A Holistic Approach to Personal Data Protection


After detailed deliberations, the Joint Committee of Parliament on the Personal Data Protection Bill has made several important recommendations, and a debate is currently raging in the country over some of those proposals.

The Committee’s recommendations need to be understood in the broader context of personal data protection and of supporting the growth of a robust innovation and data-driven digital economy.

The Committee has proposed a new clause to include non-personal data within the ambit of the Bill, since renamed the Data Protection Bill, 2021.

This has been done to take a holistic approach towards processing of data, both personal and non-personal, as with the advent of advanced technologies like artificial intelligence and sophisticated data analytics, it may not be too difficult in future to relate anonymised personal data (a form of non-personal data) to individuals.

However, the revised Bill only contains a provision for formulating rules regarding non-personal data at a later stage. Currently, it does not have any substantive provisions in this regard.

A key provision in the Bill to allow certain exemptions to the government data fiduciaries has generated a lot of discussion.

The exemptions under Section 35 of the Bill need to be on a case-to-case basis and only on the grounds of sovereignty and integrity of India, security, etc. which are within the ambit of reasonable restrictions under Article 19(2) of the Constitution.

Further, the reasons for exemptions have to be just, fair, reasonable and proportionate, as per the norms laid down by the Supreme Court in its 2017 privacy judgement in the Puttaswamy case.

The exemptions under Section 12 are narrower and more specific for facilitating better delivery of government services, disaster management, dealing with epidemics and medical emergencies, etc.

Government entities are not exempted from their obligations as data fiduciaries or from complying with the rights of data principals in general. There are adequate safeguards in the Bill to prevent any misuse of such exemptions, including oversight by the Data Protection Authority (DPA).

Another recommendation that has generated much debate relates to making social media platforms liable for content hosted on their platforms from unverified accounts and making verification of accounts mandatory.  

However, this is only for those platforms that do not act as intermediaries eligible for safe harbour as per Section 79 of the Information Technology Act, 2000. This is only a recommendation that needs to be examined by the government later and is not part of the revised Bill.  

Concerns have also been raised over the compliance burden on startups and its impact on innovation.

To address this concern, the Bill places much greater emphasis on compliance by the significant data fiduciaries with additional obligations, such as periodic audits, appointment of data protection officers, etc. Startups and small businesses do not need to comply with these additional obligations as they would not be classified as significant data fiduciaries.

The Bill also provides for the creation of a sandbox to encourage innovation. Processing of personal data of foreign nationals is also exempted under the Bill.

Another key concern is regarding the provisions for data localisation.

Section 33 of the Bill makes it clear that sensitive personal data shall continue to be stored in India, while Section 34 allows its transfer outside India under certain conditions.

The EU GDPR places similar conditions on data transfer to only those countries which fulfil the ‘data adequacy’ norms.

These provisions will make it easier for Indian entities to attract more outsourcing business from abroad as India would fulfil these norms. Storage of sensitive personal data within India would support the growth of hyperscale data centres and an innovative data-driven economy.

Concerns have also been raised over another recommendation relating to norms for testing the integrity of hardware and software on devices.

This has been done to prevent any unauthorised data breaches through insertion of any untrusted hardware. This provision has been added within the scope of functions of the DPA under Section 49 and can be implemented only after the DPA formulates an appropriate code of practice in consultation with the relevant stakeholders.   

The concept of privacy has evolved from the Aristotelian concept of idios, meaning “one’s own” or “private”, in ancient times to its modern-day focus on informational privacy.

The Data Protection Bill, 2021 provides a holistic framework for addressing informational privacy that will also help greatly in the growth of a robust digital economy in India.

(The above article appeared in The Economic Times on January 9, 2022 and is available at: https://economictimes.indiatimes.com/tech/catalysts/ettech-opinion-a-holistic-approach-to-personal-data-protection/articleshow/88775228.cms?from=mdr. The views are personal.)

Traceability vs Privacy: The Real Issue is of Collective Security


Societies have long realised the need to provide collective security for all to ensure sustainable development and prosperity. Providing collective security involved imposing some form of social control to regulate individual and group behaviour through gathering information about individuals. In the modern information age, a good government can ensure collective security through efficient use of information for law enforcement without necessarily encroaching upon individual privacy.  

Countries around the world have enacted laws to ensure that such information could be collected easily through various sources to help in achieving the wider societal goal of collective security. The US enacted the Stored Communications Act (SCA) in 1986 to require internet service providers (ISPs) to provide content and metadata on stored emails to government agencies under certain conditions. As this law soon became outdated due to rapid technological advances, the US passed the Communications Assistance for Law Enforcement Act (CALEA) that required telecom companies to redesign their networks to facilitate wiretapping by government agencies. Later, in 2005, it was expanded to cover ISPs and services like Skype, etc.

The UK and Australia have gone even further in enacting laws that require device makers and software developers to provide access to encrypted data. The Investigatory Powers Act 2016 and the Investigatory Powers Regulations 2018 in the UK provide sweeping powers to the intelligence and law enforcement agencies to carry out both targeted and bulk interception of internet communications and hack into devices to access data. The Telecommunications Assistance and Access Act 2018 of Australia gives broad powers to the government agencies to require communication service providers (CSPs) to decrypt any communication.

The raging debate in India over the ‘traceability’ provision in the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 must be understood in the context of the need for ensuring collective security as a social good. The rules require the significant social media intermediaries to identify the first originator of a message in India for investigation of grave offences relating to the sovereignty and integrity of the country, crimes against women and children, etc. that are punishable with a minimum prison term of 5 years.

Critics have claimed that this provision would seriously undermine privacy and force the intermediaries to break the end-to-end encryption. However, the rules make it very clear that what is required to be provided by the intermediaries is only the metadata about the first originator of the offending message, and not its contents.  The message itself needs to be provided by the law enforcement agencies to the intermediaries. There is no attempt to make them break any encryption. With such safeguards built into the rules, the provision cannot be termed as harming privacy. In fact, the rules place much less onerous obligations on the intermediaries for sharing information compared to what several other countries have mandated, as noted earlier.

The law and the evolving jurisprudence in this domain in India have provided strong safeguards for ensuring freedom of expression and privacy. The upcoming Personal Data Protection Bill aims to further enhance this legal framework for protection of personal data and online privacy subject to reasonable checks in the interest of collective and national security. John Locke, a famous 17th century philosopher and the “Father of Liberalism”, argued in his Second Treatise of Civil Government that individuals needed a strong government to be able to exercise their individual rights and liberties.  

There need not necessarily be a trade-off between privacy and collective security. Collective security is just as essential to make people feel safe and allow them to enjoy their privacy protections to function effectively as individuals.  The new IT Rules seek to achieve that larger social good.

(The above article appeared in The Economic Times on 10th October 2021. It is available at: https://economictimes.indiatimes.com/tech/catalysts/traceability-vs-privacy-the-real-issue-is-of-collective-security/articleshow/86721078.cms?from=mdr. The views are personal.)

The Race for Global Leadership in AI: Where Does India Stand?


Over 50 countries around the world have announced their own national strategies on Artificial Intelligence (AI) and many others are rushing to do so. AI holds great potential as the key driving force for the next phase of economic growth led by technological innovation and no nation wants to be left behind. However, which countries are early movers in the global AI sweepstakes and where does India stand in the race for global AI leadership?

AI generally refers to the capability of machines to mimic human-like cognitive functions, such as learning, thinking and problem solving. It comprises a suite of technologies, e.g., machine learning, deep learning, speech recognition, image processing, etc. that underpin broader technologically driven transformations happening in diverse domains: education, healthcare, industry 4.0, autonomous vehicles, etc. AI also has huge potential military applications in the development of autonomous weapons. There is a growing feeling in many countries that leadership in AI would be crucial in determining strategic and geopolitical influence in future, both at regional and global levels.

Several countries and jurisdictions, such as USA, China, European Union, UK, etc., have already announced their national AI strategies and are early movers in this rapidly evolving technology. Most of them have tried to leverage their own strengths to advance their capabilities in AI. However, they all focus on certain common key elements in varying degrees in their strategies: research and development (R&D), skilling, building data ecosystems, developing computing and network infrastructure, collaborative partnerships, ethics, and regulation.

The US launched its first federal initiative on AI in 2016 and a revamped initiative in 2019 with focus on five key elements: R&D, technical standards, training, promoting public trust and confidence, and protecting the American technological advantage while promoting international collaboration. It has generously funded its AI initiative, with a total budget of approximately $1 billion for non-defence AI R&D in 2020. It had also committed $2 billion over five years on AI R&D in defence in 2018.

The European Union (EU) first published its Coordinated Plan on AI in 2018. It has published an updated plan in April 2021 that focuses on four key components: AI development and implementation, R&D and building data ecosystems, skilling and fostering trust in AI, and building strategic leadership in high impact sectors such as climate, health, and mobility. The public and private funding for AI is estimated to be around EUR 20 billion per year till 2030.

China announced its “New Generation Artificial Intelligence Development Plan” in 2017 with the overarching goal of becoming the world leader in AI by 2030 by creating a trillion Yuan (approx. US$ 150 billion) AI industry in China. The plan focuses on developing and deploying AI in a wide range of economic sectors including defence. While the plan and the strategy are central, the implementation is to be done by the local governments and the private sector. The total national and local government funding on AI programmes is estimated to be in the range of tens of billions of US dollars.

The UK announced its AI Sector Deal in 2018 with the key goal of becoming the world’s most innovative economy in AI. It focuses on education and training, R&D, promoting networking and partnerships, regulation to build trust, developing open data ecosystems, and networking and computing infrastructure. The total funding commitment for the strategy is around GBP 2.7 billion.

Where does India stand in the global race for leadership in AI? The NITI Aayog’s discussion paper on national strategy on AI in 2018 focuses on leveraging AI for inclusive growth and mentions five key domains: healthcare, education, agriculture, smart cities, and transportation and mobility. It also notes five key barriers to excellence in AI that need to be addressed: lack of R&D expertise, lack of high-quality datasets, lack of a regulatory framework on privacy and security, high resource cost and low awareness, and absence of a collaborative approach to adoption and applications. It proposed setting up of five centres of research excellence and 20 centres for transformational AI with a total funding of around Rs. 7,000 crores. However, though the strategy paper was published in 2018, India is yet to launch a comprehensive and coordinated national programme on AI. One study by Oxford Insights placed India at the 40th position in the world in the Government AI Readiness Index out of 172 countries, a drop of 23 places from the 2019 rankings. Though India currently ranks third in the world in terms of total number of research publications in AI, we need to quickly formulate and implement a well-designed national programme on AI with adequate funding to become a global leader in this strategic technology. This is eminently possible if we can leverage our strengths in R&D due to a strong network of academic and research institutions, availability of a huge talent base and high-quality datasets in diverse domains, and presence of a globally competitive IT sector within the country.

(The author is a senior IAS officer and is currently working as Additional Secretary in the Ministry of Electronics and IT. The views are personal.)

The above article appeared in The Economic Times on 22 August, 2021. The link is here: https://economictimes.indiatimes.com/tech/tech-bytes/the-race-for-global-leadership-in-ai-where-does-india-stand/articleshow/85520265.cms

Unduly Worried Over New Information Technology Rules


In a communication dated June 11, three UN Special Rapporteurs raised serious concerns over provisions of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. They claim that these provisions do not meet the standards of rights to privacy and to freedom of expression as per Articles 17 and 19 of the International Covenant on Civil and Political Rights (ICCPR) and that some of the due diligence obligations of intermediaries may infringe upon a “wide range of human rights”.

They claim that the terms such as “ethnically or racially objectionable”, “harmful to child”, “impersonates another person”, etc. are broad and lack clear definitions and may lead to arbitrary application. Nothing could be further from the truth. These terms have been very well defined and understood in both Indian and international law and jurisprudence. Rule 3(1)(b) of the IT Rules specifies these terms clearly as part of a user agreement that the intermediaries must publish. They are aimed at bringing more transparency in how intermediaries deal with the user content and are not violative of the UN’s Joint Declaration on Freedom of Expression and “Fake News”, Disinformation and Propaganda.

It must also be mentioned that Rule 3(1)(d) allows for removal of unlawful content relating to sovereignty and integrity of India, security of the state, friendly relations with foreign states, public order, etc. only upon an order by a competent court or by the Appropriate Government. This is as per the due process specified by the Supreme Court in the Shreya Singhal Vs Union of India case in 2015. Given the potential of immense harm that can be caused by such unlawful content being freely available online, the time limit of 36 hours for their removal after due process is reasonable. Similarly, the time limit of 72 hours for providing information for investigation in response to lawful requests in writing from government agencies is entirely reasonable. Rule 3(2) also provides for establishing a grievance redressal mechanism by the intermediaries and resolution of user complaints within 15 days. However, content in the nature of ‘revenge porn’ must be removed within 24 hours. Again, given the potential of immense personal damage that such acts can cause to the dignity of women and children, this time limit is reasonable.

The liability of the Chief Compliance Officer under Rule 4(1) of a significant social media intermediary is not arbitrary. He or she can be held liable in any proceeding only after a due process of law. This has been clearly specified in the rule itself.

The apprehensions about the Rules harming privacy are also misplaced. Rule 4(2) requires the significant social media intermediaries to provide only the metadata about the first originator of a viral message that may be required for investigation of a serious crime relating to sovereignty and integrity of India, public order, rape, child sexual abuse, etc. that are punishable with a minimum term of five years. This again is after a lawful order is passed by a court or a competent authority and where there is no other less intrusive means of obtaining such information. There is no provision to ask the intermediary to break any encryption to obtain the contents of the message. In fact, the content is provided by the law enforcement agencies to the intermediary. Lawful investigation of crimes cannot be termed as harmful to privacy. Several countries, such as the US, UK and Australia, have enacted laws that allow for far more intrusive interception of encrypted messages, including their decryption.

The concerns with regard to media freedom are also misplaced. Section 5 of the UN’s Joint Declaration on Freedom of Expression and “Fake News” specifically enjoins upon the media outlets to provide for self-regulation at the individual media outlet level and/or at the media sector level. The IT Rules provide for a three-tier system of regulation, in which the government oversight mechanism comes in at the third level only after the first two tiers of self-regulation have failed to produce a resolution. The rules clearly specify the due process for the government oversight mechanism.

India is a vibrant democracy with a long tradition of rule of law and respect for freedom of expression and privacy. The IT Rules aim at empowering the users to enable them to exercise their right to freedom of expression responsibly and prevent the misuse of these platforms for unlawful purposes. The selective interpretation of the provisions of the IT Rules by the UN Rapporteurs is, at best, disingenuous.  

(The above article appeared in The Economic Times on July 11, 2021 and is available at https://economictimes.indiatimes.com/opinion/et-commentary/unduly-worried-over-new-rules/articleshow/84323812.cms?from=mdr. The views expressed by the author are personal.)