Logo

Defender of your Digital Freedom

All Posts | Mar 31,2020

Joint Letter to the Central and State Governments on Unwarranted, Excessive, Collection and Processing of Personal Data of Individuals during the ongoing COVID-19 Pandemic

March 31, New Delhi: Delhi-based non-profit legal services organization SFLC.IN along with a coalition of non-profit organisations, civil society groups, lawyers, public policy professionals, technologists, social activists, entrepreneurs, and citizens voice their concerns urging the government to resort to strict legal measures to regulate and supervise the collection, and subsequent processing of personal data of individuals during the ongoing COVID-19 pandemic. A joint letter was sent to Shri Amit Shah, Home Minister, Shri Harsh Vardhan, Minister of Health and Family Welfare, Shri Ravi Shankar Prasad, Minister of Electronics and Information Technology, as well as heads of various State Governments urging them to process the personal data of individuals within the territory of India, and conduct the monitoring of persons, only as per the law laid down through various judgments of the Supreme Court of India and the norms and principles enunciated therein. Any unwarranted, excessive, collection and processing of personal data can cause irreversible harms or violations of informational and bodily privacy of an individual. The organisations who have signed are CCAOI, Digital Empowerment Foundation, Free Software Movement of India, Internet Democracy Project, Internet Freedom Foundation, Internet Society-Delhi Chapter, IT For Change, SFLC.in and Swathanthra Malayalam Computing. Prasanth Sugathan, Voluntary Legal Director, SFLC.in said that “Central and State Governments are taking various steps like publishing information of patients and persons under quarantine and are coming out with apps that collect and process personal information. Although this is an extraordinary situation, care should be taken to ensure that the personal information of individuals are handled securely and with due care respecting their privacy rights. Any measure adopted for public health purpose should be the least intrusive and should not violate the privacy rights of individuals. Publishing of route maps and contact tracing should be done without publishing the personal details of patients” The letter highlights the following principles that the governments should follow while processing data during the ongoing Covid-19 Pandemic: Time-Limited: All measures related to the public emergency response to COVID-19 should be temporary in nature and limited in scope and should not become permanent features of governance. The personal data collected for the purpose of public health should only be retained during the response to the pandemic and deleted automatically without maintaining any copies, once the pandemic has been declared to be over. Necessity and Proportionality: Any collection, processing of personal data, including health data, shall be necessary and proportionate for the purpose of combating the pandemic and public health. In some states the list of persons who are under quarantine have been made public in the guise of public monitoring. This is excessive and a disproportionate invasion into the privacy of the individuals under quarantine. Transparency and Accountability: Processing of personal data must be conducted transparently, and appropriate notices must be provided about use, collection and purpose in an easy to read, plain language format. Individuals must be informed as to the volume, extent, and purpose of the personal data belonging to them being collected, processed, stored or transferred to any person. Use Restrictions: No use of the data unconnected to public health should be allowed. Use of such data for advertisement and commercial purposes unrelated to public health should be completely prohibited. No discrimination shall be meted out to individuals in the collection and processing of personal data during this pandemic and such personal data shall not be used to discriminate any individual in the future. Security:Security protections for data processing during the Covid-19 pandemic should not be compromised and the data must be maintained securely and must be exchanged only through secure platforms and hardware.  Any apps related to COVID-19 promoted by the Government should be secure and their data collection should be in tune with the principles mentioned herein. No Surveillance without Due Process:Any surveillance required to respond to the pandemic should be temporary and only to the extent and degree allowed by provisions of the Indian Telegraph Act, 1885 and the Information Technology Act, 2000 and the rules notified under these statutes. Any surveillance pursuant to the aforementioned statutes and other relevant laws such as the Epidemic Diseases Act, 1987, and the Code of Criminal Procedure, 1973 used for the monitoring of individuals during this pandemic are subject to judicial review. About SFLC.IN SFLC.IN is a donor-supported legal services organisation that brings together lawyers, policy analysts, technologists, and students to protect freedom in the digital world. SFLC.in promotes innovation and open access to knowledge by helping developers make great Free and Open Source Software, protect privacy and civil liberties for citizens in the digital world by educating and providing free legal advice and help policy makers make informed and just decisions with the use and adoption of technology. For further communication: Prasanth Sugathan Voluntary Legal Director, SFLC.IN prasanth @sflc.in +91 9013585902

All Posts | Dec 11,2019

Key Changes in the Personal Data Protection Bill, 2019 from the Srikrishna Committee Draft

Key Changes in the Personal Data Protection Bill, 2019 from the Srikrishna Committee Draft

The Personal Data Protection Bill, 2019 (“the PDP Bill, 2019)” was tabled in Parliament on December 11th, 2019. The PDP Bill, 2019 has brought in some new clauses – compliance obligations for social media companies and enhanced State power to exempt any government agency from the purview of the Bill; relaxed some existing provisions – done away with mandatory mirroring requirements for all personal data and done away with certain offences for transferring/ selling personal data; and in some cases removed extant requirements such as the creation of the Data Protection Funds, as compared to the Draft Personal Data Protection Bill, 2018, which was released last year.

Some of the key changes brought in by the PDP Bill, 2019 are as follows:

  1. Social Media Intermediaries and voluntary verification of accounts (Sec. 26 and 28 of the Bill)

The PDP Bill, 2019 extends the obligations of significant data fiduciaries to another class of entities called the social media intermediaries (“SMIs”). The Bill defines SMIs to mean intermediaries who primarily/ solely enable online interaction between two or more users and allow them to create, upload, share, disseminate, modify or access information using its services (it specially excludes entities like – e-commerce platforms, TSPs/ ISPs, search engines, cloud service providers, online encyclopedias, and email services from the definition of SMIs). Another qualification for an entity to be an SMI is – the likelihood or actual impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India [see Sec. 26(4)].

In addition to obligations such as – data protection impact assessments (Sec. 27), maintenance of records (Sec. 28), audit of policies (Sec. 29), and appointment of a data protection officer (Sec. 30), which are applicable to all significant data fiduciaries, SMIs are required to provide an option to users (registering from India or using the services in India) for voluntary verification of their accounts [the methods of such voluntary verification will be notified by the Central Government as per Sec. 93(1)(d) of the Bill]. Verified user accounts will be marked with a demonstrable verification mark [See Sec. 28(4)]. As per Sec. 29, data auditors are required to evaluate SMIs for timely implementation of their obligations under account verification norms.

Social media verification requirements are misplaced in data protection legislation. As under existing provisions [see Sec. 26(1)] social media companies could easily fall under the ambit of significant data fiduciaries, the only basis for this distinct classification could be to introduce account verification mechanisms. This new concept of verification of social media accounts does not belong in a comprehensive data protection regulation and must be removed.

  1. Central Government can Exempt any Government Agency from the Bill (Sec. 35 of the Bill)

Sec. 42 of the Draft Personal Data Protection Bill, 2018 (“the Srikrishna Bill”) allowed access of personal data to the Government for security purposes based on principles of necessity and proportionality and on the basis of authorisation under law. The provision for Government access to personal data under the PDP Bill, 2019 (Sec. 35) is wider, gives the Central Government power to exempt any government agency from the purview of the Bill (all or select provisions) and does not codify the principles of necessity and proportionality as determinants to access.

Sec. 35 of the PDP Bill, 2019 effectively enhances existing surveillance powers of the government and gives the State over arching authority to access personal data. This provision enables government surveillance projects like the NATGRID, CMS, and the nationwide facial recognition program, effectively enabling the Government to collect and process any category of personal data per their requirements. Even the Srikrishna Committee Report recognised that unfettered access to the Government of personal data, without adherence to established safeguards (such as necessity and proportionality as expounded in the privacy judgment of the Supreme Court – Puttaswamy) is potentially unconstitutional. Granting access of personal data to the Government, without appropriate safeguards and judicial oversight is against established constitutional principles and should not form part of the PDP Bill, 2019.

  1. Dilution of Data Localisation Requirements (Sec. 33 and 34 of the Bill)

The mandatory requirement for storing a mirror copy of all personal data in India as per Sec. 40 of the Srikrishna Bill has been done away with in the PDP Bill, 2019. Localisation requirements are only on sensitive and critical personal data (stored in India with conditions for transfer overseas). Critical personal data may only be processed in India [See Sec. 33(2)]. Sensitive personal data (“SPD”) may be transferred outside India based on explicit consent and a) if the transfer is made per a contract or intra-group scheme (approved by the data protection authority); or b) Central Government allows transfer to a country, entity or international organization; (requisite safeguards for protection of such personal data are prescribed under these provisions) or c) data protection authority may allow a transfer of SPD for specific purposes.

Similarly, for critical personal data, transfers may be allowed for health or other emergency services or where the Central Government approves transfers to a country, entity or international organization.

Though, removing the mandatory mirroring requirement is an appropriate change, users/ data principals should be given rights over where they wish to store their personal data and the State should not impose restrictions on transfer of such data, specially once explicit consent has been given.

  1. The Right to Erasure (Sec. 18 of the Bill)

The Srikrishna Bill did not contain a right to erasure, even under the right to be forgotten (“RTBF”) (See Sec. 27 of the Srikrishna Bill). The PDP Bill, 2019 has brought the right to erasure alongside the right to correction of personal data [See Sec. 18(1)(d)]. The data principal may request data fiduciaries for a right to erasure of personal data when such data is no longer necessary for the purpose of processing. Data fiduciaries may refuse such requests for erasure, but data principals may require fiduciaries to take reasonable steps to indicate, alongside the relevant personal data, that the same is disputed by them.

This is a good inclusion as it enhances data principal rights to request the erasure of data which is no longer needed for the purpose of processing. Such a right was missing from Srikrishna Bill. A right to erasure should also be incorporated under the RTBF (under Sec. 20 of the PDP Bill, 2019), as presently, RTBF only includes a right to non-disclosure and not erasure.

  1. Removal of Judicial Member from Selection Committee Recommending Members to the Data Protection Authority (Sec. 42 of the Bill)

The PDP Bill, 2019 has removed the inclusion of a judicial member (the Chief Justice of India or another Supreme Court Judge) from the selection committee which is empowered to give recommendations to the Central Government for the appointment of members of the Data Protection Authority (“the DPA”) [the Srikrishna Bill included a judicial member in the selection committee - see Sec. 50(2) of the Srikrishna Bill]. Now, as per Sec. 42(2) of the PDP Bill, 2019, the selection committee will comprise of – a) the Cabinet Secretary (who’s also the Chairperson); b) Secretary, Department of Legal Affairs; and c) Secretary, Ministry of Electronics and Information Technology.

The DPA is completely dependent on the Central Government for its formation and membership. Considering that the PDP Bill, 2019 applies to the Government agencies as well, the regulatory body, which is tasked with enforcement of the Bill, is not independent from the State.

To ensure the independence of the DPA, there should be sufficient involvement of judicial members in the selection committee as well as in the DPA. This will guarantee judicial review and will quell concerns of conflict of interest.

  1. Central Government can direct Data Fiduciaries to share Anonymized Personal Data/ Non- Personal Data (Sec. 91 of the Bill)

Sec. 105 of the Srikrishna Bill, gave powers to the Central Government to formulate appropriate policies for the digital economy, including measures for its growth, security, integrity, prevention of misuse, in context to ‘non-personal data’. That Bill did not define what was meant by non-personal data or how was it to be utilized by the government. The PDP Bill, 2019, under Sec. 91, goes a step further – a) it defines non-personal data as data that does not fall under the definition of personal data [for the definition of personal data see Sec. 3(28)]; and b) empowers the Central Government to direct any data fiduciary/ processor to provide any anonymised personal data or non-personal data “...to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.” [See Sec. 91(2)]. Sec. 2(B) of the PDP Bill, 2019 specifies that the Bill would not apply to anonymised data, other than as provided by Sec. 91 – which enables the Central Government to request entities to convert personal data into anonymized data for their own use.

In September this year, the Ministry of Electronics and Information Technology, constituted an expert committee to deliberate over a data governance framework for the regulation of ‘non-personal data’. Till the report of this expert committee is published, it would not be appropriate for the PDP Bill, 2019 to include government access to non-personal/ anonymised data. The expert committee must invite recommendations from the public and give civil society an opportunity to comment on privacy rights related issues with anonymised/ non-personal data.

On the point of requesting anonymised and non-personal data by the Central Government from any data fiduciary, this may be an onerous demand on data fiduciaries. Applying anonymisation standards, specially for start-ups and SMEs may be a cumbersome task. There aren’t any safeguards appended to this provision. What if a data fiduciary does not properly anonymise personal data? Or shares non-personal data which can easily be turned into personally identifiable data by combining various data points? The Bill does not provide safeguards for such situations in the interest of privacy rights of data principals.

  1. Transparency in Data Sharing and the Concept of Consent Managers (Sec. 17, 21, and 23 of the Bill)

Sec. 17(3) of the PDP Bill, 2019, gives rights to data principals to access, in one place, the identities of data fiduciaries with whom their personal data has been shared by any (other) data fiduciary. This potentially enables data principals to review the entities with whom their personal data has been shared by one particular data fiduciary. This right has been added under the clause for the right to confirmation and access (this right was contained in Sec. 24 of the Srikrishna Bill).

This bolsters the rights framework in the PDP Bill, 2019. Data principals shall have the right to know about all the entities which are processing/ sharing their personal data. This, clubbed with the right to withdraw consent enhances the rights of the data principals in terms of their informational privacy.

The PDP Bill, 2019, also introduces the concept of ‘consent managers’ [See Sec. 21(1) and 23] which was not present in the Srikrishna Bill. The term Consent Managers is not defined in the definitions clause of the Bill, but is defined under an explanation to Sec. 23 as – a data fiduciary which enables a data principal to gain, withdraw, review and manage their consent through an accessible, transparent and interoperable platform. All consent management platforms are to be registered with the DPA [See Sec. 23(5)].

From a reading of the definition of consent managers, it seems like the PDP Bill, 2019 has introduced the concept of ‘consent dashboards’ as recommended by the Srikrishna Committee in its report. On the face of it consent management tools/ consent dashboards may help in reducing consent fatigue, but they might bring up fresh privacy challenges. A trail of metadata generated by consent dashboards might help create a detailed profile of an individuals user engagement online. Specially, when such management tools are required to be registered with the DPA, metadata generated by these tools may assist in profiling of citizens.

  1. Definitions of Personal and Sensitive Personal Data [Sec. 3(28) and (36) of the Bill]

The PDP Bill, 2019 has expanded the definition of personal data to include inferred data. Sec. 3(28) includes - “… and shall include any inference drawn from such data for the purpose of profiling”.

Including inferred data for the purpose of profiling in the definition of personal data is a positive move as this will give the right to data principals to request data fiduciaries for such data as well (See Sec. 17 of the Bill).

The PDP Bill, 2019 has taken off ‘passwords’ from under the purview of sensitive personal data. This may be for the reason for easy transfer of such data outside India when read in conjunction with the data localisation clauses – Sec. 33 and 34 of the Bill.

  1. Privacy by Design Policy (Sec. 22 of the Bill)

The PDP Bill, 2019 introduces a concept of a privacy by design policy. Every data fiduciary is required to prepare a privacy by design policy and have it certified by the DPA. There is a requirement on each data fiduciary to publish this privacy by design policy once it has been certified by the DPA.

  1. Removal of offences for obtaining, transferring, or selling of personal/ sensitive personal data (Sec. 90 and 91 of the Srikrishna Bill)

Offences for obtaining, transferring or selling of personal/ sensitive personal data have been removed from the PDP Bill, 2019 as compared to the Srikrishna Bill.

[There are other changes in the PDP Bill, 2019, like – removal of an obligation on data fiduciaries to demonstrate adherence to the Bill {Sec. 11(2) of the Srikrishna Bill}; SPD has been removed from the employer processing exception {Sec. 13(1) of the PDP Bill, 2019}; there is strict mandate now for data protection officers to be located in India {Sec. 30(3) of the PDP Bill, 2019}; and there is an exemption from certain clauses of the Bill for regulatory sandboxes (Sec. 40 of the PDP Bill, 2019). We will cover all these in our detailed analysis of the Bill.]

All Posts | Dec 04,2019

Our Statement on the Cabinet Approval of the Personal Data Protection Bill, 2019

Our Statement on the Cabinet Approval of the Personal Data Protection Bill, 2019

Today the Union Cabinet approved the Personal Data Protection Bill, 2019. The Government has proposed to introduce the Bill in the ongoing winter session of Parliament.

Our comments to the Justice Srikrishna Committee draft of the Bill can be accessed – here.

Comments submitted to the Justice Srikrishna Committee’s White Paper can be accessed – here.

Our expectations from the revised draft of the Personal Data Protection Bill, 2019:

  1. Data Localisation

  • We hope that the Government has removed the mandatory requirement of storing at least one copy of all personal data in India (mirroring requirement);

  • Narrowed the ambit and scope of critical personal data – which can only be stored in India; and

  • Revised the standards for cross-border transfer of personal data to make them less cumbersome.

  1. Government Access to Data and Surveillance Reform

  • We hope that the Government has considered provisions for surveillance reform and provided for sufficient safeguards against State access to personal data (i.e. processing of personal data by the State without the consent of individuals).

  • In the current draft, the Government has been provided over-arching exceptions and exemptions to process personal data without requisite procedural safeguards or judicial oversight.

To read our comprehensive report on India’s surveillance laws, please click – here.

  1. Independence of the Regulator

  • We hope that the Government has made appropriate changes to the regulatory structure proposed in the current version of the Bill i.e. the Data Protection Authority of India (“the DPA”) and the Adjudication Wing, to ensure the independence of these regulatory bodies.

  • In the current draft, the State has disproportionate control over the DPA and the Adjudication Wing, which will hamper effective enforcement of the law, specially when it applies to the Executive.

Transparency

In line with the Government’s Pre-Legislative Consultation Policy, we request the Ministry of Electronics and Information Technology to release all comments as received by them in the round of public consultation on the earlier draft of the Bill. This will be in line with principles of transparency and will help all stakeholders comprehensively assess the changes proposed in the new version of the Bill.

(Check paragraph 6 of the Pre-Legislative Consultation Policy - here)

We believe that the Personal Data Protection Bill, 2019, due its complexity and wide import, must be referred to the Standing Committee on Information Technology post its introduction in either House of Parliament. This will also provide sufficient time to stakeholders to give their comments on the latest version of the Bill.

All Posts | Nov 15,2019

A Detailed Analysis of the Swami Ramdev v. Facebook Judgment

Statement: At SFLC.in we believe that ordering intermediary platforms to take down content globally, negatively impacts freedom of expression online, as different countries have different standards of speech. Such orders often require intermediary platforms to rely on automated filters and scan each uploaded content to check for its legality, which severely undermines the privacy of Internet users throughout the world. If global take downs become the norm, then the standard of speech on the Internet will reflect that of nations having the most regressive laws on free expression. We believe that civil society organisations, including industry leaders and experts must come together and form global alliances to assist courts and ensure that the Internet doesn’t become the bastion of regressive regimes. These orders, instead of taking away power, further concentrate authority in the hands of Internet giants, as speech determination on the Internet gets further delegated to private decision making. The risk of private censorship dictated by algorithms is known to suppress minority and marginalized groups, affecting the equalizing power of the Internet.

Our short note on the case can be found – here.

An Analysis of Swami Ramdev v. Facebook – The Existential Risk of Global Take Down Orders

Facebook has appealed the order before a Division Bench of the Delhi High Court, further reading - here.

Facts of the Case

The core of the matter involved certain content in the form of videos, which contained summaries of the book on Swami Ramdev (popularly known as Baba Ramdev) titled - ‘Godman to Tycoon – The Untold Story of Baba Ramdev’ by Priyanka Pathak Narain. This book, as part of separate litigation before the Delhi High Court (Swami Ramdev v. Juggernaut Books – CM (M) 556/2018), had been restrained from being published as the court held that it contained prima-facie defamatory content on Baba Ramdev. In the present case, the petitioners (Baba Ramdev and Patanjali Ayurved Ltd.) asked the court to issue a global take down order, for the defamatory content in question, to Facebook, Google, YouTube, Twitter and other unidentified Internet intermediaries (‘John Does’ or ‘Ashok Kumars’). They contested that since the content in question could be accessed from international versions of the platforms, a global blocking order ought to be passed.

None of the Internet platforms had any objection to remove the defamatory content from their India specific domains, but contested against removing the content from their global services.

Key Averments by the Parties

Petitioners (Ramdev and Patanjali)

Petitioners argued that once a defamatory book or article was printed or published, then the publisher of such book was liable for defamation. Relying on Supreme Court decision in Shreya Singhal v. Union of India, the petitioners contended that once a court had ordered content to be taken off, it was bound to be removed globally. They placed their reasons on various definitions of the computer resource, computer system, and computer network under the IT Act, 2000 (IT Act), to back their argument that there was nothing in the IT Act which stopped courts from giving global take down orders. They also stated that the platforms already had the technical capability to carry out global blocking, as they take content off globally based on their community guidelines and terms of use. The petitioners also clarified that details of the users who had uploaded the content weren’t specific enough for them to identify the individuals and reach out to them for taking down the videos.

Defendants (Facebook, Google, YouTube and Twitter)

  • Platforms were mere intermediaries and not publishers, they were not liable for third party content on their websites. They did not perform constant monitoring on their services for each upload.
  • Petitioners did not implead parties who had actually uploaded the content in question.
  • What constituted defamation differed from country to country and passing a global disabling order would be contrary to the principle of comity of courts and would result in conflict of laws.
  • Indian Courts, should not impose their own standards of speech internationally.
  • Public interest differs from one country to another and an Indian court’s perception of public interest ought not bind other jurisdictions.
  • Dissemination of views on the internet was an essential ingredient of freedom of speech and expression and the integrity of national judicial systems must be maintained.
  • Sec. 75 which provides for extra territorial jurisdiction was limited to contraventions and offences under the IT Act and defamation wasn’t covered by these provisions.
  • The court’s order should be proportionate to the alleged harm. The harm from a global injunction will be much higher.
  • The book in question was already available on various international platforms for sale.
  • Geo-blocking of content specific to India would be enough to take care of petitioner’s interests.

The Central Issue

Whether Internet intermediaries like Facebook, Google, YouTube and Twitter, in accordance with the prevailing jurisprudence in India on content take down [intermediary platforms were only liable to take down illegal content from their websites, when ordered by a court or appropriate government agency (as per Shreya Singhal)], were required to take down content locally (i.e. restricted to India) or globally?

The Court’s Order?

  • The court held that once content was uploaded ‘from India’ and was made available globally, the removal of such content (once ordered by a competent court) shall also be ‘world-wide’ and not just restricted to India.
  • The court ordered the intermediaries to take down the content (defamatory videos) globally, if they were uploaded from India. For uploads from outside India, the court ordered platforms to ensure that they use appropriate geo-blocking measures, so that users from India (Indian IP addresses) were unable to access the content.
  • The court allowed Baba Ramdev and Patanjali Ayurved to notify the platforms (notice and take down mechanism) in case offending material was discovered by them in the future (for take down either from India or globally, depending on from where the content was uploaded). In cases where the platforms disagreed, they could intimate their disapproval, after which the complainants would need to take the recourse of courts.

Court’s Rationale

  1. The crux of the court’s reasoning lies in the interpretation of Sec. 79(3)(b) read with the definitions of computer resource, computer system, and computer network, as per the IT Act. The court explained that according to the said provision, intermediaries were obligated to remove content from their platforms once ordered by a competent court. Such content was to be removed from the ‘computer resource’ controlled by the intermediary. Since the definition of ‘computer resource’ included within its ambit a ‘computer network’ - which wasn’t merely a single computer but encompassed a maze or a network of computers akin to a global computer network, the content must be taken off globally. Another reasoning which the court relied on was that since the defamatory content, though it was uploaded from India, was available throughout the world and thus once held to be illegal, must be taken off globally.
  2. The court held that any other interpretation would not give full effect to the intent of the IT Act or the judgment of the Supreme Court in Shreya Singhal. Reiterating the principle upheld in Shreya Singhal, the court recognized that intermediaries shall not apply their own mind as to whether certain information should be blocked from their platform or not.
  3. As soon as certain content was uploaded from India and was made available globally, Indian courts attained jurisdiction for such content to be removed, not just from Indian domains, but globally.
  4. Based on an interpretation of Sec. 75 of the IT Act (which provides for extra territorial jurisdiction of the law), the court held that if content was uploaded from India or was located in India (can be accessed in India), Indian courts would have jurisdiction to pass global injunctions.
  5. On the question of technical feasibility of blocking content worldwide, the court relied on the reasoning that platforms took down information globally when their community guidelines were violated, thus having the capability to enforce such take downs.
  6. The court stated that once removal was ordered, it needed to be complete and not partial in nature. Geo-blocking could be easily circumnavigated by using VPN services, thus rendering the protection given to the aggrieved incomplete.
  7. The court reasoned that it needed to strike a balance between the right to free speech and expression and the right to privacy (of the aggrieved party in this instance), right to reputation, national security, and threats to sovereignty.

Analysis

  1. The Computer Resource/ Computer Network and Global Uploads Argument

The court’s main reason to order for a global take down was based on an interpretation of Sec. 79(3)(b) read with the definitions of computer resource, computer system, and computer network, as per the IT Act. It stated that Sec. 79(3)(b) enabled courts to order take down of content residing in a computer resource and since the definition of computer resource included that of computer network (a network of computers connected globally), the said provision enabled global take downs. The court’s logic was based in the argument that since the illegal content in question was uploaded globally, when ordered to be taken down, it was required to be taken off globally and not nationally.

This argument has the following flaw:

  • The logic of the court that in the present context – computer resource (in terms of content take down) meant to be the global computer network maintained by the intermediaries, as when content was uploaded it was made available globally is deeply concerning. The Internet ecosystem is based on the idea of free flow of information and data across the world. The proliferation and growth of the Internet has made the world a smaller place because we can communicate in real time across physical boundaries. If we were to reverse the court’s logic – then only content accessible in India would be immune from a global take down order and any other content which was distributed on global systems of the Internet would be susceptible to global take downs. As the essential nature of the services offered by Internet intermediaries like Facebook was global and boundary-less, in order to comply with global take downs and different standards of speech around the world, Internet intermediaries may need to design country specific platforms, which will splinter the Internet and effectively erode the promise of the open Internet as we know it.
  1. Effect on Global Free Speech Online

The court did not consider the effects of global take down orders on free speech online.

As argued by the platforms, there are varying standards of free speech around the world. Taking down content globally might negatively impact the speech rights of both - users and platforms in other countries such as the United States. Complying with the law of one country might make them run foul of the law in another. If adopted as regular practice by courts around the world, global take down orders will pose a major threat to free speech on the Internet as online speech will get defined by the countries with the most restrictive regulations on free speech.

Despite arguments about balancing of rights, the court did not explain how ordering of a global take down was a necessary and proportionate response to defamatory content on social media platforms, specially when all platforms had agreed to geo-block the content in question from India. Setting a precedent for Indian courts to order global take downs from social media platforms in order to protect the reputation of a well known Indian citizen is a disproportionate response to the harm which would have been suffered by Baba Ramdev, if such a global take down order would not have been ordered.

  1. Future Uploads and Notice and Take Down

The court recognized that Internet intermediary platforms could not apply their own mind as to whether certain information was to be blocked or not unless ordered by court (as held in Shreya Singhal) but then went on to establish a new notice and take down and counter-notice regime (for this particular case) expanding the jurisprudence as laid in Shreya Singhal by the Supreme Court.

For future uploads of the defamatory content, the court allowed Baba Ramdev to directly approach the Internet platforms pointing to the URLs in question and platforms would need to take the content down. To safeguard platforms from abuse, the court allowed them to send a counter-notice if they disagreed, after which Baba Ramdev would need to approach the courts for regular legal relief. Though there is merit in this approach, as it gives platforms the chance to respond to notices, this is going beyond what is prescribed in Indian law and jurisprudence around content take down. As recognized by the court itself, according to Shreya Singhal, platforms cannot apply their own judgment in determining what is legal or not. There may be chances of both over-censorship and untimely take down of defamatory content (with respect to this specific case) if private parties are to decide what is legal speech.

  1. The VPN Conundrum

One of the reasons the court did not accept the platforms’ arguments on geo-blocking being sufficient was due to the availability of VPN and web proxy services, using which users could access global versions of Internet platforms, thereby rendering geo-blocking ineffective. The court said that it could not get partial relief and for complete protection, a global take down was necessary. Thus, the court ordered that the defamatory content in question, which had been uploaded from India had to be taken down globally, but if the content was uploaded from outside India, the platforms would need be required to geo-block that content with respect to India.

The issue with this reasoning is, that users wanting to upload/ download the defamatory content , could continue to do it while using a computer in India by making use of VPN services. For illustration purposes – If X wanted to upload the defamatory content onto YouTube sitting in India after the court order (i.e. once the platforms had removed the content from their websites), they could mask their IP address using a VPN service to a country that was not India, say the United States. Once the content has been uploaded onto YouTube from another country it could subsequently only be blocked for access within India (as per the court’s order). Subsequently, when the content gets blocked from access in India, X or any other user from India could use a similar VPN service, mask its IP and continue to view the content on YouTube.

Thus, the court’s argument that a global take down was necessary due to availability of VPN services is erroneous as such services could continue to be utilized to both upload and download the content in question. The court did not consider such a scenario before arriving at its decision and a global blocking order was a disproportionate response to the question of accessibility of the video using VPN services.

  1. Sec. 75 – Extra Territorial Application of the IT Act

Relying on Sec. 75 of the IT Act the court stated that as long as uploading of content takes place from India or information is located in India on a computer resource, Indian courts would have jurisdictions to pass global injunctions.

Sec. 75 gives the IT Act extra territorial jurisdiction with respect to offences or contraventions committed outside India. Offences are covered under the IT Act from Sec. 65 to 67C and contraventions are covered under Sec. 43 and 43A of the Act.

Firstly, none of these provisions cover the activity of publishing or making available defamatory content. Secondly, as intermediary platforms by their definition are not publishers and enjoy safe-harbour protection for content uploaded by third parties (as per Sec. 79 of the IT Act and recognized by court) they cannot be said to have committed any contravention or offence under the IT Act. Therefore, the reasoning of the court that Sec. 75 enabled courts to order global take downs was misplaced.

  1. Global take downs and the CJEU

The Court of Justice of the European Union (EU’s top court) recently delivered two judgments, both which approved the ability of EU member nations to order global take downs after proper assessment.

In Eva Glawischnig-Piesczek v. Facebook Ireland Ltd. the CJEU while assessing a similar case of defamation and whether defamatory content could be ordered to be take down globally approved the authority of EU member nations to issue global take down orders. In this case the EU court also approved monitoring obligations on platforms like Facebook for ‘specific content’. This judgment is a blow to the online privacy rights of EU citizens due to the monitoring requirement.

36. Given that a social network facilitates the swift flow of information stored by the host provider between its different users, there is a genuine risk that information which was held to be illegal is subsequently reproduced and shared by another user of that network.”

Fortunately, in the present case, the Delhi High Court did not order for a general or specific monitoring requirement for future uploads, which would have disastrous for privacy rights of Internet users around the world.

In another recent case - Google v. CNIL, the CJEU refused to order for de-refrencing of links from Google’s global service due to difference in ‘right to be forgotten’ laws around the world. The court also stated that a balance needs to be struck between privacy and free speech. But the court went on to clarify that EU law does not specifically prohibit global take downs.

(SFLC.in intervened in this case)

We’ve written about the Google v. CNIL case – here.

In another case in Canada (Google Inc. v. Equustek Solutions Inc., 2017), where Google was asked to de-index listings for protection of trade secret rights of a subject from its global versions and it refused to do so, the Supreme Court of Canada ruled against Google and ordered a global take down requiring the search engine to de-index the relevant listings from its global versions. Though Google got preliminary relief on the Canadian Supreme Court judgment from a California court, the Supreme Court of British Columbia (Canada) refused to reverse the previous decision.

(SFLC.in intervened in this case)

Our comprehensive report on Intermediary Liability can be read – here.

The Delhi High Court relied on all these international judgments while arriving at its decision, illustrating how decisions on Internet governance from around the world drive the thinking of Indian courts as these novel issues crop up around the world.

We believe that civil society and experts from around the world need to come together and ensure that courts are provided proper assistance on law, technology and Internet policy so that they are able to appreciate these problems better and deliver decisions after analysing potential harms to users. Due to the global influence of such judgments on courts of the world, there is a growing need for global coordination of civil society members from around the world.

You can download and read the judgment here:

All Posts | Nov 07,2019

FAQ on surveillance in India.

What exactly is surveillance?

The Merrian - Webster dictionary defines surveillance as “keeping a close watch kept on someone or something”. In the context of this FAQ we refer to the word ‘surveillance’ only to the act of real-time surveillance conducted by Governments through telecommunication systems (namely, telephones and the Internet), though private actors may also conduct surveillance through various methods and offline methods are also used by governments to conduct surveillance.

 

Is there a way that survellience can happen offline as well?

Yes, Section 26 of the Indian Post Office Act, 1898 gives the government the power to intercept articles for public good. It has been mentioned in the section that when there is an occurrence of a public emergency or in the interest of public safety/tranquility an authorized officer of either the state or the central government by making an order in writing can intercept, detain or dispose of any kind of postal article. The subsection (2) of the section mentions that when there is unsurity of if the interception/detention or disposing off was done in public interest, a certificate issued by the government will be conclusive proof. However, for the purpose of this article, we will not be diving into details of offline surveillance.

 

Is suveillance in India legal?

Yes, as there exists a legal framework which enables the Government to conduct surveillance on the occurrence of certain circumstances. However, the surveillance has to be undertaken within the boundaries of this legal framework.

 

Which are the laws that regulate surveillance conducted by the government?

Telephones

1. The Indian Telegraph Act, 1885

  1. Section 3(1AA): Defines what a 'telegraph' is and means, “...any appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images, and sounds or intelligence of any nature by wire, visual or other electro-magnetic emissions, Radio waves or Hertzian waves, galvanic, electric or magnetic means...”
  2. Section 5(2): This section is invoked to conduct surveillance over telegraph lines (as defined above, but with the occurence and condition of the pre-requisites of a public emergency or the interest of public safety.

2. Indian Telegraph Rules, 1951

  1. Rule 419A: This provision lays down the procedural law regarding telephone tapping. It was introduced by way of an amendment in 2007, which was necessitated by the Supreme Court's condemnation in the case People's Union for Civil Liberties v. Union of India (AIR 1997 SC 568) of the lack of procedure governing telephone tapping. The provision mandates that telephone tapping can be done only through a lawful order.
diagram explaining how lawful order to tap telephones are procured

Internet

Provisions dealing with Internet surveillance may be found interspersed throughout the Information Technology Act 2000 and several rules made thereunder.

1. Information Technology Act, 2000

diagram depicting the differences between the grounds for interception under Section 5 clause 2 of the Telelegraph Act and Section 69 B of the information technology act

 

  1. Section 69: Modeled extensively after Section 5(2) of the Telegraph Act, allows the Government to engage in surveillance of Internet data. However, there exists no pre- requisites for the invocation of Section 69 when compared with Section 5(2) of the Indian Telegraph Act, 1885 and has enlarged grounds.>
  2. Section 69B: This provision in turn deals with the surveillance of Internet metadata as compared to Internet data. Metadata is any data that gives information about other data. For example, if person A sends a message to person B, then the content of the message will be data and the data such as the time and date of sending and receiving the message, information about the devices from which the message was sent and received, profile information, etc. would be the metadata.

2. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009

These rules lay down the provision for the procedural law related to the Internet-data surveillance conducted under Section 69 of the Information Technology Act.

3. Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009

These rules lay down the provision for the procedural law related to the Internet-data surveillance conducted under Section 69B of the Information Technology Act.

Under both the above Rules, the procedure laid down is substantially similar to the procedure laid down in Rule 419A of the Indian Telegraph Rules, 1951.

In addition to these laws, license agreements such as the Unified Access Service License (UASL), Internet Service License (ISL), and the Unified License (UL) which incorporates the former two licenses between the Department of Telecommunications and telecommunications service providers also enable the government to receive assistance from telecommunication service providers in conducting surveillance. Licensees must also provide in the interests of security, 'suitable monitoring equipment as per the requirement of the DOT or law enforcement agencies.

 

Are there any monitoring systems in place in India?

As per available information, the Central Monitoring System (CMS) and the National Intelligence Grid (NATGRID) are the two intelligence systems in place in India. Also, another system named Network Traffic Analysis (NETRA) was rumoured to be launched in 2014. NETRA was developed by the Centre for Artificial Intelligence and Robotics (CAIR), a lab under the Defense Research and Development Organisation (DRDO). However, not much information is available regarding the project.

In additions to such dedicated systems, state police forces also conduct monitoring of social media platforms and the web. For example, the Mumbai police force monitored social media platforms to tackle fake news surrounding the Maharashtra elections and similarly, the Uttar Pradesh police force has been put on ‘high alert’ in anticipation of the Ayodhya verdict and as part of vigilance, is conducting social media monitoring. However, this is purely not ‘backdoor’ surveillance but a scan and analysis of publicly available social media posts.

 

Which are the government agencies involved or carry out surveillance in India?

In a starred question which was raised in the Lok Sabha and answered on 11.02.2014, the names of the agencies authorised to intercept and collect details of telephonic conversations under Section 5(2) of the Indian Telegraph Act, 1885 read with Rule 419A of Indian Telegraph (Amendment) Rules, 2007. were listed as follows:


# Central Agencies

  1. Intelligence Bureau

  2. Narcotics Control Bureau

  3. Directorate of Enforcement

  4. Central Board of Direct Taxes

  5. Directorate of Revenue Intelligence

  6. Central Bureau of Investigation

  7. National Investigation Agency

  8. Research & Analysis Wing (R&AW)

  9. Directorate of Signal Intelligence, Ministry of Defence - for Jammu & Kashmir, North East & Assam Service Areas only

# State Agencies

  1. Director General of Police, of concerned state/Commissioner of Police, Delhi for Delhi Metro City Service Area only


As per the order of the Ministry of Home Affairs S.O. 6227(E) dated 20.12.2018 the following Security and Intelligence Agences were authorised “for the purposes of interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource under the Sub-section 69 (1) of the Information Technology Act, 2000 (21 of 2000) read with rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009

  1. Intelligence Bureau

  2. Narcotics Control Bureau

  3. Enforcement Directorate

  4. Central Board of Direct Taxes

  5. Directorate of Revenue Intelligence

  6. Central Bureau of Investigation

  7. National Investigation Agency

  8. Cabinet Secretariat (RAW)

  9. Directorate of Signal Intelligence (For service areas of Jammu & Kashmir, North-East and Assam only)

  10. Commissioner of Police, Delhi

 

 

What is the remedy available in case you suspect that you have been placed under surveillance illegaly, for example the WhatsApp-NSO scandal?

Judicial recourse is obviously the effective remedy available for negating unlawful monitoring/surveillance efforts by the Government. Illegal monitoring methods, such as the one employed in the WhatsApp-NSO Spyware employs malicious hacking (also known has black-hat hacking) methods which amount to violation of Sections 43 and 66 of the Information Technology Act, 2000, which ascribes liability on the perpetrator of the crime.

Section 43

Section 43 of the Information Technology Act, 2000 deals with penalties and compensation for damage to computer, computer system etc. Section 43 ascribes civil liability to anyone who causes any damage to a computer or a computer system and demands the actor to pay damages (compensation) to the affected person.

Section 66

Section 66 deals with computer related offences. If any person, dishonestly or fraudulently, does any act referred to in Section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both. Section 66 ascribes criminal liability onto the prepetrator of a cyber crime.

 

 

How can I approach forums for securing a remedy?

1. Approaching Cyber Cells

All state police forces have a cybercrime division or a cyber cell or a dedicated cybercrime police station established where victims of cybercrimes can file complaints in case of a malicious cyber incident. First Information Reports can be filed under S. 154 of the Criminal Procedure Code, 1973 in case you are a victim of a cyber crime such as malicious hacking.

It is advised to provide as much information as you can while filing such complaints, including information regarding application and system logs, IP addresses, relevant screenshots. It would be wise to approach a cyber security expert or a digital forensics examiner if you are unaware of how to retrieve necessary information.

2. Approaching Magistrate Courts

If under any circumstances, the police officer/cell refuses to receive or investigate your complaint, recourse may be taken by approaching the Magistrate court through Section 156 (3) read with Section 190 of the Criminal Procedure Code, 1973 by filing a private complaint and seek a direction to the police station concerned to investigate the matter (called a ‘forwarding petition’).

3. Approaching the High Courts

If you suspect that you are being placed under surveillance through an illegal order in contravention to Section 5(2) of the Indian Telegraph Act, 1955 and Rule 419A of the Indian Telegraph Rules, 1951, or under Section 69 of the Information Technology Act, 2000, you can approach the appropriate state High Court under Article 226 of the Constitution of India invoking the ‘writ’ jurisdiction of the High Court to quash the illegal surveillance order and also for exemplary compensation. It is advisable to obtain relevant information regarding the surveillance order by filing RTI applications.

If you suspect that you are a victim of the WhatsApp-NSO Spyware row, then you can approach the High Court if your name has been revealed in any list released by Citizen Lab or any other publicly reported list.

What if the Information Officer under the State/Central authority refuses to furnish information your RTI Application is rejected citing exemptions under Section 8 of the Right to Information Act, 2005 or is delayed?

Under the RTI Act, application for information maybe refused to be furnished citing exemption from disclosure under different grounds enumerated in Section 8 of the Act (and also Section 9 if it infringes copyright of a person other than the State).

Normally, information sought by an application under the RTI Act, has to be furnished within 30 days from the receipt of the application by the public authority and if the information sought for by the applicant is concerned with the life and liberty of a person, it is to be provided within 48 (forty-eight) hours.

If any of the above is a case concerning your application or if you are not satisfied with the information supplied to you, you can still raise an appeal (within 30 days) to the first appellate authority (who is an officer senior in rank to the Information Officer) in the office of the public authority wherein you sought the application. If in case the first appellate authority also furnishes unsatisfactory information, you can approach the State/Central Information Commission (depending on whether the public authority is under the State or Central Government) by filing an appeal.

All Posts | Oct 31,2019

Our Statement on the WhatsApp Surveillance Issue

Our Statement on the WhatsApp Surveillance Issue

The use of sophisticated surveillance technology by governments violates basic human rights of privacy and free speech on the Internet. Vulnerable groups including journalists, minorities and lawyers rely on end-to-end encryption technology, like the one offered by WhatsApp, to remain secure online. Targeting journalists, academics and civil society by using surveillance technology, compromises constitutional and democratic principles on which our nation is built. Governments should refrain from using such methods which affect the security infrastructure the Internet is built on. At SFLC.in we've always argued that the Indian government must introduce comprehensive surveillance reform law to protect the rights of citizens. A few years back, we wrote a report on surveillance in India highlighting some major issues. We also conduct Digital Security Trainings for vulnerable groups such as - journalists and minorities to spread awareness about digital security practices such as encryption over the web - emails, browsers and texting apps.

To support our work on fighting for privacy and security online, you may donate to us at - https://sflc.in/donate.

All Posts | Oct 24,2019

Del. HC Orders for Global Take Down of Content

Delhi High Court Approves Take Down of Content Globally

Asks Facebook, Google, YouTube and Twitter to remove defamatory content from their global services

Statement: At SFLC.in we believe that ordering intermediary platforms to take down content globally negatively impacts freedom of expression online, as different countries have different standards of speech. Such orders, require intermediary platforms to rely on automated filters and scan each uploaded content to check for its legality, which severely undermines the privacy of Internet users throughout the word. If global take downs become the norm, then the standard of speech on the Internet will reflect that of nations having the most regressive laws on free expression.

Our detailed analysis of the judgment can be read - here.

In a far-reaching judgment delivered yesterday by the High Court of Delhi, the court affirmed the position that Indian courts can issue global take down orders to Internet intermediaries like Facebook, Google and Twitter for illegal content published by users of their platforms. The court discussed two recent judgments of the Court of Justice of the European Union (CJEU), wherein the top-court of the Union assessed the validity of global take down orders (Google v. CNIL and Eva Glawischnig-Piesczek v. Facebook).

[Since the time we posted this analysis, Facebook has sought an appeal of the Single Judge Bench decision in this matter before a Division Bench (comprising of two judges). The next hearing in this matter is on December 7th, 2019. We'll keep our readers updated with the developments in this case.]

[SFLC.in was an intervener in one of these matters before the CJEU – Google v. CNIL. To read a summary analysis of that matter, click here.]

In the current case – Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi High Court], the petitioner – Swami Ramdev (a public figure in India) requested the court to order global take down of content (videos), which was defamatory in nature, from online platforms – Facebook, Google, YouTube and Twitter (including other unnamed intermediaries). The content in question were videos about a book on Swami Ramdev titled - ‘Godman to Tycoon – The Untold Story of Baba Ramdev’ by Priyanka Pathak Narain. The petitioners in a separate suit before the Delhi High Court had already obtained a restraining order on the publishing of the book (Swami Ramdev v. Juggernaut Books – CM (M) 556/2018) on the basis that the book contained defamatory content on Swami Ramdev’s life.

All platforms agreed to take down the content in question from their India specific domains and use geo-blocking to ensure refusal of access (in accordance with law declared by the Supreme Court of India in Shreya Singhal v. Union of India). But on the question of global take downs, platforms resisted based on principles of international comity, different standards of speech and defamation around the world, and that they did not actively monitor uploads on their platforms being intermediary platforms.

The court refuted these claims and held that online platforms can be ordered to take down content globally by a competent court in India (global take down for illegal content uploaded from India and local take down/ geo-blocking for content uploaded from outside India). The court made the following arguments to support its stance:

  1. Interpretation of Sec. 79 of the IT Act: The court relying on Shreya Singhal stated that once an intermediary had been ordered by a court of law to take down content from its platform, such a platform must disable access not just from the local domains but from its global service. While arriving at this conclusion, the court relied on the definition of ‘computer resource’ under the IT Act and held that computer resource included a ‘computer network’ which meant that platforms had to remove content from their entire computer network (which meant their global service) once an Indian court had held content to be illegal.

  2. Global Uploads: The court argued that when information is uploaded on Internet platforms, they are available on their global services, thus at the time of take down too, such platforms must remove the content from their global domains and not just locally.

  3. Global Take Downs: The court stated that since all the said platforms take down content globally when certain information violates their community standards, therefore it was technologically possible for them to take down content ordered by courts globally too.

  4. Extra territorial jurisdiction of IT Act: Relying on Sec. 75 of the IT Act, the court held that the IT Act allows for extra territorial application for offences or contraventions committed outside India, so long as the computer system or network is located in India. Thus, so long as either the uploading takes place from India or the information/ data is located in India on a computer resource, Indian courts would have the jurisdiction to pass global injunctions.

  5. Removal should be complete: The court reasoned that once content has been asked to be taken off, such removal needs to be complete. The technological ability of users to circumvent geo-blocking (by using VPN and web proxy services) renders the protection incomplete and thus for a complete remedy, a take down must be global.

Interestingly, the court re-established a ‘notice-and-takedown’ mechanism for future uploads of the defamatory content in question, allowing Swami Ramdev to approach the platforms directly for future uploads. But, the court has allowed a counter-notice system for the specific case as well, by allowing platforms to refute claims of illegality and shifting the burden of proof back on claimants, in which case, they will have to approach the courts for an appropriate remedy.

Unfortunately, the court did not consider the following arguments while delivering its judgment:

  1. Effect on free speech and privacy: Different countries have different standards of speech and defamation around the world. Mandating platforms to take down content globally will run the risk of making intermediaries fall foul of law in other countries. For ex. if another nation asks for take down of content which is perfectly legal in India, it will affect the free speech and right to information rights of Indians on the Internet. Unfortunately, the court did not delve too deeply into this issue.

  2. Use of VPNs can still circumvent restriction: Users may still use VPN services to mask their upload location and both upload the illegal content and then use the same service to download said content as that information will only be blocked for Indian domains. Though the court has reasoned that global take downs become important due to the availability of VPN and web proxy services, despite the order, users can still utilise such services to upload and download the defamatory content in question, making use of a computer located in India. Thus global take down are not a proportionate remedy and the costs greatly outweigh the benefits, since easily available technology tools may circumvent the intended protection.

  3. Notice-and-takedown: The court recognized the principle as expounded in Shreya Singhal that intermediaries cannot apply their own mind when it comes to determining which information should be blocked or not, but in its order allowed the petitioners to send notices directly to platforms if the content in question was found to be re-uploaded (though the court allowed for a counter-notice mechanism, writing in new jurisprudence, it steered away from the protection granted to intermediaries by Shreya Singhal, where take downs could be requested only by courts or appropriate government agencies).

In the recent judgment of the CJEU in Google v. CNIL, the court while stating that Google cannot be made to de-reference links from its global service, based on the content which has been declared to be illegal by an EU member state, reasoned that ‘right to be forgotten’ (as was the issue in the particular case) standards were different in different nations around the world. Considering the principle of proportionality, wherein the ‘right to be forgotten’ needs to be balanced with the competing right to information of Internet users, the court held that since the standards of such proportionality will vary across the world, it will be incorrect to order Google to take down links from its global service. Such determination of different legal standards for speech or privacy around the world was not considered by the Delhi High Court while arriving at its decision.

Unfortunately, other judgments from around the world, in particular - Google Inc. v. Equustek Solutions Inc. where Google was asked to de-index listings for protection of trade secret rights of a subject from its global versions and the Supreme Court of Canada ruled against Google and ordered a global take down; and Eva Glawischnig-Piesczek v. Facebook Ireland Limited – where the CJEU asked Facebook to take down defamatory content against Ms. Piesczek from its global service, embolden the position taken by the Delhi High Court in ordering a global take down.

Indian courts must consider the free speech and privacy rights of Internet users while assessing intersections of technology and traditional laws such as defamation. The court while relying on the definitions of ‘computer resource’/ ‘computer network’ and while protecting the right to privacy and reputation of one individual, ended up undermining privacy, speech, and information rights of not just Indians but Internet users around the world.

Considering the issues arising from this matter, we will be shortly publishing a more detailed analysis of the case.

[Recently, we wrote a comprehensive report on Intermediary Liability covering trends in Indian law and policy and from around the world. You may download our report from – here.]

A copy of the judgment can also be downloaded from here:

All Posts | Aug 25,2019

Internet Multi Stakeholder Roundtable discussion


Internet Multi Stakeholder Roundtable discussion


As a precursor to the formation of the IMSC, SFLC.in and Global Network Initiative(GNI) are organizing a round table discussion on - 'Data Protection' and 'Intermediary Liability' on the 28th of August, 2019 (Wednesday). The discussion will be attended by members of the multi-stakeholder community and representatives from GNI. We request interested members to consider this as a 'Save the Date' for the event and drop in a line of confirmation for your attendance.

Please confirm your attendance to Sundar on sundar@sflc.in

Here is the brief agenda for the round table discussion on Internet multi-stakeholder coalition.

 

All Posts | Aug 15,2019

Youth and Privacy: It does matter


Youth and Privacy: It does matter


By Faisal Farooqui

 

Imagine a busy highway. A small child of four or five years old is running into the traffic. His/her parents nowhere to be seen. Who do you think should be blamed if there’s an accident?

Now imagine that the highway is social media, and the toddler is one of the many young users. The parents are the internet entrepreneurs and lawmakers, and the cars on this highway are the various data protection and privacy laws. Now who do you think should be blamed if the young user’s privacy is not protected?

 

In a world swarming with the new generation, we have all found the need to blame them when the question of privacy comes up. Statements like - ‘kids these days share everything on social media. There’s no concept of privacy for them.’ - are being used more and more.

Here’s my question - if the youth really doesn’t believe in privacy, why do their phones have maximum security codes to prevent anyone from using their device?

 

The younger generation, although innocent and comparatively naive, is still worried about their data privacy. Their notions about what data is important and what is not, is different from the older generation, but they also feel the need to protect who they are. More and more younger children, when clicking photos, choose to angle their phones in a way that it blocks their faces. The youth might share their every meal online and what goes on in their minds, but they choose to strategically conceal their faces.

 

Exactly like every young teenager, they have a private life. Our generation preferred to keep it hidden in a diary, their world lives on the internet. Similarly, when we grew up, we chose to discard our old diaries. We either stuffed them away in some corner, or discarded it altogether. The younger generation needs that option on the internet. If a photo clicked at 15 years of age is not protected, and can haunt you when you’re a part of the workforce, who do you blame? The internet? Or the naive child to clicked on agree before using a social media app?

 

I firmly believe that whatever may be the age, people want their privacy. Their data might differ based on interests and age, but their need for privacy will always remain. Right from a young age of 12, when they first create their social media accounts, to the ripe old age of 90, when they are just looking to renew old connections, people prefer a certain level of assurance that their sensitive data is protected, even from companies, because like we cannot blame an unknowing toddler for running into traffic, we cannot blame a young teenager for clicking on agree to ‘terms and condition's when they hardly understand it.

As internet entrepreneurs, law makers, and policy makers, it is our duty, nay responsibility, to make more stringent guidelines in terms of data protection and privacy. The mass audience might not be aware, but as the people with access to this knowledge, it is our job to protect them in the best way we can. The youth might not realise the implications of using certain apps, but as creator of apps, we must adhere to our responsibility of protecting their data, and letting them decide a suitable course of action in the future, when they understand the laws deeper.

 

picture of faisal

     

     Faisal Farooqui is the founder of MouthShut.com and a governing body member of SFLC.in