The Supreme Court of the US (SCOTUS) has carved out the right to privacy from various provisions of the US constitution, particularly the first, fourth, fifth, ninth and fourteenth amendments to the US constitution. The Court has included the right to privacy in varying contexts through an expansive interpretation of the constitutional provisions. For instance, the Court has read privacy rights into the first amendment for protecting private possession of obscene material from State intrusion; the fourth amendment for protecting privacy of the person and possessions from unreasonable State intrusion; and the fourteenth amendment which recognises an individual’s decisions about abortion and family planning as part of their right of liberty that encompasses aspects of privacy such as dignity and autonomy under the amendment’s due process clause.
The right to privacy is not expressly provided for in the US constitution. However, the Court identified an implicit right to privacy, for the very first time, in Griswold v. Connecticut(1965) in the context of the right to use contraceptives/ marital privacy. Since then, the Court has extended the scope to include, inter alia, reasonable expectation of privacy against State intrusion in Katz v. United States (1967), abortion rights of women in Roe v. Wade (1973), and right to sexual intimacy between consenting adults of the same-sex in Lawrence v. Texas (2003).
The US privacy framework consists of several privacy laws and regulations developed at both the federal and state level. As of now, the US privacy laws are primarily sector specific, instead of a single comprehensive federal data protection law like the European Union’s General Data Protection Regulation (GDPR) and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). However, there are certain states in the US like California that have enacted comprehensive privacy laws, comparable to the GDPR and PIPEDA. The California Consumer Privacy Act (CCPA) which came into effect on January 1, 2020 aims to protect consumers’ privacy across industry. It codifies certain rights and remedies for consumers, and obligations for entities/businesses. One of its main aims is to provide consumers more control over their data by obligating businesses to ensure transparency about how they collect, use, share and sell consumer data.
India is in the midst of establishing a robust data governance framework, which will impact the rights and liabilities of all key stakeholders – the government, private entities, and citizens at large. As a parliamentary committee debates its first personal data protection legislation (‘PDPB 2019’), proposals for the regulation of non-personal data and a data empowerment and protection architecture are already underway.
As data processing capabilities continue to evolve at a feverish pace, basic data protection regulations like the PDPB 2019 might not be sufficient to address new challenges. For example, big data analytics renders traditional notions of consent meaningless as users have no knowledge of how such algorithms behave and what determinations are made about them by such technology.
Creative data governance models, which are aimed at reversing the power dynamics in the larger data economy are the need of the hour. Recognising these challenges policymakers are driving the conversation on data governance in the right direction. However, they might be missing out on crucial experiments being run in other parts of the world.
As users of digital products and services increasingly lose control over data flows, various new models of data governance are being recommended for example, data trusts, data cooperatives, and data commons. Out of these, one of the most promising new models of data governance is – data trusts.
(For the purposes of this blog post, I’ll be using the phrase data processors as an umbrella term to cover data fiduciaries/controllers and data processors in the legal sense. The word users is meant to include all data principals/subjects.)
What are data trusts?
Though there are various definitions of data trusts, one which is helpful in understanding the concept is – ‘data trusts are intermediaries that aggregate user interests and represent them more effectively vis-à-vis data processors.’
To solve the information asymmetries and power imbalances between users and data processors, data trusts will act as facilitators of data flow between the two parties, but on the terms of the users. Data trusts will act in fiduciary duty and in the best interests of its members. They will have the requisite legal and technical knowledge to act on behalf of users. Instead of users making potentially ill-informed decisions over data processing, data trusts will make such decisions on their behalf, based on pre-decided factors like a bar on third-party sharing, and in their best interests. For example, data trusts to users can be what mutual fund managers are to potential investors in capital markets.
Currently, in a typical transaction in the data economy, if users wish to use a particular digital service, neither do they have the knowledge to understand the possible privacy risks nor the negotiation powers for change. Data trusts with a fiduciary responsibility towards users, specialised knowledge, and multiple members might be successful in tilting back the power dynamics in favour of users. Data trusts might be relevant from the perspective of both the protection and controlled sharing of personal as well as non-personal data.
(MeitY’s Non-Personal Data Governance Framework introduces the concept of data trustees and data trusts in India’s larger data governance and regulatory framework. But, this applies only to the governance of ‘non-personal data’ and not personal data, as being recommended here. CCG’s comments on MeitY’s Non-Personal Data Governance Framework, can be accessed – here)
Challenges with data trusts
Though creative solutions like data trusts seem promising in theory, they must be thoroughly tested and experimented with before wide-scale implementation. Firstly, such a new form of trusts, where the subject matter of the trust is data, is not envisaged by Indian law (see section 8 of the Indian Trusts Act, 1882, which provides for only property to be the subject matter of a trust). Current and even proposed regulatory structures don’t account for the regulation of institutions like data trusts (the non-personal data governance framework proposes data trusts, but only as data sharing institutions and not as data managers or data stewards, as being suggested here). Thus, data trusts will need to be codified into Indian law to be an operative model.
Secondly, data processors might not embrace the notion of data trusts, as it may result in loss of market power. Larger tech companies, who have existing stores of data on numerous users may not be sufficiently incentivised to engage with models of data trusts. Structures will need to be built in a way that data processors are incentivised to participate in such novel data governance models.
Thirdly, the business or operational models for data trusts will need to be aligned to their members i.e. users. Data trusts will require money to operate – for profit entities may not have the best interests of users in mind. Subscription based models, whether for profit or not, might fail as users are habitual to free services. Donation based models might need to be monitored closely for added transparency and accountability.
Lastly, other issues like creation of technical specifications for data sharing and security, contours of consent, and whether data trusts will help in data sharing with the government, will need to be accounted for.
Privacy centric data governance models
At this early stage of developing data governance frameworks suited to Indian needs, policymakers are at a crucial juncture of experimenting with different models. These models must be centred around the protection and preservation of privacy rights of Indians, both from private and public entities. Privacy must also be read in its expansive definition as provided by the Supreme Court in JusticeK.S. Puttaswamy vs. Union of India. The autonomy, choice, and control over informational privacy are crucial to the Supreme Court’s interpretation of privacy.
(CCG’s privacy law database that tracks privacy jurisprudence globally and currently contains information from India and Europe, can be accessed – here)
The Personal Data Protection Bill, 2019 (PDP Bill/ Bill) was introduced in the Lok Sabha on December 11, 2019 , and was immediately referred to a joint committee of the Parliament. The joint committee published a press communique on February 4, 2020 inviting comments on the Bill from the public.
The Bill is the successor to the Draft Personal Data Protection Bill 2018 (Draft Bill 2018), recommended by a government appointed expert committee chaired by Justice B.N. Srikrishna. In August 2018, shortly after the recommendations and publication of the draft Bill, the Ministry of Electronics and Information Technology (MeitY) invited comments on the Draft Bill 2018 from the public. (Our comments are available here.)
In this post we undertake a preliminary examination of:
The scope and applicability of the PDP Bill
The application of general data protection principles
The rights afforded to data subjects
The exemptions provided to the application of the law
In future posts in the series we will examine the Bill and look at the:
The restrictions on cross border transfer of personal data
The structure and functions of the regulatory authority
The enforcement mechanism and the penalties under the PDP Bill
Scope and Applicability
The Bill identifies four different categories of data. These are personal data, sensitive personal data, critical personal data and non-personal data
Personal data is defined as “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling”. (emphasis added)
The addition of inferred data in the definition realm of personal data is an interesting reflection of the way the conversation around data protection has evolved in the past few months, and requires further analysis.
Sensitive personal data is defined as data that may reveal, be related to or constitute a number of different categories of personal data, including financial data, health data, official identifiers, sex life, sexual orientation, genetic data, transgender status, intersex status, caste or tribe, and religious and political affiliations / beliefs. In addition, under clause 15 of the Bill the Central Government can notify other categories of personal data as sensitive personal data in consultation with the Data Protection Authority and the relevant sectoral regulator.
Similar to the 2018 Bill, the current bill does not define critical personal data and clause 33 provides the Central Government the power to notify what is included under critical personal data. However, in its report accompanying the 2018 Bill, the Srikrishna committee had referred to some examples of critical personal data that relate to critical state interest like Aadhaar number, genetic data, biometric data, health data, etc.
The Bill retains the terminology introduced in the 2018 Draft Bill, referring to data controllers as ‘data fiduciaries’ and data subjects ‘data principals’. The new terminology was introduced with the purpose of reflecting the fiduciary nature of the relationship between the data controllers and subjects. However, whether the use of the specific terminology has more impact on the protection and enforcement of the rights of the data subjects still needs to be seen.
Application of PDP Bill 2019
The Bill is applicable to (i) the processing of any personal data, which has been collected, disclosed, shared or otherwise processed in India; (ii) the processing of personal data by the Indian government, any Indian company, citizen, or person/ body of persons incorporated or created under Indian law; and (iii) the processing of personal data in relation to any individuals in India, by any persons outside of India.
The scope of the 2019 Bill, is largely similar in this context to that of the 2018 Draft Bill. However, one key difference is seen in relation to anonymised data. While the 2018 Draft Bill completely exempted anonymised data from its scope, the 2019 Bill does not apply to anonymised data, except under clause 91 which gives the government powers to mandate the use and processing of non-personal data or anonymised personal data under policies to promote the digital economy. There are a few concerns that arise in context of this change in treatment of anonymised personal data. First, there are concerns on the concept of anonymisation of personal data itself. While the Bill provides that the Data Protection Authority (DPA) will specify appropriate standards of irreversibility for the process of anonymisation, it is not clear that a truly irreversible form of anonymisation is possible at all. In this case, we need more clarity on what safeguards will be applicable for the use of anonymised personal data.
Second, is the Bill’s focus on the promotion of the digital economy. We have previously discussed some of the concerns regarding focus on the promotion of digital economy in a rights based legislation inour comments to the Draft Bill 2018.
These issues continue to be of concern, and are perhaps heightened with the introduction of a specific provision on the subject in the 2019 Bill (especially without adequate clarity on what services or policy making efforts in this direction, are to be informed by the use of anonymised personal data). Many of these issues are also still under discussion by thecommittee of experts set up to deliberate on data governance framework (non-personal data). The mandate of this committee includes the study of various issues relating to non-personal data, and to make specific suggestions for consideration of the central government on regulation of non-personal data.
The formation of the non-personal data committee was in pursuance of a recommendation by the Justice Srikrishna Committee to frame a legal framework for the protection of community data, where the community is identifiable. The mandate of the expert committee will overlap with the application of clause 91(2) of the Bill.
Data Fiduciaries, Social Media Intermediaries and Consent Managers
As discussed above the Bill categorises data controllers as data fiduciaries and significant data fiduciaries. Any person that determines the purpose and means of processing of personal data, (including the State, companies, juristic entities or individuals) is considered a data fiduciary. Some data fiduciaries may be notified as ‘significant data fiduciaries’, on the basis of factors such as the volume and sensitivity of personal data processed, the risks of harm etc. Significant data fiduciaries are held to higher standards of data protection. Under clauses 27-30, significant data fiduciaries are required to carry out data protection impact assessments, maintain accurate records, audit policy and the conduct of its processing of personal data and appoint a data protection officer.
Social Media Intermediaries
The Bill introduces a distinct category of intermediaries called social media intermediaries. Under clause 26(4) a social media intermediary is ‘an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services’. Intermediaries that primarily enable commercial or business-oriented transactions, provide access to the Internet, or provide storage services are not to be considered social media intermediaries.
Social media intermediaries may be notified to be significant data fiduciaries, if they have a minimum number of users, and their actions have or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India.
Under clause 28 social media intermediaries that have been notified as a significant data fiduciaries will be required to provide for voluntary verification of users to be accompanied with a demonstrable and visible mark of verification.
The Bill also introduces the idea of a ‘consent manager’ i.e. a (third party) data fiduciary which provides for management of consent through an ‘accessible, transparent and interoperable platform’. The Bill does not contain any details on how consent management will be operationalised, and only states that these details will be specified by regulations under the Bill.
Data Protection Principles and Obligations of Data Fiduciaries
Consent and grounds for processing
The Bill recognises consent as well as a number of other grounds for the processing of personal data.
Clause 11 provides that personal data shall only be processed if consent is provided by the data principal at the commencement of processing. This provision, similar to the consent provision in the 2018 Draft Bill, draws from various principles including those under the Indian Contract Act, 1872 to inform the concept of valid consent under the PDP Bill. The clause requires that the consent should be free, informed, specific, clear and capable of being withdrawn.
Moreover, explicit consent is required for the processing of sensitive personal data. The current Bill appears to be silent on issues such as incremental consent which were highlighted in our comments in the context of the Draft Bill 2018.
The Bill provides for additional grounds for processing of personal data, consisting of very broad (and much criticised) provisions for the State to collect personal data without obtaining consent. In addition, personal data may be processed without consent if required in the context of employment of an individual, as well as a number of other ‘reasonable purposes’. Some of the reasonable purposes, which were listed in the Draft Bill 2018 as well, have also been a cause for concern given that they appear to serve mostly commercial purposes, without regard for the potential impact on the privacy of the data principal.
In a notable change from the Draft Bill 2018, the PDP Bill, appears to be silent on whether these other grounds for processing will be applicable in relation to sensitive personal data (with the exception of processing in the context of employment which is explicitly barred).
The Bill also incorporates a number of traditional data protection principles in the chapter outlining the obligations of data fiduciaries. Personal data can only be processed for a specific, clear and lawful purpose. Processing must be undertaken in a fair and reasonable manner and must ensure the privacy of the data principal – a clear mandatory requirement, as opposed to a ‘duty’ owed by the data fiduciary to the data principal in the Draft Bill 2018 (this change appears to be in line with recommendations made in multiple comments to the Draft Bill 2018 by various academics, including our own).
Purpose and collection limitation principles are mandated, along with a detailed description of the kind of notice to be provided to the data principal, either at the time of collection, or as soon as possible if the data is obtained from a third party. The data fiduciary is also required to ensure that data quality is maintained.
A few changes in the application of data protection principles, as compared to the Draft Bill 2018, can be seen in the data retention and accountability provisions.
On data retention, clause 9 of the Bill provides that personal data shall not be retained beyond the period ‘necessary’ for the purpose of data processing, and must be deleted after such processing, ostensibly a higher standard as compared to ‘reasonably necessary’ in the Draft Bill 2018. Personal data may only be retained for a longer period if explicit consent of the data principal is obtained, or if retention is required to comply with law. In the face of the many difficulties in ensuring meaningful consent in today’s digital world, this may not be a win for the data principal.
Clause 10 on accountability continues to provide that the data fiduciary will be responsible for compliance in relation to any processing undertaken by the data fiduciary or on its behalf. However, the data fiduciary is no longer required to demonstrate such compliance.
Rights of Data Principals
Chapter V of the PDP Bill 2019 outlines the Rights of Data Principals, including the rights to access, confirmation, correction, erasure, data portability and the right to be forgotten.
Right to Access and Confirmation
The PDP Bill 2019 makes some amendments to the right to confirmation and access, included in clause 17 of the bill. The right has been expanded in scope by the inclusion of sub-clause (3). Clause 17(3) requires data fiduciaries to provide data principals information about the identities of any other data fiduciaries with whom their personal data has been shared, along with details about the kind of data that has been shared.
This allows the data principal to exert greater control over their personal data and its use. The rights to confirmation and access are important rights that inform and enable a data principal to exercise other rights under the data protection law. As recognized in the Srikrishna Committee Report, these are ‘gateway rights’, which must be given a broad scope.
Right to Erasure
The right to correction (Clause 18) has been expanded to include the right to erasure. This allows data principals to request erasure of personal data which is not necessary for processing. While data fiduciaries may be allowed to refuse correction or erasure, they would be required to produce a justification in writing for doing so, and if there is a continued dispute, indicate alongside the personal data that such data is disputed.
The addition of a right to erasure, is an expansion of rights from the 2018 Bill. While the right to be forgotten only restricts or discontinues disclosure of personal data, the right to erasure goes a step ahead and empowers the data principal to demand complete removal of data from the system of the data fiduciary.
Many of the concerns expressed in the context of the Draft Bill 2018, in terms of the procedural conditions for the exercise of the rights of data principals, as well as the right to data portability specifically, continue to persist in the PDP Bill 2019.
Exceptions and Exemptions
While the PDP Bill ostensibly enables individuals to exercise their right to privacy against the State and the private sector, there are several exemptions available, which raise several concerns.
The Bill grants broad exceptions to the State. In some cases, it is in the context of specific obligations such as the requirement for individuals’ consent. In other cases, State action is almost entirely exempted from obligations under the law. Some of these exemptions from data protection obligations are available to the private sector as well, on grounds like journalistic purposes, research purposes and in the interests of innovation.
The most concerning of these provisions, are the exemptions granted to intelligence and law enforcement agencies under the Bill. The Draft Bill 2018, also provided exemptions to intelligence and law enforcement agencies, so far as the privacy invasive actions of these agencies were permitted under law, and met procedural standards, as well as legal standards of necessity and proportionality. We have previously discussed some of the concerns with this approach here.
The exemptions provided to these agencies under the PDP Bill, seem to exacerbate these issues.
Under the Bill, the Central Government can exempt an agency of the government from the application of this Act by passing an order with reasons recorded in writing if it is of the opinion that the exemption is necessary or expedient in the interest of sovereignty and integrity, security of the state, friendly relations with foreign states, public order; or for preventing incitement to the commission of any cognizable offence relating to the aforementioned grounds. Not only have the grounds on which government agencies can be exempted been worded in an expansive manner, the procedure of granting these exemptions also is bereft of any safeguards.
The executive functioning in India suffers from problems of opacity and unfettered discretion at times, which requires a robust system of checks and balances to avoid abuse. The Indian Telegraph Act, 1885 (Telegraph Act) and the Information Technology Act, 2000 (IT Act) enable government surveillance of communications made over telephones and the internet. For drawing comparison here, we primarily refer to the Telegraph Act as it allows the government to intercept phone calls on similar grounds as mentioned in clause 35 of the Bill by an order in writing. However, the Telegraph Act limits the use of this power to two scenarios – occurrence of a public emergency or in the interest of public safety. The government cannot intercept communications made over telephones in the absence of these two preconditions. The Supreme Court in People’s Union for Civil Liberties v. Union of India, (1997) introduced guidelines to check abuse of surveillance powers under the Telegraph Act which were later incorporated in Rule 419A of the Indian Telegraph Rules, 1951. A prominent safeguard included in Rule 419A requires that surveillance and monitoring orders be issued only after considering ‘other reasonable means’ for acquiring the required information. The court had further limited the scope of interpretation of ‘public emergency’ and ‘public safety’ to mean “the prevalence of a sudden condition or state of affairs affecting the people at large and calling for immediate action”, and “the state or condition of freedom from danger or risk at large” respectively. In spite of the introduction of these safeguards, the procedure of intercepting telephone communications under the Telegraph Act is criticised for lack of transparency and improper implementation. For instance, a 2014 report revealed that around 7500 – 9000 phone interception orders were issued by the Central Government every month. The application of procedural safeguards, in each case would have been physically impossible given the sheer numbers. Thus, legislative and judicial oversight becomes a necessity in such cases.
The constitutionality of India’s surveillance apparatus inclduing section 69 of the IT Act which allows for surveillance on broader grounds on the basis of necessity and expediency and not ‘public emergency’ and ‘public safety’, has been challenged before the Supreme Court and is currently pending. Clause 35 of the Bill also mentions necessity and expediency as prerequisites for the government to exercise its power to grant exemption, which appear to be vague and open-ended as they are not defined. The test of necessity, implies resorting to the least intrusive method of encroachment up on privacy to achieve the legitimate state aim. This test is typically one among several factors applied in deciding on whether a particular intrusion on a right is tenable or not, under human rights law. In his concurring opinion in Puttaswamy (I) J. Kaul had included ‘necessity’ in the proportionality test. (However, this test is not otherwise well developed in Indian jurisprudence). Expediency, on the other hand, is not a specific legal basis used for determining the validity of an intrusion on human rights. It has also not been referred to in Puttaswamy (I) as a basis of assessing a privacy violation. The use of the term ‘expediency’ in the Bill is deeply worrying as it seems to bring down the threshold for allowing surveillance which is a regressive step in the context of cases like PUCL and Puttaswamy (I). A valid law along with the principles of proportionality and necessity are essential to put in place an effective system of checks and balances on the powers of the executive to provide exemptions. It seems unlikely that the clause will pass the test of proportionality (sanction of law, legitimate aim, proportionate to the need of interference, and procedural guarantees against abuse) as laid down by the Supreme Court in Puttaswamy (I).
The Srikrishna Committee report had recommended that surveillance should not only be conducted under law (and not executive order), but also be subject to oversight, and transparency requirements. The Committee had argued that the tests of lawfulness, necessity and proportionality provided for under clauses 42 and 43 (of the Draft Bill 2018) were sufficient to meet the standards set out under the Puttaswamy judgment. Since the PDP Bill completely does away with all these safeguards and leaves the decision to executive discretion, the law is unconstitutional. After the Bill was introduced in the Lok Sabha, J. Srikrishna had criticised it for granting expansive exemptions in the absence of judicial oversight. He warned that the consequences could be disastrous from the point of view of safeguarding the right to privacy and could turn the country into an “Orwellian State”. He has also opined on the need for a separate legislation to govern the terms under which the government can resort to surveillance.
Clause 36 of the Bill deals with exemption of some provisions for certain processing of personal data. It combines four different clauses on exemption which were listed in the Draft Bill 2018 (clauses 43, 44, 46 and 47). These include processing of personal data in the interests of prevention, detection, investigation and prosecution of contraventions of law; for the purpose of legal proceedings; personal or domestic purposes; and journalistic purposes. The Draft Bill 2018 had detailed provisions on the need for a law passed by Parliament or the State Legislature which is necessary and proportionate, for processing of personal data in the interests of prevention, detection, investigation and prosecution of contraventions of law. Clause 36 of the Bill does not enumerate the need for a law to process personal data under these exemptions. We hadargued that these exemptions granted by the Draft Bill 2018 (clauses 43, 44, 46 and 47) were wide, vague and needed clarifications, but the exemptions under clause 36 of the Bill are even more ambiguous as they merely enlist the exemptions without any specificities or procedural safeguards in place.
In the Draft Bill 2018, the Authority could not give exemption from the obligation of fair and reasonable processing, measures of security safeguards and data protection impact assessment for research, archiving or statistical purposes As per the current Bill, the Authority can provide exemption from any of the provisions of the Act for research, archiving or statistical purposes.
The last addition to this chapter of exemptions is that of creating a sandbox for encouraging innovation. This newly added clause 40 is aimed at encouraging innovation in artificial intelligence, machine-learning or any other emerging technology in public interest. The details of what the sandbox entails other than exemption from some of the obligations of Chapter II might need further clarity. Additionally, to be considered an eligible applicant, a data fiduciary has to necessarily obtain certification of its privacy by design policy from the DPA, as mentioned in clause 40(4) read with clause 22.
Though well appreciated for its intent, this provision requires clarification on grounds of selection and details of what the sandbox might entail.
 At the time of introduction of the PDP Bill 2019, the Minister for Law and Justice of India, Mr. Ravi Shankar Prasad suggested that over 2000 inputs were received on the Draft Bill 2018, based on which changes have been made in the PDP Bill 2019. However, these comments and inputs have not been published by MeitY, and only a handful of comments have been published, by the stakeholders submitting these comments themselves.
Huawei finds support from Indian telcos in the 5G rollout as PayPal withdrew from Facebook’s Libra cryptocurrency project; Foreign Portfolio Investors moved MeitY against in the Data Protection Bill; the CJEU rules against Facebook in case relating to takedown of content globally; and Karnataka joins list of states considering implementing NRC to remove illegal immigrants – presenting this week’s most important developments in law, tech and national security.
[Sep 30] Why the imminent global economic slowdown is a growth opportunity for Indian IT services firms, Tech Circle report.
[Sep 30] Norms tightened for IT items procurement for schools, The Hindu report.
[Oct 1] Govt runs full throttle towards AI, but tech giants want to upskill bureaucrats first, Analytics India Magazine report.
[Oct 3] – presenting this week’s most important developments in law, tech and national security. MeitY launches smart-board for effective monitoring of the key programmes, The Economic Times report.
[Oct 3] “Use human not artificial intelligence…” to keep a tab on illegal constructions: Court to Mumbai civic body, NDTV report.
[Oct 3] India took 3 big productivity leaps: Nilekani, Livemint report.
[Oct 4] MeitY to push for more sops to lure electronic makers, The Economic Times report; Inc42 report.
[Oct 4] Core philosophy of Digital India embedded in Gandhian values: Ravi Shankar Prasad, Financial Express report.
[Oct 4] How can India leverage its data footprint? Experts weigh in at the India Economic Summit, Quartz report.
[Oct 4] Indians think jobs would be easy to find despite automation: WEF, Tech Circle report.
[Oct 4] Telangana govt adopts new framework to use drones for last-mile delivery, The Economic Times report.
[Oct 5] Want to see ‘Assembled in India’ on an iPhone: Ravi Shankar Prasad, The Economic Times report.
[Oct 6] Home market gets attractive for India’s IT giants, The Economic Times report.
[Oct 2] India
Govt requests maximum social media content takedowns in the world, Inc42 report;
Tech Circle report.
Facebook can be forced to delete defamatory content worldwide, top EU court
rules, Politico EU report.
[Oct 4] EU
ruling may spell trouble for Facebook in India, The Economic Times report.
[Oct 4] TikTok,
TikTok… the clock is ticking on the question whether ByteDance pays its content
creators, ET Tech report.
[Oct 6] Why
data localization triggers a heated debate, The Economic Times report.
Sensitive Indian govt data must be stored locally, Outlook report.
Protection and Privacy
[Sep 30] FPIs
move MeitY against data bill, seek exemption, ET markets report,
Financial Express report.
[Oct 1] United
States: CCPA exception approved by California legislature, Mondaq.com report.
[Oct 1] Privacy
is gone, what we need is regulation, says Infosys Kris Gopalakrishnana, News18 report.
Europe’s top court says active consent is needed for tracking cookies, Tech
[Oct 3] Turkey
fines Facebook $282,000 over data privacy breach, Deccan Herald report.
Singapore’s ‘fake news’ law to come into force Wednesday, but rights group
worry it could stifle free speech, The Japan Times report.
Minister says Singapore’s fake news law is about ‘enabling’ free speech, CNBC report.
[Oct 3] Hong
Kong protests: Authorities to announce face mask ban, BBC News report.
[Oct 3] ECHR:
Holocaust denial is not protected free speech, ASIL brief.
[Oct 4] FIR
against Mani Ratnam, Adoor and 47 others who wrote to Modi on communal
violence, The News Minute report;
Times Now report.
[Oct 5] UN asks
Malaysia to repeal laws curbing freedom of speech, The New Indian Express report.
[Oct 6] When
will our varsities get freedom of expression: PC, Deccan Herald report.
[Oct 6] UK
Government to make university students sign contracts limiting speech and
behavior, The Times report.
[Oct 7] FIR on
Adoor and others condemned, The Telegraph report.
[Sep 30] Plea
in SC seeking linking of social media accounts with Aadhaar to check fake news,
The Economic Times report.
[Oct 1] Why
another omnibus national ID card?, The Hindu Business Line report.
[Oct 2] ‘Kenyan
court process better than SC’s approach to Aadhaar challenge’: V Anand, who
testified against biometric project, LiveLaw report.
[Oct 3] Why
Aadhaar is a stumbling block in Modi govt’s flagship maternity scheme, The
Parliament panel to review Aadhaar authority functioning, data security, NDTV report.
This week, Delhi International Airport deployed facial recognition on a ‘trial basis’ for 3 months, landline communications were restored in Kashmir as the Government mulls over certification for online video streaming platforms like Netflix and PrimeVideo – presenting this week’s most important developments in law, tech and national security.
[Sep 3] PAN will be issued
automatically using Aadhaar for filing returns: CBDT, DD News report.
[Sep 3] BJD set to collect Aadhaar
numbers of its members in Odisha, Opposition parties slam move, News 18 report; The New Indian Express report; Financial Express report.
[Sep 5] Aadhaar is secure, says
ex-UIDAI chief, Times of India report.
[Sep 5] Passport-like Aadhaar centre
opened in Chennai: Online appointment booking starts, Livemint report.
[Sep 8] Plans to link Janani Suraksha
and Matra Vandan schemes with Aadhaar: CM Yogi Adityanath, Times of India report.
[Sep 5] Digital media bodies welcome
26% FDI cap, Times of India report.
[Sep 6] Automation ‘not threat’
to India’s IT industry, ET Tech report.
[Sep 6] Tech Mahindra to modernise
AT&T network systems, Tech Circle report.
Data Protection and Governance
[Sep 2] Health data comes under the
purview of Data Protection Bill: IAMAI, Inc42 report.
[Sep 2] Credit history should not be
viewed as sensitive data, say online lenders, Livemint report.
[Sep 3] MeitY may come up with policy
on regulation of non-personal data, Medianama report.
[Sep 3] MeitY to work on a white paper
to gain clarity on public data regulations, Inc42 report.
[Sep 6] Treating data as commons is
more beneficial, says UN report, Medianama report.
[Sep 9] Indian Government may allow
companies to sell non-personal data of its users, Inc42 report, The Economic Times report.
[Sep 9] Tech firms may be compelled to
share public data of its users, ET Tech report.
Data Privacy and Breaches
[Sep 2] Chinese face-swap app Zao faces
backlash over user data protection, KrAsia report; Medianama report.
[Sep 2] Study finds Big Data eliminates
confidentiality in court judgments, Swiss Info report.
[Sep 4] YouTube will pay $170 million
to settle claims it violated child privacy laws, CNBC report; FTC Press Release.
[Sep 4] Facebook will now let people
opt-out of its face recognition feature, Medianama report.
[Sep 4] Mental health websites in
Europe found sharing user data for ads, Tech Crunch report.
[Sep 5] A huge database of Facebook
users’ phone numbers found online, Tech Crunch report.
[Sep 5] Twitter has temporarily
disabled tweet to SMS feature, Medianama report.
[Sep 6] Fake apps a trap to track your
device and crucial data, ET Tech report.
[Sep 6] 419 million Facebook users
phone numbers leaked online, ET Tech report; Medianama report.
[Sep 9] Community social media
platform, LocalCircles, highlights data misuse worries, The Economic Times report.
[Sep 7] Freedom of expression is not
absolute: PCI Chairman, The Hindu report.
[Sep 7] Chennai: Another IAS officer
resign over ‘freedom of expression’, Deccan Chronicle report.
[Sep 8] Justice Deepak Gupta: Law on
sedition needs to be toned down if not abolished, The Wire report.
Online Content Regulation
[Sep 3] Government plans certification
for Netflix, Amazon Prime, Other OTT Platforms, Inc42 report.
[Sep 4] Why Justice for Rights went to
court, asking for online content to be regulated, Medianama report.
[Sep 4] Youtube claims new hate speech
policy working, removals up 5x, Medianama report.
[Sep 6] MeitY may relax norms on
content monitoring for social media firms, ET Tech report; Inc42 report; Entrackr report.
[Sep 4] Offline retailers accuse Amazon
and Flipkart of deep discounting, predatory pricing and undercutting, Medianama
report; Entrackr report.
[Sep 6] Companies rely on digital
certification startups to foolproof customer identity, ET Tech report.
Digital Payments and FinTech
[Sep 3] A sweeping reset is in the
works to bring India in line with fintech’s rise, The Economic Times report.
[Sep 3] Insurance and lending companies
in agro sector should use drones to reduce credit an insurance risks: DEA’s
report on fintech, Medianama report.
MeitY sought views on ‘non-personal data’; India and France announce joint research consortium on AI and digital partnership after NSA-level talks; Section 144 CrPC imposed in areas of Assam anticipating unrest after the publication of the NRC list as the MHA holds a high-level security meet on Kashmir; and the tussle between MeitY and the Niti Aayog for control over the Rs. 7000 cr AI project continues – presenting this week’s most important developments at the intersection of law and tech.
[Aug 27] Aadhaar integration can weed
out fake voters: UIDAI’s Ajay Bhushan Pandey, Business Standard report.
[Aug 27] Government to intensify
Aadhaar enrolment in J&K after Oct 31: Report, Medianama report; Times Now report; The Quint report
[Aug 27] Interview: Why I filed a case
to link Aadhaar and Social Media Accounts, The Quint report.
[Aug 27] Aadhaar database cannot be
hacked even after a billion attempts: Ravi shankar Prasad, Money Control report.
[Aug 27] Most dangerous situation:
Justice Srikrishna on EC-Aadhaar linking, The Quint report.
[Aug 28] Aadhaar ads to women’s
problems in India. Here’s why. The Wire report.
[Aug 28] What Centre will tell Supreme
Court on Aadhaar and social media account linkage, The Hindustan Time report.
[Aug 28] All residents of an MP village
have the same date of birth on their Aadhaar, Business Standard report.
[Aug 29] Blood banks advised to ask for
donors’ Aadhaar cards, Times of India report.
[Aug 29] Aadhaar continues to evolve
and grow as India issues biometric seafarers’ ID, Biometric Update report.
[Aug 31] Aadhaar mandatory for farmers
to avail crop loan in Odisha, Odisha Sun Times report.
[Sep 1] NRIs to get Aadhaar sans
180-day wait in 3 months, The Hindu report.
[Sep 1] Aadhaar-liquor link to check
bottle littering? Deccan Herald report.
[Sep 1] Linking Aadhaar with social
media can lead to insidious profiling of people, says Apar Gupta, Times of
[Aug 27] NASSCOM-DSCI on National
Health Stack: separate regulatory body for health, siloed registries, usage of
single ID, Medianama report.
[Aug 27] Govt looks to develop
electronics component manufacturing base in India: MeitY Secretary, YourStory report; Money Control report.
[Aug 30] India is encouraging foreign
firms to shift biz from China: report, Medianama report; Reuters report.
[Aug 30] Wipro, Google to speed up
digital shift of enterprises, ET Telecom report.
[Aug 30] Government committed to reach
public via technology, Times of India report.
The ECI sought a legal mandate to link Aadhaar with Voter IDs; Facebook approached the Supreme Court over PILs demanding Aadhaar linkage with social media accounts; MEITY invited ‘select stakeholders’ for private consultations over the data protection bill; and a new panel to review defence procurement practices in India was constituted by the Defense Minister Rajnath Singh, who also hinted at dropping India’s no first use policy – presenting this week’s most important developments in law and tech.
[Aug 19] EC seeks statutory baking to collect voters’ Aadhaar
numbers, The Times of India report.
[Aug 19] Facebook approaches SC over Aadhaar linkage pleas, The
Deccan Herald report; Firstpost report.
[Aug 20] Aadhaar to ensure farmers, not middlemen, get benefits,
The Economic Times report.
[Aug 21] SC cautions govt on linking Aadhaar with social media, ET
[Aug 21] Election Commission writes to law ministry, seeks legal
powers to collect Aadhaar numbers for cleaning up voters’ list, Firstpost report.
[Aug 22] Aadhaar may be used to verify SECC beneficiaries, The
Economic Times report.
[Aug 23] Centre to put QR code on fishermen’s Aadhaar cards to
secure sea route: Amit Shah, The Times of India report.
[Aug 24] Aadhaar-social media linking: 10 things to know about the
ongoing issue, India Today report.
[Aug 24] Govt to allow Aadhaar-based KYC for domestic retail
investors; amendments to PMLA to be issues, Firstpost report.
[Aug 25] Linking Aadhaar with electoral rolls will create Delhi,
Mumbai Analyticas: Justice Srikrishna, The Week report.
[Aug 19] Indian companies at a disadvantage in tenders, says
Commerce ministry, Money Control report; The Times of India report.
[Aug 21] India’s IT Industry turns to flexi staffing to keep its
bench from idling, ET Tech report.
[Aug 22] Indian IT Firms step up patent filings as they look to
monetize their IP, ET Tech report.
[Aug 26] Time to revisit FTAs to fire up electronics: Ravi Shankar
Prasad, ET Rise report.
[Aug 21] Government hopes for an Ecommerce GeM, ET Tech report.
[Aug 23] Technology reforming India’s retail businesses, ET Tech report.
[Aug 22] RBI to allow e-mandates on card payments from September
1, Medianama report.
[Aug 22] Digital payment execs met Finance Ministry officials to
discuss demerits of removing MDR: report, Medianama report.
[Aug 18] US lawmakers to visit Switzerland to discuss Facebook’s
Libra, Cointelegraph report.
Internet services suspended in Kashmir; The unrest over the passage of the RTI bill continues as the president gives assent to the RTI Amendment bill. Rajya Sabha passes Unlawful Activities (Prevention) Amendment bill on Friday after days of deadlock — presenting this week’s most important developments in law and tech.
Data Protection Bill
[July 30] India to seek ‘adequacy’ status with GDPR after Data Protection Bill is passed, The Economic Times report; Medianama report.
[Aug 1] India should adopt strong data protection laws to improve data flows with EU, says envoy, The Economic Times report.
[Aug 2] Data Protection Law: Mahua Moitra alleges conflict of interests against lawyers working with govt, India Today report; The Wire report.
[Aug 5] Critical’ data list will be revised with time; move may trouble firms, ET Tech report.
Right to Information
Aug 1] Activists urge President to not give assent to RTI Bill; detained by police, Deccan Herald report; The New Indian Express report; Outlook report.
[Aug 2] ‘Use RTI to save RTI’ movement begins across the country as president Kovind gives assent to the RTI Amendment Bill, Money Life report.
National Security Law
[Aug 2] UAPA Bill passed in Rajya Sabha with 147 votes in favour, 42 against, India Today report; India Today report; The Hindu report; The Tribune analysis.
[Aug 2] CDS or NSA: A bone of contention in India’s strategic affairs, The Economic Times report.
[Aug 3] Trader arrested under National Security Act for alleged milk adulteration, NDTV report.
National Security and Free Speech
[Aug 2] Facebook takes down accounts and pages from UAE, Egypt, and Saudi Arabia, Medianama report.
[Aug 3] NIA for media gag in ‘sensitive’ Malegaon trial, The Times of India report.
[Aug 5] Omar Abdullah, Mehbooba put under house arrest, internet services snapped as Kashmir remains tense, News 18 report.
[Aug 5] Kashmir on edge: Security beefed up, restrictions imposed, Internet services suspended, many leaders ‘detained or arrested’. The Economic Times report.
[July 31] Amend law to regulate ride-hailing firms like Ola and Uber: SC tells Govt, Entrackr report.
[July 31] Bring a law to regulate Ola, Uber: SC asks Govy, ET Tech report
[July 31] CCI dismisses abuse of dominance complaint against OYO, ET Tech report; Entrackr report.
[July 31] Lok Sabha to become paperless from next session: Speaker, Times of India report.
[Aug 1] Delhi HC hears out petition demanding ban on online websites; ‘What makes you special?’ Chief Justice asks AIGF, Medianama report.
[Aug 1] EC announces revision of electoral rolls,. The Tribune report.
[Aug 5] Government to formulate broad set of rules for Ola, Uber soon, Entrackr report.
Data Privacy and Breaches
[July 29] EU court rules companies liable for data protection with Facebook ‘Like’ button, Telecom paper report.
[July 29] European Commission takes Spain, Greece to court for failing to enact data protection rules for police, Medianama report.
[July 31] Analysts flag data privacy concerns over FaceApp, ET Telecom report.
[July 31] Data breach discovered in financial services platforms Chqbook, Credit Fair by vpnMentor (full report), ET Tech report.
[July 31] Truecaller fixes bug after facing flak from users for automatic UPI signup, Entrackr report.
[Aug 1] Google halts Assistant speech data transcription in EU, The Economic Times report; POLITICO report.
[Aug 3] Apple contractors will stop listening to your Siri recordings – for now, Wired report.
[Aug 3] PIB Press release error made Aadhaar mandatory for driving license, The Quint report.
[Aug 4] Aadhaar updation centre comes up at BSNL office, The Tribune report.
[Aug 5] National Population register to include Aadhaar details, The Economic Times report; Entrackr report.
[Aug 1] Amazon may shop for stake in Reliance retail, ET Tech report; Entracke report.
[Aug 2] Biz in China not easy: IT cos tell Piyush Goyal, ET Tech report.
[Aug 1] UPI processed 822 million transactions in July, ET Tech report; Entrackr report; Medianama report.
[Aug 1] 50% dip in India’s fintech investments in H1 2019, ET Tech report.
The RTI Amendment Bill was passed by both houses of the Parliament as the Government considers relaxation in proposed data localisation requirements for foreign tech firms; crypto critiques by the Garg Committee’s proposed ban; probes and penalties in the struggle to regulate global tech giants— presenting this week’s most important developments in law and tech.
Right to Information
[July 23] Lok Sabha passes bill to amend RTI, Oppn says centre is weakening the law, Livemint report; The Economic Times report.
[July 23] Lok Sabha passes RTI Amendment Bill amid Opposition uproar; what changes have been proposed under new law, Firstpost report.
[July 24] 14 political parties from Rajya Sabha oppose the RTI amendment bill, The Economic Times report.
[July 24] Freedom of expression is under threat due to RTI Act amendments, say former Chief Information Commissioners, National Herald report.
[July 25] Rajya Sabha passes RTI amendment bill, Opposition walks out, Livemint report; India Today report; Business Standard report.
Data Protection Bill
[July 23] Personal data protection bill: IT Ministry may back storage curbs for critical, sensitive data, The Hindu Business Line report.
[July 27] Policymakers a divided lot on personal data bill provisions, ET Tech report.
[July 27] Personal data protection bill to take care of sovereign data concerns: Govt, ET Telecom report.
[July 28] Data protection bill still in limbo after 1 year; Govt refuses info, The Quint report.
[July 28] India will never compromise on its data sovereignty: Prasad, The Economic Times report; DNA India report; Firstpost report.
Data Protection and Privacy
[July 23] Equifax to pay $650 million for the 2017 data breach, Medianama report; New York Times report.
[July 24] Facebook agrees to pay record $5 billion settlement in privacy investigation, Time magazine report; NBC news report; The Economic Times report.
[July 25] Record Facebook fine won’t end scrutiny of the company, ET tech report.
[July 25] WhatsApp announces privacy investigation partnership, ET Tech report.
[July 25] WhatsApp to engage with policymakers to strengthen privacy, ET Telecom report.
[July 25] Facebook ends Microsoft, Sony access to friend data, ET Telecom report.
[July 25] Facebook warns of costly privacy changes, discloses another US probe, ET tech report.
[July 26] UK Data Protection Agency issues new guidelines for data sharing, JD Supra report.
[July 24] Only critical information may need to be housed in India, ET Tech report.
[July 24] India may tweak data privacy norms to keep only critical data in country: report, The Economic Times report; Business Today report.
[July 26] As data localisation gathers steam, RailTel goes on cloud offensive, The Hindu Business Line report.
[July 29] Big relief for foreign firms: Govt panel says no need to mirror personal data in India, Financial Express report; The Indian Express report.
[July 22] Empowering India’s hardware startups: Qualcomm signs a technical bilateral cooperation agreement with MeitY, YourStory.com report.
[July 23] TRAI wants to be country’s data czar, MeitY not keen, The Economic Times report; Money Control report.
[July 26] India’s agricultural farms get a technology lift, ET Tech report.
[July 29] India’s mid-cap IT firms caught between shrinking deals and rising costs, ET tech report.
[July 23] TikTok has removed over 60 lakh videos between July 2018 to April 2019, Medianama report.
[July 23] Why they want TikTok banned in India, Medianama report.
[July 24] Over 150 cases of fake news reported during Lok Sabha elections, says Union Minister, News18 report.
[July 24] Over 2100 URLs on social media blocked in 2019: Prasad, The Outlook report.
[July 25] Govt says porn sites blocked by Jio, Airtel and others after 3 court orders, hints watching porn not illegal, India Today report.
[July 26] Muslim hawker beaten up over Jai Shri Ram chants in Bengal, internet suspended after tension, India Today report.
[July 26] Social influencers make hay while content shines, ET Tech report.
[July 26] POCSO amendment bill expands child porn definition to ‘any visual depiction’ of sexually explicit content involving children, Medianama report.
[July 21] UIDAI to soon select adjudicating officer for inquiry in contravention cases, Money Control report.
[July 23] 100 plus e-seva centres in Chennai shut after operators lose access to Aadhaar website, Times of India report.
[July 24] Income Tax return 2019: Compulsory mention of Aadhaar in ITR, Financial Express report.
[July 24] Devendra Fadnavis joins the ‘link Aadhaar with voter IDs’ bandwagon: report, Medianama report.
[July 25] States can now use Aadhaar data for their schemes, ET Tech report; The Hindu Business Line report, Livemint report; Money Control report.
[July 25] Aadhaar linking not mandatory for activation of RuPay cards, Times Now News report.
[July 25] Aadhaar misuse surfaces in Gurugram, The Tribune report.
[July 25] Providing Aadhaar details for ‘parivar pehchan patra’ purely voluntary: Khattar, The Week report.
[July 25] All Aadhaar issues have been settled: Nandan Nilekani, The Economic Times report.
[July 26] Plea against Aadhaar-vote link filed before Delhi HC, The Telegraph report.
[July 28] Fake Aadhaar racket busted in Andhra Pradesh, The New Indian Express report.
[July 28] Linking Aadhaar with election ID would disenfranchise elderly and manual labourers: ECI told, Counterview report.
[July 22] How an in-house e-commerce platform revolutionised government procurement, ET Tech report.
[July 25] Shopping from Chinese e-tailers set to become more expensive, The Economic Times report; Entrackr report.
[July 26] Amazon engaging with Indian govt to seek stable e-commerce policy, ET Tech report.
[July 28] Government plans e-commerce boost for rural products, ET Tech report.
[July 29] Data, e-commerce laws held up as India, US talk, Hindustan Times report.
[July 26] Govt fears WhatsApp may share payment data with Facebook, others, ET Tech report.
[July 26] Digital payment firms wait for new finance secretary to discuss Merchant Discount rates (MDRs), ET tech report.
[July 27] WhatsApp’s payment service is now being tested by companies, ET Tech report.
[July 22] FINRA extends deadline for firms to report crypto activity, CoinDesk report.
The National Investigation Agency Act was amended by Parliament this week, expanding its investigation powers to include cyber-terrorism; FaceApp’s user data privacy issues; and the leaked bill to ban cryptocurrencies— presenting this week’s most important developments in law and tech.
[July 15] Govt plans Aadhaar based identification of patients to
maintain health records, Live Mint report;
The Indian Express report.
[July 15] Petition in Delhi HC seeking linking of Aadhaar with
property documents, Live Mint report.
[July 15] Government stops verification process using Aadhaar for
driving license, The Economic Times report.
[July 15] Government stops verification process
using Aadhaar for driving license: Nitin Gadkari, ET Auto report.
[July 18] Will Aadhaar interchangeability for
ITR make PAN redundant? Live Mint report.
[July 18] Govt floats idea for Aadhaar-like
database for mapping citizen health, Business Standard report;
Money Control report;
[July 19] Linking Aadhaar with Voter ID—
Election Commission to decide within weeks, The Print report;
India Legal analysis.
[July 21] Mumbai man fights against linking
Aadhaar to salary account, The Quint report.
[July 21] Violating SC rules, matrimonial site
sells love, marriage using Aadhaar data, National Herald report.
[July 22] Large cash deposits may soon need
Aadhaar authentication, Times of India report;
Money Control report.
Right to Information
[July 19] Bill to amend RTI law introduced in
Lok Sabha amid opposition, India Today report.
[July 18] Ajaz Khan of Big Boss fame arrested
by Mumbai Police for TikTok video, The Asian Age report;
DNA India report.
[July 19] Guwahati HC grants anticipatory bail
to poets accused of writing communally charged poetry on Assam citizenship
crisis, Live Law report.
[July 16] MeitY to finalise Intermediary
Liability rules amendment by month end, Medianama report;
Data Protection and Data Privacy
[July 17] Canada probing data theft at military
research center: reports, Business recorder report.
[July 17] BJP raises issue of privacy breach by
tech devices in Rajya Sabha, BJD demads more funds, News 18 report.
[July 17] TMC MPs protest outside Parliament in
Delhi, demand to bring Data Protection Law, DNA India report.