All Posts | Sep 18,2019

Concerns with undisclosed and selective consultation on the Draft Personal Data Protection Bill, 2018

On August 25, 2019, the Ministry of Electronics and Information Technology (MeitY) held an undisclosed and selective consultation on the Draft Personal Data Protection Bill, 2018. In our joint letter to MeitY we urge the government to abide by the democratic process of public consultation. We request MeitY to hold a fresh public consultation, giving all stakeholders an equal opportunity to present their comments. View our joint letter to MeitY here.

All Posts | Sep 02,2019

Follow-up Comments on the Consultation on Draft Personal Data Protection Bill, 2018

On August 20, 2019 we learned that the Ministry of Electronics and Information Technology (MeitY) was conducting a follow-up consultation on the draft Personal Data Protection Bill, 2018 with selective stakeholders. MediaNama published the list of questions that had been sent by MeitY to these stakeholders. We sent in our responses for these questions. A copy of our submission can be accessed below. Our previous submission on the Bill is available at https://privacy.sflc.in/our-comments-draft-data-protection-bill/ .

All Posts | Apr 01,2019

Our Comments to DPIIT on the Draft National E-commerce Policy

On 23rd February, 2019, the Department for Promotion of Industry and Internal Trade (“the DPIIT”) released the Draft National E-Commerce Policy (“the Draft Policy”) with the objective to help stakeholders fully benefit from opportunities arising from the progressive digitization of the domestic digital economy and establish a level playing field for all stakeholders in the digital economy.

Though titled the ‘National E-Commerce Policy’, the document addresses a wide range of subjects, such as data protection and ownership, cross-border data flow, foreign investment, tax, competition issues, intellectual property and intermediary liability, among other things. These issues affect a number of stakeholders and industries in addition to e-commerce websites and their consumers.

Our comments, inter alia, address issues with the Draft Policy such as the jurisdiction of the DPIIT, data ownership and sovereignty, data localisation, intermediary liability and law enforcement access to data. Our detailed comments are as follows:

All Posts | Jan 08,2019

FAQ on Draft Amendment of Intermediary Guidelines Rules in India

The Central Government notified the Information Technology (Intermediaries Guidelines) Rules, 2011 in April, 2011. A draft amendment of these Rules has been issued by the Ministry of Electronics and Information Technology (MeitY), ostensibly for dealing with the fake news and misinformation problem. However, the Rules could result in weakening the security and privacy of apps and websites and erode the safe harbour protection available to intermediaries. MeitY is seeking comments to the Draft Rules by 15 January 2019.

This FAQ aims at making these Draft Rules easy to understand and at making various stakeholders aware of the problems with the draft Rules.

Who are Intermediaries?

Intermediaries are entities that provide services enabling the delivery of online content to the end user. Let us look at the players involved in this chain:

Internet Service Providers (ISPs) – ISPs like Airtel and MTNL help users to get connected to the Internet by means of wired or wireless connections.

Search engines – These are websites like Google and Bing that help users to search for specific information on the web. They provide links to websites that have content relevant to the search terms given by the user.

DNS providers – These service providers translate domain names (e.g. www.sflc.in) to addresses (e.g. 13.126.242.41) that can be understood by computers.

Web hosts – These are service providers like GoDaddy.com that provide space on servers to place files for various websites so that these sites can be accessed by users.

Interactive websites – This includes social media sites like Facebook and Twitter that act as platforms to store and retrieve content, blogging platforms like Blogspot and Wordpress, auction sites like eBay, and payment gateways like PayPal. The pictorial representation gives an overview of the intermediaries involved in a common Internet transaction.

Cyber Cafes – It means any facility from where access to the Internet is offered by any person in the ordinary course of business to the members of the public. The Information Technology Act, 2000 includes cyber cafes also under the ambit of the definition of intermediaries.

Internet flow chart

What is Intermediary Liability?

Interactive websites like blogging platforms, messaging apps, social media and e-auction sites host / transmit user-generated content. Cyber cafes, free WiFi providers and telecom companies such as providers of broadband and mobile data act as a mere pipeline for people to access the Internet. Sometimes content posted by users could be illegal, like content infringing on someone's copyright or pornographic content. The intermediaries who host / transmit this content could also be held liable for the content if they do not satisfy the conditions for gaining immunity from such liability laid down by the law.

What is meant by ‘Safe Harbour Protection’?

The intermediaries like telecom service providers, cyber cafes, web hosts, social networking sites and blogging platforms provide important tools and platforms that allow users to access the Internet, host content, share files and transact business. Websites like Blogspot, Youtube and Facebook only provide a platform for users to post their content, and do not have any editorial control over this content.

Governments across the world realised that these intermediaries must be given protection from legal liability that could arise out of illegal content posted by users, considering the importance of these intermediaries in the online space and the fact that their mode of operation was quite different from the traditional brick-and-mortar businesses. Countries like the USA, members of the European Union and India provide protection to intermediaries from such user generated content. Such protection is often termed as a 'safe harbour' protection.

Do Intermediaries enjoy Safe-Harbour Protection in India?

Yes, Section 79 of the Information Technology Act, 2000 gives the intermediaries protection from liabilities that could arise out of any legal action initiated on the basis of user generated content.

The safe harbour protection available to intermediaries is conditional upon their observing “due diligence” while discharging their duties and observing guidelines issued by the Government in this regard.

These guidelines have been issued in the form of the Information Technology (Intermediary Guidelines) Rules, 2011. The Ministry of Electronics and Information Technology is now proposing an amendment of these Rules by issuing the Draft Rules. Under the new draft, the roles and responsibilities of intermediaries will be widened, and in turn, the rights of users will be reduced.

How do the Draft Intermediary Rules Operate?

The new intermediary guidelines mandate the intermediaries to impose a set of rules and regulations on users like you and me. The terms of such regulations include a broad list of categories of content which should not be posted by users.

Up until March 2015, any person aggrieved by any content on the Internet could ask the intermediaries to take down such content. Intermediaries were obliged to remove access to such content within a period of 36 hours from the time of receipt of the complaint. These provisions were read down by the Hon’ble Supreme Court in Shreya Singhal v Union of India and it was held that content needs to be taken down only when directed by a Court order or by the appropriate Government.

As per the Draft Rules, intermediaries are obliged to take down the content on receipt of a court order or a direction from the Government or an agency of the Government within a period of 24 hours. The intermediaries which do not comply with a take-down order lose safe harbour under the Information Technology Act, 2000.

Rules in a nutshell for Intermediaries:

Do’s

  1. Publish Rules / Privacy Policy.

  2. Inform users monthly that their services could be terminated if they don’t comply with the Rules and Privacy Policy.

  3. Assist Government agencies within 72 hours of receiving a request and enable tracing of the originator of unlawful information. An originator is the person who first sent a message, image, audio, video or file.

  4. Follow reasonable security practices as prescribed in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011.

  5. For an intermediary with more than 50 lakh users:

    1. Incorporate as a Company in India

    2. Have a permanent office in India

    3. Appoint a nodal person for coordination with Law Enforcement

  6. On receiving court order/ notification from a Government agency, remove unlawful information within 24 hours.

  7. Preserve unlawful information for 180 days or a longer period as required.

  8. Deploy automated tools to remove unlawful information.

  9. Report cyber security incidents to CERT.IN.

  10. Publish name of Grievance Officer.

  11. Strictly follow provisions of the IT Act or any other laws in force.

Don’ts

  1. Don't knowingly host prohibited content.

  2. Don’t initiate transmission, select receiver or modify information.

  3. Don’t deploy or install or modify the technical configuration of computer resource which may change or has the potential to change the normal course of operation of the computer resource.

What is the kind of content that is restricted under the Rules?

You cannot host information that is:

  • grossly harmful,

  • harassing,

  • blasphemous,

  • defamatory,

  • obscene,

  • pornographic,

  • paedophilic,

  • libellous,

  • invasive of another's privacy,

  • hateful, or racially, ethnically objectionable,

  • disparaging,

  • relating to or encouraging money laundering or gambling,

  • or otherwise unlawful in any manner whatever,

  • harms minors in any way, or

  • infringes any patent, trademark, copyright or other proprietary right.

  • violates any law for the time being in force;

  • deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;

  • threatens public health or safety; promotion of cigarettes or any other tobacco products or consumption of intoxicant including alcohol and Electronic Nicotine Delivery System (ENDS) & like products that enable nicotine delivery except for the purpose & in the manner and to the extent, as may be approved under the Drugs and Cosmetics Act, 1940 and Rules made thereunder;

  • threatens critical information infrastructure.

These terms are so confusing. Are they defined anywhere?

That's a little complicated! The terms describing unlawful content are very ambiguous and most of these are not defined either in the Rules or in the IT Act, 2000. In fact many of these terms are not defined in any statute.

So, you are saying that we do not know what these terms mean? Doesn't the normal English language meaning apply to them?

The basic principle of law is that it requires certainty. We need to be told exactly what is allowed and what is prohibited in our country. In fact, the Hon’ble Supreme Court had struck down Section 66A of the Information Technology Act, 2000, as the terms used in the provisions were ambiguous and vague. This prohibited list includes terms like defamatory, obscene, harassing or infringes any patent, trademark, copyright or other proprietary right amongst others. These terms can mean different things to different people. What is obscene to a certain set of persons may be art to another. What is defamatory for one person may be political satire for others. Proving infringement of proprietary rights is to be done by the Judiciary with the help of experts and businesses cannot be closed down merely on the basis of suspicion or whims.

We are running a start-up which provides an interactive service to users using a website and an app. Do these Rules affect us?

The Rules will bind all intermediaries as defined by the IT Act, 2000, once they are notified. Rule 3(7) of the Draft Rules mandates that the intermediary shall be a company incorporated under the Companies Act. This is applicable only to those intermediaries that have more than 50 lakh users in India or are in the list specifically notified by the Government. Such companies should also have a permanent registered office in India with a physical address and should appoint a nodal person of contact and an alternate senior functionary for 24 X 7 coordination with law enforcement agencies.

O.K. I am bored and I am not sure if these Rules affect me anyway.

Well! Watch what you post next time as your status update, as it might offend someone, or the automated tool deployed by the intermediary could find the content to be illegal, resulting in the intermediary terminating your services. In addition to regulating content, the Rules also deal with the government's power to access user information from the intermediary.

The Rules mandate intermediaries to cooperate with government agencies and provide information to them for the purpose of verification of identity, or for prevention, detection, investigation, prosecution etc when a request has been made by the agency in writing. This power granted to the Government agencies does not have any system of checks and balances to safeguard the interests of users.

The Rules also mandate the intermediaries to inform the users that their services can be terminated if they violate the terms of service. So you are left to the mercy of the intermediaries. Whether they want you to access the Internet or not is their prerogative, not yours! This provision could have far more serious consequences than the three strikes legislation that has been introduced in countries like France, South Korea and Taiwan.

In short, this will lead to:

  • censorship of content.

  • curtailment of your freedom to express opinions

  • violation of your right to privacy as the intermediaries could be forced to part with user information without any checks and balances.

  • a right for intermediaries to arbitrarily disconnect services of users.

Enough of this technical and legal jargon. Just tell me what can I do.

The Government is accepting comments on these draft Rules till January 15th and Counter comments are accepted till January 28th, 2019. Comments / suggestions may be sent to gccyberlaw[at]meity[dot]gov[dot]in, pkumar[at]meity[dot]gov[dot]in or dhawal[at]gov[dot]in

You could also blog about the Rules, write articles in media and be involved in activities that would raise awareness about the issue.

All Posts | Jan 07,2019

Over 14000 Websites Blocked By MEITY

There has been a considerable spike in the number of websites/URLs being blocked from public access. Concerns about internet censorship cover inadequate safeguards, disproportionate blocking and ambiguous blocking orders.

The Ministry of Electronics and Information Technology (MeitY), in its reply to an RTI application filed by SFLC.in, has stated that the ministry blocked 14221 websites/URLs between 2010 and 2018 under Section 69A of the IT Act, 2000. The Ministry refused to provide the names and URLs of websites blocked in 2018 and copies of blocking orders issued in 2018, taking refuge under Section 8(1)(a) of the RTI Act read with Section 69A of the IT Act and the Rules under them.

Section 69A of the Information Technology Act, 2000 mentions that the Central Government or an officer authorized by it may, through a speaking order recorded in writing, block public access to information on a computer resource, by directing any agency of government or intermediary. Such public access is blocked when it is necessary ‘in the interest of sovereignty and integrity of India, defense of India, security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above’.

The section also provides for establishing a procedure and safeguards subject to which such blocking of access is to be carried out. Pursuant to this, the Central Government notified ‘The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009’.

A copy of the RTI reply has been published below.

All Posts | Jan 02,2019

The Aadhaar and Other Laws (Amendment) Bill, 2018

Today, the Central Government introduced The Aadhaar and Other Laws (Amendment) Bill, 2018 in the Lok Sabha. The Bill seeks to amend the Aadhaar Act, 2016 to comply with the conditions set out in the Aadhaar judgment of the Supreme Court (Justice KS Puttaswamy v. UOI) [WP (Civil) No. 494 of 2012] and to amend the Indian Telegraph Act, 1885 and the Prevention of Money-Laundering Act, 2002 to introduce voluntary linking of Aadhaar details with mobile connections and bank accounts.

For key highlights of the Aadhaar judgment, you may click - here and for reporting unwarranted requests of linking Aadhaar, you may click - here.

A copy of the Aadhaar and Other Laws (Amendment) Bill, 2018 may be accessed here:

All Posts | Dec 24,2018

Technology Policy Developments in India: 2018

As we tread towards the end of 2018, SFLC.in brings you a summary of tech-policy developments for the year. We at SFLC.in participated in some interesting technology policy initiatives in 2018. After the Right to Privacy judgment and the EU GDPR, India this year saw extensive activity on the tech-policy front: TRAI submitted its recommendations on privacy, the B.N. Srikrishna Committee presented the draft of the first Personal Data Protection Bill, and the much-awaited Aadhaar verdict was delivered by the Constitution bench. Apart from these, the sphere saw various other initiatives, which can be summarized as follows:

Item No. 1

Date: April 25, 2018

Policy Initiative/ Document: Social Media Communications Hub (SMCH)

Description: The Ministry of Information and Broadcasting released a bid document (“SMCH Bid Document”) stating its intent to establish a Social Media Communication Hub, which would enable processes such as analyzing large volumes of data across diverse digital platforms in real time, comprehensive analytics, and monitoring and analyzing social media communications.

The proposal was challenged in the Supreme Court by Trinamool Congress MP, Mahua Moitra.

The project was subsequently withdrawn by the Government, as informed by the Attorney General, Mr. K.K Venugopal, on August 3, 2018.

SFLC.in live tweeted the developments in the matter. There were multiple points of concern regarding the SMCH Bid Document; a few of the issues are highlighted here: https://sflc.in/social-media-communications-hub-privacy-nightmare

Item No. 2

Date: May 1, 2018

Policy Initiative/ Document: Draft National Digital Communications Policy

Description: The Department of Telecommunication released the draft with the objective of inviting public comments/ inputs to make the National Digital Communications Policy-2018 a robust document and an enabler for achieving the desired goals. Stakeholders' comments were invited until 1st June 2018.

The Draft Policy is quite broad in recognizing and outlining various issues that have an impact on communications networks in India. Significant issues that were highlighted include access to the Internet, net neutrality, and data protection and privacy, to name a few.

SFLC.in analysed the policy and submitted its comments based on its extensive research on issues of access and open source software.

Item No. 3

Date: May 22, 2018

Policy Initiative/ Document: Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018

Description: Salient Features:

  1. All organisations having a “Protected System” (U/s 2(k); primarily covers government organisations) shall constitute an Information Security Steering Committee (ISSC) under the chairmanship of the CEO/MD/Secretary.

  2. The mandate of the ISSC includes approving information security policies of Protected Systems; setting mechanisms for timely communication of cyber incidents; sharing information security audits etc.

  3. Nominate a Chief Information Security Officer (CISO) as provided in the “Guidelines for Protection of Critical Information Infrastructure”.

  4. Establish, monitor and continually improve the Information Security Management System (ISMS) of the Protected System.

Item No. 4

Date: June 4, 2018

Policy Initiative/ Document: NITI Aayog published India’s strategy document on Artificial Intelligence

Description: The document was published by NITI Aayog on June 4, 2018. It identified 5 priority sectors for leveraging AI: Healthcare, Agriculture, Education, Smart Cities and Infrastructure, and Smart Mobility and Transportation. Besides, it deliberated on challenges and on ethical, privacy and security issues related to AI, and on skill development.

SFLC.in's analysis can be found here - https://sflc.in/welcome-ai-indian-governments-ambitious-policy-proposal

CEO Amitabh Kant informed that a task force would be set up for speedy implementation of the suggestions, including setting up COREs (centres of research excellence) and ICTAIs (international centers of transformational AI).

Item No. 5

Date: July 16, 2018

Policy Initiative/ Document: Telecom Regulatory Authority of India (TRAI) issued: Recommendations on "Privacy, Security and Ownership of Data in the Telecom Sector".

Description: TRAI had suo motu issued recommendations on "Privacy, Security and Ownership of Data in the Telecom Sector". The recommendations analyse whether the current data protection framework is adequate. They deal with certain important issues such as control over data, data security, cross border data transfers, consent, data minimization and encryption, among others.

The DoT stated that they would currently not take up these recommendations, and they referred the same to the B.N Srikrishna Committee.

SFLC.in actively participated in both rounds of the consultation process. Comments and counter-comments to the TRAI consultation may be accessed at: https://privacy.sflc.in/our-comments-on-the-trai/ & https://privacy.sflc.in/our-counter-comments-on-the-trai-consultation-paper-on-privacy-security-and-ownership-of-data-in-the-telecom-sector/

Item No. 6

Date: July 27, 2018

Policy Initiative/ Document: The Personal Data Protection Bill, 2018

Description: The Bill has recognized the right to privacy as a fundamental right and protection of personal data as an essential facet of informational privacy. It provides for data protection obligations such as purpose and collection limitation and a notice and consent regime; provides stricter consent requirements for sensitive personal data and personal data of children; sets up an enforcement and grievance redressal mechanism; and contains various other provisions related to data protection. However, there are certain issues with the Bill as well. These include data localisation, lack of independence of the Data Protection Authority of India, wide exemptions, online surveillance, and independence of data protection officers, among others.

SFLC.in’s contribution: The team submitted comments on the draft bill, which may be accessed at: https://privacy.sflc.in/our-comments-draft-data-protection-bill/.

Item No. 7

Date: July 27, 2018

Policy Initiative/ Document: Justice BN Srikrishna Committee Report

Description: The Personal Data Protection Bill, 2018 came along with the J. BN Srikrishna Committee Report. Its key focus areas include consent and notice; data ownership and user rights; data processing; data protection officers/authority; jurisdiction and data localisation; protection against surveillance etc. The committee invited public comments until January 2018.

SFLC.in’s Contribution: SFLC.in was at the forefront of public consultations and submitted comments. Prior to submitting the comments, the team organized a series of round-table discussions in Delhi, Mumbai, Bangalore and Kochi to understand the perspective of various stakeholders. A report of these events is located at: https://sflc.in/summary-report-series-discussion-personal-data-protection-bill-2018.

Item No. 8

Date: July 31, 2018

Policy Initiative/ Document: DoT’s approval of TRAI’s recommendations on Net Neutrality

Description: TRAI released its recommendations on Net Neutrality in November, 2017. These included:

  1. Prohibiting discriminatory treatment of content, and updating license agreements for ISPs to incorporate principles of non-discriminatory treatment of content.

  2. Setting up a multistakeholder watchdog under DoT for enforcing net neutrality; website blocking by government/court orders kept outside the ambit; IoT kept within the ambit of net neutrality.

In July, 2018, the Telecom Commission approved these recommendations.

Item No. 9

Date: Sept 26, 2018

Policy Initiative/ Document: Justice K.S. Puttaswamy (Retd) & Anr. vs. UOI & Ors. (CWP 494 (2012)) (Aadhaar Judgment)

Description: The Supreme Court delivered its much awaited judgment in the Aadhaar case, wherein it upheld the constitutionality of the Aadhaar Act, 2016 barring a few provisions on disclosure of personal information, cognizance of offences and use of the Aadhaar ecosystem by private corporations.

Major features of the judgment can be accessed here: https://sflc.in/key-highlights-aadhaar-judgment. FAQ on the Aadhaar judgment: https://sflc.in/faqs-aadhaar-judgment

Item No. 10

Date: November 28, 2018

Policy Initiative/ Document: State of Rajasthan Government: No more Internet Shutdowns for prevention of cheating in examinations.

Description: A Public Interest Litigation challenging orders that were promulgated to impose Internet Shutdowns in Rajasthan to prevent cheating in examinations was filed at the Jodhpur High Court, located in the State of Rajasthan, on 25th July 2018.

The Home Department of Rajasthan submitted an additional affidavit stating that the suspension of Internet services for conducting examinations does not fall within the ambit of ‘public safety’ or ‘public emergency’ as provided under the Temporary Suspension of Telecom Services Rules, 2017. In the light of the said affidavit filed by the State of Rajasthan, a division bench comprising Justice Sangeeta Lodha and Justice Dinesh Mehta disposed of the matter on Wednesday, 28th November 2018.

Read more at: https://sflc.in/home-department-state-rajasthan-no-more-internet-shutdowns-prevention-cheating-examinations

Item No. 11

Date: December 20, 2018

Policy Initiative/ Document: Ministry of Home Affairs notified certain competent authorities under sub-section (1) of Section 69 of IT Act 2000.

Description: In exercise of the powers conferred by sub-section (1) of Section 69 of IT Act 2000 read with rule 4 of the IT Rules 2009, the Ministry of Home Affairs notified the following authorities as competent authorities:

Intelligence Bureau, Narcotics Central Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, CBI, NIA, RAW, Directorate of Signal Intelligence, & Commissioner of Police, Delhi.

All Posts | Jul 30,2018

Brief Analysis of The Personal Data Protection Bill, 2018

On 27 July 2018, the nine-member expert committee headed by Justice B.N. Srikrishna submitted its Report along with a draft bill titled The Personal Data Protection Bill, 2018 (“the Bill”) to the Ministry of Electronics and Information Technology (MeitY). The Report and the Bill are a result of a process that began last year, including internal meetings and a public consultation by the expert committee through a whitepaper. We, along with many other stakeholders, submitted our comments to the whitepaper in January 2018. (more…)

All Posts | Jul 28,2018

Summary of the Personal Data Protection Bill, 2018

This is a summary of the key provisions of the Personal Data Protection Bill, 2018 (“the Bill”/ “the Act”). The Bill has been divided into 15 Chapters. It is composed of 112 Sections, with 2 schedules and 4 recitals. According to Section 1 of the Bill, the law shall apply to the whole of India. (more…)