The Personal Data Protection Bill, 2019 was introduced in Lok Sabha on the 11th December 2019. This Bill brought in a number of new clauses such as compliance obligations for social media companies and enhanced State power to exempt any government agency from the purview of the Bill; relaxed some existing provisions – done away with mandatory mirroring requirements for all personal data and done away with certain offences for transferring/ selling personal data; and in some cases removed extant requirements such as the creation of the Data Protection Funds, as compared to the Draft Personal Data Protection Bill, 2018, which was released last year.
The Bill has been referred to a Joint Select Committee of the Parliament, which will review and recommend changes to it.
Key changes from previous version: https://sflc.in/key-changes-personal-data-protection-bill-2019-srikrishna-committee-draft
The Ministry of Information and Broadcasting released the Draft Registration of Press and Periodicals Bill, 2019. This would require publishers of news on digital media to register themselves with the Registrar of Newspapers of India. It is unclear whether this would cover ordinary individuals who post news articles on blogs or social media.
The Department of Consumer Affairs released the draft Consumer Protection (E-Commerce) Rules 2019 for public consultation. The draft rules were open for consultation till December 2, 2019. The draft rules propose that e-commerce entities could not influence the price of goods and services, adopt unfair trade practices, or leave fake reviews as consumers.
The National Counter Rogue Drone Guidelines have been set in place to lay out various counter rogue drone measures and guidelines to deal with drones that indulge in harmful conduct such as reconnaissance, attacking people/property, invading people's privacy by spying on them, among other harms which affect the general public, national security concerns, etc.
The link to the National Counter Rogue Guidelines can be found here: http://www.civilaviation.gov.in/sites/default/files/Counter_rogue_drone_guidelnes_NSCS.pdf
Prakash Javadekar, Minster for Information and Broadcasting invited suggestions and recommendations regarding certification of online content.
In the new Consumer Protection Act, 2019 online platforms or marketplaces would have to disclose details of sellers such as their address, website, email, conditions related to refund, etc. They will also be responsibile for harm or injury caused by a defective product or deficient service sold on their website.
This act also permits the Central Government to prescribe rules to prevent unfair trade practices in e-commerce.
As per the new Consumer Protection Act, 2019 online platforms or marketplaces would now have to disclose details of sellers such as their address, website, email, conditions related to refund, etc. They will also be responsible for harm or injury caused by a defective product or deficient service sold on their website.
This act also permits the Central Government to prescribe rules to prevent unfair trade practices in e-commerce.
Link to the Consumer Protection Act, 2019 can be found here: http://egazette.nic.in/WriteReadData/2019/210422.pdf.
The Ministry of Health and Family Welfare released the report on National Digital Health Blueprint which sought to include establishing core digital health date infrastructure for its seamless exchange, creating a system for Electronic Health records and promoting health data analytics and medical research. This report was placed in public domain on 15 July 2019 to elicit comments/ views from the stakeholders and the general public. The report was later submitted to the Union Health Minister Harsh Vardhan.
SFLC’s comments can be found here: https://privacy.sflc.in/our-comments-on-ndhb/.
The Final Report can be found here: https://mohfw.gov.in/sites/default/files/Final%20NDHB%20report.pdf.
The National Crime Records Bureau released a request for proposal for a centralised Automated Facial Recognition System. This system would enable the creation of “a national level searchable platform of facial images”. The deadline for submission has so far been changed 5 times and is currently 31 January, 2020. The database would be creating using Passport, CCTNS [Crime and Criminal Tracking Network and Systems], ICJS [Interoperable Criminal Justice System] and Prisons, Ministry of women and child development (KhoyaPaya), and State or National Automated Fingerprint Identification System or any other image database available with police/other entity.
The Aadhaar and Other Laws (Amendment) Ordinance, 2019 amended the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, the Indian Telegraph Act, 1885, and the Prevention of Money Laundering Act, 2002. The Aadhaar Act provides targeted delivery of subsidies and benefits to individuals residing in India by assigning them unique identity numbers, called Aadhaar numbers. A similar Bill had earlier been passed by Lok Sabha on January 4, 2019.
The aims of the policy are to develop India as a “Software Product Nation” and a global leader in conception, design, development and production of intellectual capital driven software products, thus, accelerating growth of entire spectrum of IT Industry of the country.
The Policy will lead to the formulation of several schemes, initiatives, projects and measures for the development of software products sector in the country. The Policy has five Missions.
1.To promote the creation of a sustainable Indian software product industry, driven by intellectual property (IP).
2.To nurture technology startups in software product industry, including in Tier-II and Tier-III towns.
3.To create a talent pool for software product industry.
4.To build a cluster-based innovation driven ecosystem by developing sectoral and strategically located software product development clusters.
5.To evolve and monitor scheme & programmes for the implementation of this policy, National Software Products Mission will be set up with participation from Government, Academia and Industry.
The aims of the policy are to create a framework for achieving holistic growth of e-commerce sector with special emphasis on the data driven ecosystem, to help stakeholders benefit from the progressive digitization of the domestic digital economy and establish a level playing field for all stakeholders in the digital economy.
It address a wide range of subjects such as - data ownership, data protection, cross-border data flow, foreign investments, competition issues, intellectual property and intermediary liability, tax etc.
The Draft Rules seek to amend existing ‘due diligence’ guidelines under The Information Technology (Intermediaries Guidelines) Rules, 2011. These Rules are to be followed by ‘intermediaries’ as per the Information Technology Act, 2000 (“IT Act”).
The Policy has been criticised for its ‘one size fits all’ approach to regulation of intermediaries. The use of vague and ambiguous terms, excessive delegation of legislative powers and lack of procedural safeguards that may to lead to violation of free speech and privacy rights.
In the exercise of powers conferred upon sub-section (1) of Section 69 of IT Act 2000 read with rule 4 of the IT Rules 2009, Ministry of Home Affairs notified the following authorities as authorised agencies to for the purposes of interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource under the Information Technology Act, 2000:
Intelligence Bureau, Narcotics Central Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, CBI, NIA, RAW, Directorate of Signal Intelligence, and Commissioner of Police, Delhi.
The Telecom Regulatory Authority of India (TRAI) had published a consultation paper for the creation of a regulatory framework for over-the-top (OTT) communication services. TRAI sought comments on suitability and extent of regulatory/ licensing norms that may be applicable to OTT providers.
We submitted comments and counter-comments on issues raised in the paper. Some of these include treating OTT at par with services provided by TSPs, requiring OTT to establish infrastructure for lawful interception and decryption of data, data localisation, registration of all OTT apps in India, revenue for TSPs from OTT services, subscriber verification, substitutability of services etc.
National Telecom Policy was re-named as the National Digital Communications Policy. Telecom Commissions was re-designated as the Digital Communications Commission.
The aim of the policy is to achieve digital empowerment and improved well-being of people through provisioning of broadband for all, creation of jobs in digital communications sector, enhancing contribution of digital communication to the GDP, ensuring digital sovereignty and increasing India’s contribution to global value chains.
The vision of the policy is to create ubiquitous, resilient, secure, accessible and affordable Digital Communications Infrastructure and Services and support India’s transition to a digitally empowered economy and society.
Three missions of the policy are:
- Create robust digital communications Infrastructure;
- Enable next generation technologies and services through investments, innovation and IPR generation; and
- Ensure sovereignty, safety and security of digital communications.
TRAI released its recommendations on Net Neutrality in November, 2017. The recommendations include:
- Prohibiting discriminatory treatment of content, updating license agreements for ISP to incorporated principles of non-discriminatory treatment of content.
- Setting up a multistakeholder watchdog under DoT for enforcing net neutrality. Website blocking by government/court orders has been kept outside the ambit while IoT has been kept within the ambit of net neutrality.
In July, 2018, the Telecom Commission approved these recommendations.
A nine-member Committee of Experts on Data Protection for India headed by retired Justice B.N. Srikrishna had released a white paper on data protection framework for India on 27th November, 2017 inviting comments from the public on 231 questions outlining areas of relevance.
A year after its constitution, on 27th July 2018, the expert committee submitted its Report along with a draft bill titled The Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology.
The Bill has recognized the right to privacy as a fundamental right and protection of personal data as an essential facet of informational privacy. It provides for data protection obligations such as purpose and collection limitation, notice and consent regime; provides stricter consent requirements for sensitive personal data and personal data of children; sets up enforcement and grievance redressal mechanism and various other provisions related to data protection. However, there are certain issues with the bill as well. These include data localisation, lack of independence in Data Protection Authority of India, wide exemptions, online surveillance, independence of data protection officers among others.
SFLC.in's posts on the topic:
- Comments on the Bill: https://privacy.sflc.in/our-comments-draft-data-protection-bill/
- Summary of the Bill: https://privacy.sflc.in/summary-of-the-personal-data-protection-bill-2018/
- Brief analysis of the Bill: https://privacy.sflc.in/brief-analysis-of-the-personal-data-protection-bill-2018/
After consultation with stakeholders, TRAI issued recommendations on "Privacy, Security and Ownership of Data in the Telecom Sector".
The recommendations dealt with certain important issues such as: control over data, data security, cross border data transfers, consent, data minimization and encryption, amongst others.
The Department of Telecommunications stated that they would currently not take up these recommendations, and they referred the same to the B.N Srikrishna Committee, a committee formed to recommend a data protection framework for India.
SFLC.in actively participated both rounds of consultation process as well as TRAI's open house discussions. Comments and counter-comments to TRAI consultation may be accessed at: https://privacy.sflc.in/our-comments-on-the-trai/ & https://privacy.sflc.in/our-counter-comments-on-the-trai-consultation-paper-on-privacy-security-and-ownership-of-data-in-the-telecom-sector/
This was a discussion paper published by NITI Aayog on June 4, 2018 by NITI Aayog. It identified 5 priority sectors for leveraging AI: Healthcare, Agriculture, Education, Smart Cities and Infrastructure and Smart Mobility and Transportation. It deliberated on challenges, and ethical, privacy and security issues related to AI and skill development.
CEO Amitabh Kant stated that a task force would be setup for speedy implementation of the suggestions; COREs (Centres Of Research Excellence) and ICTAIs (International Centers of Transformational AI) would be set up.
Our analysis of the document: https://sflc.in/welcome-ai-indian-governments-ambitious-policy-proposal
All organisations having “Protected System” (under Section 2(k) of the Information Technology Act, 2000; primarily covers government organisations) shall constitute an Information Security Steering Committee (ISSC) under the chairmanship of CEO/MD/Secretary.
Mandate of ISSC includes approving information security policies of Protected Systems; setting mechanisms for timely communication of cyber incidents; sharing information security audits etc.
Nominate Chief Information Security Officer (CISO) as provided in “Guidelines for Protection of Critical Information Infrastructure”
Establish, monitor and continually improve Information Security Management System (ISMS) of the Protected System.
The Ministry of Information and Broadcasting released a bid document (“SMCH Bid Document”). The document stated the intent to establish a Social Media Communication Hub. This would enable processes such as analyzing large volumes of data across diverse digital platforms in real time, comprehensive analytics along with monitoring and analyzing social media communications, etc.
The proposal was challenged in the Supreme Court by Mahua Moitra, Trinamool Congress MP. The project was subsequently withdrawn by the Government, as informed by the Attorney General, Mr. K.K Venugopal on August 3, 2018.
SFLC.in live tweeted the developments in the matter. There were multiple points of concern regarding the SMCH Bid Document. A few of the issues are highlighted here: https://sflc.in/social-media-communications-hub-privacy-nightmare
RBI issued a notification mandating data localisation for payment services, as a solution to ensure privacy and data protection. It required all system providers to ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details, information collected, carried, processed as part of the message / payment instruction. Moreover, the System providers were required to comply within a period of six months and report compliance of the same to the Reserve Bank by October 15, 2018.
The Bill was released for public consultation. DISHA aims to secure patient health data in India.
Its objectives are to:
standardize and regulate the processes related to collection, storing, transmission and use of digital health data;
ensure reliability, data privacy, confidentiality and security of digital health data.
Bill available at: https://mohfw.gov.in/sites/default/files/R_4179_1521627488625_0.pdf
The Ministry of Communications notified new rules for the suspension of telecom services in case of public emergency or public safety, and consequently, the suspension of Internet services in India. These rules were issued under section 7 of the Indian Telegraph Act, 1885.
For more information, please visit https://sflc.in/new-rules-temporary-suspension-telecom-services-case-public-emergency-or-public-safety
Focus of this consultation was on defining the scope of traffic management practices adopted by Internet and Telecom Service Providers, better understanding net neutrality in an Indian context, and gathering input on some key operational aspects of legal/policy frameworks around net neutrality.
Our comments highlighting, among others, the need for a robust regulatory framework on net neutrality in India can be viewed at https://sflc.in/sflc-ins-comments-on-trais-consultation-paper-on-net-neutrality
The policy makes it mandatory to formally adopt and use Open Source Software (OSS) in government organisations, as a preferred option in comparison to Closed Source Software (CSS).
The objectives of the policy are:
1.To provide a policy framework for rapid and effective adoption of OSS.
2.To ensure strategic control in e-governance applications and systems from a long-term perspective.
3.To reduce the Total Cost of Ownership (TCO) of projects.
The report covered international and national privacy principles and emerging issues along with analysis of prevailing legislations/ bill from privacy perspective. It identified a set of recommendations for a Privacy Act.
Applies to all data and information created, generated, collected and archived using public funds provided by Government of India. The Policy facilitates accessibility and easy sharing of non-sensitive data amongst the registered users and its availability for scientific, economic and social developmental purposes.