technology law

Pixels & Privacy- The Delhi High Court’s Landmark Ruling on reporting Non-Consensual Intimate Images

November 12, 2023 Leave a comment

Mrs. X v. Union of India & Ors. (2023:DHC:2806)

Facts of the Case-

  1. The Petitioner herein is a married woman with a nine-year-old son. In 2019, the Petitioner became acquainted with the Accused who approached her through social media and introduced himself as a British Chartered Accountant. In July 2020, the Accused came over to Petitioner’s place and forced himself upon her. He allegedly clicked explicit pictures of the Petitioner, but also transferred to himself from the Petitioner’s phone her explicit pictures, that had been taken for the purpose of sharing with her husband. 
  1. The Accused involved the minor son of the Petitioner in various sexual acts as well. Thereafter, the Petitioner lodged a complaint against the said Accused at P.S Lajpat Nagar, and on the basis of which, a Zero FIR was registered. The Accused threatened the Petitioner that he would leak her sexually explicit photographs on various pornographic websites and that he would kill her son if she did not pay huge amounts of money to him. 
  1. The Petitioner was extorted into paying lakhs of money to the Accused, along with handing him all her jewellery. As the Petitioner was unable to pay any more money, the Accused leaked the Petitioner’s explicit images on various pornographic websites without her consent. This led to the Petitioner addressing a complaint dated 03.08.2021 to the SHO at P.S Lajpat Nagar. The said complaint stated that the Accused had made a YouTube channel in the Petitioner’s name, and has been posting her explicit videos and photographs on a daily basis. 
  1. Despite approaching the Grievance Cells of various Intermediaries (Google, Youtube, Bing, etc), and filing cyber complaints, her explicit images were not taken down. Thus, the Petitioner approached the Delhi High Court U/A 226 r/w S.482 CrPC, seeking blocking of certain sites exhibiting intimate images of the Petitioner and for registration of an FIR arising out of the complaint dated 03.08.2021.

The Hon’ble Court’s Analysis & Decision-

*The scope of the instant Writ Petition u/a 226 was expanded, and the directions rendered were limited to search engines, MEITY and Delhi Police.* 

  1. The Court analysed NCII (Non-consensual intimate image) vis-a-vis IT Act & Rules- Rule 3(2)(b) of the IT Rules, which lays down the grievance redressal mechanism that is to be followed by an intermediary, more or less defines NCII as any content which prima facie exposes the private area of any individual/shows such individual in full or partial nudity/shows or depicts such individual in any sexual act or conduct/is in the nature of impersonation in an electronic form, including artificially morphed images. Rule 3(2)(b) is not a charging offence. It is only under Section 66E of the IT Act that violation of privacy of an individual is punished with imprisonment which may extend to three years or with fine not exceeding two lakhs, or with both.
  1. Emphasis was supplied on the role of Search engines (para 30): “Search engines do not themselves store and transmit content, they allow users to locate and visit content. Search engines further rank the content in their order of relevance in a bid to solve the user’s query at the earliest. It is relevant to note that as search engines do not host content per se, they cannot take down the content available on a third-party platform. However, they can de-index specific URLs that can render the said content impossible to find due to the billions of webpages available on the internet and, consequently, reduce traffic to the said website significantly.” 
  1. Despite NCII abuse being perpetuated by a third-party user and causing harm to a stranger, the intermediary becomes liable for the conduct of the third-party user. Further, the IT Rules also devise a mechanism for the user/victim to directly approach intermediaries for removal of NCII content without having to obtain a Court order. Therefore, apart from making its own reasonable efforts in not publishing offending content, intermediaries can be requested to takedown offending content after being informed by a Court order or by an order of the appropriate Government or by the user themselves. 
  1. If the individual has the right to informational privacy, it also subsumes the individual’s right to be forgotten which has been held to be the consequence of the dignity of an individual and, thus, a facet of the right to privacy. A Division Bench of the Kerala High Court has recently in Vysakh K.G. v. Union of India and Ors., 2022 SCC OnLine Ker 7337, while adjudicating upon right to privacy vis-à-vis right to information, goes on to observe that, in the digital context, the “right to delisting” and “right to oblivion” are facets of the right to be forgotten. 
  1. The argument that has been advanced in the present case by the learned Senior Counsel appearing for the Respondent (Intermediaries) is that as search engines merely provide access to content and are not responsible for hosting the said content, directions must be rendered to the publishers and not the search engines themselves. It is at this stage that a search engine’s role in ensuring that one’s right to privacy is not contravened comes into prominence, especially with Rule 3(1)(m) which states that the intermediary shall respect all the rights accorded to the citizens under the Constitution, including Articles 14, 19 and 21. It is further essential to state that the continued existence of NCII content on the internet does not serve any public interest and it is punishable under Section 66E of the IT Act. The argument, therefore, put forth on behalf of the Intermediaries was not accepted by the Hon’ble Court. 
  1. Social Responsibility of Search Engines (para 46 onwards)  The newly amended Rule 3 of the IT Rules explicitly pronounces the obligation of the intermediary to not only “inform”, but to make “reasonable efforts” to ensure that its users do not publish content that is prohibited under Rule 3(1)(b). Thus, any directions given herein fall squarely within the statutory regime with regard to obligations of intermediaries. 
  1. Search engine plays an important role in the dissemination of content and its powers in connecting the said content to the consumers is undeniable. There resides a social obligation in these intermediaries to be proactive in de-indexing such links when it comes to its knowledge that such content is illegal. The Hon’ble High Court found the suggestion untenable that the user/victim must approach either the intermediary in question or the Courts every single time the NCII content is duplicated. Such a suggestion also frustrates the legislative intent behind the IT Rules which devises a time-bound schedule in removal of such content. The Hon’ble High Court further observed that an approach that entails the victim/user having to sift through the internet to identify and then share every URL hosting their NCII is unconscionable.
  1. Moreover, search engines cannot hide under the garb of not possessing the adequate technology to remove NCII content which has been reported without the victim/user having to approach the intermediary again and again. As per the Affidavit of Google LLC, hash-matching technology, generates a unique identifier/fingerprint/hash, exists for the purpose of removing CSAM. This technology allows detection and removal of the matched content that has previously been removed. For the purposes of removal of NCII, once such content has been identified and removed, the hash-matching technology can store only the unique identifier pertaining to the NCII content and in the event that such content is re-uploaded, it can filter out the same by going through its database of such fingerprints. A similar tool has already been built by Meta, and Microsoft. YouTube has also developed CSAI (Child Sexual Abuse Imagery) Match which is used by NGOs and other companies to identify abusive content. 
  1. The Hon’ble High Court stated that entities of the nature of Google and Microsoft, considering their ubiquity, cannot abscond or withdraw from their duties to the public at large in the name of reducing the liability they might incur, the Hon’ble Court was in fact inclined to agree with the submissions of the learned Senior Counsel appearing for Google and Microsoft that any direction that necessitates pro-active filtering on the part of intermediaries may have a negative impact on the right to free speech. No matter the intention of deployment of such technology, its application may lead to consequences that are far worse and dictatorial.
  1. One of the concerns that arises when we consider the right to privacy of an individual under Article 21 is its impact on the right to freedom of expression and speech. This issue requires an interpretation of the phrase “such content” in Rule 3(2)(b) and whether the same means a specific instance of identified NCII, as has been contended by the intermediaries, or all such content of identical nature, as submitted by the learned Amicus Curiae. The Hon’ble High Court observed that construing the phrase “such content” as “all content” is necessary to reduce the burden on the user/victim, however, “all content”, access to which is to be disabled, must pertain to NCII abuse that has already been reported.
  1. Search engines being an intermediary cannot hide behind the argument that they merely provide access to third-party websites as due diligence exercised as per Rule 3 is applicable to all intermediaries. In addition to “actual knowledge” as defined in Shreya Singhal v. Union of India as a Court order or upon being notified by the appropriate Government, Rule 3(2)(b) and (c) of the IT Rules now allows the victim/user to approach the intermediary on their own with their grievance. It mandates a timeline that must be adhered to when it comes to disabling access/de-linking the offending content. If read holistically, if the user/victim is required to approach with each specific URL again and again, this will only frustrate the purpose of the timelines and the grievance mechanism redressal as expounded under the IT Rules. 
  1. It has been submitted that the sustained practice with regard to content removal under the IT Act has been to provide specific URLs, however, this practice fails to account for a grievance redressal mechanism available to the user/victim and it is not justifiable, morally or otherwise, to suggest that an NCII abuse victim will have to constantly subject themselves to trauma by having to scour the internet for NCII content relating to them and having to approach the authorities again and again. Once it has been reported by the user/victim or a Court order or an order of the appropriate Government has been rendered, then the search engine cannot contend that any filtering of the content that is done subsequent to the reporting or the Order is proactive in nature; it can only be termed as being in pursuance to the reporting of existence of such content specific to an individual or a judicial Order. 
  1. The fact that search engines do not host or publish or create content themselves is of no consequence when it comes to the question of removal of the access to the offending content. It is undeniable that they do have the ability, the capacity, and the legal obligation to disable access to the offending content; this responsibility of the search engine cannot be brushed under the carpet on the ground that it does not host content. 
  1. The Hon’ble High Court in the said judgment painfully notes that there is an abysmal absence of a collaborative effort that should ideally be undertaken by the intermediaries and the State. The focus of such entities and authorities should be on the quick redressal of the complaint brought before them rather than the shirking of blame or making submissions on the onerous nature of their duties. In the process of shirking responsibility, precious time is lost in removal of the offending content and enables the offender to keep reposting the content. The endeavour of every entity involved should be to expeditiously resolve the issue. 

Directions & Recommendations by the Hon’ble Delhi High Court:

  1. On approaching the Court for a takedown order in a matter involving NCII content, the Petitioner must, along with the petition, file an affidavit in a sealed cover identifying the specific audio, visual images and key words that are being complained against, in addition to the allegedly offending URLs for ex facie determination of their illegality. 
  1. The Grievance Officer appointed by the intermediary must be appropriately sensitised. The definition of NCII abuse must be interpreted liberally by the intermediaries to include sexual content obtained without consent as well as sexual content obtained and intended for a private and confidential relationships. 
  1. The “Online Cybercrime Reporting Portal”, must have a status tracker for the complainant, commencing from filing of a formal complaint to the removal of the offending content. The portal must display various redressal mechanisms that can be accessed by the victim in cases of NCII. This display should be in all languages specified in the Eighth Schedule. The Portal, along with every other website of Delhi Police, should also display the contact details of each District Cyber P.S present in the NCT of Delhi.
  1. On the receipt of information, noting the nature of NCII content, the Delhi Police must immediately register a formal complaint in order to initiate an investigation and bring the perpetrators to book as soon as possible so as to prevent the repeated upload of the content. 
  1. Every District Cyber P.S must have an assigned Officer who must liaise with the intermediaries against which grievances have been raised by the victim who has approached the Delhi Police and an endeavour should be made to ensure that the grievance is resolved within the time schedules stipulated under the IT Rules. The intermediaries are directed to cooperate unconditionally as well as expeditiously respond to Delhi Police.
  1. A fully-functioning helpline available round-the-clock should be devised for the purpose of reporting NCII content. Operators and individuals manning this helpline must be sensitised about the nature of NCII content and must, under no circumstances, indulge in victim-blaming or shaming the victim. These operators should also have a database of organisations with registered counsellors, psychologists and psychiatrists available for reference to the victims. The Delhi Legal Services Authority may also be apprised and engaged in case the victims need legal aid.
  1. Search engines must employ the already existing mechanism with the relevant hash-matching technology on the lines of the one developed by Meta as has been discussed above. They cannot be allowed to avoid their statutory obligations by stating that they do not have the necessary technology, which is patently false as has been exhibited during the course of hearing. 
  1. The reporting mechanism under Rule 3(2)(c) of the IT Rules must be conveyed to the users by the intermediaries by way of prominent display of the same on the website of the intermediary. It is necessary for users to be made aware of the reporting mechanism and the onus for educating the users lies on the intermediaries.
  1. The timeframe as stipulated under Rule 3 of the IT Rules must be strictly followed without any exceptions, and if there is even minor deviation from the said timeframe, then the protection from liability under S, 79 of the IT Act cannot be invoked by the search engine. When a victim approaches a Court or a law enforcement agency and obtains a takedown order, a token or a digital identifier based approach must be adopted by search engines to ensure that the de-indexed content does not resurface. 
  1. As a long-term suggestion, a trusted third-party encrypted platform may be developed by MEITY in collaboration with various search engines under Rule 3(2)(c) for registering the offending NCII content or the communication link by the user/victim. Accordingly, the intermediaries in question may assign cryptographic hashes/identifiers to the said NCII, and automatically identify and remove the same through a safe and secure process.

The Information Technology Amendment Rules, 2023

June 27, 2023 Leave a comment

IT AMENDMENT RULES 2023: An Overview

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023

INTRODUCTION 

The aim of this primer is to provide an overview of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023 (“the Amendment”), which amend the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“2021 Rules”). 

The Ministry of Electronics and Information Technology (“Meity”) amended the 2021 Rules, with the aim  to inter alia regulate the online gaming in India, along with ensuring safety to its users, broadly by governing-

  1. Online games
  2. Online real money game
  3. Permissible online game
  4. Permissible online real money game
  5. Online gaming intermediary
  6. Online gaming self-regulatory body and
  7. Restricting the spread of fake & misinformation. 

THE BASICS

The Amendment defines an ‘online game’ as a game that is offered via the internet, wherein the same can be accessed by any user through a computer resource or upon the access of an intermediary.

STAKEHOLDER ANALYSIS

  1. Online Game

The Amendment classifies online games into three subcategories. They are-

i) Online real money game- The Amendment defines ‘online real money game’ as an online game, wherein the user deposits in the form of cash/kind with an expectation and intention of earning winnings in the form of cash/kind on such deposits made. The Amendment further explains the term ‘winnings’ as any prize in cash/kind distributed to the user of the online game based on their performance in accordance with the rules of the game.

ii) Permissible online game- The Amendment defines ‘permissible online game’ as a permissible online real money game, and also includes: online game(s) which is not considered as online real money game (reference to Rule 4C of the Amendment). With this definition, the ambit of the 2021 Rules gets widened as the Central Government will have the power to extend and direct the applicability of the said rules to even those online games that do not require a user to make a deposit. Hence, even covering casual games under the 2021 Rules.

iii) Permissible online real money game- The Amendment defines ‘permissible online real money game’ as an online real money game that has been verified by an online gaming self-regulatory body under Rule 4A of the Amendment.

  1. Online Gaming Intermediary (“OGI”)

i) With the release of the Amendment, it seeks to classify a new category of intermediary i.e., OGI. The Amendment defines an ‘OGI’ as any intermediary that seeks to give access to one or more online games to users on its platform.

ii) Moreover, what is essential to note from the Amendment is that an OGI is required to comply with not just the due diligence obligations mentioned under Rule 3, but also with the additional due diligence requirements under Rule 4, on similar lines, like that of a significant social media intermediary may be required to do under the 2021 Rules.

  1. Online Gaming Self-Regulatory Body (“SRB”)

The Amendment welcomes another soon-to-be established entity(ies) within the purview of the said rules and allows such entity(ies) to self-regulate the online gaming industry in India, in accordance with the 2021 Rules. This self-regulatory body(ies) is to be called as an ‘online gaming self-regulatory body.’ They are defined as an entity designated by Meity under Rule 4A of the Amendment. The primary responsibility of the SRB is to verify ‘online real money game’ as ‘permissible online real money game.’

  1. Fact Check unit of the Govt.
  • A significant change brought in by the Amendment, (apart from regulating online games and platforms), pertains to curtaining fake and misleading information in relation to any business of the Central Government, which has been hosted, published, and transmitted on the intermediary’s platform. 
  • Further, the Amendment directs Meity to appoint a fact-checking unit of the central government, to identify and restrict the flow of fake and misleading information that pertains to the business affairs of the central government. 

DUE DILIGENCE- OGI

The Amendment aims to bring online gaming intermediaries to the same table along with the social and significant social media intermediaries. Earlier, the due diligence obligations mandated under Rule 3 of the 2021 Rules, only applied to social media intermediary(ies) and significant social media intermediary(ies). However, with the present Amendment, now even an OGI will be required to comply with Rule 3 of the 2021 Rules, including some new requirements/obligations brought in by the Amendment-

  1. An OGI shall not offer its users an online game that results in ‘user harm.’ The term ‘user harm’ has been explained in the Amendment as any effect that is considered detrimental to a user and/or child;
  2. An OGI shall not offer any online game unless it is verified as a permissible online game;
  3. Intermediaries shall not indulge in advertising/surrogate advertising or promoting a non-verified online game, and/or an OGI promoting such a game;
  4. An OGI that offers ‘permissible online real money game(s)’ is required to inform its users about the change in its rules and regulations, privacy policy, or user agreement within a time frame of 24 hours and not later than that;
  5. An OGI that offers ‘permissible online real money game’ shall on receipt of an order, provide all and/or any information under its possession to the government agency for the purpose of investigation, detection, prevention, prosecution of offenses, etc, within a time frame of 24 hours and not later than that;
  6. An OGI is required to prominently publish on its website and mobile app, the name and contact details of the grievance officer, along with the complaint mechanism for the user/victim to follow for addressing their complaints and grievances;
  7. Any person being aggrieved by the decision of the grievance officer of the OGI may prefer an appeal within 30 days from the receipt of such decision to the Grievance Appellate Committee;
  8. The OGI and the SRB are required to comply with the orders passed by the Grievance Appellate Committee and further are required to publish a compliance report on their respective website(s).

ADDITIONAL DUE DILIGENCE- OGI

It is essential to note here that following the 2021 Rules, the additional due diligence requirements under Rule 4, were only supposed to be a compliance obligation for the significant social media intermediary. However, with the present Amendment, even an OGI offering permissible online real money game, irrespective of its user base will be required to comply with Rule 4, including-

  1. Appointing a Chief Compliance Officer;
  2. Appointing a Nodal contact person, who shall be a resident in India;
  3. Appointing a resident Grievance officer, who shall be a resident in India;
  4. Publishing periodic reports monthly in relation to the complaints received, and the course of measure(s) duly taken;
  5. Maintaining a physical address in India, and publishing its details on the website and mobile application;
  6. Implementing a complaint and grievance mechanism for the users’ to file, track and check the status of their complaints;
  7. Verifying the users’ accounts, and marking such users with a visible mark;
  8. Displaying the verified mark obtained after due verification done from the concerned SRB;
  9. Informing the users’ about withdrawal/refund policy, manner of determining and distribution of winnings, fees and charges payable by the users, KYC procedure, measures undertaken for protecting the users’ deposits, and the procedure followed for verification of online real money game;
  10. Mandatory KYC before accepting deposits from the users;
  11. Prohibiting and banning OGI from offering its users’ credit facilities and/or enabling third-parties to finance for the purpose of playing such online game.

ELIGIBILITY CRITERIA FOR SRB

  • Verification of online real money game shall only be done by designated SRB(s). An entity may apply to Meity for being designated as an SRB, provided they fulfil the following-
  1. Entity registered under section 8 of the Companies Act, 2013;
  2. Membership is representative of the online gaming industry;
  3. The number of board of directors shall be 8. They shall have no conflict of interest, and possess skills, experience, and knowledge as mentioned under the said rules, for performing their roles & duties as a self-regulating body;
  4. Must have sufficient funds for performing their duties as a self-regulatory body;
  5. The MoA & AoA of the entity shall be compliant with the 2021 Rules and the Amendment.

VERIFICATION OF ONLINE REAL MONEY GAME

  • Upon receiving an application from an online real money game, the SRB shall verify and declare them as permissible online real money game, provided the following is satisfied-
  1. Such an online real money game shall not contain wagering on any outcome; and
  2. The OGI and such online real money game shall be compliant with Rule 3 and 4, law relating  to the age and competency to contract, along with the SRB’s framework.
  • The rule further clarifies the time-frame given to the SRB shall be three (3) months, in which they have to declare the applicant (online real money game) as permissible online real money. It is further stated that initially the SRB shall only rely upon the information provided to them by the applicant. However, the SRB shall complete the due inquiry with the said time-frame to declare them as compliant and permissible or reject their application in writing.
  • SRB must publish on their website and/or website, a list of all the permissible online real money game, their verification expiry date, suspended and revoked online real money game.
  • SRB must maintain and publish their members’ list on their website and/or mobile application.
  • SRB shall have the powers to suspend and revoke the verification of any online real money game, if they are satisfied that the said online real money game is not in compliance with the 2021 Rules and the Amendment.
  • The online real money game and the OGI must display the verified mark granted by the SRB on their platforms.
  • Every SRB is required to publish on their website and/or mobile application their framework of verifying online real money game, which shall also include-
  1. Measures taken to ensure that an online real money game is not against the interests of sovereignty, integrity and security of the nation;
  2. Measures to ensure that an online real money game does not cause user harm as described under the Amendment;
  3. Measures taken to ensure protection to minors;
  4. Measures undertaken to ensure protection against gaming addiction, fraud, financial loss, etc.
  • The Central government before issuing directions for blocking under section 69A of the IT Act, 2000, against a permissible online real money game, may consider the details published by the SRB.
  • SRBs’ must publish a framework of grievance redressal along with the contact details of their Grievance Officer. The complaints must be acknowledged within 24 hours by the Grievance officer, and resolution must be done within 15 days from the date of the complaint.
  • Meity may suspend and/or revoke the designation of the SRB, if it is satisfied and found necessary. However, the SRB shall be given an opportunity to be heard.

APPLICABILITY & COMPLIANCE OF CERTAIN OBLIGATIONS

The Amendment further states that the compliance obligations upon the OGI shall come into force only after the expiry of three (3) months from the date on which at least three (3) SRBs would have been designated and established in accordance with Rule 4A of the Amendment.

‘ONLINE GAME’ OTHER THAN ONLINE REAL MONEY GAME

The said rules may apply to only those online games, that come under the ambit of online real money game and permissible online real money game. However, if the Central government finds it necessary in the interest and security of the State, public order, and preventing user harm, etc, in those circumstances, even those online game other than online real money game will be required to comply with the following obligations-

  • the obligations under sub-clauses (ix) and (x) of clause (b) of sub-rule (1) of rule 3; sub-rules (1), (5), (6), (7), (10), and clause (d) of sub-rule (11) of rule 4; along with rule 4A.

CONCLUSION

With the significant rise in the development of online games around the globe, the massive user and fan base, along with the amount of money involved were essential to be considered, before regulating this space. However, letting this space go unregulated would be detrimental to the country’s economy and its national security. The notified Amendment aims to promote online gaming by making the industry more accountable and transparent to its users. 

However, there are still some questions unanswered, such as why Meity took this approach to bring online games and the platforms as ‘intermediaries’ and not as ‘publishers’ under the 2021 Rules. Moreover, there are still vagueness and clarifications required in relation to terms such as ‘online real money game’ and ‘user harm’, as the ambit of both these terms is too wide, and might result in overregulation and hamper the growth of the industry as a whole.

Interestingly, the Amendment has been challenged recently in the Bombay High Court, within a week of its notification. The writ petition primarily questions the power of Meity under Rule 3(1) (b) (v), which seeks to appoint a fact-checking unit of the central governing for curbing fake and misleading information relating to the central government’s business affairs.

Lastly, the true impact of this Amendment could only be judged after the provisions come into force, and how the industry reacts toward it.

A Guide to India’s Data Protection Law:         The Digital Personal Data Protection Bill, 2022

March 23, 2023 Leave a comment

              

Background & Evolution of Privacy in India

A.  The journey of India’s Right to Privacy is more than 6 decades old, and it was only in the year 2017, the Apex Court of the land recognized and declared the “Right to Privacy” as a fundamental right enshrined under Article 21 of the Indian Constitution, 1950, in a landmark decision in  Justice K S Puttaswamy(Retd.), & Anr v UOI& Ors(2017). Little did we know, but this landmark decision changed the course of History.

B.  With the advent of the right to privacy as a fundamental right, a Committee of experts was set up in August 2017, for the purpose of preparing a draft report on Data Protection under the leadership of Justice B.N Srikrishna, (former) Judge of the Supreme Court. 

C. The Experts Committee submitted its report along with a draft version of the legislation in the year 2018 which was titled “Personal Data Protection Bill, 2018” (“PDP, 18”). The PDP, 18 was further analyzed and approved by the Cabinet Ministry on 4th December, 2019. Later, the draft version was introduced in the Lok Sabha, however, the title was changed to- Personal Data Protection Bill, 2019 (“PDP, 19”). 

D.  The PDP, 18 and PDP, 19 were drafted for the same purpose, but both had flaws that did not make them a comprehensive draft version of the law, and hence, none of them were adopted/passed. With the aim to make PDP, 19 more comprehensive, it was referred to a newly constituted committee i.e., Joint Parliamentary Committee (“JPC”).

E. The JPC on 16th December 2021 during the Winter session, released a recommendation report on the PDP, 19 with 81 amendments and 12 recommendations. The recommendation report was released after 2 years to the public and was renamed “the Data Protection Bill, 2021” (“DPB, 21”), with a widened scope of the bill in its entirety (inclusion of non-personal data, etc).

F.   However, the DPB, 21 was withdrawn in the Parliament in the month of August 2022 on the ground that the Government was working on a more comprehensive legal framework, and the present draft version did not allow it.

G. Surprisingly, on 18th November, a 4th draft version of the bill was introduced for public consultation. This time the title of the draft version has been changed to- The Digital Personal Data Protection Bill, 2022 (“DPDP, 22”)

The purpose of this article is to be a go-to guide for your understanding of the DPDP, 22. Here, we will not just summarize the entire draft bill, but highlight all the key provisions from an industry perspective.

PURPOSE:

The purpose of this legislation is to regulate the processing of digital personal data, to enable an individual to practice his/her right to privacy of their personal data, and to ensure that such processing is done for a lawful purpose. 

APPLICABILITY:

The law applies to the processing of “digital personal data” and excludes “offline personal data”, however, if such offline personal data is later digitized then the processing of such data would fall under the ambit of this Bill. 

Further, from the territorial scope of the DPDP, 22, it applies to data processing both within and outside the territory of India. For the law to apply outside the territory of India, it is essential that such processing of digital personal data is related to-

  • Any profiling of a Data Principal within the territory of India; or
  • Any activity pertaining to offering goods/services to users (Data Principal) inside the territory of India.

The provisions of the DPDP, 22 shall not apply to-

  • Any non-automated processing of personal data;
  • Offline personal data;
  • Processing, done by an individual for a personal/domestic purpose;
  • If the personal data of an individual has been existing in a record for at least 100 years.

Surprisingly, there is no classification of the personal data provided in the DPDP, 22. However, the sector-specific regulations in due time may establish additional requirements pertaining to safeguarding such personal data. Lastly, the DPDP, 22 does not apply to non-personal data as compared to its previous version.

CONSENT 

  • The DPDP, 22 under section 5 states the grounds on which the Data Fiduciary shall process the personal data of the Data Principal. The processing under the DPDP, 22 shall be considered lawful only when the Data Principal has given consent or the consent is deemed to have been given.
  • The DPDP, 22 under section 7 defines the concept of “Consent” and states- that when the Data Principal has freely given, a specific, informed, and unambiguous indication to a Data Fiduciary for processing their personal data for a “specific purpose.” However, the same must be shown through an affirmative action by the Data Principal.
  • Moreover, the DPDP, 22 under section 6 provides for a mandatory requirement that must be fulfilled by the Data Fiduciary on or before seeking the consent of a Data Principal. The Data Fiduciary is mandated to provide an itemized notice to the Data Principal in clear language, which shall contain the description pertaining to the data that is required to be collected from the user and the purpose behind it.
  • In the itemized notice that is issued for seeking/requesting consent from the Data Principal for processing their personal data, the contact details of the authorized person/data protection officer of the Data Fiduciary must be mentioned. The Data Principal shall have the right to access such itemized notice requesting consent in either English or any language specified in the Eighth Schedule to the Constitution of India.
  • It is also essential to note that any additional personal data which is not necessary for the performance and fulfillment of a contract/agreement between the Data Principal & Data Fiduciary. In such scenarios, the Data Principal shall be free to refrain from giving consent.

DEEMED CONSENT

Here are some instances mentioned in the DPDP, 22 wherein, it is presumed that the processing of personal data is based on Deemed Consent. Deemed consent has been discussed under section 8 of the DPDP, 22. At present the DPDP, 22 provides 9 instances wherein consent is considered as deemed, and they are-

  1. In an event wherein, the Data Principal voluntarily provides their personal data to the Data Fiduciary, and the same is reasonably expected from them;
  2. In an event, wherein, the processing is based on the performance of any function under law, or provision of any service, or benefit to the Data Principal/issuance of any certificate/license or permit to any action of the Data Principal by any State institutions or agencies;
  3. Processing done in relation to compliance with court order(s)/judgement(s);
  4. Processing done in relation to medical emergency pertaining to threat to life/health of the Data Principal or any other person;
  5. Processing done in relation to provide medical treatment/assistance to people during epidemic, outbreak, and/or any such threat to public health;
  6. Processing done in relation to taking safety measures for providing services to people during disaster, and/or breakdown of public order;
  7. Processing done in relation to employment-related purposes;
  8. Processing done on the grounds of public interest;
  9. Processing done for any fair and reasonable purpose- wherein the legitimate interests of the Data Fiduciary outweigh any adverse effect on the Data Principal, public interest and the reasonable expectations of the Data Principal.

It is essential to note here that the notice mentioned under section 6 is not mandated where deemed consent is given by the Data Principal.

CROSS-BORDER TRANSFERS

The DPDP, 22 also lays down a provision for the cross-border transfer of digital personal data. Although, it does not specify or name which countries/territories will be treated as “trusted geographies” for permitting the cross-border transfer of digital personal data. However, section 17 states that the Central Government will only allow and notify those countries/territories for cross-border transfers, based on an assessment as it may consider necessary.

EXEMPTIONS

Moreover, under section 18, there are some exemptions listed out, which simply means that the provisions of the DPDP, 22 shall not apply, except section 9(4)- which states that the Data Fiduciary and Data Processor shall take all the reasonable security measures in order to mitigate potential breaches. The exemptions have been listed below-

  • Wherein, processing such personal data is essential to enforce a legal right/claim;
  • Wherein, the processing of personal data is in the interest of prevention, detection, investigation/prosecution of any offence/contravention of any law;
  • Wherein, the processing of personal data is done by the court of law, tribunal, quasi-judicial body, etc;
  • Wherein, the personal data belongs to an individual outside the Indian territory and is processed based on a contract between an individual from outside the Indian territory and a person based in India.

The DPDP, 22 further permits the government to exempt any of its agencies from the application of this law on the ground-

  • In the interest of the sovereignty & integrity of India;
  • State’s security;
  • Friendly relations with foreign States;
  • Public order.

OBLIGATIONS OF Data Fiduciary

The DPDP, 22 under section 9 onwards up to section 11 states the obligations of Data Fiduciary. 

  • Under section 9– This provision deals with the general obligations, such as the Data Fiduciary shall be held solely responsible in relation to complying with this law, even in cases wherein the data is processed on behalf of them by Data Processors and/or by another Data Fiduciary.
  • ensuring that the personal data processed is accurate and complete especially when such data is likely to be disclosed to another Data Fiduciary and/or the data processed will be used to make decisions that affects the Data Principal itself.
  • The Data Fiduciary shall also implement both technical and organizational measures with the aim to ensure complete compliance with this law. The Data Fiduciary and Data Processor shall ensure that they take all the possible reasonable measures and safeguards to mitigate potential breach.
  • In an event of a personal data breach, the Data Fiduciary or the Data Processor (as the case may be), shall notify the Data Protection Board along with each affected Data Principal.
  • The Data Fiduciary shall ensure that the personal data of the Data Principal is not retained once the purpose behind such processing is fulfilled, and/or where retention of the data is no more required for any legal/business purpose.
  • The Data Fiduciary is also required to publish the contact details of the data protection officer or the authorised personnel who may answer on behalf of the Data Fiduciary to all such questions/queries posed by the Data Principals pertaining to the processing of their personal data. They are also required to ensure a mechanism is at place that shall focus on grievance redressal.
  • Under section 10– These provisions lay out the additional obligations of the Data Fiduciary pertaining to the processing of children’s personal data.
  • Under the DPDP, 22 for processing of a child’s (anyone who has not completed 18 years of age) personal data, the Data Fiduciary is mandated to seek the parental consent, and only after obtaining the same, they may process the child’s data.
  • Furthermore, a Data Fiduciary shall not process a child’s personal data in scenarios where such processing will likely cause harm to that child.
  • A Data Fiduciary shall not track nor monitor a child’s behviour or direct targeted advertising upon a child.
  • Under section 11–  This provision states the additional obligations of a Significant Data Fiduciary. However, before getting into the obligations, we need to understand who exactly falls under the ambit of a “Significant Data Fiduciary.” 
  • A Significant Data Fiduciary is any Data Fiduciary or a class of data fiduciaries that are notified by the Central Government. They shall be notified based on some factors such as- the amount of personal data that is being processed; the risk of harm that the Data Principals are likely to face; its impact on the integrity & sovereignty, security, and public order of the nation.
  • Furthermore, a Significant Data Fiduciary is required to appoint a Data Protection Officer, and an independent Data Auditor, and is further mandated to take measures such as Data Protection Impact Assessment, etc.

RIGHTS & DUTIES OF Data Principal

The rights and duties of the Data Principal have been laid down in Chapter 3 of the DPDP, 22 starting from section 12 up till section 16. Here is the list of rights mentioned under section 12

  1. The Data Principal shall have the right to seek confirmation from the Data Fiduciary on whether their data has been processed or is being processed by them;
  2. The data subject shall have the right to seek the summary of their data that has been processed or is being processed by the Data Fiduciary;
  3. The Data Principal shall have the right to know with whom all the Data Fiduciary has shared their personal data, along with the categories of personal data that has been shared.

Under section 13– The Data Principal shall have the right to correction and erasure of their personal data that is with the Data Fiduciary.

Under section 14–  The Data Principal shall have the right to seek grievance redressal by registering a grievance with the Data Fiduciary. Moreover, if the Data Principal is not satisfied with the response, or does not receive any response from the Data Fiduciary, then in such scenarios, the Data Principal may register the complaint at the Data Protection Board.

Under section 15– The Data Principal shall have the right to nominate anyone, who shall exercise the rights of a Data Principal under the DPDP, 22 after the death/incapacity of the Data Principal.

Under section 16– The Data Principal is obliged under DPDP, 22 to perform certain duties such as-

  1. Shall ensure that they do not register any false/frivolous complaint with the Data Fiduciary and/or at the Data Protection Board;
  2. Shall not furnish false documents, impersonate another person, and/or suppress information while applying for any document, service, proof of identity, etc.
  3. While exercising their rights under section 13 pertaining to correction and erasure, Data Principal shall furnish verifiable and authentic information.  

DATA PROTECTION BOARD OF INDIA

The DPDP, 22 also proposes to establish a Board i.e., the Data Protection Board of India to pronounce decisions against complaints filed by Data Principals, to impose penalties for non-compliance not exceeding Rs. 500 crores, and perform all such functions as and when notified by the Central Government in due time.

PENALTIES

Here are the financial penalties listed out under schedule 1 of the DPDP, 22 for non-compliance with the provisions of the law.

  1. In an event, wherein the Data Fiduciary or Data Processor fails to take reasonable security measures in order to mitigate/prevent a data breach. For such incidents, a penalty of up to Rs. 250 crores shall be imposed.
  2. Where the Data Fiduciary fails to notify the Data Protection Board & the affected Data Principals about the breach. For such incidents, a penalty of up to Rs. 200 crores shall be imposed.
  3. In an event, wherein the Data Fiduciary fails to comply with the additional obligations pertaining to the processing of a child’s personal data (section 10). For such incidents, a penalty of Rs. 200 crores shall be imposed.
  4. Wherein, the Significant Data Fiduciary fails to comply with the additional obligations mentioned under section 11. In such scenarios, a penalty of up to Rs. 150 crores shall be imposed.
  5. In an event, wherein a Data Principal fails to comply with the duties mentioned under section 16. In such scenarios, a penalty of up to Rs. 10 thousand shall be imposed.
  6. Non-compliance with the provisions of the DPDP, 22 except for those listed above, shall lead to a penalty of up to Rs. 50 crore.

CERT-In Directions dated 28 April 2022

March 23, 2023 Leave a comment

The Directions issued by CERT-In on April 28, 2022, for ensuring better cyber security measures in India as it focuses on the collection and storage of user’s sensitive information. As per the directions issued, VPNs in the country will have to keep customer names, validated physical and IP addresses, usage patterns, and other forms of personally identifiable information. Let’s discuss the directions in a detailed manner- 

Firstly, as per the directive, VPN companies are mandatorily required to collect and validate customer names, physical addresses, email addresses, and phone numbers along with that they are required to provide the reason each customer is using such service, the dates they use it, and their “ownership pattern.” They are also required to provide the IP address and email address used by a customer to register for the service, along with a registration timestamp. Lastly, they must provide all IP addresses issued to a customer and a list of IP addresses being used by its customer base generally. 

Secondly, the directives by CERT-In will have a wide impact on almost every stakeholder involved in the usage of internet as it is applicable to all service providers, intermediaries, data centers, body corporate and Government organizations. Furthermore, any non-compliance to these directions could lead to criminal imprisonment up to a year as a punishment. 

The CERT-In was set up as a body under the Ministry of Electronics and Information Technology (“MeitY”) to conquer the rising cyber security concerns. Moreover, some form of monitoring of information of users was necessary in order to combat against rising cyber harms. Since the latest directives give CERT-In the power to store and use such sensitive information of users; the directives also mandate that virtual asset service providers must have mandatory KYC and submit their financial transactions report to CERT-In.

It must be noted that the centre will use all the legal and security safeguards along with proper administrative channels to access such information mandated under the present directives. A detailed analysis of the said directions in the next post. Stay tuned!

Your Guide to Managing Data Subject Access Requests

March 29, 2022 Leave a comment

DSAR means Data Subject Access Request, and this is one of the rights that a data subject or an individual under the General Data Protection Regulation (GDPR) enjoys. 

  1. A data subject is anyone whose data is collected, shared and processed by a data controller.
  2. A data controller is a company, organization or anyone who deals with the personal data/information of the data subjects. 

As per the GDPR, the data subject should be a resident living in the European Union.

Recital 63 of the GDPR states:

“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”

  1. Reasons to have a DSAR process
S.NOReason(s) for DSAR
1.For confirming whether your organization/business processes the personal data of an individual (referred to as Data subjects).
2.For accessing the personal data/information of a data subject.
3.For determining whether such processing of data of the subject is on a lawful basis or not.
4.For knowing the duration/period for such data which has been stored in your organization/business
5.For enquiring about how the data subject’s personal information/data was obtained by your organization/business.
6.For obtaining information about automated decision-making and profiling from the data subject’s personal information.
7.For obtaining the names and further details of the third-parties with whom your organization/business is sharing the personal information of the data subject(s).

This isn’t an exhaustive list; a data subject has a right under the GDPR and can submit such a request (DSAR) without any given reason to the data controller and at any time. The data controller may only ask questions in order to verify the data subject’s identity. 

  1. Principles for DSAR

GDPR in the entirety is based on the following principles and it is the data controller’s responsibility and obligation to process data in accordance to the principles laid down-

Article 5 of the GDPR lays down the following principles-
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and Confidentiality
Accountability

Whereas, the DSAR is based on the rights granted to the data subjects under the GDPR-

Article(s)Right of the data subject
Art.15This article grants the data subject the right to access his/her personal data held by the data controller.
Art.16This article grants the data subject the right to rectify his/her inaccurate personal data without any undue delay caused by the data controller while giving access. 
Art.17This article grants the data subject with the right to be forgotten without causing any undue delay by the data controller.
Art.18This article grants the data subject the right to restrict the processing of his/her personal data.
Art.20This article grants the data subject the right to transmit his/her personal data to any other controller, and also to obtain his/her personal data in a machine-readable format.
Art.21This article grants the data subject the right to object to processing of his/her personal data.
Art.22This article grants the data subject the right not to be subjected to automated decision making and profiling.
  1. Steps to perform as a Data Controller-
S.No.Steps to be taken
1.The first step should be to verify the data subject’s identity and record the DSAR in the system.
2.The next step is collecting and categorizing the personal data that you have stored.
3.The next step should be to review the data subject’s request in order to understand the DSAR’s requirement. The reply to such a request should be within 30 days as mandated by the GDPR and without causing any undue delay.
4.Before sharing the response to the data subject, it is better to gather all the personal data of the data subject into the response, as the GDPR also encourages remote access to such data.
5.The data controller needs to ensure that the delivery of the data to the data subject should be secure as data leaks and breaches are quite expensive, moreover, it affects the trust among its users and the reputation/goodwill.
6.Once you have followed all the required steps, you are ready to send the response to the data subject
7.It is essential to remind the data subjects about their privacy rights and you may do so by adding a fews lines at the end of your response.

Aarlin Moncy: Discussing Law & Technology

April 27, 2020 Leave a comment

Hello everyone! I am yours truly, LawyerStrange, aka Aarlin Moncy!

Thank you for visiting my page. Here, you will find blogs and video content on topics (but not limited to) such as- Data protection & Privacy, Cyber law, Constitutional law, contract law, movies and comics.

But the idea is to make this platform an exclusive page for Technology Law. Help me in this journey to build a community for tech & comic geeks. Let’s grow together.

Feel free to contact me and do share your suggestions.

Thanks again!

Stay safe and Take care!