Pixels & Privacy- The Delhi High Court’s Landmark Ruling on reporting Non-Consensual Intimate Images

Mrs. X v. Union of India & Ors. (2023:DHC:2806)

Facts of the Case-

  1. The Petitioner herein is a married woman with a nine-year-old son. In 2019, the Petitioner became acquainted with the Accused, who approached her through social media and introduced himself as a British Chartered Accountant. In July 2020, the Accused came over to the Petitioner’s place and forced himself upon her. He allegedly not only clicked explicit pictures of the Petitioner, but also transferred to himself, from the Petitioner’s phone, explicit pictures of her that had been taken for the purpose of sharing with her husband.
  1. The Accused involved the minor son of the Petitioner in various sexual acts as well. Thereafter, the Petitioner lodged a complaint against the said Accused at P.S Lajpat Nagar, and on the basis of which, a Zero FIR was registered. The Accused threatened the Petitioner that he would leak her sexually explicit photographs on various pornographic websites and that he would kill her son if she did not pay huge amounts of money to him. 
  1. The Petitioner was extorted into paying lakhs of money to the Accused, along with handing him all her jewellery. As the Petitioner was unable to pay any more money, the Accused leaked the Petitioner’s explicit images on various pornographic websites without her consent. This led to the Petitioner addressing a complaint dated 03.08.2021 to the SHO at P.S Lajpat Nagar. The said complaint stated that the Accused had made a YouTube channel in the Petitioner’s name, and has been posting her explicit videos and photographs on a daily basis. 
  1. Despite her approaching the Grievance Cells of various Intermediaries (Google, YouTube, Bing, etc.) and filing cyber complaints, her explicit images were not taken down. Thus, the Petitioner approached the Delhi High Court U/A 226 r/w S.482 CrPC, seeking blocking of certain sites exhibiting intimate images of the Petitioner and registration of an FIR arising out of the complaint dated 03.08.2021.

The Hon’ble Court’s Analysis & Decision-

*The scope of the instant Writ Petition u/a 226 was expanded, and the directions rendered were limited to search engines, MEITY and Delhi Police.* 

  1. The Court analysed NCII (Non-consensual intimate image) vis-a-vis IT Act & Rules- Rule 3(2)(b) of the IT Rules, which lays down the grievance redressal mechanism that is to be followed by an intermediary, more or less defines NCII as any content which prima facie exposes the private area of any individual/shows such individual in full or partial nudity/shows or depicts such individual in any sexual act or conduct/is in the nature of impersonation in an electronic form, including artificially morphed images. Rule 3(2)(b) is not a charging offence. It is only under Section 66E of the IT Act that violation of privacy of an individual is punished with imprisonment which may extend to three years or with fine not exceeding two lakhs, or with both.
  1. Emphasis was supplied on the role of Search engines (para 30): “Search engines do not themselves store and transmit content, they allow users to locate and visit content. Search engines further rank the content in their order of relevance in a bid to solve the user’s query at the earliest. It is relevant to note that as search engines do not host content per se, they cannot take down the content available on a third-party platform. However, they can de-index specific URLs that can render the said content impossible to find due to the billions of webpages available on the internet and, consequently, reduce traffic to the said website significantly.” 
  1. Despite NCII abuse being perpetuated by a third-party user and causing harm to a stranger, the intermediary becomes liable for the conduct of the third-party user. Further, the IT Rules also devise a mechanism for the user/victim to directly approach intermediaries for removal of NCII content without having to obtain a Court order. Therefore, apart from making its own reasonable efforts in not publishing offending content, intermediaries can be requested to takedown offending content after being informed by a Court order or by an order of the appropriate Government or by the user themselves. 
  1. If the individual has the right to informational privacy, it also subsumes the individual’s right to be forgotten, which has been held to be the consequence of the dignity of an individual and, thus, a facet of the right to privacy. A Division Bench of the Kerala High Court recently, in Vysakh K.G. v. Union of India and Ors., 2022 SCC OnLine Ker 7337, while adjudicating upon the right to privacy vis-à-vis the right to information, observed that, in the digital context, the “right to delisting” and “right to oblivion” are facets of the right to be forgotten.
  1. The argument that has been advanced in the present case by the learned Senior Counsel appearing for the Respondent (Intermediaries) is that as search engines merely provide access to content and are not responsible for hosting the said content, directions must be rendered to the publishers and not the search engines themselves. It is at this stage that a search engine’s role in ensuring that one’s right to privacy is not contravened comes into prominence, especially with Rule 3(1)(m) which states that the intermediary shall respect all the rights accorded to the citizens under the Constitution, including Articles 14, 19 and 21. It is further essential to state that the continued existence of NCII content on the internet does not serve any public interest and it is punishable under Section 66E of the IT Act. The argument, therefore, put forth on behalf of the Intermediaries was not accepted by the Hon’ble Court. 
  1. Social Responsibility of Search Engines (para 46 onwards): The newly amended Rule 3 of the IT Rules explicitly pronounces the obligation of the intermediary to not only “inform”, but to make “reasonable efforts” to ensure that its users do not publish content that is prohibited under Rule 3(1)(b). Thus, any directions given herein fall squarely within the statutory regime with regard to obligations of intermediaries.
  1. Search engines play an important role in the dissemination of content, and their power in connecting the said content to consumers is undeniable. There resides a social obligation in these intermediaries to be proactive in de-indexing such links when it comes to their knowledge that such content is illegal. The Hon’ble High Court found untenable the suggestion that the user/victim must approach either the intermediary in question or the Courts every single time the NCII content is duplicated. Such a suggestion also frustrates the legislative intent behind the IT Rules, which devise a time-bound schedule for removal of such content. The Hon’ble High Court further observed that an approach that entails the victim/user having to sift through the internet to identify and then share every URL hosting their NCII is unconscionable.
  1. Moreover, search engines cannot hide under the garb of not possessing the adequate technology to remove NCII content which has been reported without the victim/user having to approach the intermediary again and again. As per the Affidavit of Google LLC, hash-matching technology, which generates a unique identifier/fingerprint/hash, exists for the purpose of removing CSAM. This technology allows detection and removal of matched content that has previously been removed. For the purposes of removal of NCII, once such content has been identified and removed, the hash-matching technology can store only the unique identifier pertaining to the NCII content and, in the event that such content is re-uploaded, it can filter out the same by going through its database of such fingerprints. A similar tool has already been built by Meta and Microsoft. YouTube has also developed CSAI (Child Sexual Abuse Imagery) Match, which is used by NGOs and other companies to identify abusive content.
  1. The Hon’ble High Court stated that entities of the nature of Google and Microsoft, considering their ubiquity, cannot abscond or withdraw from their duties to the public at large in the name of reducing the liability they might incur. The Hon’ble Court was in fact inclined to agree with the submissions of the learned Senior Counsel appearing for Google and Microsoft that any direction that necessitates pro-active filtering on the part of intermediaries may have a negative impact on the right to free speech. No matter the intention of deployment of such technology, its application may lead to consequences that are far worse and dictatorial.
  1. One of the concerns that arises when we consider the right to privacy of an individual under Article 21 is its impact on the right to freedom of expression and speech. This issue requires an interpretation of the phrase “such content” in Rule 3(2)(b) and whether the same means a specific instance of identified NCII, as has been contended by the intermediaries, or all such content of identical nature, as submitted by the learned Amicus Curiae. The Hon’ble High Court observed that construing the phrase “such content” as “all content” is necessary to reduce the burden on the user/victim, however, “all content”, access to which is to be disabled, must pertain to NCII abuse that has already been reported.
  1. Search engines, being intermediaries, cannot hide behind the argument that they merely provide access to third-party websites, as the due diligence to be exercised as per Rule 3 is applicable to all intermediaries. In addition to “actual knowledge” as defined in Shreya Singhal v. Union of India as a Court order or upon being notified by the appropriate Government, Rule 3(2)(b) and (c) of the IT Rules now allows the victim/user to approach the intermediary on their own with their grievance. It mandates a timeline that must be adhered to when it comes to disabling access/de-linking the offending content. If read holistically, if the user/victim is required to approach with each specific URL again and again, this will only frustrate the purpose of the timelines and the grievance redressal mechanism as expounded under the IT Rules.
  1. It has been submitted that the sustained practice with regard to content removal under the IT Act has been to provide specific URLs, however, this practice fails to account for a grievance redressal mechanism available to the user/victim and it is not justifiable, morally or otherwise, to suggest that an NCII abuse victim will have to constantly subject themselves to trauma by having to scour the internet for NCII content relating to them and having to approach the authorities again and again. Once it has been reported by the user/victim or a Court order or an order of the appropriate Government has been rendered, then the search engine cannot contend that any filtering of the content that is done subsequent to the reporting or the Order is proactive in nature; it can only be termed as being in pursuance to the reporting of existence of such content specific to an individual or a judicial Order. 
  1. The fact that search engines do not host or publish or create content themselves is of no consequence when it comes to the question of removal of the access to the offending content. It is undeniable that they do have the ability, the capacity, and the legal obligation to disable access to the offending content; this responsibility of the search engine cannot be brushed under the carpet on the ground that it does not host content. 
  1. The Hon’ble High Court in the said judgment painfully notes that there is an abysmal absence of a collaborative effort that should ideally be undertaken by the intermediaries and the State. The focus of such entities and authorities should be on the quick redressal of the complaint brought before them rather than the shirking of blame or making submissions on the onerous nature of their duties. In the process of shirking responsibility, precious time is lost in removal of the offending content and enables the offender to keep reposting the content. The endeavour of every entity involved should be to expeditiously resolve the issue. 

Directions & Recommendations by the Hon’ble Delhi High Court:

  1. On approaching the Court for a takedown order in a matter involving NCII content, the Petitioner must, along with the petition, file an affidavit in a sealed cover identifying the specific audio, visual images and key words that are being complained against, in addition to the allegedly offending URLs for ex facie determination of their illegality. 
  1. The Grievance Officer appointed by the intermediary must be appropriately sensitised. The definition of NCII abuse must be interpreted liberally by the intermediaries to include sexual content obtained without consent as well as sexual content obtained and intended for a private and confidential relationship.
  1. The “Online Cybercrime Reporting Portal”, must have a status tracker for the complainant, commencing from filing of a formal complaint to the removal of the offending content. The portal must display various redressal mechanisms that can be accessed by the victim in cases of NCII. This display should be in all languages specified in the Eighth Schedule. The Portal, along with every other website of Delhi Police, should also display the contact details of each District Cyber P.S present in the NCT of Delhi.
  1. On the receipt of information, noting the nature of NCII content, the Delhi Police must immediately register a formal complaint in order to initiate an investigation and bring the perpetrators to book as soon as possible so as to prevent the repeated upload of the content. 
  1. Every District Cyber P.S must have an assigned Officer who must liaise with the intermediaries against which grievances have been raised by the victim who has approached the Delhi Police and an endeavour should be made to ensure that the grievance is resolved within the time schedules stipulated under the IT Rules. The intermediaries are directed to cooperate unconditionally as well as expeditiously respond to Delhi Police.
  1. A fully-functioning helpline available round-the-clock should be devised for the purpose of reporting NCII content. Operators and individuals manning this helpline must be sensitised about the nature of NCII content and must, under no circumstances, indulge in victim-blaming or shaming the victim. These operators should also have a database of organisations with registered counsellors, psychologists and psychiatrists available for reference to the victims. The Delhi Legal Services Authority may also be apprised and engaged in case the victims need legal aid.
  1. Search engines must employ the already existing mechanism with the relevant hash-matching technology on the lines of the one developed by Meta as has been discussed above. They cannot be allowed to avoid their statutory obligations by stating that they do not have the necessary technology, which is patently false as has been exhibited during the course of hearing. 
  1. The reporting mechanism under Rule 3(2)(c) of the IT Rules must be conveyed to the users by the intermediaries by way of prominent display of the same on the website of the intermediary. It is necessary for users to be made aware of the reporting mechanism and the onus for educating the users lies on the intermediaries.
  1. The timeframe as stipulated under Rule 3 of the IT Rules must be strictly followed without any exceptions, and if there is even minor deviation from the said timeframe, then the protection from liability under S. 79 of the IT Act cannot be invoked by the search engine. When a victim approaches a Court or a law enforcement agency and obtains a takedown order, a token or a digital identifier based approach must be adopted by search engines to ensure that the de-indexed content does not resurface.
  1. As a long-term suggestion, a trusted third-party encrypted platform may be developed by MEITY in collaboration with various search engines under Rule 3(2)(c) for registering the offending NCII content or the communication link by the user/victim. Accordingly, the intermediaries in question may assign cryptographic hashes/identifiers to the said NCII, and automatically identify and remove the same through a safe and secure process.
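
The hash-matching approach described in the Google affidavit and in the directions above can be sketched as follows. This is an added example, not code from the judgment or from any intermediary's system: the 8x8 grayscale grids are constructed sample data, the "average hash" is a simple stand-in for the proprietary fingerprinting tools the Court refers to, and `MAX_DISTANCE` is an assumed tolerance. It shows a registry that retains only fingerprints, and why a byte-exact hash alone does not recognise a re-encoded copy of reported content.

```python
import hashlib

MAX_DISTANCE = 5  # assumed tolerance: differing bits out of 64; tune on real data


def encode(pixels):
    """Stand-in for a file's bytes: the 8x8 grayscale grid, flattened."""
    return bytes(p for row in pixels for p in row)


def exact_id(data: bytes) -> str:
    """Byte-exact identifier: matches only an identical file."""
    return hashlib.sha256(data).hexdigest()


def average_hash(pixels) -> int:
    """64-bit perceptual fingerprint: one bit per pixel, set if above the mean."""
    flat = [p for row in pixels for p in row]
    if len(flat) != 64:
        raise ValueError("expected an 8x8 grayscale grid")
    mean = sum(flat) / 64
    bits = 0
    for p in flat:
        bits = (bits << 1) | int(p > mean)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")


class FingerprintRegistry:
    """Keeps fingerprints of reported content only; the content is never stored."""

    def __init__(self):
        self._exact = set()
        self._perceptual = set()

    def register(self, pixels):
        """Record the fingerprints of content that has been reported and removed."""
        self._exact.add(exact_id(encode(pixels)))
        self._perceptual.add(average_hash(pixels))

    def check(self, pixels) -> str:
        """Classify a new upload as 'exact', 'near' or 'none'."""
        if exact_id(encode(pixels)) in self._exact:
            return "exact"
        fp = average_hash(pixels)
        if any(hamming(fp, known) <= MAX_DISTANCE for known in self._perceptual):
            return "near"  # candidate re-upload: route to human review
        return "none"

    def stored(self):
        """Everything the registry retains (hex digests and 64-bit integers)."""
        return sorted(self._exact) + sorted(self._perceptual)


# --- constructed sample inputs -------------------------------------------
def reported_image():
    """Constructed grid standing in for the reported content (a gradient)."""
    return [[(r * 8 + c) * 4 for c in range(8)] for r in range(8)]


def reencoded_copy():
    """Same picture after a constructed brightness shift and one altered pixel."""
    copy = [[min(255, p + 3) for p in row] for row in reported_image()]
    copy[3][7] = 140
    return copy


def unrelated_image():
    """Constructed checkerboard: content that was never reported."""
    return [[255 if (r + c) % 2 == 0 else 0 for c in range(8)] for r in range(8)]


if __name__ == "__main__":
    registry = FingerprintRegistry()
    registry.register(reported_image())
    for name, img in [("identical", reported_image()),
                      ("re-encoded", reencoded_copy()),
                      ("unrelated", unrelated_image())]:
        print(f"{name:11s} -> {registry.check(img)}")
```

A "near" result is a similarity signal rather than proof of identity, so the sketch routes it to review instead of treating it as an automatic removal.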

The Information Technology Amendment Rules, 2023

IT AMENDMENT RULES 2023: An Overview

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023

INTRODUCTION 

The aim of this primer is to provide an overview of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023 (“the Amendment”), which amend the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“2021 Rules”). 

The Ministry of Electronics and Information Technology (“Meity”) amended the 2021 Rules with the aim to, inter alia, regulate online gaming in India, along with ensuring the safety of its users, broadly by governing-

  1. Online games
  2. Online real money game
  3. Permissible online game
  4. Permissible online real money game
  5. Online gaming intermediary
  6. Online gaming self-regulatory body and
  7. Restricting the spread of fake & misinformation. 

THE BASICS

The Amendment defines an ‘online game’ as a game that is offered via the internet, wherein the same can be accessed by any user through a computer resource or upon the access of an intermediary.

STAKEHOLDER ANALYSIS

  1. Online Game

The Amendment classifies online games into three subcategories. They are-

i) Online real money game- The Amendment defines ‘online real money game’ as an online game, wherein the user deposits in the form of cash/kind with an expectation and intention of earning winnings in the form of cash/kind on such deposits made. The Amendment further explains the term ‘winnings’ as any prize in cash/kind distributed to the user of the online game based on their performance in accordance with the rules of the game.

ii) Permissible online game- The Amendment defines ‘permissible online game’ as a permissible online real money game, and also includes online game(s) which are not considered online real money games (reference to Rule 4C of the Amendment). With this definition, the ambit of the 2021 Rules gets widened, as the Central Government will have the power to extend and direct the applicability of the said rules to even those online games that do not require a user to make a deposit, hence even covering casual games under the 2021 Rules.

iii) Permissible online real money game- The Amendment defines ‘permissible online real money game’ as an online real money game that has been verified by an online gaming self-regulatory body under Rule 4A of the Amendment.

  1. Online Gaming Intermediary (“OGI”)

i) The Amendment seeks to introduce a new category of intermediary, i.e., the OGI. The Amendment defines an ‘OGI’ as any intermediary that seeks to give access to one or more online games to users on its platform.

ii) Moreover, what is essential to note from the Amendment is that an OGI is required to comply with not just the due diligence obligations mentioned under Rule 3, but also with the additional due diligence requirements under Rule 4, on lines similar to what a significant social media intermediary may be required to do under the 2021 Rules.

  1. Online Gaming Self-Regulatory Body (“SRB”)

The Amendment welcomes another soon-to-be established entity(ies) within the purview of the said rules and allows such entity(ies) to self-regulate the online gaming industry in India, in accordance with the 2021 Rules. This self-regulatory body(ies) is to be called as an ‘online gaming self-regulatory body.’ They are defined as an entity designated by Meity under Rule 4A of the Amendment. The primary responsibility of the SRB is to verify ‘online real money game’ as ‘permissible online real money game.’

  1. Fact Check unit of the Govt.
  • A significant change brought in by the Amendment (apart from regulating online games and platforms) pertains to curtailing fake and misleading information in relation to any business of the Central Government, which has been hosted, published, and transmitted on the intermediary’s platform. 
  • Further, the Amendment directs Meity to appoint a fact-checking unit of the central government, to identify and restrict the flow of fake and misleading information that pertains to the business affairs of the central government. 

DUE DILIGENCE- OGI

The Amendment aims to bring online gaming intermediaries to the same table along with the social and significant social media intermediaries. Earlier, the due diligence obligations mandated under Rule 3 of the 2021 Rules, only applied to social media intermediary(ies) and significant social media intermediary(ies). However, with the present Amendment, now even an OGI will be required to comply with Rule 3 of the 2021 Rules, including some new requirements/obligations brought in by the Amendment-

  1. An OGI shall not offer its users an online game that results in ‘user harm.’ The term ‘user harm’ has been explained in the Amendment as any effect that is considered detrimental to a user and/or child;
  2. An OGI shall not offer any online game unless it is verified as a permissible online game;
  3. Intermediaries shall not indulge in advertising/surrogate advertising or promoting a non-verified online game, and/or an OGI promoting such a game;
  4. An OGI that offers ‘permissible online real money game(s)’ is required to inform its users about the change in its rules and regulations, privacy policy, or user agreement within a time frame of 24 hours and not later than that;
  5. An OGI that offers ‘permissible online real money game’ shall on receipt of an order, provide all and/or any information under its possession to the government agency for the purpose of investigation, detection, prevention, prosecution of offenses, etc, within a time frame of 24 hours and not later than that;
  6. An OGI is required to prominently publish on its website and mobile app, the name and contact details of the grievance officer, along with the complaint mechanism for the user/victim to follow for addressing their complaints and grievances;
  7. Any person being aggrieved by the decision of the grievance officer of the OGI may prefer an appeal within 30 days from the receipt of such decision to the Grievance Appellate Committee;
  8. The OGI and the SRB are required to comply with the orders passed by the Grievance Appellate Committee and further are required to publish a compliance report on their respective website(s).

ADDITIONAL DUE DILIGENCE- OGI

It is essential to note here that following the 2021 Rules, the additional due diligence requirements under Rule 4, were only supposed to be a compliance obligation for the significant social media intermediary. However, with the present Amendment, even an OGI offering permissible online real money game, irrespective of its user base will be required to comply with Rule 4, including-

  1. Appointing a Chief Compliance Officer;
  2. Appointing a Nodal contact person, who shall be a resident in India;
  3. Appointing a resident Grievance officer, who shall be a resident in India;
  4. Publishing periodic reports monthly in relation to the complaints received, and the course of measure(s) duly taken;
  5. Maintaining a physical address in India, and publishing its details on the website and mobile application;
  6. Implementing a complaint and grievance mechanism for users to file, track and check the status of their complaints;
  7. Verifying the users’ accounts, and marking such users with a visible mark;
  8. Displaying the verified mark obtained after due verification done from the concerned SRB;
  9. Informing users about the withdrawal/refund policy, the manner of determining and distributing winnings, fees and charges payable by the users, the KYC procedure, measures undertaken for protecting the users’ deposits, and the procedure followed for verification of online real money games;
  10. Mandatory KYC before accepting deposits from the users;
  11. Prohibiting and banning OGIs from offering their users credit facilities and/or enabling third parties to finance them for the purpose of playing such online games.

ELIGIBILITY CRITERIA FOR SRB

  • Verification of online real money game shall only be done by designated SRB(s). An entity may apply to Meity for being designated as an SRB, provided they fulfil the following-
  1. Entity registered under section 8 of the Companies Act, 2013;
  2. Membership is representative of the online gaming industry;
  3. The number of board of directors shall be 8. They shall have no conflict of interest, and possess skills, experience, and knowledge as mentioned under the said rules, for performing their roles & duties as a self-regulating body;
  4. Must have sufficient funds for performing their duties as a self-regulatory body;
  5. The MoA & AoA of the entity shall be compliant with the 2021 Rules and the Amendment.

VERIFICATION OF ONLINE REAL MONEY GAME

  • Upon receiving an application from an online real money game, the SRB shall verify and declare them as permissible online real money game, provided the following is satisfied-
  1. Such an online real money game shall not contain wagering on any outcome; and
  2. The OGI and such online real money game shall be compliant with Rule 3 and 4, law relating to the age and competency to contract, along with the SRB’s framework.
  • The rule further clarifies that the time-frame given to the SRB shall be three (3) months, in which they have to declare the applicant (online real money game) as a permissible online real money game. It is further stated that initially the SRB shall only rely upon the information provided to them by the applicant. However, the SRB shall complete the due inquiry within the said time-frame to declare them as compliant and permissible or reject their application in writing.
  • SRB must publish on their website and/or mobile application a list of all the permissible online real money games, their verification expiry dates, and suspended and revoked online real money games.
  • SRB must maintain and publish their members’ list on their website and/or mobile application.
  • SRB shall have the powers to suspend and revoke the verification of any online real money game, if they are satisfied that the said online real money game is not in compliance with the 2021 Rules and the Amendment.
  • The online real money game and the OGI must display the verified mark granted by the SRB on their platforms.
  • Every SRB is required to publish on their website and/or mobile application their framework of verifying online real money game, which shall also include-
  1. Measures taken to ensure that an online real money game is not against the interests of sovereignty, integrity and security of the nation;
  2. Measures to ensure that an online real money game does not cause user harm as described under the Amendment;
  3. Measures taken to ensure protection to minors;
  4. Measures undertaken to ensure protection against gaming addiction, fraud, financial loss, etc.
  • The Central government before issuing directions for blocking under section 69A of the IT Act, 2000, against a permissible online real money game, may consider the details published by the SRB.
  • SRBs must publish a framework of grievance redressal along with the contact details of their Grievance Officer. The complaints must be acknowledged within 24 hours by the Grievance officer, and resolution must be done within 15 days from the date of the complaint.
  • Meity may suspend and/or revoke the designation of the SRB, if it is satisfied and found necessary. However, the SRB shall be given an opportunity to be heard.

APPLICABILITY & COMPLIANCE OF CERTAIN OBLIGATIONS

The Amendment further states that the compliance obligations upon the OGI shall come into force only after the expiry of three (3) months from the date on which at least three (3) SRBs would have been designated and established in accordance with Rule 4A of the Amendment.

‘ONLINE GAME’ OTHER THAN ONLINE REAL MONEY GAME

The said rules may apply only to those online games that come under the ambit of online real money game and permissible online real money game. However, if the Central government finds it necessary in the interest and security of the State, public order, and preventing user harm, etc., then even online games other than online real money games will be required to comply with the following obligations-

  • the obligations under sub-clauses (ix) and (x) of clause (b) of sub-rule (1) of rule 3; sub-rules (1), (5), (6), (7), (10), and clause (d) of sub-rule (11) of rule 4; along with rule 4A.

CONCLUSION

With the significant rise in the development of online games around the globe, the massive user and fan base, along with the amount of money involved were essential to be considered, before regulating this space. However, letting this space go unregulated would be detrimental to the country’s economy and its national security. The notified Amendment aims to promote online gaming by making the industry more accountable and transparent to its users. 

However, there are still some questions unanswered, such as why Meity took this approach to bring online games and the platforms in as ‘intermediaries’ and not as ‘publishers’ under the 2021 Rules. Moreover, there is still vagueness, and clarifications are required, in relation to terms such as ‘online real money game’ and ‘user harm’, as the ambit of both these terms is too wide and might result in overregulation and hamper the growth of the industry as a whole.

Interestingly, the Amendment has been challenged recently in the Bombay High Court, within a week of its notification. The writ petition primarily questions the power of Meity under Rule 3(1)(b)(v), which seeks to appoint a fact-checking unit of the central government for curbing fake and misleading information relating to the central government’s business affairs.

Lastly, the true impact of this Amendment could only be judged after the provisions come into force, and how the industry reacts toward it.

A Guide to India’s Data Protection Law: The Digital Personal Data Protection Bill, 2022

Background & Evolution of Privacy in India

A. The journey of India’s Right to Privacy is more than 6 decades old, and it was only in the year 2017 that the Apex Court of the land recognized and declared the “Right to Privacy” as a fundamental right enshrined under Article 21 of the Indian Constitution, 1950, in a landmark decision in Justice K S Puttaswamy (Retd.) & Anr v UOI & Ors (2017). Little did we know, but this landmark decision changed the course of History.

B.  With the advent of the right to privacy as a fundamental right, a Committee of experts was set up in August 2017, for the purpose of preparing a draft report on Data Protection under the leadership of Justice B.N Srikrishna, (former) Judge of the Supreme Court. 

C. The Experts Committee submitted its report along with a draft version of the legislation in the year 2018 which was titled “Personal Data Protection Bill, 2018” (“PDP, 18”). The PDP, 18 was further analyzed and approved by the Cabinet Ministry on 4th December, 2019. Later, the draft version was introduced in the Lok Sabha, however, the title was changed to- Personal Data Protection Bill, 2019 (“PDP, 19”). 

D.  The PDP, 18 and PDP, 19 were drafted for the same purpose, but both had flaws that did not make them a comprehensive draft version of the law, and hence, none of them were adopted/passed. With the aim to make PDP, 19 more comprehensive, it was referred to a newly constituted committee i.e., Joint Parliamentary Committee (“JPC”).

E. The JPC on 16th December 2021 during the Winter session, released a recommendation report on the PDP, 19 with 81 amendments and 12 recommendations. The recommendation report was released after 2 years to the public and was renamed “the Data Protection Bill, 2021” (“DPB, 21”), with a widened scope of the bill in its entirety (inclusion of non-personal data, etc).

F.   However, the DPB, 21 was withdrawn in the Parliament in the month of August 2022 on the ground that the Government was working on a more comprehensive legal framework, and the present draft version did not allow it.

G. Surprisingly, on 18th November, a 4th draft version of the bill was introduced for public consultation. This time the title of the draft version has been changed to- The Digital Personal Data Protection Bill, 2022 (“DPDP, 22”).

The purpose of this article is to be a go-to guide for your understanding of the DPDP, 22. Here, we will not just summarize the entire draft bill, but highlight all the key provisions from an industry perspective.

PURPOSE:

The purpose of this legislation is to regulate the processing of digital personal data, to enable individuals to exercise their right to privacy over their personal data, and to ensure that such processing is done for a lawful purpose.

APPLICABILITY:

The law applies to the processing of “digital personal data” and excludes “offline personal data”. However, if such offline personal data is later digitized, then the processing of such data would fall under the ambit of this Bill.

Further, from the territorial scope of the DPDP, 22, it applies to data processing both within and outside the territory of India. For the law to apply outside the territory of India, it is essential that such processing of digital personal data is related to-

  • Any profiling of a Data Principal within the territory of India; or
  • Any activity pertaining to offering goods/services to users (Data Principal) inside the territory of India.

The provisions of the DPDP, 22 shall not apply to-

  • Any non-automated processing of personal data;
  • Offline personal data;
  • Processing, done by an individual for a personal/domestic purpose;
  • Personal data of an individual that has existed in a record for at least 100 years.

Surprisingly, there is no classification of personal data provided in the DPDP, 22. However, sector-specific regulations may in due time establish additional requirements pertaining to safeguarding such personal data. Lastly, the DPDP, 22, unlike its previous version, does not apply to non-personal data.

CONSENT 

  • The DPDP, 22 under section 5 states the grounds on which the Data Fiduciary shall process the personal data of the Data Principal. The processing under the DPDP, 22 shall be considered lawful only when the Data Principal has given consent or the consent is deemed to have been given.
  • The DPDP, 22 under section 7 defines the concept of “Consent” as a freely given, specific, informed, and unambiguous indication by the Data Principal to a Data Fiduciary for processing their personal data for a “specific purpose.” This indication must be shown through an affirmative action by the Data Principal.
  • Moreover, the DPDP, 22 under section 6 provides for a mandatory requirement that must be fulfilled by the Data Fiduciary on or before seeking the consent of a Data Principal. The Data Fiduciary is mandated to provide an itemized notice to the Data Principal in clear language, which shall contain the description pertaining to the data that is required to be collected from the user and the purpose behind it.
  • In the itemized notice that is issued for seeking/requesting consent from the Data Principal for processing their personal data, the contact details of the authorized person/data protection officer of the Data Fiduciary must be mentioned. The Data Principal shall have the right to access such itemized notice requesting consent in either English or any language specified in the Eighth Schedule to the Constitution of India.
  • It is also essential to note that, in respect of any additional personal data which is not necessary for the performance and fulfillment of a contract/agreement between the Data Principal & Data Fiduciary, the Data Principal shall be free to refrain from giving consent.

DEEMED CONSENT

Here are some instances mentioned in the DPDP, 22 wherein, it is presumed that the processing of personal data is based on Deemed Consent. Deemed consent has been discussed under section 8 of the DPDP, 22. At present the DPDP, 22 provides 9 instances wherein consent is considered as deemed, and they are-

  1. In an event wherein, the Data Principal voluntarily provides their personal data to the Data Fiduciary, and the same is reasonably expected from them;
  2. In an event, wherein, the processing is based on the performance of any function under law, or provision of any service, or benefit to the Data Principal/issuance of any certificate/license or permit to any action of the Data Principal by any State institutions or agencies;
  3. Processing done in relation to compliance with court order(s)/judgement(s);
  4. Processing done in relation to medical emergency pertaining to threat to life/health of the Data Principal or any other person;
  5. Processing done in relation to providing medical treatment/assistance to people during an epidemic, outbreak, and/or any such threat to public health;
  6. Processing done in relation to taking safety measures for providing services to people during disaster, and/or breakdown of public order;
  7. Processing done in relation to employment-related purposes;
  8. Processing done on the grounds of public interest;
  9. Processing done for any fair and reasonable purpose- wherein the legitimate interests of the Data Fiduciary outweigh any adverse effect on the Data Principal, public interest and the reasonable expectations of the Data Principal.

It is essential to note here that the notice mentioned under section 6 is not mandated where deemed consent is given by the Data Principal.

CROSS-BORDER TRANSFERS

The DPDP, 22 also lays down a provision for the cross-border transfer of digital personal data. Although it does not specify or name which countries/territories will be treated as “trusted geographies” for permitting the cross-border transfer of digital personal data, section 17 states that the Central Government will only allow and notify those countries/territories for cross-border transfers based on such assessment as it may consider necessary.

EXEMPTIONS

Moreover, under section 18, there are some exemptions listed out, which simply means that the provisions of the DPDP, 22 shall not apply, except section 9(4)- which states that the Data Fiduciary and Data Processor shall take all the reasonable security measures in order to mitigate potential breaches. The exemptions have been listed below-

  • Wherein, processing such personal data is essential to enforce a legal right/claim;
  • Wherein, the processing of personal data is in the interest of prevention, detection, investigation/prosecution of any offence/contravention of any law;
  • Wherein, the processing of personal data is done by the court of law, tribunal, quasi-judicial body, etc;
  • Wherein, the personal data belongs to an individual outside the Indian territory and is processed based on a contract between an individual from outside the Indian territory and a person based in India.

The DPDP, 22 further permits the government to exempt any of its agencies from the application of this law in the interest of-

  • The sovereignty & integrity of India;
  • State’s security;
  • Friendly relations with foreign States;
  • Public order.

OBLIGATIONS OF DATA FIDUCIARY

The DPDP, 22 under sections 9 to 11 states the obligations of the Data Fiduciary.

  • Under section 9– This provision deals with the general obligations:
      • The Data Fiduciary shall be held solely responsible for complying with this law, even in cases wherein the data is processed on its behalf by Data Processors and/or by another Data Fiduciary.
      • The Data Fiduciary is responsible for ensuring that the personal data processed is accurate and complete, especially when such data is likely to be disclosed to another Data Fiduciary and/or will be used to make decisions that affect the Data Principal.
      • The Data Fiduciary shall also implement both technical and organizational measures with the aim of ensuring complete compliance with this law. The Data Fiduciary and Data Processor shall ensure that they take all possible reasonable measures and safeguards to mitigate a potential breach.
      • In the event of a personal data breach, the Data Fiduciary or the Data Processor (as the case may be) shall notify the Data Protection Board as well as each affected Data Principal.
      • The Data Fiduciary shall ensure that the personal data of the Data Principal is not retained once the purpose behind such processing is fulfilled, and/or where retention of the data is no longer required for any legal/business purpose.
      • The Data Fiduciary is also required to publish the contact details of the data protection officer or the authorised personnel who may answer, on behalf of the Data Fiduciary, the questions/queries posed by Data Principals pertaining to the processing of their personal data. It is also required to ensure that a grievance redressal mechanism is in place.
  • Under section 10– These provisions lay out the additional obligations of the Data Fiduciary pertaining to the processing of children’s personal data:
      • Under the DPDP, 22, for processing a child’s (anyone who has not completed 18 years of age) personal data, the Data Fiduciary is mandated to seek parental consent, and only after obtaining the same may it process the child’s data.
      • Furthermore, a Data Fiduciary shall not process a child’s personal data in scenarios where such processing will likely cause harm to that child.
      • A Data Fiduciary shall not track or monitor a child’s behaviour or direct targeted advertising at a child.
  • Under section 11– This provision states the additional obligations of a Significant Data Fiduciary. However, before getting into the obligations, we need to understand who exactly falls under the ambit of a “Significant Data Fiduciary.”
      • A Significant Data Fiduciary is any Data Fiduciary or class of data fiduciaries notified by the Central Government. They shall be notified based on factors such as- the amount of personal data that is being processed; the risk of harm that the Data Principals are likely to face; its impact on the integrity & sovereignty, security, and public order of the nation.
      • Furthermore, a Significant Data Fiduciary is required to appoint a Data Protection Officer and an independent Data Auditor, and is further mandated to take measures such as Data Protection Impact Assessment, etc.

RIGHTS & DUTIES OF DATA PRINCIPAL

The rights and duties of the Data Principal have been laid down in Chapter 3 of the DPDP, 22, from section 12 to section 16. Here is the list of rights mentioned under section 12-

  1. The Data Principal shall have the right to seek confirmation from the Data Fiduciary on whether their data has been processed or is being processed by them;
  2. The Data Principal shall have the right to seek the summary of their data that has been processed or is being processed by the Data Fiduciary;
  3. The Data Principal shall have the right to know with whom the Data Fiduciary has shared their personal data, along with the categories of personal data that have been shared.

Under section 13– The Data Principal shall have the right to correction and erasure of their personal data that is with the Data Fiduciary.

Under section 14–  The Data Principal shall have the right to seek grievance redressal by registering a grievance with the Data Fiduciary. Moreover, if the Data Principal is not satisfied with the response, or does not receive any response from the Data Fiduciary, then in such scenarios, the Data Principal may register the complaint at the Data Protection Board.

Under section 15– The Data Principal shall have the right to nominate anyone, who shall exercise the rights of a Data Principal under the DPDP, 22 after the death/incapacity of the Data Principal.

Under section 16– The Data Principal is obliged under DPDP, 22 to perform certain duties such as-

  1. Shall ensure that they do not register any false/frivolous complaint with the Data Fiduciary and/or at the Data Protection Board;
  2. Shall not furnish false documents, impersonate another person, and/or suppress information while applying for any document, service, proof of identity, etc.
  3. While exercising their rights under section 13 pertaining to correction and erasure, Data Principal shall furnish verifiable and authentic information.  

DATA PROTECTION BOARD OF INDIA

The DPDP, 22 also proposes to establish a Board i.e., the Data Protection Board of India to pronounce decisions against complaints filed by Data Principals, to impose penalties for non-compliance not exceeding Rs. 500 crores, and perform all such functions as and when notified by the Central Government in due time.

PENALTIES

Here are the financial penalties listed out under schedule 1 of the DPDP, 22 for non-compliance with the provisions of the law.

  1. Where the Data Fiduciary or Data Processor fails to take reasonable security measures in order to mitigate/prevent a data breach, a penalty of up to Rs. 250 crores shall be imposed.
  2. Where the Data Fiduciary fails to notify the Data Protection Board & the affected Data Principals about the breach, a penalty of up to Rs. 200 crores shall be imposed.
  3. Where the Data Fiduciary fails to comply with the additional obligations pertaining to the processing of a child’s personal data (section 10), a penalty of Rs. 200 crores shall be imposed.
  4. Where the Significant Data Fiduciary fails to comply with the additional obligations mentioned under section 11, a penalty of up to Rs. 150 crores shall be imposed.
  5. Where a Data Principal fails to comply with the duties mentioned under section 16, a penalty of up to Rs. 10 thousand shall be imposed.
  6. Non-compliance with the provisions of the DPDP, 22, except for those listed above, shall lead to a penalty of up to Rs. 50 crore.

Privacy concerns abound in the official Beijing 2022 Winter Olympics app

Introduction

The 2022 Winter Olympics were held in Beijing, China from 4th Feb-20th Feb 2022. Even before the start of the Winter Olympics 2022, China was being criticised globally over allegations pertaining to human rights violations and other related controversies. Around 180 human rights groups were of the opinion that leaders and governments globally should boycott the Winter Olympics in Beijing, as the Chinese government was held solely responsible for the genocide of the minority communities in China. The Canadian government, along with the UK and the United States governments, decided to diplomatically boycott the games; this meant that these countries would only send their athletes to be a part of the games, whereas government delegates and officials would neither attend the games nor be a part of the event.

But was this the only issue raised by the officials?

The other issue that concerned the majority, and that was being discussed everywhere from news channels to the U.S. Olympics and Paralympics committee, related to the ‘privacy’ of the athletes as well as of those who were planning to attend the games in Beijing.

The catch to this privacy-related issue is that those who were preparing to attend the 2022 Winter Olympics had to compulsorily download a mobile application called “MY2022”. This app had multiple security flaws and resulted in privacy concerns that were very much applicable to both the domestic as well as international athletes along with the ones who were merely attending. 

What is MY2022?

MY2022 is a mobile application that was made a requirement for all the athletes and the attendees of the Winter Olympic Games. The app performs multiple functions: it offers real-time chat with your contacts, with video and audio options also available; it lets users share files with each other; and it notifies its users about weather and news updates. Furthermore, the app is also used to submit health customs information of those who are visiting China from other nations. This includes submitting the user’s passport details, demographic information along with travel, medical history (if any), COVID-19 vaccination status, and lab test results including users’ daily health status.

China’s intention behind collecting this information as per their official statements was to prevent the transmission of COVID-19 and hence was a part of the COVID protocol that was being followed during the Winter Olympics.

It was prescribed that all the athletes and attendees should download the app 14 days prior to their visit to China, and they were required to monitor and submit their health information in order to track their health status on a daily basis. Many countries have relied on similar apps in order to track the health status of their citizens and of foreign travelers. Taking India as an example, the app named ‘Aarogya Setu’ was extensively used and is even used today in order to monitor the health status of the people in India.

As per the Chinese government’s guide on the Olympic games, it was discovered that the MY2022 app was created by the Beijing Organising Committee for the 2022 Winter Olympics. However, later through public records and the App Store’s information, it was revealed that the owner of the app is a state-owned company called the ‘Beijing Financial Holding Groups’.

Impact of Data Breaches on Brand Value

  

Introduction

Do you know what is more important for an entrepreneur or for a company other than profit making? It’s the reputation of that business in the market, in other words- Goodwill or Brand value. Haven’t you heard before that when a company’s representatives or a start-up seeks investment or funding from an investor(s), they have to do a valuation of their business before meeting their potential investors? Surprisingly, even while calculating the valuation of a company, its goodwill or brand value as of that date is also considered.

Since the brand value of a company is an intangible asset and is based on the trust and perception of the end-users or consumers, it becomes quite essential for every business to maintain that trust and relationship with their customers and users in order to be profitable.

Now this trust, as discussed above, is always at risk due to factors such as competition in the market, quality of the service/product offered, privacy issues, and many other such factors that could affect the trust and relationship between the business and its customers and users. As the phrase rightly claims- “Customer is the King.” In this day and age, it is easy for businesses to reach out to a wide audience, thanks to the Internet. With the internet, today any business can easily be established and anyone can sell and provide products and services to anyone.

The only concern or issue that we tend to neglect is with regard to the privacy of the customers or the users of such products and services. Neglecting this issue could drastically impact the brand value of the business, and in this blog we will discuss the privacy concerns that arise from data breaches and how they impact the brand value.

Impact of Data Breaches on Brand Value

To understand the current topic we rely on a report published by Infosys, titled, “Invisible Tech Real Impact.” This report takes into account the top 100 most valuable brands and talks about how privacy issues such as data breaches directly impact the brand value of the business. Since the brand value of a company is an intangible asset and is based on the trust and perception of the end-users or consumers, it becomes quite essential for every business to maintain that trust and relationship with their consumers and clients in order to be profitable. With the shift towards a digital economy, consumers globally prefer their privacy over every other concern.

Did you know?

  1. The year 2021 witnessed an increase in data breaches because every business and organization shifted their work to the online mode, which led to such breaches.
  2. There was a sudden hike in the average cost of a data breach after almost 17 years, and the cost rose from US$3.86 million to US$4.24 million on an annual basis. 
  3. The most common data breaches were of users’ credentials being stolen. The average cost of such breaches was US$4.3 million.
  4. Almost 36% of the breaches reported were connected to phishing attacks. Google identified nearly 2 million phishing websites in January 2022.
  5. The year 2021-22 also witnessed a sudden rise in Android banking malware.
  6. Even social engineering attacks were at their peak in the year 2021-22.

  1. If we talk about Financial services (Investment banks, Insurance service providers, Credit/Debit card service providers, and Retail banks), it becomes quite obvious that they hold a lot of personal data or personally identifiable information of their customers, and cyber-criminals are often looking for such data. Hence, privacy issues such as phishing aimed at compromising users’ account credentials to gain unauthorized access are a prevailing concern in the financial sector. The report states that cyberattacks occur 300 times more in this sector. The cumulative value at risk (both monetary loss and loss in brand value) due to such data breaches in this sector is almost as high as $2.6 billion. For traditional banks, the risk is almost up to 16-17% of their brand value.
  2. Technology companies are also at great risk- A recent survey states that 94% of telecom operators and experts confirmed that data breaches would increase with the advent of 5G technologies. Moreover, the cumulative risk including both the monetary and brand value amounts to as high as $29 billion, 53% of which represents the cumulative brand value of these technology companies.
  3. The next on the list will be Consumer Brands (including- beverages, baby products, personal care, and food). As consumer brands are increasingly adopting the digital pathway, the potential threat to these brands is also rising, with an estimate of up to $4.3 billion at risk due to cyberattacks. As per a leading cybersecurity company’s statements, cyberattacks against the manufacturers of these consumer goods rose seven times in the year 2020-21.
  4. Automotive brands– The auto brands face reputational risk which can go up to 9% of their total brand value.
  5. The Media industry is also exposed to cyber threats, as it operates in the digital space. Hence their users are also exposed to such threats. The potential for attacks such as disruption of service due to unauthorized access to their users’ accounts and data without their consent is always there. The OTT platform’s potential brand value at risk due to such threats is nearly 60% of its net income. Whereas, for audio streaming platforms the percentage is nearly 400% of their net income.
  6. Business services such as SaaS, Networking services, and other related services- These services handle a vast amount of corporate data and are often on the list of cyber-criminals. The cumulative brand value at risk could be as high as $3.5 billion, and in some cases, it could be high by 111%. The work-from-home format during the pandemic has also led to an increase in such data breaches in almost 20% of organizations.

Solution: Building a privacy culture and ecosystem

  1. Awareness about digital privacy- The first step to instilling a privacy culture and contributing to the privacy ecosystem of the organization should be taken by the organization’s management. They will have to take the first call to introduce the concept of digital privacy and make this concept familiar to the entire organization through various seminars, conferences, team meetings, campaigns, and many other social events. Nowadays, every organization, be it tech or non-tech, consumes a lot of customer data and even its employees’ data too. Hence, it is essential to have a robust privacy ecosystem. This can only be achieved by educating the entire organization about the issues pertaining to data privacy and its impact on the organization’s reputation.
  2. Understanding the law- The second stage is where the management level members and all the employees from different departments are to be taught about the governing laws regarding data protection & privacy. This stage is more like an extended version of the first stage, as awareness about data privacy alone would not have much impact; it has to be followed by teaching them what each data protection law mandates, the technicalities, the compliance requirements, etc. If each employee is equipped with some of the basic privacy skills and knowledge, the organization will soon be privacy ready along with a robust privacy ecosystem.
  3. Training the employees and complying with industry standards- This is another way of promoting a privacy culture inside an organization by way of training. Training your employees with the relevant skillset is a practice especially followed in the privacy domain today. Moreover, hiring employees with such a skill set is the new trend. It doesn’t matter which position you are applying for, having an additional skill set in privacy is an add-on. There are a few certifications that are recognized as industry standards and are considered essential standards of practice in multiple industries today. ISO standards are among them, along with IAPP’s certifications such as CIPP, CIPT, CIPM, etc.; these are some trending certificates that are seen as relevant in this domain, and people with such certifications have the edge over others.
  4. Investing and developing your security programs and practices- It is quite evident that if the organization has a privacy security program, then the same must be utilized. A security program would help the organization to keep track of all the data that was generated, shared, and used, along with the relevant timelines, the purpose of such data, the retention period, etc. Recording such details about the data in an organization is considered an essential practice, and following such practices requires investment. Hence, investing in security programs would promote the privacy culture and make the organization’s privacy ecosystem much stronger.
  5. Choose vendors and other third parties wisely- Another important aspect that an organization should not neglect is the choice of vendors and other third parties with whom the organization will share the data, either of its customers or employees. Everything must be duly recorded, and such transactions should be governed by written contracts with clauses stating obligations upon such vendors and third parties, especially in the event of a data breach or any other potential dispute arising out of a breach of any of the clauses, partially or wholly.

Conclusion

From the above statistics, we can easily draw the correlation between data breaches and their impact on the brand value of businesses. Every business runs on faith and trust between the business and its users, and privacy issues pertaining to data breaches put not just a handful of users at risk: every user’s data becomes a target. This is why countries have been implementing their own federal and state laws on data privacy and consumer safety, and businesses are required to comply with those laws if they are processing the personal data of their users. These laws give a wide range of rights to the users, such as- right to access their data, right to deletion/correction of their data, etc.

California Privacy Rights Act & what it’s bringing to the table

Introduction

In 2019, during the Facebook F8 Developer Conference, Facebook (now Meta) CEO Mark Zuckerberg said something which had never been said before by any big tech company: “the future is private.” From this statement we can understand that it is not just Facebook but other big tech companies too that are working to come in line with privacy, as privacy is the only hope available for tech companies to survive in this competitive market today. We have witnessed a rise in privacy-related concerns raised by millions of people, organizations, activists, lawyers, institutions, and other governmental agencies. This has only been possible due to the recent changes in the market: earlier, the concept of privacy and the laws relating to privacy weren’t common, but due to global awareness about the data & privacy of individuals, lawmakers around the world have tried to introduce legislation on data protection & privacy. One such example is the General Data Protection Regulation (GDPR).

The GDPR has truly influenced many nations to formulate their own laws regulating the flow of personal data in and outside their economy. As rightly said, “data is the new oil of the digital economy.” Having a regulation along with a regulatory authority becomes essential to monitor and safeguard the rights of individuals as well as the flow of this new oil in this digital era.

In light of the above, California is one such state in the United States that has been successful in formulating a law on data protection & privacy for the residents of California, called the CCPA or California Consumer Privacy Act. It came into effect on 1st January 2020. But what we all need to know about this Act is that in November 2020, the voters in California approved and voted for an amended version of the CCPA, and very soon this Act will get replaced by its successor called the CPRA or California Privacy Rights Act. In this blog we will dive into the new legislation, i.e., the CPRA, and what it brings to the table.

What is CPRA?

The California Privacy Rights Act (CPRA) is an extension of, or a successor to, the former law on data protection & privacy known as the California Consumer Privacy Act (CCPA). The CPRA will be effective from 1st January, 2023. However, some of its provisions have already been in action since 1st January, 2022: the CPRA applies to consumers’ data collected by businesses and organizations on or after 1st January, 2022. Hence, it is advised that organizations and businesses that fall under the ambit of this new legislation should comply with its requirements starting from 1st January, 2022.

If we compare CPRA to its earlier version- CCPA, then the current Act in some way is more friendly toward small-businesses. Additionally, the CPRA widens the scope of the following-

  1. Consumers under this law get more rights;
  2. Fines for violating the provisions pertaining to children’s privacy have tripled;
  3. Limitation in the use of “sensitive personal information” of the users;
  4. Prevents and restricts businesses and organizations from knowing the users’ geolocation;
  5. Restricts businesses and organizations from profiling the users;
  6. Establishes a new agency- California Privacy Protection Agency, in order to ensure rigorous enforcement of the law.

However, we will be discussing all the new changes brought into this law in the later part of this blog.

CPRA applies to which entities?

The present law, the CPRA, applies only to for-profit businesses & organizations that are either located in the State of California or do business with the residents of California. The essential point here is that even if your business is not located in the State of California, if you have users from California and your business collects their data, your business would fall under the ambit of the CPRA. Further, any one of the following requirements needs to be fulfilled for the CPRA to apply to your business/organization-

  1. The entity needs to have annual gross revenue of $25 million or more;
  2. The entity buys, sells, or shares the personal information of 100,000 or more users residing in California per year;
  3. The entity earns 50% or more of its annual gross revenue by way of sharing or selling the personal information of its California users/customers.

The following entities will also fall under the ambit of the current legislation-

  1. Joint ventures & partnerships- Where each business has an interest of 40% or more, each business/entity that falls under this category will be considered a separate entity in itself.
  2. Any entity/business that wishes to comply with the CPRA may do so, even if it doesn’t fulfill the above requirements.
  3. Commonly controlled entities also fall under the ambit of this legislation. A commonly controlled entity is one that is controlled by or controls a covered entity; shares common branding with such entity; or has access to the covered entity’s consumers’ personal information.

Consumer rights under CPRA

  1. Right to opt-out- Under this new legislation, consumers now have the right to opt in or opt out of the collection, selling and/or sharing (with third parties) of their sensitive personal information. Businesses that sell/share personal data with third parties are required to add a “Do not sell my personal information” link on the homepage of their website. Moreover, businesses will also be required to add a “Limit the use of my sensitive personal information” link to comply with the CPRA’s requirement pertaining to limiting the use of consumers’ sensitive information.
  2. Right to correct & delete personal information- The CPRA gives consumers the right to both correct and delete their inaccurate personal information. Entities that fall under the ambit of this law need to disclose this right to their users/consumers and fix all such errors/mistakes in their personal information after receiving such requests from their users.
  3. Right to access data- Under this new legislation, consumers have the right to access their data held by the entities that have collected it, and the time period is not restricted or limited to 12 months; rather, it goes beyond 12 months. The only exception to this right is where doing so is impossible or requires disproportionate effort by the entity; in such scenarios the CPPA will determine what exactly “disproportionate effort” means, as it could vary from case to case.
  4. Right to opt-out from automated decision making & profiling- Under this law, consumers have the right to opt out of both automated decision making and profiling by businesses and organizations based on their personal or sensitive personal data. Organizations and businesses that collect such data must notify the public or their users before such collection, and also explain how automated decision making works and how it affects such individuals’ autonomy.
  5. Private right of action- Under this law, consumers have the right to sue and seek damages from businesses and/or organizations that have collected their personal data where, due to their negligence, the consumers’/users’ data gets compromised or breached. In such cases, even an individual has a private right of action against the defaulting business/organization. This applies especially in the following cases:
     a. Where the exposed data includes the e-mail & password along with the security question and answer, which allows the attacker to easily access the user’s/innocent party’s account.
     b. Where the business or organization is negligent in maintaining proper security standards, as it is their responsibility and obligation to ensure reasonable security of the personal data of the consumers.
  6. Minors’ rights- The CPRA also aims to protect the privacy of children: it specifically states that businesses and organizations must seek and obtain explicit consent before collecting, sharing or selling their data, covering how their data will be used and for how long it will be retained.

Note: Businesses and organizations that willfully disregard this criterion/exception shall be deemed to have had actual knowledge of the consumer’s age.

Obligations for businesses under CPRA

  1. Reasonable implementation of security measures- Businesses and organizations that fall under the ambit of the CPRA are obliged to maintain and implement reasonable security measures in order to protect the personal information of their customers/users. Further, businesses and organizations are advised to perform annual cybersecurity checks and are required to send the results to the CPPA for auditing purposes.
  2. Contractual obligations- Under the CPRA, new obligations have been introduced for businesses that share, sell and/or disclose personal data of their users/customers to their contractors/third-party service providers, etc. In such scenarios, the business and the contractor/service provider must have a written contract stating the following (but not limited to)-
     a. That the information disclosed or sold by the business to the third party/service provider is only for limited purposes;
     b. That both contracting parties comply with the CPRA requirements;
     c. That the third party/service provider is obliged to notify the business if it is unable to meet, or no longer meets, the CPRA compliance obligations;
     d. Lastly, that the business has the right to take reasonable measures and actions in case of unauthorized access to/use of the personal information.
  3. Limited Defenses- The present Act imposes certain limitations on the defenses available to businesses. For instance, businesses will no longer be able to rely on the defense of maintaining and implementing reasonable security practices and procedures after a data breach, as the same won’t be considered a cure or defense for that breach.
  4. Storage limitation & principle of data minimization- These two principles can be seen in the EU’s GDPR. The principle of storage limitation states that an entity or a business should not retain the personal data of its users longer than its intended purpose requires, and once the purpose is met, the data should be discarded. The principle of data minimization, on the other hand, states that a business should limit the collection of personal data and should only collect it if it is directly relevant and necessary to accomplish a required purpose.

California Privacy Protection Agency

One of the major differences between the CCPA & the current legislation, the CPRA, is that it seeks to establish an independent agency known as the California Privacy Protection Agency (CPPA). This agency will initiate actions through the Administrative Law Court, whereas the earlier privacy legislation in California (CCPA) gave the state court system the authority to enforce the privacy law.

The Administrative Law Court would further provide an independent and neutral hearing, and these hearings would be less formal and more transparent.

The present change further shifts the responsibility for enforcing the CPRA to the newly established agency, i.e., the CPPA, whereas under the earlier privacy legislation, the CCPA, this responsibility was given to the Office of the Attorney General. The CPPA will also be responsible for educating the general public and raising awareness about their consumer privacy rights.

Penalties under CPRA 

There is a 3X (times) increase in the penalties as compared to the earlier privacy legislation in California. The entities covered under this legislation could be fined up to $7,500/- per intentional violation and even for violations pertaining to the personal information of people under the age of 16. For non-intentional violations, entities/businesses could still be fined up to $2,500/-. In the earlier legislation (CCPA), there was a 30-day cure period, which automatically started once there was a charge or allegation against the business stating any kind of violation. However, this has been struck down and cannot be found in this new legislation.

Moreover, under the CPRA, the agency (CPPA) will now decide on the cure period, i.e., how much time the business has to correct such violations.

Conclusion

From the above discussion, we can clearly draw out all the new features of this latest legislation on data protection & privacy for the State of California. The CPRA will be enforced in 2023; however, some of its provisions are in effect starting from 1st January, 2022. It becomes essential for every business and organization to check whether they fall under the ambit of this new legislation or not. Moreover, the legislation applies to all the personal data/information collected starting from 1st January 2022, making it essential for every business to start complying with all the requirements starting from 2022.

Apart from checking the applicability and scope of this legislation, businesses are further required to update their privacy policies, review and update their contracts with their vendors and other service providers in compliance with the CPRA, and, lastly, update their websites and methods of processing in accordance with the upcoming legislation.

CERT-In Directions dated 28 April 2022

The Directions issued by CERT-In on April 28, 2022 aim to ensure better cyber security measures in India and focus on the collection and storage of users’ sensitive information. As per the directions issued, VPNs in the country will have to keep customer names, validated physical and IP addresses, usage patterns, and other forms of personally identifiable information. Let’s discuss the directions in a detailed manner-

Firstly, as per the directive, VPN companies are mandatorily required to collect and validate customer names, physical addresses, email addresses, and phone numbers. Along with that, they are required to provide the reason each customer is using such service, the dates they use it, and their “ownership pattern.” They are also required to provide the IP address and email address used by a customer to register for the service, along with a registration timestamp. Lastly, they must provide all IP addresses issued to a customer and a list of IP addresses being used by its customer base generally.

Secondly, the directives by CERT-In will have a wide impact on almost every stakeholder involved in the use of the internet, as they are applicable to all service providers, intermediaries, data centers, body corporates and Government organizations. Furthermore, any non-compliance with these directions could lead to imprisonment of up to a year as a punishment.

CERT-In was set up as a body under the Ministry of Electronics and Information Technology (“MeitY”) to tackle rising cyber security concerns. Moreover, some form of monitoring of users’ information was necessary in order to combat rising cyber harms. The latest directives give CERT-In the power to store and use such sensitive information of users; they also mandate that virtual asset service providers must carry out mandatory KYC and submit reports of their financial transactions to CERT-In.

It must be noted that the centre will use all the legal and security safeguards along with proper administrative channels to access such information mandated under the present directives. A detailed analysis of the said directions will follow in the next post. Stay tuned!

A quick guide on the concept- Privacy by Design

Introduction

The concept of data privacy has been on paper since well before the coming of the digital era, and so has the concept of Privacy by Design, which was introduced in the 90s by Ann Cavoukian, former Information and Privacy Commissioner for the Province of Ontario.

Privacy by Design (“PbD”) defines the nature of privacy and how we must approach it. It means that from the beginning of an organization’s or a project’s existence, privacy must be implanted, enabled and implemented in its very foundation, rather than being looked at only from a compliance point of view and merely as a remedy against breaches and risks. Moreover, it should be adopted as a culture, and not as an add-on to your shopping cart list.

Let’s dive into how to implement PbD within an organization with its Seven foundational principles-

  1. Privacy measures should be “Proactive not Reactive”; “Preventive not Remedial”

Taking this viewpoint can make your team’s life easy and save your organization from huge penalties. Here’s why: this principle discusses the very nature of privacy, and how it benefits and adds value to an organization when it is proactively utilised. The reasoning behind the implementation of privacy should be to detect and minimize/eliminate potential threats, not to wait for the potential threats to cause harm first and then implement security measures. That’s not how privacy should work. An example of this could be conducting a Data Protection Impact Assessment before processing, or a Transfer Impact Assessment before cross-border transfers.

  2. You must enable “Privacy as the Default setting”

This simply means that privacy must be implemented into systems and processes as a default setting, putting privacy at the forefront. Although this looks the toughest to crack, it only minimizes the potential cyber risks. By enabling privacy as a default setting, your organization limits the collection of data, does not retain data after its purpose is served, and ensures that no users are required to act separately to protect their personal data. For example- having the personalised ads or precise location option turned off as a default setting.

  3. “Privacy embedded into Design”

Privacy must be implemented into the skin of the products/services that you offer from the initial stage. It should be treated as an integral part of your business practice. Lastly, it shouldn’t be considered an add-on or a strategy adopted as a countermeasure against risks. In simple terms, this principle states that an organization must strive to provide privacy at all stages while offering its products/services to users. For example, ensuring an end-to-end encrypted platform, giving users the choice of receiving targeted ads, etc.

  4. Full Functionality – Positive-sum, Not Zero-sum

The fourth principle simply states that privacy by design is an approach which seeks to accommodate all legitimate interests, dismisses unnecessary trade-offs, and avoids false dichotomies such as privacy v security, so that by implementing privacy by design an organization can achieve a win-win scenario. For example, if an organization limits and minimizes data collection and data sharing, and destroys data according to its retention policy, this can ensure fewer security flaws and keep users’ privacy at the forefront, without making any unnecessary trade-offs.

  5. End-to-End Security – Full Lifecycle Protection

This principle simply states that data privacy & protection go hand in hand, and shall be delivered during the entire lifecycle of the data. An organization must ensure that all reasonable, industry-recognized security measures are taken, right from data collection to deletion. For example- during a cross-border transfer of personal data, an organization must conduct a transfer impact assessment in order to assess and analyse the potential risks, and only then move ahead with such transfers.

  6. Visibility and Transparency – Keep It Open

This principle lays out that the privacy of users means complete visibility and transparency of their data. To ensure this, every organization must strive to have easy-to-read privacy and cookie policies. This could help users understand exactly what happens with their data. Always remember, privacy is a trust-building initiative and has a direct impact on every organization.

  7. Respect for User Privacy – Keep It User-centric

And, lastly, privacy only comes by putting consumers/users at the top. Organizations must keep in mind that, ultimately, they are processing their users’ data, and must keep it consumer-centric by granting users control and visibility over their data. Data privacy should come in line with respecting the users’ experience throughout. For example- a user must have the right to seek correction & erasure of his/her data from any platform.

What is DMARC and why it is important for businesses?

Introduction

Today, every business and organization depends on two most important things- the Internet & Data. With the emergence of the Internet, and the evolution from Web 1 to Web 2 and now to Web 3, this transition has always been accompanied by various challenges, of which the most concerning, affecting not just businesses, corporations, and governmental agencies but also individuals, is Cyber-Attacks.

In this Digital era, trade and communication rely heavily on the use of Electronic Mail services (E-mail). As per a recent report by Statista, over 333 billion emails are sent and delivered each day. Moreover, 90% of the cyber-attacks on businesses and organizations are carried out through Phishing, Spamming & Spoofing over E-mails.

E-mail security threats are real and could cost businesses and organizations hefty losses if not treated. How? Electronic communications are the preferred way to connect with potential clients and consumers, so if businesses fail to focus on e-mail security, it would be easy for an attacker to impersonate your business and send malicious mail to your clients and consumers.

The present study will help you understand the relevance of e-mail security and the threats pertaining to it, along with the solution that every business must ensure to take.

Case Study

The sole purpose of this case study is to bring awareness about the seriousness of cyber-attacks via e-mail on businesses and their clients in cases where e-mail security is not dealt with care. For this case study, we won’t be naming any company.

ABC Pvt Ltd, an e-commerce company based in India markets its products to its potential buyers via e-mail. The e-commerce company also relies on e-mails for sending daily discounts and fashion trends to its subscribers. 

However, the e-commerce company was later informed through multiple sources and complaints that cyber-attackers were sending phishing e-mails impersonating the e-commerce company, which led to multiple cybercrimes. It was also later observed that the actual e-mails sent by the e-commerce company itself were never delivered to their subscribers; instead, multiple ISPs blacklisted all the domains of the e-commerce company.

It is essential to note here that phishing e-mails/attacks like these could be convincing to your clients, and it would be hard for them to spot the difference between the original company and the scammer, which would eventually make them fall for such phishing scams. This would further cause huge damage to the company’s brand image and to trust among its users/customers and potential clients, and its domain reputation would be affected by such cyber-attacks.

In such scenarios, the company itself doesn’t know about such security breaches due to lack of visibility or low visibility, which makes it tough to investigate such cyber-attacks or phishing in general.

What are the remedies available and how will a business resolve this security breach and protect itself from such potential security threats?

Solution

The answer to the above case study is to implement DMARC. Let’s understand what DMARC means, right from the basics.

What is DMARC?

DMARC or Domain-based Message Authentication, Reporting, and Conformance is a protocol/system that helps in authenticating e-mails and further protects the business’s domain from e-mail security threats/breaches such as spoofing, phishing, etc.

Let’s try to understand how DMARC works, exactly.

DMARC is essentially built on two main verification techniques:

  1. SPF or Sender Policy Framework; and
  2. DKIM or DomainKeys Identified Mail

Let’s simplify these verification techniques in order to get an overview of DMARC.

  • SPF is an e-mail authentication standard and is used as an industry practice for e-mail security. It allows only the authorized senders of the domain to send e-mails and blocks others who are not listed as authorized senders of the domain.
  • Here is what happens when you, as a business, implement SPF-
     a. You are required to publish all the authorized IP addresses that may send e-mails from your domain.
     b. When an entity receives your e-mail, the server cross-checks whether the IP address matches your published list.
     c. If it matches, such communications land in the inbox. If it doesn’t match, the e-mail gets rejected straightaway by the e-mail server, thereby preventing phishing and other cyber threats.
     d. Unfortunately, however, hackers have come up with multiple different ways to fool and bypass SPF technology. The only way to make effective use of and rely on SPF technology is by implementing DMARC.

DMARC simply incorporates SPF technology along with DKIM.

  • The DKIM technology helps in creating a digital signature, which simply puts the onus for the shared message on the e-mail sender. The digital signature further guarantees that the content of the message sent has not been altered or modified.
  • This technology is based on cryptography, which in simple terms means it creates a pair of keys (public & private) that are then used to verify the authenticity of the e-mail.
  • The e-mail is signed with the private key, and when the receiving server receives the e-mail, it verifies the signature with the public key.

This is how DMARC functions, and further shares detailed reports pertaining to failed e-mail authentication with the domain owner.
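How a receiving server combines the checks described above, as an added Python example (not code from the original post): it evaluates SPF for the connecting IP, takes DKIM verification results as given, and applies the domain's published DMARC policy, including the alignment test that ties both results to the visible From domain. The domains, IP addresses, DNS records and message fields are constructed; DKIM's cryptographic verification is not reimplemented, and organizational-domain matching is simplified to the last two labels.

```python
import ipaddress

# Constructed DNS TXT records: placeholder domains, documentation-range IPs.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "bulk-sender.test": "v=spf1 ip4:198.51.100.7 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, dns=DNS_TXT):
    """Evaluate the ip4/ip6/all mechanisms of the domain's SPF record.

    Mechanisms that need further DNS lookups (include, a, mx) are skipped
    in this offline example.
    """
    record = dns.get(domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]
        kind, _, value = mech.partition(":")
        if kind in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict; None if not DMARC."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """Strict mode ('s') needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def find_policy(from_domain, dns):
    """Look up the DMARC record at the From domain, then at its org domain."""
    from_domain = from_domain.lower()
    for name in (from_domain, org_domain(from_domain)):
        policy = parse_dmarc(dns.get("_dmarc." + name, ""))
        if policy:
            if name != from_domain and "sp" in policy:
                policy["p"] = policy["sp"]  # subdomain policy applies
            return policy
    return None


def evaluate_dmarc(msg, dns=DNS_TXT):
    """Return SPF/DKIM/DMARC results and the disposition for one message."""
    from_domain = msg["header_from"]
    spf = spf_check(msg["mail_from"], msg["client_ip"], dns)
    dkim_domains = [d for d, verified in msg["dkim"] if verified]
    result = {"spf": spf, "dkim": "pass" if dkim_domains else "none",
              "dmarc": "none", "disposition": "none", "report_to": None}
    policy = find_policy(from_domain, dns)
    if policy is None:
        return result  # domain publishes no DMARC policy
    spf_ok = spf == "pass" and aligned(msg["mail_from"], from_domain,
                                       policy.get("aspf", "r"))
    dkim_ok = any(aligned(d, from_domain, policy.get("adkim", "r"))
                  for d in dkim_domains)
    passed = spf_ok or dkim_ok
    result["dmarc"] = "pass" if passed else "fail"
    result["disposition"] = "none" if passed else policy.get("p", "none")
    result["report_to"] = policy.get("rua")  # where aggregate reports go
    return result


# Constructed messages: envelope sender, visible From domain, connecting IP,
# and (signing domain, signature verified?) pairs from the DKIM verifier.
MESSAGES = {
    "legit": {"mail_from": "example.com", "header_from": "example.com",
              "client_ip": "192.0.2.10", "dkim": [("example.com", True)]},
    "unauthorized_ip": {"mail_from": "example.com", "header_from": "example.com",
                        "client_ip": "203.0.113.5", "dkim": []},
    "unaligned": {"mail_from": "bulk-sender.test", "header_from": "example.com",
                  "client_ip": "198.51.100.7", "dkim": [("bulk-sender.test", True)]},
    "forwarded": {"mail_from": "example.com", "header_from": "example.com",
                  "client_ip": "203.0.113.99", "dkim": [("mail.example.com", True)]},
}

if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        print(name, evaluate_dmarc(msg))
```

The `unaligned` message passes SPF and DKIM for its own domain yet fails DMARC because neither result matches the From domain, while the `forwarded` message fails SPF but still passes on its aligned DKIM signature.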

How does DMARC protect your Domain Reputation?

If your business has implemented DMARC, it will protect your customers and clients from phishing, spoofing, and other related security threats. We need to understand that these malicious e-mails don’t just impact your information management system or cause data breaches; your domain may also get blacklisted by multiple ISPs, which would straightaway impact your domain reputation and break the trust of your customers, since their data is at stake.

Discussion on- The Criminal Procedure (Identification) Bill, 2022 & the Right to Privacy

Join us tonight at 9 PM (Instagram Live), in conversation with R H A Sikander, practicing Advocate at the Supreme Court of India, where we discuss the two important Bills- The Criminal Procedure (Identification) Bill, 2022 & The Data Protection Bill, 2021

Instagram live link- https://www.instagram.com/lawyerstrange/

#CriminalProcedureIdentificationBill2022

#PrivacyMatters

How to draft quality agreement for a pharmaceutical company

First published on Ipleaders

Introduction

A contract in any industry or for any business is one of the most essential components, and carrying on a business or any kind of collaboration without a contract can be a nightmare for all parties involved. When parties enter into a contract, all their obligations and other clauses of the contract become binding upon each of the parties, and in case of a breach of any of the clauses, the one committing the breach becomes liable. So, contracts make the parties accountable to each other, hence, the quality of work gets better.

As we are living in the age of a pandemic, there has been a rise in the consumption and production of drugs. From the hoarding and black-marketing of medicines and the courts directing the concerned authorities to increase production, to the incredible growth in the stock prices of pharmaceutical companies, we have seen and experienced so much within a single year. In this article, we will focus on quality agreements; as the name suggests, these agreements are extensively used for quality assurance of drugs in the pharmaceutical industry.

What is a quality agreement?

The quality agreement isn’t similar to any other agreement; rather, these agreements have come under scrutiny from the concerned authorities worldwide, especially in India, as third-party drug manufacturing hasn’t been defined under the Drugs and Cosmetics Rules, and hence the liability of the third party involved in such agreements was a big question.

Quality agreements are entered into by two or more people for the purpose of manufacturing, supply, and service while maintaining the quality of drugs and not compromising on them. These agreements are made primarily to comply with the quality of the drugs that are to be manufactured and also to comply with the regulations imposed by the government and/or to comply with the statutory obligations or as per the concerned authorities. 

One of the reasons why parties enter into such agreements is to expand their reach in the global market; to survive in the age of globalisation, businesses outsource the manufacturing of drugs to contractors at cost-efficient prices. India is one example, where foreign pharmaceutical companies land up in search of cheap labour and resources. Generally, the quality assurance department headed by the quality risk manager, along with the legal department of the pharma company and the contractor/vendor (manufacturer, laboratory, etc.), collaborate while drafting a quality agreement.

The scenario in India : before and after the 2020 amendment

In India, before the 2020 amendment of the Drugs and Cosmetics Rules (“DCR”), drug marketers/distributors were not legally recognised, which created huge confusion as to whether these quality agreements were legally enforceable in India or not, as the earlier rules didn’t have any provisions relating to the liability of the third party involved in such arrangements.

After the amendment to the DCR, contract manufacturing of drugs, especially in India, has become more transparent and there is more accountability of the parties involved in such agreements. Both the drug manufacturer and the drug marketer or distributor are now liable under Indian law. Hence, these agreements must be made with proper assistance and cooperation from all the parties in order to comply with all the required regulations as well as to provide the customers with the best possible product.

Why do parties enter into such agreements?

Quality agreements are stand-alone agreements, and they shouldn’t be read like an addendum or an attachment to the main agreement. This is because of the format and the language used while drafting these agreements. As to why parties enter into such agreements, and why they need another, separate agreement when they already have the main agreement, these are questions normally asked by thousands of contract drafters. They don’t have a single answer; however, the answers or opinions are convincing.

As we know, the main purpose of these agreements is to make sure that the quality of the product is as per the recognised standards and is not compromised for the sake of making profits, as these agreements deal with drugs, and drugs are essential goods/commodities in a person’s life. While manufacturing them, or testing them at laboratories, one has to keep in mind that one is doing a public service. At the same time, the only way to encourage these industries is by giving incentives, and development in these areas can only be promoted if these industries are not restricted by the authorities and are given reasonable freedom to make profits. The United States of America is the right example: it doesn’t have any regulations regarding drug pricing, hence the prices of drugs there are far higher than drug prices in India, which has a regulation regarding drug pricing.

Therefore, we can understand that pharma companies come under huge pressure because of government intervention and the laws laid down, the compliance issues, and the different approvals that these companies have to obtain in order to manufacture these drugs as well as to release them into the market.

Things to keep in mind while drafting a quality agreement 

While drafting a quality agreement, the parties have to keep a few things in mind:

1. Scope and purpose clause

This is the most important clause in the entire agreement, as it states the entire scope of work and purpose or the intent of the parties for which they have agreed to enter upon this agreement. This clause needs to be drafted properly keeping in mind the target and the final goal for which the parties have joined or collaborated. In case this clause hasn’t been drafted precisely or the parties haven’t drafted the clause as per their verbal agreement, then such situations can lead to major differences between the parties further creating disputes/conflicts between the involved parties. It is very important to customise the clause as per the mutual understanding of the parties so that future conflicts can be easily minimised.

2. Definitions and interpretation clause 

This clause covers the terms that have been used multiple times, or the terms that convey more and have a wider ambit under the agreement. Such terms can be mentioned under this clause so that the parties can easily interpret and understand them more comprehensively, thereby minimising confusion and conflicts regarding the interpretation of such terms and clauses.

3. Roles and responsibilities clause

In this clause, parties should mention their roles and responsibilities as per the agreement. It is essential that parties elaborately set out each of their roles and responsibilities in contributing to and fulfilling the purpose and scope of the work as per the mutual agreement between them. If this clause is taken for granted and vaguely drafted, it can result in differences between the parties and ruin their relationship by creating conflict between them. To prevent such disputes relating to the role or responsibility of any of the parties, this clause should be drafted keeping in mind all the formal discussions, the facts stated by each party, the promises/covenants made by each party, and the purpose and scope of the agreement.

4. Resolution of disagreements clause

It can’t be denied that even when parties entering into an agreement know that they have to cooperate with each other, fulfill all their roles and responsibilities, and comply with all the clauses and the laws, there will obviously be times during the term of the agreement when the parties won’t agree with each other. Such disagreements can concern the quality of the drugs, auditing or inspection, etc. During such disagreements, the parties will have to resolve the matter and come to a conclusion, or else the purpose of the agreement would be defeated. To prevent such events, it is mandatory to include a clause stating a mechanism, process or steps to resolve such disagreements and differences between the parties.

5. Assignment clause 

In this clause, parties have to mention that neither of the parties shall have the right to transfer or assign their roles, responsibilities, and promises/covenants to any other third party, as it would defeat the present agreement’s purpose. 

6. Term and termination clause

Under this clause, the parties shall mention the term of the agreement, and whether the same agreement can get revised or extended during or before the expiry of the term. Further parties can include or make a separate clause regarding the termination of the agreement, whether the agreement can or cannot be terminated unilaterally, and under which circumstances, the parties will have the power to terminate the agreement, etc.

Parties can include other clauses too as per their preference and can customise the entire agreement as per their mutual understanding. There isn’t any fixed format for a quality agreement, but certain clauses are a must. The most important thing the parties should keep in mind, whether they are drafting a quality agreement or any other type of agreement, is to draft it in such a way that there isn’t any gap that would create communication barriers or restrict communication between the parties, as communication is the major factor that leads to either a success story or a major failure!

Conclusion

By now you might have an idea about what a quality agreement is, why parties refer to such agreements, and the important or basic clauses that are to be included while drafting one. One more important thing that shouldn’t be ignored while researching, drafting or assisting someone in drafting a quality agreement is that these agreements should be drafted keeping in mind the parties involved and other factors such as the scope of the work, who has the major control under the agreement, the ways or modes of communication, and the importance of inspection and auditing with respect to the materials used. Basically, the agreement shouldn’t be an online template or a previously used template; rather, it should be a customised agreement catering to the needs of the parties, because resolving conflicts can get expensive at times.

All you need to know about a broadcasting agreement

First published on Ipleaders

Introduction 

Broadcasting is a process wherein an art, a performance, or an event that has either been recorded or is currently being recorded is telecast to a large and wide audience worldwide through TV signals, radio signals or the Internet.

We are living in a digital world, where everything has been digitalised. One of the major reasons is Covid-19: the entire world has completely shifted to the virtual zone, whether for work-related purposes or for entertainment.

Have you ever wondered how, when you watch a live event, let’s say a live cricket match or live wrestling, you are able to watch it in comfort in your pyjamas even though you haven’t purchased tickets for the event, and yet the sports and entertainment industry still manages to earn in millions and sometimes in billions? But how? Is broadcasting that expensive, and such easy money-making for these industries?

In this article, we will discuss everything related to a broadcasting contract in great detail.

What is a broadcasting agreement?

A broadcasting agreement is an agreement entered into by two or more parties for the telecast/broadcast of the event specified in the agreement, so as to reach a maximum or wide audience through different modes of telecast: live streaming, TV signals, subscription-based broadcast, and/or internet or radio signals.

A broadcasting agreement is entered into between the event’s host, the content creator or the producer of the event (“Creator”) and the broadcasting agency(s) (“Broadcaster”). The Broadcaster has to telecast the event on the platform(s) mutually agreed by the Creator and the Broadcaster (“Parties”). The Creator of the event grants the Broadcaster a license carrying either exclusive or non-exclusive rights to broadcast the event, as per the said agreement.

The term “broadcast” is defined under Section 2(dd) of the Copyright Act, 1957 as communication to the public via either a wired or wireless medium, and it also includes re-broadcast.

In a broadcasting agreement, the Content Creator, the performer or the producer is the sole owner of the rights relating to the Intellectual Property: it is the Creator’s original work, hence it is his property. Moreover, a broadcasting agreement is not meant to transfer ownership of the Intellectual Property from the Content Creator to the Broadcaster. It merely gives the Broadcaster the license to distribute the said content/performance/event to the public at large through its network.

Importance of such agreements

To understand the concept of a broadcasting agreement, we first need to clarify two basic prerequisites: why are these agreements/contracts made, and why is broadcasting important in this day and age?

As we know, through agreements, parties are bound by the rights and duties they have mutually agreed. An agreement gives its purpose legal importance and makes it enforceable in a court of law in case an event of default occurs. To secure and protect oneself from fraud, it is very important to enter into an agreement before accepting any commercial or non-commercial deal.

Coming to the second part, broadcasting is an important service because it is considered to be a public service, and public service is for the greater good, which is considered to be a moral obligation of the State as well as of individuals, associations/corporates, etc. Most importantly, broadcasting services generate a huge amount of income within the economy, because broadcasting an event enlarges its viewership and audience. This is good for the sport, the players and the nation as a whole, as the nation gains recognition and the players get recognized for their efforts.

A huge amount of income is generated through broadcasting. Let’s take a few examples: the FIFA World Cup, ICC World Cup, IPL, WWE, UFC, Davis Cup, The U.S Open, etc. are some of the sports wherein the broadcasting rights are sold for Millions of Dollars. If we take examples of Movies or TV series instead of sports, in 2015 Netflix acquired the streaming rights of Friends for $100M.

Now, if parties are willing to spend a hefty amount of money on acquiring streaming or broadcasting rights, it is prudent to secure the said transaction by entering into an agreement. Hence, the broadcasting agreement is not only a vital part of the transaction; it also binds the concerned parties together and makes them legally bound to all the obligations mentioned in the agreement.

Important clauses and provisions of the agreement

In a broadcasting agreement, a few operative clauses must be drafted, and they are-

  1. Purpose clause- A purpose clause is drafted to mention the purpose behind the said agreement. The parties have to rightfully mention the exact purpose of the agreement, and the purpose shall not be illegal, otherwise the entire agreement would become void.
  2. License clause- In this clause, it is to be mentioned that the Creator/Producer or the owner is granting a license to the broadcaster to stream/telecast either a live or a recorded session of the event on its network(s) and platform(s). Whether the agreement is an exclusive broadcasting agreement or not shall also be mentioned here. Everything relating to the broadcasting license shall be mentioned in this clause.
  3. Habendum clause- In this clause, all the rights relating to the property (Intellectual property, in this case) shall be mentioned. If in future there is any confusion relating to the title and ownership of the Intellectual property, this clause can be a life-saver.
  4. Representations and Warranties- In this clause, both parties shall state the facts and shall each comply with the facts so represented, so that if anything happens contrary to the stated and accepted facts, the parties shall be individually responsible.
  5. Rights and Obligations clause- In this clause, all the rights and obligations of both parties shall be mentioned clearly.
  6. Dispute resolution clause- This clause is very crucial and needs to be drafted with clarity, as it will determine how the parties shall deal with future disputes that might arise between them. Parties can mention something like, “Parties hereby mutually agree that all the disputes arising out of this agreement shall be referred to arbitration”. If the parties choose arbitration as the mode, then the seat, venue, governing law, number of arbitrators, and whether they have opted for ad-hoc or institutional arbitration shall be mentioned and covered in the clause.
  7. Tenure clause- In this clause, the tenure of the entire agreement shall be correctly mentioned, so that no future conflict or dispute arises concerning the tenure of the agreement.
  8. Force Majeure clause- In case of any unforeseeable circumstance, if any party is unable to fulfil its contractual obligation, then such defaults or events of default shall not lead to termination of the agreement.
  9. Promotions and Sponsorships clause- In this clause, the parties shall clearly mention whether there are any sponsors for the event and the ways in which the event will be promoted.
  10. Event of Default clause- In this clause, all the events that amount to default of the obligations promised by the parties under the agreement shall be mentioned. Ultimately, such events shall directly lead to the termination of the agreement.
  11. Termination clause- In this clause, the modes and ways of termination of the agreement shall be mentioned, and anything apart from the modes or ways of termination mentioned in the agreement shall not be considered as termination. All the events of default shall directly result in termination of the agreement, hence the “Event of default clause” shall go hand in hand with this clause.
  12. Payment and Fees clause- In this clause, the modes of payment and the entire fees charged or to be paid by the broadcaster to the Producer shall be mentioned.

Any law governing the agreement?

A broadcasting agreement shall be governed by multiple laws depending on the place of operation of the said agreement. The laws that shall be governing a broadcasting agreement are-

  1. Intellectual Property law
  2. Contract law
  3. Arbitration
  4. Antitrust/Competition law

Implications of not getting into an agreement

If the parties have no written agreement/contract stating that they have entered into a broadcasting agreement, then the agreement shall not be enforceable, and it might get very tough to prove whether there was any agreement between the parties at all. In such situations, where parties act negligently and the consideration is a hefty sum, there is always a high chance of fraud. To secure oneself and the agreement, it is imperative to have a record of the same in a written format, with the signatures of both parties.

An important thing to note here is why lawyers or contract draftsmen draft a dispute resolution clause when parties enter into an agreement. At the time of the agreement the parties mutually agree to each other’s terms, but they are unable to anticipate any future dispute. A dispute is something which can never be eliminated, and differences of opinion, etc. can’t be foreseen; hence, it is important to have a dispute clause to protect the rights of both the parties. If there is no written agreement, the complainant shall first have to prove that there was an agreement between the parties, and only when the court of law is satisfied that there was an agreement shall it consider the latter allegations.

Hence, having a written agreement is a win-win situation to protect the rights of the parties against any mishap or fraud.

Case laws relating to broadcasting agreements

  1.  Neo Sports Broadcast Pvt Ltd v. New Sanjay Cable Network & Ors-

In this matter, the plaintiff entered into a broadcasting agreement with BCCI, under which BCCI granted a license to the plaintiff to broadcast test cricket matches between India and other countries. The plaintiff found out that the defendants, without any authorization or license from the owner or the plaintiff, were transmitting and making available the channel to their clients. The Hon’ble Delhi High Court held that unauthorized transmission of the TV channel to a selected clientele also amounts to commercial use of the broadcast and to making the content available to the public. Hence, it violates the broadcasting rights or broadcast reproduction rights of the plaintiff.

  2.  Star Sports India Private Limited vs. Prasar Bharati and Ors-

The Hon’ble Supreme Court of India held in this judgement that the broadcasting rights of all sports events that are of national importance must be shared with Prasar Bharati, free of all commercial interest, so that the entire country can witness the importance of the game and get inspired by it. The core element of this judgement was public interest: where the court is satisfied that an issue is directly proportional to the public interest, the court shall always favour and pass an order or judgement protecting the public interest at large. Hence, in this case, even though the broadcaster had entered into a broadcasting agreement, his rights still weren’t protected, since it was a matter of the public at large.

Conclusion 

By now, you must have understood the entire concept of a broadcasting agreement, why parties enter into such agreements, its importance, and the implications if there is no such agreement between the concerned parties. The basic idea behind an agreement is to mention everything at once during the initial phase of negotiations or at the time of drafting. When parties enter into an agreement, they mutually agree to all the terms and conditions of the said agreement. It is the best way to secure a deal and transaction, especially if the transaction involves a huge amount of money.

All you need to know about Representations & Warranties clause

First published on Ipleaders

Introduction

In case you don’t remember this historic news, which was shocking and met with mixed reactions at the same time: back in 2011, the greatest company of all time, “Google”, acquired “Motorola Mobility” for $12.5 Billion! In this article, we won’t be discussing the decade-old acquisition (Motorola Mobility was later sold to Lenovo in the year 2014 for just $2.91 Billion). Rather, through this article, we will try to understand what an acquisition agreement is all about: the concept, its importance and relevance. Furthermore, we will discuss one of the most essential clauses, which would be useful not only for the present agreement but would play a key role in every agreement that you’ll draft. The author has covered important aspects which would help you in drafting an effective representations & warranties clause for any given agreement.

What is an acquisition agreement?

We might have come across the term “Acquisition” at least once, but if not, then in simple words an acquisition is when one party acquires the other party, in the presence of an agreement (preferably a written agreement/contract). One of the most common mistakes that we all tend to make is to use certain words interchangeably, as synonyms of one another, even though in reality their meanings are opposite to each other. One such example is the usage of “Merger” and “Acquisition”: although these words are used together, they don’t mean the same; rather, both are opposite to each other. A Merger is when one person/entity mutually agrees with the other person/entity to merge and form a new entity or a joint entity. Whereas, in an acquisition, one party/entity buys the other entity (entirely or the majority parts of the entity) to become the owner of that entity.

An acquisition can be mainly of two types- 1) Asset sale transaction and 2) Stock or equity sale transaction.

When the buyer’s company purchases some/specific assets or all the assets of the seller’s company, such a transaction is called an asset sale transaction. The reason behind such transactions could be, when the buyer doesn’t want to buy those specific or certain assets, rather wishes to directly acquire them from the Seller. Another reason could be that the buyer prefers flexibility, as the best part of these transactions is that the buying entity can avoid risk and unwanted liabilities and assets. Through these transactions, the buyer can specifically buy assets as per the needs of the buying entity and assume liabilities accordingly.

A stock or equity sale transaction is unlike the asset sale transaction, where the buyer takes over the assets and liabilities of the selling company. Here, the buyer takes over the ownership of the selling company by buying the stocks or equity from the equity holders. The selling company prefers this type of acquisition over the asset sale because the buyer is buying the ownership, which means that all the known and unknown liabilities are transferred from the seller to the buying company. Hence it’s a relief for the selling company, unlike in the asset sale transaction, where the buying company can easily avoid unknown liabilities.

In an acquisition agreement, it is essential to draft an effective representations & warranties clause, to protect both the selling company’s and the buying company’s interests and also to protect the purpose of the agreement. If the representations and warranties clause is not studied and drafted properly, it may easily lead to a future dispute between the parties resulting out of a breach, which would further impact the relationship of the parties and would finally result in termination and/or damages to be paid by the defaulting party to the innocent party.

If an acquisition is an asset sale transaction, then under the representations and warranties clause, the list and number of the assets along with the liabilities shall be mentioned and/or annexed in a schedule at the end of the agreement. The selling company should also mention the title and possession of such assets and should further state that the sale and transfer of such title won’t lead to any breach of a third party’s right. Parties can also mention if there is any charge against any of the assets, or if any litigation or dispute is ongoing internally or externally, etc. Similarly, in an acquisition agreement dealing with a stock sale transaction, the transfer of ownership of the business, of the Intellectual property and of any other asset shouldn’t create any third party dispute, and the current financial condition of both parties shall be revealed to each other, etc. These are some examples of what can be included under the representations and warranties clause for an acquisition agreement. Let’s now discuss the meaning of these two terms in more depth.

Meaning and purpose of a representations clause

Representations are statements or presentations of facts; a representation can be a statement of fact that was true in the past or is true at present. When an entity, either the buyer or the seller, makes a representation to the other, it induces the other party to enter into the agreement. Representations are used for persuading the parties to enter into an agreement, but they are not a part of the contract. For example, a representation can be “The Buying Company is duly incorporated under the Companies Act, 2013”. Although this is a statement of fact that is true at the present moment, it doesn’t form the purpose or scope of the agreement; rather, it is just a statement by which the parties were persuaded and hence decided to enter into an agreement.

More simply, we can say that a representation is a presentation of facts from the past to the present defining the status of an entity. If such facts are hidden from a potential buyer or an investor, it may lead to a dispute in the near future. From a buyer’s perspective, the scope of the representations and warranties clause should be drafted widely, so that there aren’t any restrictions when any claims are made from the buyer’s side.

Meaning and purpose of a warranties clause

Now we know what a representations clause means and why it is important: it is what a potential buyer or an investor would see first, and only then might he bet on the investment that he is making. It is only through such clauses that a buyer would be willing to take the risk of investing in any company. Warranties, on the other hand, are a set of promises from one entity to another; such promises are for the present or for the future conditions as stated under the agreement, and these promises are contractual. So we can say that, when an entity represents something to induce the other entity to get into an agreement, such representations are promised through warranties. For example: “The seller represents that his products are made from quality resources (this is the representation that the seller is making) and further warrants that if there is any defect in the product, such products can get exchanged or replaced by sending a notice to the seller within 30 days from the date of the purchase” (this is the warranty that the seller is providing). From a seller’s perspective, the scope of the representations and warranties clause should be drafted more narrowly, so that the buyer is limited and restricted while claiming damages or making any other claims.

Why is the representations & warranties clause so important in every contract?

By now we have discussed the meaning and purpose of both representation and warranty, and how we shouldn’t use both the terms interchangeably, as both the terms carry different meanings altogether. Since we now know the meaning and purpose of such essential clauses, it’s time to understand their importance and what happens when a party commits a breach under this clause.

When parties come into an agreement with each other, it is obvious that each of them will share some statements of fact and further provide promises backing such facts (representations and warranties), and only because of such facts and promises will the parties mutually agree to enter into an agreement. If such statements of fact and promises aren’t written down in the contract or agreement, it might get very difficult for both parties to claim or counterclaim if any dispute arises during the tenure of the agreement. While drafting the agreement, both parties should put down all the facts and promises that each of them has conveyed to the other.

A warranty is not simply a promise; rather, it takes the market into consideration as well. The party or company entering into an agreement needs to check the market conditions, that is, what its competitors are providing to potential consumers as a warranty in their agreements.

Hence, it becomes mandatory and essential to have a representations and warranties clause in every agreement as it forms the basis of any agreement.

Under the Indian Contract Act, 1872 (“ACT”), neither representation nor warranty has been defined, but that doesn’t mean that these clauses won’t get governed or get any protection from the Act. If a party fails to fulfil any of the representation or warranty or both, the Act takes care of such events.

Section 18 of the Act talks about misrepresentation (without an intent to deceive), whether by unwarranted statements, by breach of duty, or by inducing a mistake about the subject matter. A misrepresentation occurs when a party, without an intent to deceive the other party, misrepresents a fact, commits a breach, or innocently causes the other party to make a mistake.

The remedy for misrepresentation is provided under Section 19 of the Act, which states that in case of misrepresentation by one party to the other, the contract becomes voidable. The innocent party (party affected) can rescind or revoke the agreement/contract and can also claim compensation. Whereas, when a party fails to fulfil his promise or to comply with the warranty clause, the innocent party can only claim damages and/or compensation; the right to rescind the agreement is not available in such cases, as agreements/contracts are only voidable in cases of misrepresentation, fraud and coercion.

The exception to Section 19 talks about due diligence: if the party has failed to do due diligence before entering into the agreement, the party can neither claim compensation/damages nor revoke the agreement.

In the matter of Kopparthi Venkataratnam And Anr. vs Palleti Sivaraman And Anr. on 21 November, 1939

The Madras High court held, “This Court considered the effect of Section 19 of the Contract Act in Morgan v. The Government of Hyderabad, a case very similar to the one now before us. A vendee had deliberately concealed from a purchaser the fact that he had already granted a lease of the property sold, but the buyer if he had been diligent could have ascertained this. The Court held that the case was not within the exception to Section 19 and the absence of exercise of diligence by the plaintiff was not a defence open to the defendant who had concealed the fact of the execution of the lease in order to deceive the plaintiff and had induced him to enter into the contract. This is the position here”.

All India General Insurance Co. … vs S.P. Maheswari on 5 November 1959, the Madras High Court held that “In the case of warranty materiality or immateriality of the fact warranted signifies nothing. Its incorrectness constitutes a defence to an action on the policy, even though it be not material and be made in perfect good faith. But, in the case of a representation, the insurer can avoid the policy only by proving that the statement is false and fraudulent or that it was false and material to the risk. In other words, it is only a material misrepresentation that can avoid a policy if the truth of the facts contained in the representations is not warranted by the policy”.

“This brings us finally to the topics of nondisclosure or misrepresentation which are practically the positive and negative aspects of the same thing. The effect of misrepresentation on the contract is precisely the same as that of non-disclosure; it affords the aggrieved party ground for avoiding the contract”.

In Esso Petroleum v Mardon, Lord Denning MR concluded-“… it was a forecast made by a party, Esso, who had special knowledge and skill. It was the yardstick (the “e a c”) by which they measured the worth of a filling station. They knew the facts. They knew the traffic in the town. They knew the throughput of comparable stations. They had much experience and expertise at their disposal. They were in a much better position than Mr Mardon to make a forecast. It seems to me that if such a person makes a forecast -intending that the other should act on it and he does act on it- it can well be interpreted as a warranty that the forecast is sound and reliable in the sense that they made it with reasonable care and skill…. If the forecast turned out to be an unsound forecast, such as no person of skill or experience should have made, there is a breach of warranty.”

Sample draft of “Representations & Warranties clause”

In order to explain this draft in a better way, the author has taken Google and Motorola as the parties. Through this sample draft, readers will get a better understanding of drafting representations & warranties clauses. In 2011, Google acquired Motorola Mobility, and they must’ve entered into an acquisition agreement to ensure that both parties were legally bound by all the contractual obligations and to secure their investment. The following is a hypothetical draft between Google and Motorola Mobility-

                                      ACQUISITION AGREEMENT

This Acquisition Agreement (“AGREEMENT”) is entered on ________(effective date) at ________(place). By and between:

Google LLC, an American multinational technology company, incorporated under the American laws, with CIN ________, having its headquarters at ____________ and being represented by its Authorised signatory ___________. Hereinafter referred to as the “PURCHASER” (unless repugnant to the context, this expression shall mean and include successors-in-interest/office and assigns) of the First Part;

AND

Motorola Mobility LLC, an American consumer electronics and telecommunications company, with CIN ________, having its headquarters at ____________ and being represented by its Authorised signatory ___________. Hereinafter referred to as the “SELLER” (unless repugnant to the context, this expression shall mean and include successors-in-interest/office and assigns) of the Second Part;

The Purchaser and the Seller shall be collectively referred to as “PARTIES”.

*Here Recitals can be drafted, and after Recitals, you can start drafting all the important clauses of the Agreement*

NOW THIS AGREEMENT WITNESSETH AND IT IS HEREBY MUTUALLY AGREED AND DECLARED BY AND BETWEEN THE PARTIES HERETO AS UNDER:

  • Representations and Warranties 

The Seller acknowledges, represents and warrants to the Purchaser as follows:

  1. Seller is a manufacturing/electronic telecommunication company duly organized, validly existing and duly incorporated under American laws.
  2. The seller has full power and authority to execute and deliver this Agreement hereby and it has been duly authorized and approved by such officers, directors, shareholders, and/or members of the board as required by, and in accordance with the applicable laws.
  3. The balance sheet and income statement of Seller have been prepared as of _________ and is attached at the end of the Agreement as Schedule 1. The balance sheet fairly presents the financial condition of the seller and reflects all assets, properties, debts and liabilities of the Seller and the income statement fairly presents the results of operations of Seller for the period _________. The seller has no liability as of the date of the balance sheet.
  4. Seller shall permit the Purchaser and its representatives at all reasonable times during business hours and without interfering with the normal conduct of the business of Seller, to examine and have full access to all of the properties, books and records of Seller and to copy such books and records.
  5. There is no litigation or proceeding pending against the Seller at any courts, tribunals, commission, regulatory authority, and no controversy is pending or is to the knowledge of the Seller that would affect the right of the Seller to enter into this Agreement.

The Purchaser acknowledges, represents and warrants to the Seller as follows:

  1. Purchaser is a_________ duly organized, validly existing and in good standing under the laws of America.
  2. There is no litigation or proceeding pending against the Purchaser at any courts, tribunals, commission, regulatory authority, and no controversy is pending or is to the knowledge of the Purchaser that would affect the right of the Purchaser to enter into this Agreement.

You can amend, modify and add more points under this clause. Every agreement will have a representations and warranties clause, and it should be drafted according to the parties' understanding and the type of agreement. It is better to draft, negotiate and customise the agreement to the needs of the parties, rather than just copying clauses from the internet or other agreements, in order to minimise the risk of any future dispute.

Conclusion

By now we can’t deny that the representations and warranties clause plays a vital role in every agreement/contract, or how important it is to draft it clearly without leaving any ambiguity. It is also important to note that courts have interpreted and defined representations and warranties differently; hence, these clauses should be drafted keeping such judgements in mind, foreseeing some disputes beforehand, and negotiating between the parties (negotiation is the key) before finalising the draft. Always make a habit of reviewing your drafts over and over, because only a good draft can prevent claims and future disputes. It is important that you draft the agreement as per the needs of your client and keep his rights protected under the agreement that you draft. It is also recommended that you draft your clauses and agreement on your own, and not by copying from the templates available online, as each clause in an agreement will have a different meaning, purpose and scope. Draft according to your client’s needs and focus on the businesses of the parties involved in the agreement, because the representations and warranties clause of a Franchise Agreement shouldn’t be drafted just like, or similar to, that of an Intercreditor Agreement.

Your Guide to Managing Data Subject Access Requests

DSAR means Data Subject Access Request, and this is one of the rights that a data subject or an individual under the General Data Protection Regulation (GDPR) enjoys. 

  1. A data subject is anyone whose data is collected, shared and processed by a data controller.
  2. A data controller is a company, organization or anyone who deals with the personal data/information of the data subjects. 

As per the GDPR, the data subject should be a resident living in the European Union.

Recital 63 of the GDPR states:

“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”

  1. Reasons to have a DSAR process

| S.No. | Reason(s) for DSAR |
|---|---|
| 1. | For confirming whether your organization/business processes the personal data of an individual (referred to as Data subjects). |
| 2. | For accessing the personal data/information of a data subject. |
| 3. | For determining whether such processing of data of the subject is on a lawful basis or not. |
| 4. | For knowing the duration/period for which such data has been stored in your organization/business. |
| 5. | For enquiring about how the data subject’s personal information/data was obtained by your organization/business. |
| 6. | For obtaining information about automated decision-making and profiling from the data subject’s personal information. |
| 7. | For obtaining the names and further details of the third-parties with whom your organization/business is sharing the personal information of the data subject(s). |

This isn’t an exhaustive list; a data subject has a right under the GDPR and can submit such a request (DSAR) without any given reason to the data controller and at any time. The data controller may only ask questions in order to verify the data subject’s identity. 

  1. Principles for DSAR

The GDPR in its entirety is based on the following principles, and it is the data controller’s responsibility and obligation to process data in accordance with them.

Article 5 of the GDPR lays down the following principles-

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and Confidentiality
  • Accountability

Whereas, the DSAR is based on the rights granted to the data subjects under the GDPR-

| Article(s) | Right of the data subject |
|---|---|
| Art. 15 | This article grants the data subject the right to access his/her personal data held by the data controller. |
| Art. 16 | This article grants the data subject the right to rectify his/her inaccurate personal data without any undue delay caused by the data controller while giving access. |
| Art. 17 | This article grants the data subject the right to be forgotten, without any undue delay caused by the data controller. |
| Art. 18 | This article grants the data subject the right to restrict the processing of his/her personal data. |
| Art. 20 | This article grants the data subject the right to transmit his/her personal data to any other controller, and also to obtain his/her personal data in a machine-readable format. |
| Art. 21 | This article grants the data subject the right to object to processing of his/her personal data. |
| Art. 22 | This article grants the data subject the right not to be subjected to automated decision making and profiling. |

  1. Steps to perform as a Data Controller-

| S.No. | Steps to be taken |
|---|---|
| 1. | The first step should be to verify the data subject’s identity and record the DSAR in the system. |
| 2. | The next step is collecting and categorizing the personal data that you have stored. |
| 3. | The next step should be to review the data subject’s request in order to understand the DSAR’s requirement. The reply to such a request should be within 30 days as mandated by the GDPR and without causing any undue delay. |
| 4. | Before sharing the response with the data subject, it is better to gather all the personal data of the data subject into the response, as the GDPR also encourages remote access to such data. |
| 5. | The data controller needs to ensure that the delivery of the data to the data subject is secure, as data leaks and breaches are quite expensive; moreover, they affect the trust among its users and its reputation/goodwill. |
| 6. | Once you have followed all the required steps, you are ready to send the response to the data subject. |
| 7. | It is essential to remind the data subjects about their privacy rights, and you may do so by adding a few lines at the end of your response. |

Comparing the stance on Protection of Non-Personal Data in India and EU

First published on Tsaaro

Introduction & timeline of data protection in India

It is true that soon every business will become a tech business as “data” will be the new source of income. Managing and dealing with data of so many people by businesses and organisations, large or small, cannot be as easy as you may think. Leaving this area unregulated could lead to a global crisis from human rights violation to economic domination in the market, leading to endless privacy and cyber-crimes. Hence, regulating this area should be the prime focus of our nation’s government and any other country’s government where there is no privacy regulation. India recognised “privacy” as a fundamental right back in 2017 in a landmark decision passed by the Supreme Court in Justice K S Puttaswamy v. Union of India.

Right after the declaration of the “right to privacy” as a fundamental right, in July 2017, a Committee of Experts was constituted under the leadership of…

Can organizations monitor employees under the GDPR?

First published at Tsaaro Academy

Introduction 

Do we have the right to privacy and can we enjoy it as a right especially upon our personal data when we are at our workplace? This is the fundamental question that this blog would be dealing with, from the perspective of the General Data Protection Regulation also known as GDPR.

The next important question is what comes under the ambit of ‘personal data’. The simple answer is that personal data includes all the sensitive categories of data that relate to an identifiable natural person. The following are some examples of personal data-

  • Physical or mental health condition;
  • Sex life and sexual orientation;
  • Racial or ethnic origin;
  • Political opinions, religious beliefs;
  • Trade union membership;
  • Biometric data.

Monitoring employees is not a new concept for businesses and organizations; surveillance is decades old. To understand and analyze this question, it is important to first understand the employee-employer relationship. It is an undisputed fact that there will always remain an imbalance of power between the two, which is why consent cannot be a relevant ground for claiming that such monitoring was genuine or not arbitrary.

Since we are living in the age of digitalization, we need to understand that in anything we do, either professionally or in our private sphere, we tend to leave digital footprints on the internet. This means that we can easily be traced by anyone, and that we are opening doors to potential scammers and other related risks, as our data is scattered everywhere on the internet. That is also the reason why our ‘Data’ is the new gold/fuel for today’s businesses and organizations.

How is monitoring done on employees?

Monitoring of employees can be done easily through CCTVs and software, and now we have spyware too. But what exactly will constitute ‘monitoring’? It can be monitoring an employee’s internet history, emails, financial transactions, call logs, his private chats with employees and/or with other people...

Do you carry medicines while traveling? Then you must know this…..

If your medicines contain a narcotic substance, then carrying a prescription or any other valid document stating the purpose of use of such medicine is essential; otherwise you can get arrested.

For more details you can read the latest judgment passed by the Madhya Pradesh High Court in the case of Rajkamal Namdev v State.

Can a police officer check your phone randomly?

Can a police officer check your mobile phone randomly and go through your private chats and/or web history?

No, as it is against our Fundamental Right, the Right to Privacy, which falls under Article 21 and is guaranteed to us by the Indian Constitution. There needs to be a Judicial Warrant for such searches; otherwise it would be an illegal search, which is against the Constitution & our Fundamental Rights.

Exception to this- Where there is a recorded reason for an urgency of police intervention or there is an ongoing investigation against the person.

Understanding Prenuptial & Parenting Agreements and the essential clauses- Effective drafting tips.

Source: Times of India

Author: Aarlin Moncy (HILSR, School of Law, Jamia Hamdard)

This article will give you a brief understanding about the concept of Parenting & prenuptial Agreements and how to draft them.

Introduction

Family is considered to be one of the most important as well as the most influential part of a person’s life. People say that we get influenced by our surroundings, but we forget to mention that initially before our friends or workplace, our first hand interaction is with our family. So it is obvious that the impact (positive or negative) of a family on a person’s life can’t be ignored.

Going by the title of this article, you may or may not be familiar with the concept and the importance of this topic. But before discussing the topic in detail, let me ask you one question: Is marriage a contractual union/relationship? If your answer to this is “YES”, then concepts like pre-nuptial agreements, post-nuptial agreements, parenting agreements, etc., will be easier for you, as these concepts are getting more common in the modern day and are practised extensively in the developed countries. If your answer to the above question was “NO”, then let me help you understand the entire concept through this article.

What is a parenting agreement?

A parenting agreement is a written agreement mutually agreed by the married couple. It is usually made after the couple decides to separate and part ways, with the common objective of supporting their child or children and giving them all the care they deserve from both their parents, even though the parents are (legally) separated. Parenting agreements are formed on the basic principle of joint custody or shared custody, with an aim to promote the welfare of the child.

A parenting agreement can be made as a part of a prenuptial agreement or can even be made as a separate agreement after the couple decides to split.

What are prenuptial agreements?

Pre-nuptial agreements are agreements made before the marriage. They are primarily made to serve as a medium to resolve future uncertainty or disputes between the couple. These agreements are mostly drafted in order to protect the financial assets of the couple, which is why most of the clauses in a prenuptial agreement relate to the assets of each partner: how they need to be divided, how much needs to be transferred as maintenance, whether the amount needs to be paid only one time or on a monthly basis by one of the partners to the other, how much needs to be transferred to support their child/children, etc. The couple can decide for themselves what they require in a prenuptial agreement, and a customised agreement can be drafted as per their requirements.

It is to be noted that prenuptial agreements may include a parenting clause too, but these agreements are not at all similar to parenting agreements, as both these agreements serve different purposes after all. The former is made before the marriage in order to protect the financial assets of the couple during their divorce and the latter is made only to serve as a mutual agreement with respect to parenting and giving care to their child/children post-separation or divorce.

The legality of Prenuptial agreements

As to their legality, these agreements are not legal in India, because in India marriage is not considered to be a contractual relation/union between man and woman; rather, it is seen as a sacred and spiritual union of the two beings. Hence, prenuptial agreements are not legally valid in India, but that doesn’t mean that these agreements are irrelevant. Prenuptial agreements are used and are more prevalent in the west, simply because of the difference in ideology, culture, tradition, laws, etc.

Is a parenting agreement similar to a parenting plan?

Parenting agreements lay out a planned guideline stating how the separated couple can raise their child/children without compromising their child’s best interest. Hence, “parenting plan” and “parenting agreement” are used as synonyms for one another. In other words, we can say that a parenting agreement lays down a parenting plan focusing on how the partners shall carry out their roles and duties through a joint or shared custody of their child.

These plans can only be drafted if the court has granted joint or shared custody of the child. If the custody of the child has been given to only one of the two partners, then these agreements are not valid.

It is important that while the agreement or the plan is drafted, suggestions from both sides are taken. Partners may negotiate, and such plans or agreements may be finalised only if there is a mutual understanding between them. While drafting such agreements, all the essentials of a valid contract must be kept in mind, else enforcing such agreements or the validity of such agreements would be an issue.

Are parenting agreements legally enforceable and binding in India?

This is one of the most important questions that need to be highlighted because if these agreements are not enforceable in the court of law or are not legally valid then there is no point in referring to these agreements. The question of legality is like a test to check whether such agreements or plans are valid or not in India. As we know that in India, marriages are not seen as any contractual form of union between two parties, rather it is seen and celebrated as spiritual, sacred and holy. Hence, these agreements stating the position of the two partners after their separation and providing guidelines on how to raise their child or children are contradictory to the traditions, religious beliefs and culture of many Indians and also degrades the meaning and purpose of Indian marriages.

But before diving into this question, let us first understand when the partners can refer to a parenting agreement. The simple answer is: when the court grants shared or joint custody of the child. Interestingly, in India, there aren’t any laws that provide for joint or shared custody of a child. Usually, the Indian courts grant custody of the child as per the interpretation of the statutes, focusing also on various other factors such as the overall condition of each parent, whether they are stable or not, financially well or not, their relationship with their child, etc., and taking into consideration the child’s interest.

But, the jurisprudence and the court’s understanding behind determining the question of child custody has been changing, and the reasons could be many, but one of them could be the influence of the west and accepting the fact that a child would need the love from both of his/her parents no matter what, and hence, we can see that the Indian courts through their judgements are granting shared or joint custody of their child, but not in all cases. It largely depends upon the facts and circumstances that are different from case to case. The major principle that is prevalent in each judgement is ‘the best interest of the child’ and the same shouldn’t be ever compromised.

The apex court in, Mausami Moitra Ganguli vs Jayanti Ganguli, observed that, “it is the welfare and interest of the child and not the rights of the parents which is the determining factor for deciding the question of custody.”

The Supreme Court in Gaytri Bajaj vs Jiten Bhalla, held “The desire of the child coupled with the availability of a conducive and appropriate environment for proper upbringing together with the ability and means of the concerned parent to take care of the child are some of the relevant factors that have to be taken into account by the Court while deciding the issue of custody of a minor.”

In Mrs. Elizabeth Dinshaw Vs. Arvand M. Dinshaw and Anr., the Apex Court has observed that whenever there is a question before the Court pertaining to the custody of the minor child, the matter is to be decided not on consideration of the legal rights of the parties/parents but solely and predominantly on what would best serve the interest and welfare of the child.

In McGrath (infants), Re (1893) 1 Ch 143: 62 LJ Ch 208 (CA), it was held that, “The dominant matter for the consideration of the court is the welfare of the child. But the welfare of a child is not to be measured by taking money as a determining factor, or by physical comfort only. The word ‘welfare’ must be taken in its widest sense. The moral or religious welfare of the child must be considered as well as its physical well-being. Nor can the ties of affection be disregarded.”

From the above discussion, we can understand that the courts take the interest of the child as of great value and it is the governing principle in each of the judgements relating to custody of a child.

Coming back to the question of the legality of a parenting agreement/parenting plan: if the partners have already drafted one, then the court might consider it, depending on whether the agreement provides for the best interest of the child. If it does, then the court might accept such a plan and validate it by passing an order. The court might make a few amendments to it, keeping in account the principle of “what’s best for the child”.

These agreements are very common in the west, but surprisingly, back in 2015, the Law Commission of India released a report titled ‘Reforms in guardianship and custody laws in India’. The report even mentioned the concept of a parenting plan, and it also stated that such plans are not legal documents and the approval of the court is mandatory to make such agreements enforceable and legally binding.

The court may amend these agreements/plans whenever needed from time to time, and it shouldn’t be construed as a final order/judgement passed by the court.

What are the essential clauses in a parenting plan/agreement?

Following are some of the essential clauses that you may consider including while drafting a parenting plan or agreement either jointly or individually. 

Note- The same shall have legal effect only after the court has reviewed it and has passed an order/judgement regarding such agreement keeping in mind that the child’s interest must be served through such an agreement.

  1. Visitation rights clause- In this clause, you may specify your rights relating to visiting your child, in case the child is not staying with you. You may draft this clause by taking into account all the scenarios and making it without any ambiguity. Your clause shall answer questions such as, when are you allowed to visit, timings, duration, etc.
  2. Major decision making & guidance clause- In this clause, you can specify who will be given the right to make major decisions, which applies only if the child has not attained the age of majority, and whether such rights are equally shared among the partners or not.
  3. Physical custody clause- As the name suggests, this clause shall briefly set out the schedule stating the time, duration, days, months, etc. for which each partner shall have physical custody of their child, whether physical custody will include staying with maternal and paternal grandparents, etc. For convenience, a schedule may be drafted to highlight the agreed time and duration of physical custody.
  4. Maintenance clause- This clause may state the monthly compensation/maintenance that needs to be provided by both the parents to their child for the purpose of education, health, basic necessities, entertainment, sports, etc. The partners/parents may start a joint account where the maintenance amount can be easily transferred. The right over the maintenance amount shall only be with the child.
  5. Physical & Mental health care & support clause- This clause shall provide for the medical assistance and expenses that the child might need anytime. Acknowledging the fact that the health of the child needs to be prioritised by providing the best medical assistance and support.
  6. Dispute resolution clause- This clause is important because it will be referred to during any dispute or difference that may arise between the partners relating to any of the clauses or the agreement as a whole, and such disputes shall be resolved only through the agreed and mentioned dispute resolution mechanism.
  7. Weekends, School holidays, festivals, birthdays, trips/tours clause- This clause shall state the rights of each of the partners relating to taking their child out during weekends, the festive season and birthdays, taking them on a trip or tour, etc. This clause can also be drafted in a tabular form describing all the possibilities as to when and for how long each of the partners is permitted to take their child out with them.
  8. School related responsibilities clause- This clause shall state all the roles and responsibilities as a parent and shall be equally divided between the partners. Responsibilities such as attending the Parent teachers’ meeting, attending the annual function, picking and dropping the child, etc.
  9. Contact with Relatives and Significant Others clause- This clause shall state whether or not the child shall be allowed or permitted to meet the extended families of each of the partners.

Conclusion

By now you must be familiarised with the concept of parenting agreements. It is a great step by the Indian judiciary by allowing and promoting joint or shared custody and giving the partners/couple an opportunity to customise their own parenting plan. It is important that the interest of the child is not only served through court orders but the same shall also be promoted through such agreements and plans. 

The importance of a shared or joint custody should be discussed and further be improved in order to provide a robust legislation relating to joint custody. The couple before finalising their separation need to be properly counselled and such counselling is necessary if they have a child together. The judiciary shall never compromise on the present prevailing principle of “best interest of the child”, and it shall always aim to pass such directions, orders and judgements that would not only be best for the overall development of the child but shall also focus on preventing mental health issues that the child may face during the time of divorce of his/her parents.

Role of Media in Criminology

Guest post by- Ms. Fatima Sufiyaan

The term ‘criminology’ is not used in everyday parlance. As a law student, when the subject was first introduced to us, even I was confused as to what is meant by the term. Therefore, before starting off with the article, let us discuss the term ‘criminology’. 

According to Encyclopedia Britannica, “Criminology is the scientific study of the non-legal aspects of crime and delinquency, including its causes, correction and prevention.”

We understand that crime is viewed from a legal perspective, in the sense that a crime is committed through individual actions and the societal response to those actions is punishment. However, while studying criminology, criminologists do not look at the legal perspective; instead, they focus on the broader aspects of crime and criminologists.

Now that the meaning of Criminology is clear, let us understand the term ‘Mass media’. Generally speaking, mass media is technology that is intended to reach a mass audience. It is the primary means of communication used to reach the vast majority of the general public.

When we correlate the two terms, mass media and criminology, we get to understand how the media influences the study of crime and punishment.

As we are already aware, the relationship between the criminal justice system and the media has been the subject of research, speculation, and commentary throughout the twentieth century. The media has always had a profound effect on how the public perceives and understands the criminal justice system. Aside from the massive interest that the general public has in crime and criminals, people also want to know how those crimes are discovered and dealt with by the system.

Mass media plays a fundamental role in public policy making, and media coverage of crime news and stories helps to set the agenda and reinforce support for penal policies.

The greatest example of this is news channels and newspapers. People dedicate their time to watching the 9 o’clock news to understand what is going on in the world and in the justice system, after which they form feedback, which is held in high regard by the Courts and the Parliament all around the world. Therefore, we can safely say that, to a large extent, the media shapes the working of the justice system.

The media undoubtedly has an important role, as it primarily acts as the ‘eyes’ and ‘ears’ of the public. The relationship between crime and mass media’s insight about it is crucial to formulating the criminal justice system.

There is a long history of moral panics about the effects of exposure to popular media and cultural forms. Stanley Cohen gave us the term ‘Moral Panic’. It can be defined as a public mass movement, based on false or exaggerated perceptions or information, that exceeds the actual threat the society is facing. It is said that a moral panic is typically most likely to be perpetrated by the news media.

There are two perceptions about the moral panics constructed by the media: for conservatives, the media glamourizes crime and underestimates public insecurities, whereas for liberals, the media overstates crime and produces moral panics to justify an authoritarian crime control policy.

The media defines the public image of police, prosecutors, courts and corrective measures by acting as gatekeepers of crime coverage. The mass media’s capacity to reach vast audiences of citizens and policymakers also positions it as an essential resource for the criminal justice system and all of its attendant judicial and law enforcement organisations. 

For the criminal justice system to operate effectively, it must have the authority that derives from people’s willingness to grant it legitimacy, and media storytelling can profoundly affect this process. 

Bronislaw Malinowski believed that all legal institutions are platforms for controlling illegal affairs, and for venting the feelings of oppression and injustice unleashed against the individuals. Michel Foucault (1979) points out that by the eighteenth century the masses could sympathise with the accused and ‘the people never felt closer to those who paid the penalty than in those rituals intended to show the horror of the crime and the invincibility of power exercised without moderation or restraint.’

However, there are certain downsides as well when it comes to mass media’s role in the criminal justice system.

Agenda-setting theory (Maxwell McCombs and Donald L. Shaw) is concerned with how the media constructs depictions of the world and, in turn, how this influences the way people look at the world.

Mainstream media draws attention to certain aspects of politics at the expense of other issues by reporting news about one issue, while ignoring other issues. The legitimacy of governance depends on the consensus of rulers, and it is generally believed that policy makers should not assume policies outside the boundaries they provide. Therefore, public opinion is a legitimate consideration for policy makers when making decisions. 

In his book Crime, Culture and the Media, Eamonn Carrabine states that reporting crime 24/7 contributes to the cultural climate of horror. Media representation can adversely affect the perception of crime-related topics and impair the implementation of security measures. 

Danilo Y (2001) states: “The depiction of violent crime by the media deepens our understanding of crime and justice and is reflected in public policy.” 

According to Hayward and Young (2007), the media and the general public are always obsessed with crime and criminals. Crime news coverage has created an ambitious audience and has been a consistent theme of popular culture throughout the 20th century.

Further development of public policy begins with the recognition that problems exist. The pre-political stages are: topic formation, political demands and agenda formation. The media increases newspaper sales by entertaining people about crime, but ultimately distorts the public’s understanding of crime as a serious social problem. According to Leishman P. and Mason P. (2002), news media, like the entertainment industry, targets criminal articles, as does reality television and other forms of infotainment.

Crime stories and illustrations are an important part of all mass media content.

The media acts as an investigator, much like a pretrial investigation by state law enforcement agencies. It reveals political corruption, fraud, and many criminal cases in society. It is therefore an important source of information and thus supports the national criminal justice system. This is possible because the press is not subject to prior restrictions, although it may ultimately face civil and criminal liability for disclosing information and news that is false, profane, obscene, or inciting in nature.

In India, there are many cases in which law enforcement authorities have been jolted out of their slumber and urged to take action against the accused. In the Shakti Mills Gang Rape case, a photojournalist was gang-raped by five men at Shakti Mills in Mumbai. In this case, timely media intervention facilitated the criminal procedure and encouraged another woman, an 18-year-old switchboard operator, to report being raped at the same location in July 2013 in accordance with 2013 law. In this case, the media undoubtedly played an important role in promoting the criminal justice system.

In State v. Ram Singh and Another (SC No 114/2013), also known as the Nirbhaya Incident, on December 16, 2012, five men and a young man raped an emergency medical student on a moving bus, then cruelly attacked her and caused her severe injuries. The Indian media reported extensively on the incident every day, and it shook the country’s collective consciousness due to the complete fall of crime. The media reported the incident immediately and helped generate strong public opinion. Thorough follow-up ensured that the awakening of the masses did not subside or die out. On September 13, 2013, the court sentenced the defendant to death. On March 13, 2014, the Supreme Court upheld the death penalty.

In conclusion, media activism is the most welcome attitude, the calm middle ground between the two extremes of media exaggeration and media lethargy.

But such activism should be tempered by a bit of restraint, since the danger of its developing into a media tyranny cannot be ruled out. The media is the fourth pillar of a democratic nation. When public opinion is the lifeline of a country, the press is the body and means to carry it, nurture it, preserve it, and give it a concrete form. Criminal investigations and court proceedings relate to the issue of freedom of life and dignity. Criminal consequences can seriously affect people’s minds and bodies. The work of the media must not undermine or deviate from the notions of life, freedom and dignity of an individual. If innocent people are convicted and punished not because of what they did, but because of misery and media fantasies, it is certainly a shame. A person will not be punished for a crime in India unless it is proved beyond reasonable doubt. But if a person is punished because of media interference even though there is a suspicion that the person may be innocent, the real sinner is the media. Media ethics must be recognized, learned and practiced by the media in order to maintain the most trusted social system in the democratic world.
