not been debated.

There is growing global debate on a new right called “the right to be forgotten” or “the right of erasure”. This right allows people to request for removal of their personal information/data online after a period of time or if such information/data is no longer relevant. The origin of this right can be traced back to the French jurisprudence on the ‘right to oblivion’ or droit à l’oubli. The rationale behind this right was to allow criminal offenders who have already served their sentence to object to the publication of information regarding their crime and conviction. This was done to ease their process of social integration.

It was along these lines that the 1995 EU Data Protection Directive acknowledged the right to be forgotten. Under the Directive, it was stipulated that the member states should give people the guaranteed right to obtain from the ‘controller’ the rectification, erasure or blocking of data relating to them, the processing of which does not comply with the provisions of the Directive. The term ‘controller’ here refers to a natural or legal person, public authority, agency or any other body which alone or jointly determines the purposes and means of processing personal data.

In May 2014, the Court of Justice of the European Union (‘Court’) recognized the right to be forgotten as a part of the fundamental right to privacy in the Google case. The plaintiff, in this case, had requested for delinking of search results appearing on Google and the deletion of newspaper articles appearing online with respect to bankruptcy proceedings against him. The Court held that individuals have a right to request search engines to delink information which causes prejudice to them. However, the Court was careful to state that this right is not absolute and can be applied only when the data becomes ‘inadequate, irrelevant, excessive, not kept up to date, or kept for longer than necessary’ with respect to the purpose for which it was collected or processed. Accordingly, the Court directed Google to delink the search results in the instant case. It was further held that the publication of accurate data may be lawful at a given point in time, but in due course, it might become inconsistent with the law.

While the judgment in the Google case is a step in the right direction, it leaves much to be desired. The Court did not set out any guidelines or parameters to filter out information as ‘inadequate’ or ‘irrelevant’ or ‘excessive’. It has thrust the onerous task of balancing the right to privacy of an individual and the public’s right to access information on private search engines like Google. This raises critical questions regarding the suitability of private entities taking decisions which are of constitutional import. Pursuant to this judgment, the EU adopted the Data Protection Reforms which includes the right to be forgotten as an essential right under Article 17 of the Data Protection Regulations. This lays down the conditions for application of the right to be forgotten, and requires entities processing personal data to inform third parties regarding requests for erasure of links to any personal data. A detailed discussion of these regulations and their impact on India can be found here.

Challenges in enforcement

There are many legal and technical challenges in the enforcement of the right to be forgotten. The success rate of governments across the world in banning or removing pornographic websites or torrent sites from the Internet has not been great, since there are various ways of circumventing such bans. Further, the blocking or delinking of URLs by search engines does not guarantee that such information has been blocked or deleted from the Internet. There is also no way to ensure that such information is not uploaded again.

To enforce the ruling of the case discussed above, Google has created a mechanism through which an individual can make a request for taking down of or delinking of a specific search result bearing an individual’s name. Google evaluates such requests on various parameters like whether these results are an infringement on his right to privacy or whether such information is of public interest. In case of the former, the individual’s right to be forgotten trumps the public’s right to access information. However, if the information is of public interest, the right to information of the public prevails over privacy rights. This squarely makes Google the decision maker of the relevance, adequacy, and need for data to be available online for public access or not.

With the growing recognition of the right to be forgotten, the number of requests that search engines receive for taking down or delinking is only likely to increase, making it extremely difficult and cumbersome to scrutinize such requests manually. According to Google’s Transparency Report, as on 9^th October, 2016, Google had received 565,412 requests for the removal of URLs. The Report further states that it has already evaluated 1,717,714 URLs since May, 2014. The Report shows that Google has removed 43.2% of the URLs from the requests received. With a substantial increase in the number of requests, search engines may even consider using algorithms to deal with such requests instead of manually evaluating the privacy rights vis-à-vis public interest.

Further, search engines are also likely to tread on the side of caution and accept such requests rather than face expensive legal challenges across jurisdictions for non-compliance. This right may be misused by individuals as it will lead to artificial alteration of the content available online which may result in the delinking of pertinent information.

Recent developments in India

The data protection regime and data privacy laws of India are not comprehensive and dynamic enough to respond to technological advances in the modes of collection, transfer and use of personal information. The Information Technology Act, 2000 and the rules framed under the Act make up the primary legal framework that governs this subject. The Delhi High Court is currently hearing a matter (Laksh Vir Singh Yadav vs. Union of India, WP(C) 1021/2016) where the petitioner has requested for the removal of a judgment involving his mother and wife from an online case database. The petitioner claims that the appearance of his name in the judgment is causing prejudice to him and affecting his employment opportunities. It will be interesting to see the outcome of this case and how the larger debate of the right to privacy of an individual versus the right of public to access information unfolds in this case.

It is pertinent to note that the Delhi High Court is dealing with the request for removal of a court order which is a public document. This request is unusual and distinct from a request for delinking of search results appearing in search engines like Google since such delinking does not result in the removal of the information itself. Allowing the removal of such judgments from online case databases could result in the expunging of public records. Furthermore, the removal of judgments from online public databases will obstruct public access to case materials shedding light on critical questions of law.

While implementing the right to be forgotten, a very fine balance has to be struck between the right to freedom of speech and expression, public interest and personal privacy. To balance these conflicting rights, the judiciary may consider implementing a system where personal information like names, addresses etc. of the litigants are redacted from reportable judgments/orders especially in personal disputes. The courts have, in the past, refrained from divulging the identities of parties in order to respect their privacy in many rape or medico-legal cases.

With many unanswered questions surrounding this right, India requires a comprehensive data protection regime to regulate the entities collecting and processing personal data and to define the terms of use, storage and deletion of such personal data. This will ensure that such entities are obliged to take due care of the personal data in their possession and will also provide a framework for dealing with requests for removal or erasure of such personal data.

I&B Ministry forms Committee to regulate content in Government Advertising

Written By Joshita Pai

Following the direction by the Supreme Court, the Ministry of Information and Broadcasting issued an order last month establishing a three member committee to effectuate the Supreme Court Guidelines on Content Regulation of Government Advertising. Government advertising refers to the use of public funds by ruling parties to project their achievements or make announcements about upcoming initiatives. These advertisements however, have occasionally been politically motivated, demonstrating the need for the guidelines issued by the Court in the Common Cause judgment. The guidelines were issued on the basis of a report submitted by a Court-appointed committee on the issue of use of public funds in government advertising.

According to the recent MIB order, the Supreme Court Guidelines will function as a stopgap arrangement until a legislation comes into force to regulate the content projected in government sponsored advertisements. The body set up by the Ministry will address complaints from the general public on violation of the guidelines prescribed by  the Court. The Committee will be assisted by a member secretary, and will be set up parallelly at the state level, appointed by the respective State Governments. The three member body will be responsible for implementation of the SC guidelines on regulating content in government advertising.

Government Advertising

Government advertising is often regarded as informative and in public interest since it facilitates circulation of necessary information with respect to upcoming welfare schemes or the progress of government initiatives. However, advertisements of this nature are often used gain political mileage. This practice has been criticized for several reasons, ranging from arbitrary use of public funds to non-objective presentation of information. Colourful presentation of information on the part of the government does not foster public interest. The right to freedom of speech and expression exercisable by the government is not dispensable but Article 19 also grants the right to information, and accurate information at that, which stands in equal measure. Balancing conflicting interests in this regard is a herculean task.

Government advertising, unlike political advertising which also often transcends permissible boundaries, is sponsored by the use of public funds that governments in power have access to. According to the Election Commission of India, the expenditure on government sponsored advertisements is incurred by the public exchequer and is contrary to the spirit of free and fair election, as the party in power gets an undue advantage over other parties and candidates. The practice has beckoned the need for an oversight authority and a set of workable standards to regulate such advertising, which have been recommended time and again, most recently in the Law Commission Report on Electoral Reforms. Moreover, the Election Commission too has assessed the mushrooming phenomenon of advertising by existing governments. In furtherance of these observations, the ECI recommended that advertisements for achievements of existing governments, either Central or State, in any manner, should be prohibited for a period of six months prior to the date of expiry of the term of the House.

The Guidelines issued by the Supreme Court     

The case that brought about the guidelines was set in motion when Common Cause and the Centre for Public Interest Litigation sought to restrain the Union of India and State Governments from using public funds on government advertising. The petitioners emphasized that the object of these advertisements is generally to promote functionaries and candidates of a political party. One of the primary objections raised in the case was that such advertising is generally politically motivated. The petition called for the Court to issue comprehensive guidelines on usage of public funds on such advertisements. Giving due weightage to the plea, the Court appointed a committee to examine best practices in order to demarcate permissible advertising during campaigning from politically motivated advertisements. The committee submitted its report to the Supreme Court in September 2014 which contained a set of guidelines on content regulation in government advertising. These guidelines will be implemented by the committee established by the MIB.  

According to the Guidelines, government advertising “includes any message, conveyed and paid for by the government for placement in media such as newspapers, television, radio, internet, cinema and such other media but does not include classified advertisements; and includes both copy (written text/audio) and creatives (visuals/video/multimedia) put out in print, electronic, outdoor or digital media.”

The guidelines further suggest that government advertisements should be politically neutral and should not include photographs of political leaders unless it is essential, in which case only the photographs of the Prime Minister/Chief Minister or President/Governor may be used.  The enforceability of the guidelines has been left to the three member body which shall recommend actions accordingly.

According to the Guidelines, regulation of content should be guided by five fundamental principles:

1.  Advertising Campaigns to be related to Government responsibilities: The content of the government advertisement should be relevant to the government’s obligations and the rights of the citizens. 
2. Advertisement materials should be presented in an objective, fair, and accessible manner and be designed to meet the objectives of the campaign: The content and the design of the advertisement should be executed after exercise of due care and should not present previous policies of the government as new ones.
3. Advertisement materials should be objective and not directed at promoting political interests of ruling party: The advertisement should steer clear of making political arguments and should be neutral in nature and should not seek to influence public support.
4. Advertisement Campaigns must be justified and undertaken in an efficient and cost-effective manner: Optimum use of public funds and cost-effective advertisements reflect a need-based advertising approach
5. Government advertising must comply with legal requirements and financial regulations and procedures: The advertisements must be compliant with existing laws such as election laws and ownership rights.

Government advertisements are issued on several occasions. They are issued to present the completion of a successful tenure, to commemorate anniversaries of people and to announce public welfare projects. In these instances, the object of the advertisement can be achieved with objective presentation of information. The committee set up singularly seeks to ensure that the right of the government to use funds to sponsor advertisements is not misused.  

The New Data Protection Regulation and its Impact on India

Written By Joshita Pai

The European Parliament  adopted  the new Rules on Data Protection on the 14^th of April, 2016. The new Regulation replaces the General Rules on Data Protection, 1995 and the 2008 framework decision on cross-border data processing in police and judicial cooperation within the EU. In January 2012, the EU Commission first presented a package of proposals in order to update and modernize the present EU legal framework which was accepted subsequently by the Council in December 2015. The new data protection package consists of a general regulation on personal data processing in the EU and a directive on data processed by the police and judicial authorities.

Highlights of the Regulation

The regulation, establishes a stronger regime for protection of personal data by giving more control to the users in the digital market. It enshrines provisions on the much awaited right to be forgotten in the virtual space,[i] provisions  on the need for clear and affirmative consent and the right of an individual to be informed. Profiling of an individual by collecting a person’s data is often presented in the name of customized service and commercial interest of the company. The new regulation allows for a right to object against profiling unless it is necessary for legal enforcement purposes or for scientific research. The Directive also envisages provisions on data portability which will enable users to shift from one service provider to another, without losing the data accumulated in the use of the former.      Aside from vesting a bundle of rights in the hands of the users, the regulation makes way for an array of provisions for companies to abide by. The crucial provisions affecting business companies include:

1. Sanctions on companies that breach data transfer of upto 4% of annual profits: This provision in the regulation holds heavy bearing since its application extends to companies established outside the European Union. organisations will additionally be required to carry out data protection impact assessmentswhere their plans to process personal data are “likely to result in a high risk for the rights and freedoms of individuals”.
2. Provision for appointing a data protection officer if the company engages in processing of sensitive data: For businesses in which the “core activities” consist of processing operations that “by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale”; or if it involves processing sensitive data on a large scale, the new Directive recommends the mandatory appointment of a DPO.
3. The introduction of the new one-stop-shop concept in the Regulation: The Regulation states there will be a single supervisory authority who will be engaging with business houses, instead of one authority in each member state. The ‘one-stop-shop’ will streamline cooperation between the data protection authorities on issues with implications for all of Europe.

The Impact of the new EU Regulation on India

The cross-border flow of data from the EU states to other nations has been contentious, visibly so after the Schrems decision which rendered the EU-US safe harbour provision inadequate. The decision called for a new set of guidelines which resulted in the creation of the EU-US privacy shield.

The EU framework of 1995 as well as the enhanced edition of the Regulation, prescribes a mandatory adequacy decision to determine whether the country in question adequately protects personal data. The new Regulation, dedicates a chapter on transfer of personal data to third party countries, and India’s interest in the Directive lies here. It provides that:

“A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, or a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection.”

The European Commission in 2015 produced a report on Data Protection in India to assess the measures and standards adopted for protection of data in India. The report highlighted the lacunae in Indian laws pertaining to personal data. According to a recent survey by NASSCOM-DSCI, there is an opportunity loss of USD 2.0 billion – 2.5 billion owing to data transfer related issues. The report notes that EU clients are hesitant to offshore work to Indian companies because of the dearth of data protection standards in India. With particular regard to data protection, institutionalizing a regulatory regime in India has become a herculean task with no comprehensive legislation on data protection in force. Statutory attempts to this effect have either been dissipated across the arena or have not been effectively executed so far. The penalty of a 4% of annual turnover of a company on account of data breach is one of the outstanding features of the new Regulation and pitching this against the backdrop of a staggered regime on data protection in India indicates a host of repercussions.

Joshita Pai was a Fellow at the Centre for Communication Governance  (2015-2016) 

[i] ‘The right to be forgotten’ stirred up as a concept after a Spanish national sued Google Spain and a Spanish newspaper for retaining information about him that was published several years ago.

Anupam Kher’s Cockroach Tweet: Cultural Reference or Hate Speech?

Written by Siddharth Manohar

The noise surrounding the recent controversy regarding a tweet by Indian actor (and UN Ambassador for Gender Equality) Anupam Kher made it difficult to look into why it caught so much attention. That it did is beyond doubt, garnering over six thousand hits, significantly more than almost all of his other tweets. It was also followed by plenty of coverage and promotion from its audience, who responded while sharing their own views as well. Here I try to look at whether there was any basis for the criticism that the tweet received, and the degree to which it was justified.

To start off, it would be useful to reproduce the lines in their original form:

“घरों में पेस्ट कंट्रोल होता है तो कॉक्रोच, कीड़े मकोड़े इत्यादि बाहर निकलते है। घर साफ़ होता है।वैसे ही आजकल देश का पेस्ट कंट्रोल चल रहा है।”

Which translates into: “During pest control in houses, the cockroaches and other insects etc. are removed. The house gets cleaned. Similarly, pest control of the country is going on these days.”

On an initial reading, it is a harmless and vague insult. The use of the term ‘cockroach’, which has attracted the most attention, seems to be employed as a characterisation of anything undesirable, be they problems, politics, or people. As a standalone insult, it remains a lot less venomous as compared to some of the other material that one may find on the website. Apart from containing a reference to one of the actor’s films, it is also vague and targets no group explicitly. It is therefore understandable that the issue has its share of people who may be bewildered by what could possibly be quite so harmful in this particular tweet, and are likely to pass off criticism as an overreaction that seems to be increasingly common.

To understand if there is a valid criticism of the tweet, we look at the larger context in which such a term is understood. The comparing of groups of people to animals and pests has a long, concrete, and troubling history. The process has over time and study acquired the name of ‘dehumanisation’, the process by which language and discourse is used to make a group of people seem ‘less-than-human’. It is a widely documented and extremely effective method of incitement to violence.

The reasoning behind its usage in the process is also interesting and relevant. According to Helen Fein (Benesch, 2008), the purpose of this kind of discourse is to put a certain group of people outside the limits of moral considerations and obligations. This is because the default moral understanding of a majority of people is underpinned by the principle that it is unacceptable to carry out violent acts of hate, or to kill any person. The repeated categorisation of a group of people as the ‘other’, and the polarisation of their identity as a group not worthy of human respect or equal rights, has the effect on the mind of the larger public. Acts of violence and crimes start to seem more acceptable and less outrageous when committed against this group, and this process of dehumanisation escalates over time.

The narratives most often target a specific identity, most famously that of ethnicity and religious identity. The most prominent examples of this occur during the inter-war period in Germany, where there was a large amount of material alienating and dehumanising those of Jewish religion. The content was systematically churned out by state agencies instructed with an agenda. Similarly, the build-up to the Rwandan genocide in 1994 saw a very strong narrative which demonised the Tutsi ethnic group in Rwanda, labeling them as Inyenzi (cockroaches) that cannot contribute to society because of who they were, their basic identity. This narrative creates a larger feeling of resentment amongst the public against the people of the target group, making it easier to commit acts of violence against them. Susan Benesch would argue that there cannot in fact be a large scale violent attack against a group of people that live amongst a majority without the cooperation or the tacit acceptance of that larger group of people.

The comparison of people to pests and animals has repeatedly been used as a tool in this process of moulding public sentiment against certain groups of people. In these cases, the narrative that it served to created helped in the execution of large scale genocidal operations that have left millions of people killed over the decades. Dehumanisation has also been included as part of an academic study devising a ten-step model of genocide. The historical evidence is in overwhelming suggestion that the use of such terms to build a narrative is part of a larger build up towards organised violence based on lines of group identity.

To suggest that an Indian actor is sending out a call for violence is ill-thought out, and ignorant of the complexity of the issue. What does need to be observed however, is how easily discussions are used to create and divide identities, and what values are ascribed to these identities. While healthy and vociferous debate forms an important part of a democracy, also equally important is the tangible effect that speech can have on its immediate surroundings. It is the effects and the consequences (and harm) of speech that give rise to justifications for its regulation, and it is therefore always useful to keep a watchful eye on where public discourse takes us.