The Digital Personal Data Protection Bill, 2022 (“2022 Bill”) was released by the Ministry of Electronics and Information Technology on November 18, 2022, with the stated intent of being concise, comprehensible, and simplified for the citizens. For these reasons, the 2022 Bill has made significant changes to the framework of the earlier Personal Data Protection Bill, 2019 (“2019 Bill”), which was withdrawn earlier this August during the Monsoon session of the Parliament.
We have prepared this detailed tracker to record the changes made in the 2022 Bill, and compared the differences in the key provisions of the 2022 Bill and the 2019 Bill. This tracker can be a helpful reference while analysing the two Bills, or even a quick guide to the changes brought out in the 2022 Bill.
This tracker has used the 2019 Bill as reference for the changes, as this was the last version of the Data Protection Bill which was introduced before the Parliament as a comprehensive legislation. We have analysed each clause and sub-clause of the 2022 Bill and compared it to the corresponding provisions of the 2019 Bill. We have provided the full text of the provisions (highlighting the differences) as well as a brief summary of changes under the 2022 Bill. Readers may use the 2022 Bill as the base, when looking for the changes made to specific provisions of the 2019 Bill.
As the public and expert analyses and opinions on the 2022 Bill are still being developed, we invite comments on any errors or omissions of corresponding provisions which may be present in this tracker.
On 26th May 2022, the Ministry of Electronics and Information Technology (MeitY), released the Draft National Data Governance Framework Policy (NDG Policy) for feedback and public comments. CCG submitted its comments on the NDG Policy, highlighting its feedback and key concerns with the proposed Data Governance Framework. The comments were authored by Joanne D’Cunha and Bilal Mohamed, and reviewed and edited by Jhalak M. Kakkar and Shashank Mohan.
The draft National Data Governance Framework Policy is a successor to the draft ‘India Data Accessibility and Use’ Policy, which was circulated in February 2022 for public comments and feedback. Among other objectives, the NDG policy aims to “enhance access, quality, and use of data to enable a data-led governance” and “catalyze AI and Data led research and start-up ecosystem”.
CCG’s comments to the MeitY are divided into five parts –
In Part I, of the comments we foreground our concerns by emphasising the need for comprehensive data protection legislation to safeguard citizens from potential privacy risks before implementing a policy around non-personal data governance.
In Part II, we focus on the NDG Policy’s objectives, scope, and key terminologies. We highlight that the NDG Policy lacks in sufficiently defining key terms and phrases such as non personal data, anonymisation, data usage rights, Open Data Portal, Chief Data Officers (CDOs), datasets ecosystem, and ownership of data. Having clear definitions will bring in much needed clarity and help stakeholders appreciate the objectives and implications of the policy. This also improves engagement from the stakeholders including the government in the policy consultation process. This also enhances engagement from the stakeholders, including the various government departments, in the policy consultation process. We also highlight that the policy does not illustrate how it will intersect and interact with other proposed data governance frameworks such as the Data Protection Bill 2021 and the Non Personal Data Governance Framework. We express our concerns around the NDG Policy’s objective of cataloguing datasets for increased processing and sharing of data matching with the aim to deploy AI more efficiently. It relies on creating a repository of data to further analytics, and AI and data led research. However, it does not take into consideration that increasing access to data might not be as beneficial if computational powers of the relevant technologies are inadequate. Therefore, it may be more useful if greater focus is placed on developing computing abilities as opposed to increasing the quantum of data used.
In Part III, we focus on the privacy risks, highlighting concerns around the development and formulation of anonymisation standards given the threat of re-identification from the linkage of different datasets. This, we argue, can pose significant risks to individual privacy, especially in the absence of a data protection legislation that can provide safeguards and recognise individual rights over personal data. In addition to individual privacy harms, we also point to the potential for collective harms from using aggregated data. To this end, we suggest the creation of frameworks that can keep up with the increased risks of reidentification posed by new and emerging technologies.
Part IV of our comments explores the institutional framework and regulatory structure of the proposed India Data Management Office. The proposed IDMO is responsible for framing, managing, reviewing, and revising the NDG Policy. Key concerns on the IDMO’s functioning pertain to the exclusion of technical experts and representatives of civil society and industry in the IDMO. There is also ambiguity on the technical expertise required for Chief Digital Officers of the Digital Management Units of government departments and ministries, and the implementation of the redressal mechanism. In this section, we also highlight the need for a framework within the Policy to define how user charges will be determined for data access. This is particularly relevant to ensure that access to datasets is not skewed and is available to all for the public good.
You can read our full submission to the ministry here.
The right to be forgotten empowers individuals to seek de-indexing, erasure, or deletion of their personal data. The right is significant because it enables an individual to “determine the development of their life in an autonomous way, without being perpetually or periodically stigmatised because of specific actions performed in the past”. However,the right to seek the erasure of information from the public domain conflicts with the right to freedom of expression and the right to access information. Thus, even jurisdictions that statutorily recognise the right to be forgotten enforce it in limited circumstances.
In 2014, the European Court of Justice (ECJ) recognised the right in Google Spain SL and Google Inc v Mario Costeja González where the court directed Google to de-index a newspaper article because it disclosed the financial history of the petitioner. De-indexing would remove the site from the search engine’s index (in this case, Google’s) but not from the source web page. The Court noted that in general the petitioner’s (i.e., the data subject’s) rights would override Google’s (i.e., the data controller’s) legitimate interest of prominently publishing the article, however a balance had to be struck depending on the nature of the information, particularly if the information was of interest to the public. In another judgment, Google LLC v CNIL the ECJ ruled that an obligation on a search engine to de-index a webpage for users in the EU did not extend to de-indexing the page in other jurisdictions. Subsequently, Article 17 of the General Data Protection Regulation of the European Union gave statutory recognition to the ‘right to be forgotten’. This Article empowers data subjects to seek the erasure of their personal data, if, among other things,there is no overriding legitimate cause (such as public interest) in the continued processing of their data.
In India, the right is yet to gain statutory recognition. Clause 20 of Data Protection Bill 2021 (‘DPB’), which has been recently scrutinised by a Joint Parliamentary Committee, recognises the right of data principals (i.e., individuals) to prevent the ‘continuing disclosure’ of personal data, if: (i) it has served the purpose for which it was collected or is no longer necessary for the said purpose; (ii) consent for such processing is withdrawn; or (iii) if the disclosure is contrary to any law. However, the right can only be enforced by an order of an Adjudication Officer appointed under the DPB. To get a favourable order, the data principal must demonstrate to the Officer that the interest in preventing the continued disclosure of their data overrides the right to freedom of speech and expression and the right to information of other citizens and the right of the data fiduciary to retain, use and process such data in accordance with provisions of DPB.
While the DPB is yet to be enacted into law, the Privacy High Court Tracker, launched by the Centre for Communication Governance as a part of its Privacy Law Library shows that High Courts across the country have begun to determine the contours of the right to be forgotten as applicable to Indians. Most notable is the Orissa High Court’s decision in Subhranshu Rout @ Gogul v the State of Odisha. This case did not involve a pleading seeking erasure of information. Instead, the discussion on the right to be forgotten arose when a person accused of sexually harassing a woman and uploading images of her on Facebook sought bail. In its judgment rejecting the bail application, the Court noted that while the Indian criminal justice system prescribes strong penal action against the alleged actions of the bail applicant, it did not provide any mechanism to delete the objectionable material from social media permanently. The Court found that allowing such offensive material to remain on social media was an affront to the victim’s privacy rights. The Court discussed the right to be forgotten extensively but did not order the removal of the objectionable material because of a lack of enabling legislation. At the same time, the Court permitted the victim to approach the Court separately, for the erasure of the offensive posts.
The Orissa High Court in Subhranshu Rout was presented with facts that did not require balancing the victim’s rights with the public interest. Unlike the Orissa High Court, the Delhi High Court, on at least two occasions, has passed interim orders enforcing the right to be forgotten against content that may have been in the public interest. The first was the case of Zulfiqar Ahman Khan v Quintillion Business Media. In Zulfiqar, the plaintiff had sought a permanent injunction against the defendant, which had published two articles documenting sexual harassment complaints against him as a part of the #MeToo campaign. After the defendants had agreed to take down the article during the pendency of the suit (without prejudice to their rights), the plaintiffs asked for an injunction against re-publication of the article by third parties. Again, this was not an application seeking erasure of information. Instead, it was a case of plaintiff seeking enforcement of injunction against re-publication of previously injuncted content. But in paragraph 9, the Court cited the right to be forgotten of the plaintiffs as one of the reasons to prevent re-publication of the article. However, the Court did not explain why the plaintiff’s right to privacy should be protected over the right to freedom of speech of the defendants and the right to information of the public at large.
The second case was an interim order in Jorawar Singh Mundy v Union of Indiawhere the petitioner sought the removal of a reported judgment from the public domain. In the judgment, the petitioner’s acquittal was upheld by the Delhi High Court. The petitioner’s grievance was that he faced a considerable disadvantage in seeking employment because the judgement showed up whenever anyone conducted a background verification on him. The Court directed Google to de-index the judgment and directed Indian Kanoon (the website where the judgement was posted) to block the judgement from being accessed via search engines. This interim order is subject to change based on the final decision of the Court, but this case is significant because in Jorawar, unlike the cases mentioned above,the petitioner expressly sought enforcement of his right to be forgotten which was granted by the Court.
However in a similar case, the Madras High Court in Karthik Theodre v Registrar General, Madras High Court, in its final decision dated 3 August 2021, adopted a different approach. The petitioner, therein, also sought destruction or erasure or redaction of personal information from a court decision (a judgment of acquittal) that was available in the public domain. While in its interim order, the Court found that a prima facie case was made out for redacting his name, the final judgment recorded that granting such a plea would lead to ‘utter confusion’ in the absence of a proper policy. The Court also observed that it would be more appropriate to await the enactment of data protection legislation which might provide an objective criterion to be followed while dealing with pleas of redaction of names of accused persons who were acquitted from criminal proceedings.
The Supreme Court has also considered the balance between the right to privacy and freedom of speech and expression in the context of judicial orders in R. Rajagopal v State of Tamil Nadu. In that case, the Court recognised that the right to privacy is implicit under Article 21. Still, it did not extend the protection to individuals from publications based on public records, including Court records. The Apex Court also noted that the exception to this rule must be carved out in cases involving a female victim of sexual assault who ‘should not be subjected to the indignity of [being identified by] her name.’ Considering the ease with which personal data can be accessed in the digital age, the scope of the exception may be expanded to include those cases where the publication of a judgment is unjust – as in the case of Jorawar Singh Mundy,where continued publication of the petitioner’s case did not contribute to public discourse but adversely affected his life. However, as the Madras High Court correctly points out, this should not be done in an ad-hoc manner without objective criteria, ideally provided by legislation or a policy formulated by courts themselves.
Nevertheless, until such criteria are enacted in the form of data protection legislation, which may take a while, the High Courts will continue to formulate the law on the right to be forgotten. The Madras High Court may have passed the buck to the legislature, but the Delhi High Court or the Kerala High Court where another case is pending, may not do so. But consistency across courts, especially in the context of judicial orders, is necessary.
Disclaimer – The author is part of the legal team representing Indian Kanoon in a case related to the right to be forgotten which is pending before the Kerala High Court
The Supreme Court of the US (SCOTUS) has carved out the right to privacy from various provisions of the US constitution, particularly the first, fourth, fifth, ninth and fourteenth amendments to the US constitution. The Court has included the right to privacy in varying contexts through an expansive interpretation of the constitutional provisions. For instance, the Court has read privacy rights into the first amendment for protecting private possession of obscene material from State intrusion; the fourth amendment for protecting privacy of the person and possessions from unreasonable State intrusion; and the fourteenth amendment which recognises an individual’s decisions about abortion and family planning as part of their right of liberty that encompasses aspects of privacy such as dignity and autonomy under the amendment’s due process clause.
The right to privacy is not expressly provided for in the US constitution. However, the Court identified an implicit right to privacy, for the very first time, in Griswold v. Connecticut(1965) in the context of the right to use contraceptives/ marital privacy. Since then, the Court has extended the scope to include, inter alia, reasonable expectation of privacy against State intrusion in Katz v. United States (1967), abortion rights of women in Roe v. Wade (1973), and right to sexual intimacy between consenting adults of the same-sex in Lawrence v. Texas (2003).
The US privacy framework consists of several privacy laws and regulations developed at both the federal and state level. As of now, the US privacy laws are primarily sector specific, instead of a single comprehensive federal data protection law like the European Union’s General Data Protection Regulation (GDPR) and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). However, there are certain states in the US like California that have enacted comprehensive privacy laws, comparable to the GDPR and PIPEDA. The California Consumer Privacy Act (CCPA) which came into effect on January 1, 2020 aims to protect consumers’ privacy across industry. It codifies certain rights and remedies for consumers, and obligations for entities/businesses. One of its main aims is to provide consumers more control over their data by obligating businesses to ensure transparency about how they collect, use, share and sell consumer data.
India is in the midst of establishing a robust data governance framework, which will impact the rights and liabilities of all key stakeholders – the government, private entities, and citizens at large. As a parliamentary committee debates its first personal data protection legislation (‘PDPB 2019’), proposals for the regulation of non-personal data and a data empowerment and protection architecture are already underway.
As data processing capabilities continue to evolve at a feverish pace, basic data protection regulations like the PDPB 2019 might not be sufficient to address new challenges. For example, big data analytics renders traditional notions of consent meaningless as users have no knowledge of how such algorithms behave and what determinations are made about them by such technology.
Creative data governance models, which are aimed at reversing the power dynamics in the larger data economy are the need of the hour. Recognising these challenges policymakers are driving the conversation on data governance in the right direction. However, they might be missing out on crucial experiments being run in other parts of the world.
As users of digital products and services increasingly lose control over data flows, various new models of data governance are being recommended for example, data trusts, data cooperatives, and data commons. Out of these, one of the most promising new models of data governance is – data trusts.
(For the purposes of this blog post, I’ll be using the phrase data processors as an umbrella term to cover data fiduciaries/controllers and data processors in the legal sense. The word users is meant to include all data principals/subjects.)
What are data trusts?
Though there are various definitions of data trusts, one which is helpful in understanding the concept is – ‘data trusts are intermediaries that aggregate user interests and represent them more effectively vis-à-vis data processors.’
To solve the information asymmetries and power imbalances between users and data processors, data trusts will act as facilitators of data flow between the two parties, but on the terms of the users. Data trusts will act in fiduciary duty and in the best interests of its members. They will have the requisite legal and technical knowledge to act on behalf of users. Instead of users making potentially ill-informed decisions over data processing, data trusts will make such decisions on their behalf, based on pre-decided factors like a bar on third-party sharing, and in their best interests. For example, data trusts to users can be what mutual fund managers are to potential investors in capital markets.
Currently, in a typical transaction in the data economy, if users wish to use a particular digital service, neither do they have the knowledge to understand the possible privacy risks nor the negotiation powers for change. Data trusts with a fiduciary responsibility towards users, specialised knowledge, and multiple members might be successful in tilting back the power dynamics in favour of users. Data trusts might be relevant from the perspective of both the protection and controlled sharing of personal as well as non-personal data.
(MeitY’s Non-Personal Data Governance Framework introduces the concept of data trustees and data trusts in India’s larger data governance and regulatory framework. But, this applies only to the governance of ‘non-personal data’ and not personal data, as being recommended here. CCG’s comments on MeitY’s Non-Personal Data Governance Framework, can be accessed – here)
Challenges with data trusts
Though creative solutions like data trusts seem promising in theory, they must be thoroughly tested and experimented with before wide-scale implementation. Firstly, such a new form of trusts, where the subject matter of the trust is data, is not envisaged by Indian law (see section 8 of the Indian Trusts Act, 1882, which provides for only property to be the subject matter of a trust). Current and even proposed regulatory structures don’t account for the regulation of institutions like data trusts (the non-personal data governance framework proposes data trusts, but only as data sharing institutions and not as data managers or data stewards, as being suggested here). Thus, data trusts will need to be codified into Indian law to be an operative model.
Secondly, data processors might not embrace the notion of data trusts, as it may result in loss of market power. Larger tech companies, who have existing stores of data on numerous users may not be sufficiently incentivised to engage with models of data trusts. Structures will need to be built in a way that data processors are incentivised to participate in such novel data governance models.
Thirdly, the business or operational models for data trusts will need to be aligned to their members i.e. users. Data trusts will require money to operate – for profit entities may not have the best interests of users in mind. Subscription based models, whether for profit or not, might fail as users are habitual to free services. Donation based models might need to be monitored closely for added transparency and accountability.
Lastly, other issues like creation of technical specifications for data sharing and security, contours of consent, and whether data trusts will help in data sharing with the government, will need to be accounted for.
Privacy centric data governance models
At this early stage of developing data governance frameworks suited to Indian needs, policymakers are at a crucial juncture of experimenting with different models. These models must be centred around the protection and preservation of privacy rights of Indians, both from private and public entities. Privacy must also be read in its expansive definition as provided by the Supreme Court in JusticeK.S. Puttaswamy vs. Union of India. The autonomy, choice, and control over informational privacy are crucial to the Supreme Court’s interpretation of privacy.
(CCG’s privacy law database that tracks privacy jurisprudence globally and currently contains information from India and Europe, can be accessed – here)
The Personal Data Protection Bill, 2019 (PDP Bill/ Bill) was introduced in the Lok Sabha on December 11, 2019 , and was immediately referred to a joint committee of the Parliament. The joint committee published a press communique on February 4, 2020 inviting comments on the Bill from the public.
The Bill is the successor to the Draft Personal Data Protection Bill 2018 (Draft Bill 2018), recommended by a government appointed expert committee chaired by Justice B.N. Srikrishna. In August 2018, shortly after the recommendations and publication of the draft Bill, the Ministry of Electronics and Information Technology (MeitY) invited comments on the Draft Bill 2018 from the public. (Our comments are available here.)[1]
In this post we undertake a preliminary examination of:
The scope and applicability of the PDP Bill
The application of general data protection principles
The rights afforded to data subjects
The exemptions provided to the application of the law
In future posts in the series we will examine the Bill and look at the:
The restrictions on cross border transfer of personal data
The structure and functions of the regulatory authority
The enforcement mechanism and the penalties under the PDP Bill
Scope and Applicability
The Bill identifies four different categories of data. These are personal data, sensitive personal data, critical personal data and non-personal data
Personal data is defined as “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling”. (emphasis added)
The addition of inferred data in the definition realm of personal data is an interesting reflection of the way the conversation around data protection has evolved in the past few months, and requires further analysis.
Sensitive personal data is defined as data that may reveal, be related to or constitute a number of different categories of personal data, including financial data, health data, official identifiers, sex life, sexual orientation, genetic data, transgender status, intersex status, caste or tribe, and religious and political affiliations / beliefs. In addition, under clause 15 of the Bill the Central Government can notify other categories of personal data as sensitive personal data in consultation with the Data Protection Authority and the relevant sectoral regulator.
Similar to the 2018 Bill, the current bill does not define critical personal data and clause 33 provides the Central Government the power to notify what is included under critical personal data. However, in its report accompanying the 2018 Bill, the Srikrishna committee had referred to some examples of critical personal data that relate to critical state interest like Aadhaar number, genetic data, biometric data, health data, etc.
The Bill retains the terminology introduced in the 2018 Draft Bill, referring to data controllers as ‘data fiduciaries’ and data subjects ‘data principals’. The new terminology was introduced with the purpose of reflecting the fiduciary nature of the relationship between the data controllers and subjects. However, whether the use of the specific terminology has more impact on the protection and enforcement of the rights of the data subjects still needs to be seen.
Application of PDP Bill 2019
The Bill is applicable to (i) the processing of any personal data, which has been collected, disclosed, shared or otherwise processed in India; (ii) the processing of personal data by the Indian government, any Indian company, citizen, or person/ body of persons incorporated or created under Indian law; and (iii) the processing of personal data in relation to any individuals in India, by any persons outside of India.
The scope of the 2019 Bill, is largely similar in this context to that of the 2018 Draft Bill. However, one key difference is seen in relation to anonymised data. While the 2018 Draft Bill completely exempted anonymised data from its scope, the 2019 Bill does not apply to anonymised data, except under clause 91 which gives the government powers to mandate the use and processing of non-personal data or anonymised personal data under policies to promote the digital economy. There are a few concerns that arise in context of this change in treatment of anonymised personal data. First, there are concerns on the concept of anonymisation of personal data itself. While the Bill provides that the Data Protection Authority (DPA) will specify appropriate standards of irreversibility for the process of anonymisation, it is not clear that a truly irreversible form of anonymisation is possible at all. In this case, we need more clarity on what safeguards will be applicable for the use of anonymised personal data.
Second, is the Bill’s focus on the promotion of the digital economy. We have previously discussed some of the concerns regarding focus on the promotion of digital economy in a rights based legislation inour comments to the Draft Bill 2018.
These issues continue to be of concern, and are perhaps heightened with the introduction of a specific provision on the subject in the 2019 Bill (especially without adequate clarity on what services or policy making efforts in this direction, are to be informed by the use of anonymised personal data). Many of these issues are also still under discussion by thecommittee of experts set up to deliberate on data governance framework (non-personal data). The mandate of this committee includes the study of various issues relating to non-personal data, and to make specific suggestions for consideration of the central government on regulation of non-personal data.
The formation of the non-personal data committee was in pursuance of a recommendation by the Justice Srikrishna Committee to frame a legal framework for the protection of community data, where the community is identifiable. The mandate of the expert committee will overlap with the application of clause 91(2) of the Bill.
Data Fiduciaries, Social Media Intermediaries and Consent Managers
Data Fiduciaries
As discussed above the Bill categorises data controllers as data fiduciaries and significant data fiduciaries. Any person that determines the purpose and means of processing of personal data, (including the State, companies, juristic entities or individuals) is considered a data fiduciary. Some data fiduciaries may be notified as ‘significant data fiduciaries’, on the basis of factors such as the volume and sensitivity of personal data processed, the risks of harm etc. Significant data fiduciaries are held to higher standards of data protection. Under clauses 27-30, significant data fiduciaries are required to carry out data protection impact assessments, maintain accurate records, audit policy and the conduct of its processing of personal data and appoint a data protection officer.
Social Media Intermediaries
The Bill introduces a distinct category of intermediaries called social media intermediaries. Under clause 26(4) a social media intermediary is ‘an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services’. Intermediaries that primarily enable commercial or business-oriented transactions, provide access to the Internet, or provide storage services are not to be considered social media intermediaries.
Social media intermediaries may be notified to be significant data fiduciaries, if they have a minimum number of users, and their actions have or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India.
Under clause 28 social media intermediaries that have been notified as a significant data fiduciaries will be required to provide for voluntary verification of users to be accompanied with a demonstrable and visible mark of verification.
Consent Managers
The Bill also introduces the idea of a ‘consent manager’ i.e. a (third party) data fiduciary which provides for management of consent through an ‘accessible, transparent and interoperable platform’. The Bill does not contain any details on how consent management will be operationalised, and only states that these details will be specified by regulations under the Bill.
Data Protection Principles and Obligations of Data Fiduciaries
Consent and grounds for processing
The Bill recognises consent as well as a number of other grounds for the processing of personal data.
Clause 11 provides that personal data shall only be processed if consent is provided by the data principal at the commencement of processing. This provision, similar to the consent provision in the 2018 Draft Bill, draws from various principles including those under the Indian Contract Act, 1872 to inform the concept of valid consent under the PDP Bill. The clause requires that the consent should be free, informed, specific, clear and capable of being withdrawn.
Moreover, explicit consent is required for the processing of sensitive personal data. The current Bill appears to be silent on issues such as incremental consent which were highlighted in our comments in the context of the Draft Bill 2018.
The Bill provides for additional grounds for processing of personal data, consisting of very broad (and much criticised) provisions for the State to collect personal data without obtaining consent. In addition, personal data may be processed without consent if required in the context of employment of an individual, as well as a number of other ‘reasonable purposes’. Some of the reasonable purposes, which were listed in the Draft Bill 2018 as well, have also been a cause for concern given that they appear to serve mostly commercial purposes, without regard for the potential impact on the privacy of the data principal.
In a notable change from the Draft Bill 2018, the PDP Bill, appears to be silent on whether these other grounds for processing will be applicable in relation to sensitive personal data (with the exception of processing in the context of employment which is explicitly barred).
Other principles
The Bill also incorporates a number of traditional data protection principles in the chapter outlining the obligations of data fiduciaries. Personal data can only be processed for a specific, clear and lawful purpose. Processing must be undertaken in a fair and reasonable manner and must ensure the privacy of the data principal – a clear mandatory requirement, as opposed to a ‘duty’ owed by the data fiduciary to the data principal in the Draft Bill 2018 (this change appears to be in line with recommendations made in multiple comments to the Draft Bill 2018 by various academics, including our own).
Purpose and collection limitation principles are mandated, along with a detailed description of the kind of notice to be provided to the data principal, either at the time of collection, or as soon as possible if the data is obtained from a third party. The data fiduciary is also required to ensure that data quality is maintained.
A few changes in the application of data protection principles, as compared to the Draft Bill 2018, can be seen in the data retention and accountability provisions.
On data retention, clause 9 of the Bill provides that personal data shall not be retained beyond the period ‘necessary’ for the purpose of data processing, and must be deleted after such processing, ostensibly a higher standard as compared to ‘reasonably necessary’ in the Draft Bill 2018. Personal data may only be retained for a longer period if explicit consent of the data principal is obtained, or if retention is required to comply with law. In the face of the many difficulties in ensuring meaningful consent in today’s digital world, this may not be a win for the data principal.
Clause 10 on accountability continues to provide that the data fiduciary will be responsible for compliance in relation to any processing undertaken by the data fiduciary or on its behalf. However, the data fiduciary is no longer required to demonstrate such compliance.
Rights of Data Principals
Chapter V of the PDP Bill 2019 outlines the Rights of Data Principals, including the rights to access, confirmation, correction, erasure, data portability and the right to be forgotten.
Right to Access and Confirmation
The PDP Bill 2019 makes some amendments to the right to confirmation and access, included in clause 17 of the bill. The right has been expanded in scope by the inclusion of sub-clause (3). Clause 17(3) requires data fiduciaries to provide data principals information about the identities of any other data fiduciaries with whom their personal data has been shared, along with details about the kind of data that has been shared.
This allows the data principal to exert greater control over their personal data and its use. The rights to confirmation and access are important rights that inform and enable a data principal to exercise other rights under the data protection law. As recognized in the Srikrishna Committee Report, these are ‘gateway rights’, which must be given a broad scope.
Right to Erasure
The right to correction (Clause 18) has been expanded to include the right to erasure. This allows data principals to request erasure of personal data which is not necessary for processing. While data fiduciaries may be allowed to refuse correction or erasure, they would be required to produce a justification in writing for doing so, and if there is a continued dispute, indicate alongside the personal data that such data is disputed.
The addition of a right to erasure, is an expansion of rights from the 2018 Bill. While the right to be forgotten only restricts or discontinues disclosure of personal data, the right to erasure goes a step ahead and empowers the data principal to demand complete removal of data from the system of the data fiduciary.
Many of the concerns expressed in the context of the Draft Bill 2018, in terms of the procedural conditions for the exercise of the rights of data principals, as well as the right to data portability specifically, continue to persist in the PDP Bill 2019.
Exceptions and Exemptions
While the PDP Bill ostensibly enables individuals to exercise their right to privacy against the State and the private sector, there are several exemptions available, which raise several concerns.
The Bill grants broad exceptions to the State. In some cases, it is in the context of specific obligations such as the requirement for individuals’ consent. In other cases, State action is almost entirely exempted from obligations under the law. Some of these exemptions from data protection obligations are available to the private sector as well, on grounds like journalistic purposes, research purposes and in the interests of innovation.
The most concerning of these provisions, are the exemptions granted to intelligence and law enforcement agencies under the Bill. The Draft Bill 2018, also provided exemptions to intelligence and law enforcement agencies, so far as the privacy invasive actions of these agencies were permitted under law, and met procedural standards, as well as legal standards of necessity and proportionality. We have previously discussed some of the concerns with this approach here.
The exemptions provided to these agencies under the PDP Bill, seem to exacerbate these issues.
Under the Bill, the Central Government can exempt an agency of the government from the application of this Act by passing an order with reasons recorded in writing if it is of the opinion that the exemption is necessary or expedient in the interest of sovereignty and integrity, security of the state, friendly relations with foreign states, public order; or for preventing incitement to the commission of any cognizable offence relating to the aforementioned grounds. Not only have the grounds on which government agencies can be exempted been worded in an expansive manner, the procedure of granting these exemptions also is bereft of any safeguards.
The executive functioning in India suffers from problems of opacity and unfettered discretion at times, which requires a robust system of checks and balances to avoid abuse. The Indian Telegraph Act, 1885 (Telegraph Act) and the Information Technology Act, 2000 (IT Act) enable government surveillance of communications made over telephones and the internet. For drawing comparison here, we primarily refer to the Telegraph Act as it allows the government to intercept phone calls on similar grounds as mentioned in clause 35 of the Bill by an order in writing. However, the Telegraph Act limits the use of this power to two scenarios – occurrence of a public emergency or in the interest of public safety. The government cannot intercept communications made over telephones in the absence of these two preconditions. The Supreme Court in People’s Union for Civil Liberties v. Union of India, (1997) introduced guidelines to check abuse of surveillance powers under the Telegraph Act which were later incorporated in Rule 419A of the Indian Telegraph Rules, 1951. A prominent safeguard included in Rule 419A requires that surveillance and monitoring orders be issued only after considering ‘other reasonable means’ for acquiring the required information. The court had further limited the scope of interpretation of ‘public emergency’ and ‘public safety’ to mean “the prevalence of a sudden condition or state of affairs affecting the people at large and calling for immediate action”, and “the state or condition of freedom from danger or risk at large” respectively. In spite of the introduction of these safeguards, the procedure of intercepting telephone communications under the Telegraph Act is criticised for lack of transparency and improper implementation. For instance, a 2014 report revealed that around 7500 – 9000 phone interception orders were issued by the Central Government every month. The application of procedural safeguards, in each case would have been physically impossible given the sheer numbers. Thus, legislative and judicial oversight becomes a necessity in such cases.
The constitutionality of India’s surveillance apparatus inclduing section 69 of the IT Act which allows for surveillance on broader grounds on the basis of necessity and expediency and not ‘public emergency’ and ‘public safety’, has been challenged before the Supreme Court and is currently pending. Clause 35 of the Bill also mentions necessity and expediency as prerequisites for the government to exercise its power to grant exemption, which appear to be vague and open-ended as they are not defined. The test of necessity, implies resorting to the least intrusive method of encroachment up on privacy to achieve the legitimate state aim. This test is typically one among several factors applied in deciding on whether a particular intrusion on a right is tenable or not, under human rights law. In his concurring opinion in Puttaswamy (I) J. Kaul had included ‘necessity’ in the proportionality test. (However, this test is not otherwise well developed in Indian jurisprudence). Expediency, on the other hand, is not a specific legal basis used for determining the validity of an intrusion on human rights. It has also not been referred to in Puttaswamy (I) as a basis of assessing a privacy violation. The use of the term ‘expediency’ in the Bill is deeply worrying as it seems to bring down the threshold for allowing surveillance which is a regressive step in the context of cases like PUCL and Puttaswamy (I). A valid law along with the principles of proportionality and necessity are essential to put in place an effective system of checks and balances on the powers of the executive to provide exemptions. It seems unlikely that the clause will pass the test of proportionality (sanction of law, legitimate aim, proportionate to the need of interference, and procedural guarantees against abuse) as laid down by the Supreme Court in Puttaswamy (I).
The Srikrishna Committee report had recommended that surveillance should not only be conducted under law (and not executive order), but also be subject to oversight, and transparency requirements. The Committee had argued that the tests of lawfulness, necessity and proportionality provided for under clauses 42 and 43 (of the Draft Bill 2018) were sufficient to meet the standards set out under the Puttaswamy judgment. Since the PDP Bill completely does away with all these safeguards and leaves the decision to executive discretion, the law is unconstitutional. After the Bill was introduced in the Lok Sabha, J. Srikrishna had criticised it for granting expansive exemptions in the absence of judicial oversight. He warned that the consequences could be disastrous from the point of view of safeguarding the right to privacy and could turn the country into an “Orwellian State”. He has also opined on the need for a separate legislation to govern the terms under which the government can resort to surveillance.
Clause 36 of the Bill deals with exemption of some provisions for certain processing of personal data. It combines four different clauses on exemption which were listed in the Draft Bill 2018 (clauses 43, 44, 46 and 47). These include processing of personal data in the interests of prevention, detection, investigation and prosecution of contraventions of law; for the purpose of legal proceedings; personal or domestic purposes; and journalistic purposes. The Draft Bill 2018 had detailed provisions on the need for a law passed by Parliament or the State Legislature which is necessary and proportionate, for processing of personal data in the interests of prevention, detection, investigation and prosecution of contraventions of law. Clause 36 of the Bill does not enumerate the need for a law to process personal data under these exemptions. We hadargued that these exemptions granted by the Draft Bill 2018 (clauses 43, 44, 46 and 47) were wide, vague and needed clarifications, but the exemptions under clause 36 of the Bill are even more ambiguous as they merely enlist the exemptions without any specificities or procedural safeguards in place.
In the Draft Bill 2018, the Authority could not give exemption from the obligation of fair and reasonable processing, measures of security safeguards and data protection impact assessment for research, archiving or statistical purposes As per the current Bill, the Authority can provide exemption from any of the provisions of the Act for research, archiving or statistical purposes.
The last addition to this chapter of exemptions is that of creating a sandbox for encouraging innovation. This newly added clause 40 is aimed at encouraging innovation in artificial intelligence, machine-learning or any other emerging technology in public interest. The details of what the sandbox entails other than exemption from some of the obligations of Chapter II might need further clarity. Additionally, to be considered an eligible applicant, a data fiduciary has to necessarily obtain certification of its privacy by design policy from the DPA, as mentioned in clause 40(4) read with clause 22.
Though well appreciated for its intent, this provision requires clarification on grounds of selection and details of what the sandbox might entail.
[1] At the time of introduction of the PDP Bill 2019, the Minister for Law and Justice of India, Mr. Ravi Shankar Prasad suggested that over 2000 inputs were received on the Draft Bill 2018, based on which changes have been made in the PDP Bill 2019. However, these comments and inputs have not been published by MeitY, and only a handful of comments have been published, by the stakeholders submitting these comments themselves.
Huawei finds support from Indian telcos in the 5G rollout as PayPal withdrew from Facebook’s Libra cryptocurrency project; Foreign Portfolio Investors moved MeitY against in the Data Protection Bill; the CJEU rules against Facebook in case relating to takedown of content globally; and Karnataka joins list of states considering implementing NRC to remove illegal immigrants – presenting this week’s most important developments in law, tech and national security.
Digital India
[Sep 30] Why the imminent global economic slowdown is a growth opportunity for Indian IT services firms, Tech Circle report.
[Sep 30] Norms tightened for IT items procurement for schools, The Hindu report.
[Oct 1] Govt runs full throttle towards AI, but tech giants want to upskill bureaucrats first, Analytics India Magazine report.
[Oct 3] – presenting this week’s most important developments in law, tech and national security. MeitY launches smart-board for effective monitoring of the key programmes, The Economic Times report.
[Oct 3] “Use human not artificial intelligence…” to keep a tab on illegal constructions: Court to Mumbai civic body, NDTV report.
[Oct 3] India took 3 big productivity leaps: Nilekani, Livemint report.
[Oct 4] MeitY to push for more sops to lure electronic makers, The Economic Times report; Inc42 report.
[Oct 4] Core philosophy of Digital India embedded in Gandhian values: Ravi Shankar Prasad, Financial Express report.
[Oct 4] How can India leverage its data footprint? Experts weigh in at the India Economic Summit, Quartz report.
[Oct 4] Indians think jobs would be easy to find despite automation: WEF, Tech Circle report.
[Oct 4] Telangana govt adopts new framework to use drones for last-mile delivery, The Economic Times report.
[Oct 5] Want to see ‘Assembled in India’ on an iPhone: Ravi Shankar Prasad, The Economic Times report.
[Oct 6] Home market gets attractive for India’s IT giants, The Economic Times report.
Internet Governance
[Oct 2] India
Govt requests maximum social media content takedowns in the world, Inc42 report;
Tech Circle report.
[Oct 3]
Facebook can be forced to delete defamatory content worldwide, top EU court
rules, Politico EU report.
[Oct 4] EU
ruling may spell trouble for Facebook in India, The Economic Times report.
[Oct 4] TikTok,
TikTok… the clock is ticking on the question whether ByteDance pays its content
creators, ET Tech report.
[Oct 6] Why
data localization triggers a heated debate, The Economic Times report.
[Oct 7]
Sensitive Indian govt data must be stored locally, Outlook report.
Data
Protection and Privacy
[Sep 30] FPIs
move MeitY against data bill, seek exemption, ET markets report,
Inc42 report;
Financial Express report.
[Oct 1] United
States: CCPA exception approved by California legislature, Mondaq.com report.
[Oct 1] Privacy
is gone, what we need is regulation, says Infosys Kris Gopalakrishnana, News18 report.
[Oct 1]
Europe’s top court says active consent is needed for tracking cookies, Tech
Crunch report.
[Oct 3] Turkey
fines Facebook $282,000 over data privacy breach, Deccan Herald report.
Free
Speech
[Oct 1]
Singapore’s ‘fake news’ law to come into force Wednesday, but rights group
worry it could stifle free speech, The Japan Times report.
[Oct 2]
Minister says Singapore’s fake news law is about ‘enabling’ free speech, CNBC report.
[Oct 3] Hong
Kong protests: Authorities to announce face mask ban, BBC News report.
[Oct 3] ECHR:
Holocaust denial is not protected free speech, ASIL brief.
[Oct 4] FIR
against Mani Ratnam, Adoor and 47 others who wrote to Modi on communal
violence, The News Minute report;
Times Now report.
[Oct 5] UN asks
Malaysia to repeal laws curbing freedom of speech, The New Indian Express report.
[Oct 6] When
will our varsities get freedom of expression: PC, Deccan Herald report.
[Oct 6] UK
Government to make university students sign contracts limiting speech and
behavior, The Times report.
[Oct 7] FIR on
Adoor and others condemned, The Telegraph report.
Aadhaar,
Digital IDs
[Sep 30] Plea
in SC seeking linking of social media accounts with Aadhaar to check fake news,
The Economic Times report.
[Oct 1] Why
another omnibus national ID card?, The Hindu Business Line report.
[Oct 2] ‘Kenyan
court process better than SC’s approach to Aadhaar challenge’: V Anand, who
testified against biometric project, LiveLaw report.
[Oct 3] Why
Aadhaar is a stumbling block in Modi govt’s flagship maternity scheme, The
Print report.
[Oct 4]
Parliament panel to review Aadhaar authority functioning, data security, NDTV report.
[Oct 6] Roger Marshall, Deccan Herald, Big oil, Big Data and the shape of water.
[Oct 6] Neil Chatterjee, Fortune, The power grid is evolving. Cybersecurity must too.
[Oct 7] Scott W Pink, Modaq.com, EU: What is GDPR and CCPA and how does it impact blockchain?
[Oct 7] GN Devy, The Telegraph, Has India slid into an irreversible Talibanization of the mind?
[Oct 7] Susan Ariel Aaronson, South China Morning Post, The Trump administration’s approach to AI is not that smart: it’s about cooperation, not domination.
This week, Delhi International Airport deployed facial recognition on a ‘trial basis’ for 3 months, landline communications were restored in Kashmir as the Government mulls over certification for online video streaming platforms like Netflix and PrimeVideo – presenting this week’s most important developments in law, tech and national security.
Aadhaar
[Sep 3] PAN will be issued
automatically using Aadhaar for filing returns: CBDT, DD News report.
[Sep 3] BJD set to collect Aadhaar
numbers of its members in Odisha, Opposition parties slam move, News 18 report; The New Indian Express report; Financial Express report.
[Sep 5] Aadhaar is secure, says
ex-UIDAI chief, Times of India report.
[Sep 5] Passport-like Aadhaar centre
opened in Chennai: Online appointment booking starts, Livemint report.
[Sep 8] Plans to link Janani Suraksha
and Matra Vandan schemes with Aadhaar: CM Yogi Adityanath, Times of India report.
Digital India
[Sep 5] Digital media bodies welcome
26% FDI cap, Times of India report.
[Sep 6] Automation ‘not threat’
to India’s IT industry, ET Tech report.
[Sep 6] Tech Mahindra to modernise
AT&T network systems, Tech Circle report.
Data Protection and Governance
[Sep 2] Health data comes under the
purview of Data Protection Bill: IAMAI, Inc42 report.
[Sep 2] Credit history should not be
viewed as sensitive data, say online lenders, Livemint report.
[Sep 3] MeitY may come up with policy
on regulation of non-personal data, Medianama report.
[Sep 3] MeitY to work on a white paper
to gain clarity on public data regulations, Inc42 report.
[Sep 6] Treating data as commons is
more beneficial, says UN report, Medianama report.
[Sep 9] Indian Government may allow
companies to sell non-personal data of its users, Inc42 report, The Economic Times report.
[Sep 9] Tech firms may be compelled to
share public data of its users, ET Tech report.
Data Privacy and Breaches
[Sep 2] Chinese face-swap app Zao faces
backlash over user data protection, KrAsia report; Medianama report.
[Sep 2] Study finds Big Data eliminates
confidentiality in court judgments, Swiss Info report.
[Sep 4] YouTube will pay $170 million
to settle claims it violated child privacy laws, CNBC report; FTC Press Release.
[Sep 4] Facebook will now let people
opt-out of its face recognition feature, Medianama report.
[Sep 4] Mental health websites in
Europe found sharing user data for ads, Tech Crunch report.
[Sep 5] A huge database of Facebook
users’ phone numbers found online, Tech Crunch report.
[Sep 5] Twitter has temporarily
disabled tweet to SMS feature, Medianama report.
[Sep 6] Fake apps a trap to track your
device and crucial data, ET Tech report.
[Sep 6] 419 million Facebook users
phone numbers leaked online, ET Tech report; Medianama report.
[Sep 9] Community social media
platform, LocalCircles, highlights data misuse worries, The Economic Times report.
Free Speech
[Sep 7] Freedom of expression is not
absolute: PCI Chairman, The Hindu report.
[Sep 7] Chennai: Another IAS officer
resign over ‘freedom of expression’, Deccan Chronicle report.
[Sep 8] Justice Deepak Gupta: Law on
sedition needs to be toned down if not abolished, The Wire report.
Online Content Regulation
[Sep 3] Government plans certification
for Netflix, Amazon Prime, Other OTT Platforms, Inc42 report.
[Sep 4] Why Justice for Rights went to
court, asking for online content to be regulated, Medianama report.
[Sep 4] Youtube claims new hate speech
policy working, removals up 5x, Medianama report.
[Sep 6] MeitY may relax norms on
content monitoring for social media firms, ET Tech report; Inc42 report; Entrackr report.
E-Commerce
[Sep 4] Offline retailers accuse Amazon
and Flipkart of deep discounting, predatory pricing and undercutting, Medianama
report; Entrackr report.
[Sep 6] Companies rely on digital
certification startups to foolproof customer identity, ET Tech report.
Digital Payments and FinTech
[Sep 3] A sweeping reset is in the
works to bring India in line with fintech’s rise, The Economic Times report.
[Sep 3] Insurance and lending companies
in agro sector should use drones to reduce credit an insurance risks: DEA’s
report on fintech, Medianama report.
[Sep 4] Firefox will not block
third-party tracking and cryptomining by default for all users, Medianama report.
[Sep 4] Insurance companies are fueling
ransomware attacks, Defense One report.
[Sep 5] Firms facing shortage of
skilled workforce in cybersecurity: Infosys Research, The Economic Times report.
[Sep 5] Cybersecurity a boardroom
imperative in almost 50% of global firms: Survey, Outlook report; ANI report.
[Sep 5] DoD unveils new cybersecurity
certification model for contractors, Federal News Network report.
[Sep 5] Jigsaw Academy launches
cybersecurity certification programme in India, DQ India report.
[Sep 6] Indians lead the world as
Facebook Big Bug Hunters, ET Tech report.
[Sep 6] Australia is getting a new
cybersecurity strategy, ZD Net report.
[Sep 9] China’s 5G, industrial internet
roll-outs to fuel more demand for cybersecurity, South China Morning Post report.
Tech and National Security
[Sep 3] Apache copters to be inducted
today, The Pioneer report.
[Sep 3] How AI will predict Chinese and
Russian moves in the Pacific, Defense One report.
[Sep 3] US testing autonomous
border-patrol drones, Defense One report.
[Sep 3] Meet the coalition pushing for
‘Cyber Peace’ rules. Defense One report.
[Sep 4] US wargames to try out concepts
for fighting China, Russia, defense One report.
[Sep 4] Southern Command hosts seminar
on security challenges, Times of India report; The Indian Express report.
[Sep 4] Russia, already India’s biggest
arms supplier, in line for more, Business Standard report.
[Sep 4] Pentagon, NSA prepare to train
AI-powered cyber defenses, Defense One report.
[Sep 5] Cabinet clears procurement of Akash
missile system at Rs. 5500 crore, Times Now report.
[Sep 5] India to go ahead with $3.1
billion US del for maritime patrol aircraft, The Economic Times report.
[Sep 5] DGCA certifies ‘small’ category
drone for complying with ‘No-Permission, No-Takeoff’ protocol, Medianama report.
[Sep 5] India has never been aggressor
but will not hesitate in using its strength to defend itseld: Rajnath Singh,
The Economic Times report.
[Sep 5] Panel reviewing procurement
policy framework to come out with new versions of DPP, DPM by March 2020, The
Economic Times report; Business Standard report; Deccan Herald report.
[Sep 5] Russia proposes joint
development of submarines with India, The Hindu report.
[Sep 7] Proud of you: India tells ISRO
after contact lost with CHandrayaan-2 lander, India Today report.
Tech and Elections
[Sep 4] ECI asks social media firms to
follow voluntary code of ethics ahead of state polls: report, Medianama report.
[Sep 6] Congress party to reorganise its
data analytics department, Medianama report.
[Sep 5] Why the 2020 campaigns are
still soft targets for hackers, Defense One report.
[Sep 5] Facebook meets with FBI to
discuss election security, Bloomberg report.
[Sep 5] Facebook is making its own AI
deepfakes to head off a disinformation disaster, MIT Tech Review report.
Internal Security: J&K
[Sep 4] Long convoy, intel failure:
Multiple lapses led to Pulwama terror attack, finds CRPF inquiry, India Today report; Kashmir Media Service report; The Wire report.
[Sep 4] Extension of President’s Rule
in Kashmir was not delayed, MHA says in report to SC lawyer’s article,
Scroll.in report.
[Sep 6] Landline communication restored
in Kashmir Valley: Report, Medianama report.
[Sep 7] Kashmir’s Shia areas face
curbs, all Muharram processions banned, The Quint report.
[Sep 7] No question of army atrocities
in Kashmir as it’s only fighting terrorists: NSA Ajit Doval, India Today report.
[Sep 8] More than 200 militants trying
to cross into Kashmir from Pakistan: Ajit Doval, Money Control report.
[Sep 8] ‘Such unilateral actions are
futile’, says India after Pakistan blocks airspace for President Kovind,
Scroll.in report; NDTV report.
Internal Security: NRC
[Sep 2] Contradictory voices in Assam
Congress son NRC: Tarun Gogoi slams it as waste paper, party MP says historic
document, India Today report.
[Sep 3] Why Amit Shah is silent on NRC,
India Today report.
[Sep 7] AFSPA extended for 6 months in
Assam, Deccan Herald report.
[Sep 7] At RSS mega meet, concerns over
Hindus being left out of NRC: Sources, Financial Express report.
National Security Institutions
and Legislation
[Sep 5] Azhar, Saeed, Dawood declared
terrorists under UAPA law, Deccan Herald report; The Economic Times report.
[Sep 8] Home Minister says India’s
national security apparatus more robust than ever, Livemint report.
[Sep 8] Financial safety not national
security reason for women to join BSF: Study, India Today report.
Telecom/5G
[Sep 6] Security is an issue in 5G:
NCSC Pant on Huawei, Times of India report.
More on Huawei
[Sep 1] Huawei believes banning it from
5G will make countries insecure, ZD Net report.
[Sep 2] Huawei upbeat on AI strategy
for India, no word on 5G roll-out plans yet, Business Standard report.
[Sep 3] Huawei denies US allegations of
technology theft, NDTV Gadgets 260 report; Business Insider report; The Economic Times report.
[Sep 3] Shocking Huawei ‘Extortion and
Cyberattack’ allegations in new US legal fight, Forbes report; Livemint report, BBC News report; The Verge report.
[Sep 3] Committed to providing the most
advanced products: Huawei, ET Telecom report.
[Sep 4] Huawei says 5G rollout in India
will be delayed by 3 years if it’s banned, Livemint report
[Sep 4] Trump not interested in talking
Huawei with China, Tech Circle report.
[Sep 5] Nepal’s only billionaire
enlists Huawei to transform country’s elections, Financial Times report.
[Sep 8] Trump gets shocking new Huawei
warning – from Microsoft, Forbes report.
Emerging Tech
[Aug 30] Facebook is building an AI
Assistant Inside Minecraft, Forbes report.
[Sep 3] AWS partners with IIT KGP for
much needed push to India’s AI skilling, Inc42 report.
[Sep 3] Behind the Rise of China’s
facial recognition giants, Wired report.
[Sep 4] Facebook won’t use facial
recognition on you unless you tell it to, Quartz report.
[Sep 4] An AI app that turns you into a
movie star has risked the privacy of millions, MIT Technology Review report.
[Sep 6] Police use f facial recognition
is accepted by British Court, The New York Times report.
[Sep 6] Facebook, Microsoft announce
challenge to detect deepfakes, Medianama report.
[Sep 6] Facial recognition tech to
debut at Delhi airport’s T3 terminal; on ‘trial basis’ for next three months,
Medianama report.
Internet Shutdowns
[Sep 3] After more than 10 weeks,
internet services in towns of Rakhine and Chin restored, Medianama report.
[Sep 4] Bangladesh bans mobile phone
services in Rohingya camps, Medianama report.
Opinions and Analyses
[Sep 2] Michael J Casey, Coin Desk, A crypto fix for a broken international monetary system.
[Sep 2] Yengkhom Jilangamba, News18 Opinion, Not a solution to immigration problem, NRC final list has only brought to surface fault lines within society.
[Sep 2] Samuel Bendett, Defense One, What Russian Chatbots Think About Us.
[Sep 2] Shivani Singh, Hindustan Times, India’s no first use policy is a legacy that must be preserved.
[Sep 3] Abir Roy, Financial Express, Why a comprehensive law is needed for data protection.
[Sep 3] Dhirendra Kumar, The Economic Times, Aadhaar is back for mutual fund investments.
[Sep 3] Ashley Feng, Defense One, Welcome to the new phase of US-China tech competition.
[Sep 3] Nesrine Malik, The Guardian, The myth of the free speech crisis.
[Sep 3] Tom Wheeler and David Simpson, Brookings Institution, Why 5G requires new approaches to cybersecurity.
[Sep 3] Karen Roby, Tech Republic, Why cybersecurity is a big problem for small businesses.
[Sep 4] Wendy McElroy, Bitcoin.com, Crypto needs less regulation, not more.
[Sep 4] Natascha Gerlack and Elisabeth Macher, Modaq.com, US CLOUD Act’s potential impact on the GDPR.
[Sep 4] Peter Kafka, Vox, The US Government isn’t ready to regulate the internet. Today’s Google fine shows why.
[Sep 5] Murtaza Bhatia, Firstpost, Effective cybersecurity can help in accelerating business transformation.
[Sep 5] MG Devasahayam, The Tribune, Looking into human rights violations by Army.
[Sep 5] James Hadley, Forbes, Cybersecurity Frameworks: Not just for bits and bytes, but flesh and blood too.
[Sep 5] MR Subramani, Swarajya Magazine, Question at heart of TN’s ‘WhatsApp traceability case’: Are you endangering national security if you don’t link your social media account with Aadhaar?
[ Sep 5] Justin Sherman, Wired, Cold War Analogies are Warping Tech Policy.
[Sep 6] Nishtha Gautam, The Quint, Peer pressure, militant threats enforcing civil curfew in Kashmir?
[Sep 6] Harsh V Pant and Kartik Bommakanti, Foreign Policy, Modi reimagines the Indian military.
[Sep 6] Shuman Rana, Business Standard, Free speech in the crosshairs.
[Sep 6] David Gokhshtein, Forbes, Thoughts on American Crypto Regulation: Considering the Pros and Cons.
[Sep 6] Krishan Pratap Singh, NDTV Opinion, How to read Modi Government’s stand on Kashmir.
MeitY sought views on ‘non-personal data’; India and France announce joint research consortium on AI and digital partnership after NSA-level talks; Section 144 CrPC imposed in areas of Assam anticipating unrest after the publication of the NRC list as the MHA holds a high-level security meet on Kashmir; and the tussle between MeitY and the Niti Aayog for control over the Rs. 7000 cr AI project continues – presenting this week’s most important developments at the intersection of law and tech.
Aadhaar
[Aug 27] Aadhaar integration can weed
out fake voters: UIDAI’s Ajay Bhushan Pandey, Business Standard report.
[Aug 27] Government to intensify
Aadhaar enrolment in J&K after Oct 31: Report, Medianama report; Times Now report; The Quint report
[Aug 27] Interview: Why I filed a case
to link Aadhaar and Social Media Accounts, The Quint report.
[Aug 27] Aadhaar database cannot be
hacked even after a billion attempts: Ravi shankar Prasad, Money Control report.
[Aug 27] Most dangerous situation:
Justice Srikrishna on EC-Aadhaar linking, The Quint report.
[Aug 28] Aadhaar ads to women’s
problems in India. Here’s why. The Wire report.
[Aug 28] What Centre will tell Supreme
Court on Aadhaar and social media account linkage, The Hindustan Time report.
[Aug 28] All residents of an MP village
have the same date of birth on their Aadhaar, Business Standard report.
[Aug 29] Blood banks advised to ask for
donors’ Aadhaar cards, Times of India report.
[Aug 29] Aadhaar continues to evolve
and grow as India issues biometric seafarers’ ID, Biometric Update report.
[Aug 31] Aadhaar mandatory for farmers
to avail crop loan in Odisha, Odisha Sun Times report.
[Sep 1] NRIs to get Aadhaar sans
180-day wait in 3 months, The Hindu report.
[Sep 1] Aadhaar-liquor link to check
bottle littering? Deccan Herald report.
[Sep 1] Linking Aadhaar with social
media can lead to insidious profiling of people, says Apar Gupta, Times of
India report.
Digital India
[Aug 27] NASSCOM-DSCI on National
Health Stack: separate regulatory body for health, siloed registries, usage of
single ID, Medianama report.
[Aug 27] Govt looks to develop
electronics component manufacturing base in India: MeitY Secretary, YourStory report; Money Control report.
[Aug 30] India is encouraging foreign
firms to shift biz from China: report, Medianama report; Reuters report.
[Aug 30] Wipro, Google to speed up
digital shift of enterprises, ET Telecom report.
[Aug 30] Government committed to reach
public via technology, Times of India report.
[Aug 31] MeitY and Google tie up to
Build for Digital India, Livemint report; India TV report; ANI report; The Statesman report; Inc42 report.
[Sep 1] Govt is setting up high-tech
R&D facilities for India Inc to encourage big-bang projects, ET Tech report.
[Sep 1] Digitalisation is now forcing
NASSCOM to reinvent itself, ET Tech report.
Free Speech
[Aug 26] IAS Officer who quit over
‘losing freedom of expression’ was facing disciplinary action for misconduct,
Swarajya Magazine report.
[Aug 27] Withdraw media curbs in
Kashmir, The Hindu report.
[Aug 27] EU data caught in Facebook
audio transcribing, Politico report.
[Aug 30] BJP issues gag order on Pragya
Thakur after ‘black magic’ remark post Arun Jaitley’s death. News 18 report.
[Aug 31] Chargesheet filed against
ex-Union Minister Salman Khurshid over remark in UP CM Yogi Adityanath, India
Today report.
[Aug 31] Rafale deal: Rahul Gandhi
summoned by Mumbai court for calling Narendra Modi ‘commander-in-thief’,
Scroll.in report.
[Aug 31] Media freedom being curbed,
says Mamata, The Hindu report.
[Sep 1] Madurai man booked for Facebook
post against Centre, Army, Times of India report.
Internet Shutdowns
[Aug 26] Internet suspended in
Indonesia’s Papua region for ‘ security and order’ amid protests, Medianama report.
[Aug 29] Months after pledge to open
internet, Ethiopia disrupts connectivity amidst communal violence, Global
Voices report.
Data Protection and Privacy
[Aug 27] Government’s approach to data
is dangerous, says Justice Srikrishna, Medianama report.
[Aug 27] Microsoft’s lead EU data
watchdog is looking into fresh Windows 10 privacy concerns, Tech Crunch report.
[Aug 30] This Week in Tech: Facebook’s
privacy pivot (business model not included), The New York Times report.
[Aug 31] MeitY seeks views on
non-personal data, ET Tech report.
[Aug 31] Google to pay out $150-200m
over YouTube privacy claims: reports, The Hindu report.
[Sep 2] Let data protection Bill deal
with personal health data, says IAMAI, Business Standard report.
Intermediary Liability
[Aug 27] Government notices and issue
in TikTok’s ShareChat notices: To ask TikTok how its intermediary status is
consistent with claims on owning content, ET Telecom report; Inc42 report.
E-Commerce
[Aug 27] Thailand to tax e-commerce
companies from next year, Medianama report.
[Aug 27] NRAI sends notices to Swiggy,
Zomato, others on deep discounting, lack of transparency, Tech Circle report.
[Aug 29] MeitY may not include
E-commerce data in privacy bill, The Economic Times report; Medianama report; Inc42 report.
[Aug 29] 30% local sourcing FDI rule on
single brand retailers relaxed, physical stores before online sales not
necessary, Medianama report.
[Aug 29] Amazon moves Supreme Court
against direct selling companies: Report, Medianama report; The Economic Times report.
[Aug 30] India big enough for both
e-commerce and small retailers: Rajiv umar, ET Tech report.
[Aug 30] Zomato, Swiggy and NRAI discuss
issues, to meet again in September, Medianama report.
The ECI sought a legal mandate to link Aadhaar with Voter IDs; Facebook approached the Supreme Court over PILs demanding Aadhaar linkage with social media accounts; MEITY invited ‘select stakeholders’ for private consultations over the data protection bill; and a new panel to review defence procurement practices in India was constituted by the Defense Minister Rajnath Singh, who also hinted at dropping India’s no first use policy – presenting this week’s most important developments in law and tech.
Aadhaar
[Aug 19] EC seeks statutory baking to collect voters’ Aadhaar
numbers, The Times of India report.
[Aug 19] Facebook approaches SC over Aadhaar linkage pleas, The
Deccan Herald report; Firstpost report.
[Aug 20] Aadhaar to ensure farmers, not middlemen, get benefits,
The Economic Times report.
[Aug 21] SC cautions govt on linking Aadhaar with social media, ET
Tech report.
[Aug 21] Election Commission writes to law ministry, seeks legal
powers to collect Aadhaar numbers for cleaning up voters’ list, Firstpost report.
[Aug 22] Aadhaar may be used to verify SECC beneficiaries, The
Economic Times report.
[Aug 23] Centre to put QR code on fishermen’s Aadhaar cards to
secure sea route: Amit Shah, The Times of India report.
[Aug 24] Aadhaar-social media linking: 10 things to know about the
ongoing issue, India Today report.
[Aug 24] Govt to allow Aadhaar-based KYC for domestic retail
investors; amendments to PMLA to be issues, Firstpost report.
[Aug 25] Linking Aadhaar with electoral rolls will create Delhi,
Mumbai Analyticas: Justice Srikrishna, The Week report.
Digital India
[Aug 19] Indian companies at a disadvantage in tenders, says
Commerce ministry, Money Control report; The Times of India report.
[Aug 21] India’s IT Industry turns to flexi staffing to keep its
bench from idling, ET Tech report.
[Aug 22] Indian IT Firms step up patent filings as they look to
monetize their IP, ET Tech report.
[Aug 26] Time to revisit FTAs to fire up electronics: Ravi Shankar
Prasad, ET Rise report.
E-Commerce
[Aug 21] Government hopes for an Ecommerce GeM, ET Tech report.
[Aug 23] Technology reforming India’s retail businesses, ET Tech report.
Digital Payments
[Aug 22] RBI to allow e-mandates on card payments from September
1, Medianama report.
[Aug 22] Digital payment execs met Finance Ministry officials to
discuss demerits of removing MDR: report, Medianama report.
Cryptocurrencies
[Aug 18] US lawmakers to visit Switzerland to discuss Facebook’s
Libra, Cointelegraph report.
[Aug 21] Authorities seize crypto mining equipment from nuclear
power plant in Ukraine, Coin Desk report.
[Aug 23] $100K Crypto donation to Amazon rainforest charity
blocked by BitPay, Coin Desk report.
Internet Governance
[Aug 18] Google, Facebook, WhatsApp to be made more accountable
under new rules, Financial Express report.
Data Protection
[Aug 19] Google cuts some Android phone data for wireless carriers
amid privacy concerns, The Hindustan Times report.
[Aug 20] MEITY privately seeks responses to fresh questions on the
data protection bill from select stakeholders, Medianama report; ET Tech report; Business Standard report; Inc42 report.
[Aug 21] Google, Intel and Microsoft form data protection
consortium, Engadget report; The Economic Times report.
[Aug 22] Govt working towards tabling data protection bill in
winter session, Livemint report; The Economic Times report.
[Aug 24] India needs to draw a distinction between personal and impersonal
data: Ravi Shankar Prasad, Inc42 report.
[Aug 25] Data Protection Bill need of the hour, says Justice BN
Srikrishna, Inc42 report.
Social Media
[Aug 19] Social media accounts need to be linked with Aadhaar to
check fake news, SC told, Livemint report.
[Aug 20] Twitter and Facebook crack down on accounts linked to
Chinese campaign against Hong Kong, The Guardian report; Defense One report.
[Aug 20] Facebook’s new tool lets you see which apps and websites
tracked you, the New York Times report; ET Tech report.
[Aug 21] China cries foul over Facebook, Twitter block of fake
accounts, ET Tech report.
[Aug 20] Islamic preacher Zakir Naik banned from giving public
speeches in Malaysia, India Today report.
[Aug 20] Zakir Naik apologizes to Malaysians for racial remarks, India
Today report.
[Aug 21] Shehla rashid spreading fake news tro incite violence in
Jammu and Kashmir: Indian army, DNA India report.
[Aug 24] IAS Officer Kannan Gopinathan resigns over ‘lack of
freedom of expression’, The Hindu report; Scroll.in report.
[Aug 24] From colonial era to today’s India, a visual history of
national security laws used to crush dissent, Sroll.in report.
Internal Security: Status of J&K
[Aug 19] Kashmir: now for the legal battle, India Today report.
[Aug 20] Amit Shah meets NSA, IB Chief on J&K, NDTV report.
[Aug 21] Armed forces to get human rights and vigilance cell after
Rajnath Singh approves restructure, News 18 report.
[Aug 23] Opposition leaders demand release of Mehbooba Mufti, Omar
Abdullah, The Economic Times report.
[Aug 23] Blackout is collective punishment against people of
J&K: UN Human Rights experts call on India to end communications shutdown,
Medianama report.
[Aug 25] Amid massive clampdown, uneasy calm in volatile south
Kashmir, The Tribune report.
Tech and Law Enforcement
[Aug 20] Flaws in cellphone evidence prompt review of 10,000
verdicts in Denmark, The New York Times report.
[Aug 21] Supreme Court directs Madras HC not to pass final order
in WhatsApp traceability case, Entrackr report.
[Aug 21] Facebook, WhatsApp and the encryption dilemma – What
India can learn from the rest of the world, CNBC TV 18 report.
[Aug 21] WhatsApp’s response to Dr. Kamakoti’s recommendation for
traceability in WhatsApp, Medianama report.
[Aug 25] Curbs on Aadhaar data use delayed murder probe: Cops,
Deccan Herald report.
[Aug 26] End-to-end encryption not essential to WhatsApp as a
platform: Tamil Nadu Advocate General, Medianma report.
Tech and National Security
[Aug 18] New Panel to review defence procurement procedure to
strengthen ‘Make in India’, Bharat Shakti report; Jane’s 360 report.
[Aug 18] RSS affiliate sees Chinese telecom firms as security risk
for India, The Hindu report.
[Aug 18] Traders body calls for boycott of Chinese goods, seeks
upto 500% import duty, Livemint report.
[Aug 19] India looks to acquire military equipment on lease amidst
budget squeeze, Defence Aviation Post report.
[Aug 20] India, France likely to finalize roadmap for digital, cyber
security cooperation, The Economic Times report; The Indian Express report.
[Aug 20] ‘Make in India’ Software Defined Radio: ‘Mother’ of all solutions
for tactical communications of armed forces, Financial Express report.
[Aug 20] Need to reduce dependence on foreign manufacturers to
modernise Indian Air Force, says defence minister Rajnath Singh, Firstpost report.
[Aug 20] Strike total at all 41 ordnance factories, say unions on
day one, The Hindu Business Line report; Deccan Herald report.
[Aug 21] Government neglect my force HAL to crash land, Deccan
Herald report.
[Aug 21] Cabinet Secretariat raps MoD, MEA for not involving NSA,
The Economic Times report.
[Aug 21] Ajay Kumar appointed new Defence Secretary, The Economic
Times report.
[Aug 21] Ordnance factories continue strike, MoD calls their
products ‘high cost, low quality’, India.com report.
[Aug 24] It’s about national security: Arun Jaitley on how 2019
elections were different from 2014, India Today report.
[Aug 24] Gaganyaan: Russian space suits, French medicine for
Indian astronauts? The Hindu report.
[Aug 24] Ordnance strike: Unions to take a call on Centre’s
proposal on Aug 24, The Hindu Business Line report.
[Aug 25] Will India change its ‘No First Use’ policy? The Hindu report.
[Aug 21] French Eye: india to launch 8-10 satellites with France
as part of a ‘constellation’ for maritime surveillance, The Pioneer report.
Cybersecurity
[Aug 19] Global Cyber Alliance launches cybersecurity development
platform for Internet of Things (IoT) Devices, Dark reading report.
[Aug 19] The US Army is struggling to staff its cyber units: GAO,
Defense One report.
[Aug 20] A huge ransomware attack messes with Texas, Wired report.
[Aug 21] Experts call for cybersecurity cooperation at the Beijing
Cybersecurity Conference, Xinhua News report.
[Aug 23] Enterprises are increasingly adopting AI, ML in
cybersecurity: Experts, Livemint report.
[Aug 24] Anomaly detection as advanced cybersecurity strategy,
iHLS report.
Aug 24] Telangana preparing an army of cyber warriors, Telangana
Today report.
Internet of Things
[Aug 22] ITI-Bhubaneswar introduces Internet of Things curriculum,
The New Indian Express report.
[Aug 22] Will We Ever Have A Full Industrial Internet Of Things,
Forbes report.
[Aug 24] IKEA Smart Home Investment Could Be Boost The Internet Of
Things Needs, Forbes report.
Artificial Intelligence and Emerging Tech
[Aug 20] Use artificial intelligence for tax compliance: Direct
tax panel, Business Standard report.
[Aug 20] Artificial intelligence and the world of tax litigation,
Financial Express report.
[Aug 21] Intel launches first artificial intelligence chip
Springhill, The Hindu report; News18 report.
[Aug 22] Facial recognition attendance systems for teachers to be
installed in Gujarat’s govt schools, Medianama report.
[Aug 26] Yogi Govt Plans To Install Artificial Intelligence System
In 12,500 Public Sector Buses, Business World report.
Telecom/5G
[Aug 24] PMO clears BSNL-MTNL revival, merger off the table, The
Economic Times report.
[Aug 21] Nabeel Ahmed, Read Write, Artificial Intelligence: A tool or a threat to cybersecurity?
[Aug 21] Asheeta Regidi, Firstpost, Aadhaar-social media account linking could result in creation of a surveillance state, deprive fundamental right to privacy.
[Aug 22] Sanjay Hegde, The Hindu, Sacrificing liberty for national security.
[Aug 22] Ahmed Ali Fayyaz, The Quint, Fall of J&K: Real reason – ‘Jamhooriyat, Insaniyat, Kashmiriyat’?
[Aug 22] AS Dulat, The Telegraph, Kashmir: The perils of a muscular approach.
[Aug 22] Somnath Mukherjee, The Economic Times, Growth is the biggest national security issue.
[Aug 22] K Raveendran, The Leaflet, Aadhaar-social media profile linkage will open pandora’s box.
[Aug 22] Mariarosaria Taddeo and Francesca Bosco, World Economic Forum blog, We must treat cybersecurity as a public good, here’s why.
[Aug 23] Nikhil Pahwa, Medianama, Against Facebook-Aadhaar linking.
[Aug 23] Ilker Koksal, Forbes, The rise of crypto as payment currency.
[Aug 24] Kalev Lataru, Forbes, Social media platforms will increasingly define ‘truth’.
[Aug 25] Sandeep Unnithan, India Today, South block.
[Aug 25] Spy’s Eye, Outlook, Intel agencies need strengthening.
[Aug 26] Prasanna S., The Hindu, Privacy no longer supreme.
[Aug 26] Sunil Abraham, Business Standard, Linking Aadhaar with social media or ending encryption is counterproductive.
The CCG Blog 