The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 1 to 15.
WSIS+10 High Level Event: A Bird's Eye Report
http://editors.cis-india.org/internet-governance/blog/wsis-10-high-level-event-a-birds-eye-report
<b>The WSIS+10 High Level was organised by the ITU and collaborative UN entities on June 9-13, 2014. It aimed to evaluate the progress on implementation of WSIS Outcomes from Geneva 2003 and Tunis 2005, and to envision a post-2015 Development Agenda. Geetha Hariharan attended the event on CIS' behalf.</b>
<p style="text-align: justify; "><span>The World Summit on Information Society (WSIS) +10 </span><a href="http://www.itu.int/wsis/implementation/2014/forum/">High Level Event</a><span> (HLE) was hosted at the ITU Headquarters in Geneva, from June 9-13, 2014. The HLE aimed to review the implementation and progress made on information and communication technology (ICT) across the globe, in light of WSIS outcomes (</span><a href="http://www.itu.int/wsis/index-p1.html">Geneva 2003</a><span> and </span><a href="http://www.itu.int/wsis/index-p2.html">Tunis 2005</a><span>). Organised in three parallel tracks, the HLE sought to take stock of progress in ICTs in the last decade (High Level track), initiate High Level Dialogues to formulate the post-2015 development agenda, as well as host thematic workshops for participants (Forum track).</span><span> </span></p>
<h3 style="text-align: justify; ">The High Level Track:</h3>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/internet-governance/blog/copy2_of_HighLevelTrack.jpg/@@images/be5f993c-3553-4d63-bb66-7cd16f8407dc.jpeg" alt="High Level Track" class="image-inline" title="High Level Track" /></p>
<p style="text-align: justify; "><i>Opening Ceremony, WSIS+10 High Level Event </i>(<a class="external-link" href="https://twitter.com/ITU/status/334587247556960256/photo/1">Source</a>)</p>
<p style="text-align: justify; ">The High Level track opened officially on June 10, 2014, and culminated with the endorsement by acclamation (as is ITU tradition) of two <a href="http://www.itu.int/wsis/implementation/2014/forum/inc/doc/outcome/362828V2E.pdf">Outcome Documents</a>. These were: (1) WSIS+10 Statement on the Implementation of WSIS Outcomes, taking stock of ICT developments since the WSIS summits, (2) WSIS+10 Vision for WSIS Beyond 2015, aiming to develop a vision for the post-2015 global information society. These documents were the result of the WSIS+10 <a href="http://www.itu.int/wsis/review/mpp/">Multi-stakeholder Preparatory Platform</a> (MPP), which involved WSIS stakeholders (governments, private sector, civil society, international organizations and relevant regional organizations).</p>
<p style="text-align: justify; ">The <strong>MPP</strong> met in six phases, convened as an open, inclusive consultation among WSIS stakeholders. It was not without its misadventures. While ITU Secretary General Dr. Hamadoun I. Touré consistently lauded the multi-stakeholder process, and Ambassador Janis Karklins urged all parties, especially governments, to “<i>let the UN General Assembly know that the multi-stakeholder model works for Internet governance at all levels</i>”, participants in the process shared stories of discomfort, disagreement and discord amongst stakeholders on various IG issues, not least human rights on the Internet, surveillance and privacy, and multi-stakeholderism. Richard Hill of the Association for Proper Internet Governance (<a href="http://www.apig.ch/">APIG</a>) and the Just Net Coalition writes that like NETmundial, the MPP was rich in a diversity of views and knowledge exchange, but stakeholders <a href="http://www.ip-watch.org/2014/06/16/what-questions-did-the-wsis10-high-level-event-answer/">failed to reach consensus</a> on crucial issues. Indeed, Prof. Vlamidir Minkin, Chairman of the MPP, expressed his dismay at the lack of consensus over action line C9. A compromise was agreed upon in relation to C9 later.<span> </span></p>
<p style="text-align: justify; ">Some members of civil society expressed their satisfaction with the extensive references to human rights and rights-centred development in the Outcome Documents. While governmental opposition was seen as frustrating, they felt that the <strong><span style="text-decoration: underline;">MPP had sought and achieved a common understanding</span></strong>, a sentiment <a href="https://twitter.com/covertlight/status/476748168051580928">echoed</a> by the ITU Secretary General. Indeed, even Iran, a state that had expressed major reservations during the MPP and felt itself unable to agree with the text, <a href="https://twitter.com/covertlight/status/476748723750711297">agreed</a> that the MPP had worked hard to draft a document beneficial to all.</p>
<p style="text-align: justify; ">Concerns around the MPP did not affect the <strong><span style="text-decoration: underline;">review of ICT developments</span></strong> over the last decade. High Level Panels with Ministers of ICT from states such as Uganda, Bangladesh, Sweden, Nigeria, Saudi Arabia and others, heads of the UN Development Programme, UNCTAD, Food and Agriculture Organisation, UN-WOMEN and others spoke at length of rapid advances in ICTs. The focus was largely on ICT access and affordability in developing states. John E. Davies of Intel repeatedly drew attention to innovative uses of ICTs in Africa and Asia, which have helped bridge divides of affordability, gender, education and capacity-building. Public-private partnerships were the best solution, he said, to affordability and access. At a ceremony evaluating implementation of WSIS action-lines, the Centre for Development of Advanced Computing (C-DAC), India, <a href="https://twitter.com/covertlight/status/476748723750711297">won an award</a> for its e-health application MOTHER.</p>
<p style="text-align: justify; "><span>The Outcome Documents themselves shall be analysed in a separate post. But in sum, the dialogue around Internet governance at the HLE centred around the success of the MPP. Most participants on panels and in the audience felt this was a crucial achievement within the realm of the UN, where the Tunis Summit had delineated strict roles for stakeholders in paragraph 35 of the </span><a href="http://www.itu.int/wsis/docs2/tunis/off/6rev1.html">Tunis Agenda</a><span>. Indeed, there was palpable relief in Conference Room 1 at the </span><a href="http://www.cicg.ch/en/">CICG</a><span>, Geneva, when on June 11, Dr. Touré announced that the Outcome Documents would be adopted without a vote, in keeping with ITU tradition, even if consensus was achieved by compromise.</span></p>
<h3 style="text-align: justify; ">The High Level Dialogues:</h3>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/internet-governance/blog/HighLevelDialogues.jpg/@@images/3c30d94f-7a65-4912-bb42-2ccd3b85a18d.jpeg" alt="High Level Dialogues" class="image-inline" title="High Level Dialogues" /></p>
<p style="text-align: justify; "><i>Prof. Vladimir Minkin delivers a statement.</i> (<a class="external-link" href="https://twitter.com/JaroslawPONDER/status/476288845013843968/photo/1">Source</a>)</p>
<p style="text-align: justify; ">The High Level Dialogues on developing a post-2015 Development Agenda, based on WSIS action lines, were active on June 12. Introducing the Dialogue, Dr. Touré lamented the Millennium Development Goals as a “<i>lost opportunity</i>”, emphasizing the need to alert the UN General Assembly and its committees as to the importance of ICTs for development.</p>
<p style="text-align: justify; ">As on previous panels, there was <strong><span style="text-decoration: underline;">intense focus on access, affordability and reach in developing countries</span></strong>, with Rwanda and Bangladesh expounding upon their successes in implementing ICT innovations domestically. The world is more connected than it was in 2005, and the ITU in 2014 is no longer what it was in 2003, said speakers. But we lack data on ICT deployment across the globe, said Minister Knutssen of Sweden, recalling the gathering to the need to engage all stakeholders in this task. Speakers on multiple panels, including the Rwandan Minister for CIT, Marilyn Cade of ICANN and Petra Lantz of the UNDP, emphasized the need for ‘smart engagement’ and capacity-building for ICT development and deployment.</p>
<p style="text-align: justify; ">A crucial session on cybersecurity saw Dr. Touré envision a global peace treaty accommodating multiple stakeholders. On the panel were Minister Omobola Johnson of Nigeria, Prof. Udo Helmbrecht of the European Union Agency for Network and Information Security (ENISA), Prof. A.A. Wahab of Cybersecurity Malaysia and Simon Muller of Facebook. The focus was primarily on building laws and regulations for secure communication and business, while child protection was equally considered.<span> </span></p>
<p style="text-align: justify; ">The lack of laws/regulations for cybersecurity (child pornography and jurisdictional issues, for instance), or other legal protections (privacy, data protection, freedom of speech) in rapidly connecting developing states was noted. But the <strong><span style="text-decoration: underline;">question of cross-border surveillance and wanton violations of privacy went unaddressed</span></strong> except for the customary, unavoidable mention. This was expected. Debates in Internet governance have, in the past year, been silently and invisibly driven by the Snowden revelations. So too, at WSIS+10 Cybersecurity, speakers emphasized open data, information exchange, data ownership and control (the <a href="http://editors.cis-india.org/internet-governance/blog/ecj-rules-internet-search-engine-operator-responsible-for-processing-personal-data-published-by-third-parties">right to be forgotten</a>), but did not openly address surveillance. Indeed, Simon Muller of Facebook called upon governments to publish their own transparency reports: A laudable suggestion, even accounting for Facebook’s own undetailed and truncated reports.</p>
<p style="text-align: justify; ">In a nutshell, the post-2015 Development Agenda dialogues repeatedly emphasized the importance of ICTs in global connectivity, and their impact on GDP growth and socio-cultural change and progress. The focus was on taking this message to the UN General Assembly, engaging all stakeholders and creating an achievable set of action lines post-2015.</p>
<h3 style="text-align: justify; ">The Forum Track:</h3>
<p><img src="http://editors.cis-india.org/internet-governance/blog/copy_of_ForumTrack.jpg/@@images/dfcce68a-18d7-4f1e-897b-7208bb60abc9.jpeg" alt="Forum Track" class="image-inline" title="Forum Track" /></p>
<p><i>Participants at the UNESCO session on its Comprehensive Study on Internet-related Issues</i> (<a class="external-link" href="https://twitter.com/leakaspar/status/476690921644646400/photo/1">Source</a>)</p>
<p style="text-align: justify; ">The HLE was organized as an extended version of the WSIS Forum, which hosts thematic workshops and networking opportunities, much like any other conference. Running in parallel sessions over 5 days, the WSIS Forum hosted sessions by the ITU, UNESCO, UNDP, ICANN, ISOC, APIG, etc., on issues as diverse as the WSIS Action Lines, the future of Internet governance, the successes and failures of <a href="http://www.internetgovernance.org/2012/12/18/itu-phobia-why-wcit-was-derailed/">WCIT-2012</a>, UNESCO’s <a href="http://www.unesco.org/new/internetstudy">Comprehensive Study on Internet-related Issues</a>, spam and a taxonomy of Internet governance.<span> </span></p>
<p style="text-align: justify; ">Detailed explanation of each session I attended is beyond the scope of this report, so I will limit myself to the interesting issues raised.<span> </span></p>
<p style="text-align: justify; ">At ICANN’s session on its own future (June 9), Ms. Marilyn Cade emphasized the <strong><span style="text-decoration: underline;">importance of national and regional IGFs</span></strong> for both issue-awareness and capacity-building. Mr. Nigel Hickson spoke of engagement at multiple Internet governance fora: “<i>Internet governance is not shaped by individual events</i>”. In light of <a href="http://www.internetgovernance.org/2014/04/16/icann-anything-that-doesnt-give-iana-to-me-is-out-of-scope/">criticism</a> of ICANN’s apparent monopoly over IANA stewardship transition, this has been ICANN’s continual <a href="https://www.icann.org/resources/pages/process-next-steps-2014-06-06-en">response</a> (often repeated at the HLE itself). Also widely discussed was the <strong><span style="text-decoration: underline;">role of stakeholders in Internet governance</span></strong>, given the delineation of roles and responsibilities in the Tunis Agenda, and governments’ preference for policy-monopoly (At WSIS+10, Indian Ambassador Dilip Sinha seemed wistful that multilateralism is a “<i>distant dream</i>”).<span> </span></p>
<p style="text-align: justify; ">This discussion bore greater fruit in a session on Internet governance ‘taxonomy’. The session saw <a href="https://www.icann.org/profiles/george-sadowsky">Mr. George Sadowsky</a>, <a href="http://www.diplomacy.edu/courses/faculty/kurbalija">Dr. Jovan Kurbalija</a>, <a href="http://www.williamdrake.org/">Mr. William Drake</a> and <a href="http://www.itu.int/wsis/implementation/2014/forum/agenda/session_docs/170/ThoughtsOnIG.pdf">Mr. Eliot Lear</a> (there is surprisingly no official profile-page on Mr. Lear) expound on dense structures of Internet governance, involving multiple methods of classification of Internet infrastructure, CIRs, public policy issues, etc. across a spectrum of ‘baskets’ – socio-cultural, economic, legal, technical. Such studies, though each attempting clarity in Internet governance studies, indicate that the closer you get to IG, the more diverse and interconnected the eco-system gets. David Souter’s diagrams almost capture the flux of dynamic debate in this area (please see pages 9 and 22 of <a href="http://www.internetsociety.org/sites/default/files/ISOC%20framework%20for%20IG%20assessments%20-%20D%20Souter%20-%20final_0.pdf">this ISOC study</a>).</p>
<p style="text-align: justify; ">There were, for most part, insightful interventions from session participants. Mr. Sadowsky questioned the effectiveness of the Tunis Agenda delineation of stakeholder-roles, while Mr. Lear pleaded that techies be let to do their jobs without interference. <a href="http://internetdemocracy.in/">Ms. Anja Kovacs</a> raised pertinent concerns about <strong><span style="text-decoration: underline;">including voiceless minorities in a ‘rough consensus’ model</span></strong>. Across sessions, <strong><span style="text-decoration: underline;">questions of mass surveillance, privacy and data ownership rose</span></strong> from participants. The protection of human rights on the Internet – especially freedom of expression and privacy – made continual appearance, across issues like spam (<a href="http://www.itu.int/ITU-D/CDS/sg/rgqlist.asp?lg=1&sp=2010&rgq=D10-RGQ22.1.1&stg=1">Question 22-1/1</a> of ITU-D Study Group 1) and cybersecurity.</p>
<h3 style="text-align: justify; ">Conclusion:</h3>
<p style="text-align: justify; ">The HLE was widely attended by participants across WSIS stakeholder-groups. At the event, a great many relevant questions such as the future of ICTs, inclusions in the post-2015 Development Agenda, the value of muti-stakeholder models, and human rights such as free speech and privacy were raised across the board. Not only were these raised, but cognizance was taken of them by Ministers, members of the ITU and other collaborative UN bodies, private sector entities such as ICANN, technical community such as the ISOC and IETF, as well as (obviously) civil society.<span> </span></p>
<p style="text-align: justify; ">Substantively, the HLE did not address mass surveillance and privacy, nor of expanding roles of WSIS stakeholders and beyond. Processually, the MPP failed to reach consensus on several issues comfortably, and a compromise had to be brokered.</p>
<p style="text-align: justify; "><span>But perhaps a big change at the HLE was the positive attitude to multi-stakeholder models from many quarters, not least the ITU Secretary General Dr. Hamadoun Touré. His repeated calls for acceptance of multi-stakeholderism left many members of civil society surprised and tentatively pleased. Going forward, it will be interesting to track the ITU and the rest of UN’s (and of course, member states’) stances on multi-stakeholderism at the ITU Plenipot, the WSIS+10 Review and the UN General Assembly session, at the least.</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/wsis-10-high-level-event-a-birds-eye-report'>http://editors.cis-india.org/internet-governance/blog/wsis-10-high-level-event-a-birds-eye-report</a>
</p>
No publishergeethaWSIS+10PrivacyCybersecurityHuman Rights OnlineSurveillanceFreedom of Speech and ExpressionInternet GovernanceFacebookData ProtectionMulti-stakeholderICANNInternet AccessITUInternet StudiesE-GovernanceICT2014-06-20T15:57:32ZBlog EntryUnpacking Data Protection Law: A Visual Representation
http://editors.cis-india.org/internet-governance/blog/unpacking-data-protection-law-a-visual-representation
<b>This visual explainer unpacking data protection law was developed by Amber Sinha (research) and Pooja Saxena (design), and published as part of the Data Privacy Week celebrations on the Privacy International blog. Join the conversation on Twitter using #dataprivacyweek.</b>
<p> </p>
<h4>Cross-posted from <a href="https://medium.com/@privacyint/unpacking-data-protection-300e51c5f9b5" target="_blank">Privacy International blog</a>.</h4>
<h4>Credits: Flag illustrations, when not created by the authors, are from <a href="http://www.freepik.com/" target="_blank">Ibrandify / Freepik</a>.</h4>
<hr />
<img src="https://github.com/cis-india/website/blob/master/img/AS-PS_UnpackingDataProtectionLaw_2018_01.png?raw=true" alt="Data protection law systems are usually seen as a dichotomy between the United State of America and the European Union" width="80%" />
<img src="https://github.com/cis-india/website/blob/master/img/AS-PS_UnpackingDataProtectionLaw_2018_02.png?raw=true" alt="This dichotomy is not an accurate representation of the issue. Today, close to a hundred countries follow the omnibus approach, while less than a dozen, including the US, use the sectoral approach." width="80%" />
<img src="https://github.com/cis-india/website/blob/master/img/AS-PS_UnpackingDataProtectionLaw_2018_03.gif?raw=true" alt="If too many laws apply to the same actor, compliance becomes difficult. As a result, the sectoral approach to data protection is becoming less relevant." width="80%" />
<img src="https://github.com/cis-india/website/blob/master/img/AS-PS_UnpackingDataProtectionLaw_2018_04.png?raw=true" alt="Data protection regulation involve interaction between regulators and industry." width="80%" />
<img src="https://github.com/cis-india/website/blob/master/img/AS-PS_UnpackingDataProtectionLaw_2018_05.gif?raw=true" alt="To be an effective data protection regulator, an entire range of regulatory tools are required, which the regulator can use to reward, support and sanction." width="80%" />
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/unpacking-data-protection-law-a-visual-representation'>http://editors.cis-india.org/internet-governance/blog/unpacking-data-protection-law-a-visual-representation</a>
</p>
No publisheramberData GovernanceInternet GovernanceData ProtectionPrivacy2018-02-15T13:22:00ZBlog EntryUnpacking Algorithmic Infrastructures: Mapping the Data Supply Chain in the Healthcare Industry in India
http://editors.cis-india.org/raw/unpacking-algorithmic-infrastructures
<b>The Unpacking Algorithmic Infrastructures project, supported by a grant from the Notre Dame-IBM Tech Ethics Lab, aims to study the Al data supply chain infrastructure in healthcare in India, and aims to critically analyse auditing frameworks that are utilised to develop and deploy AI systems in healthcare. It will map the prevalence of Al auditing practices within the sector to arrive at an understanding of frameworks that may be developed to check for ethical considerations - such as algorithmic bias and harm within healthcare systems, especially against marginalised and vulnerable populations. </b>
<p style="text-align: justify; ">There has been an increased interest in health data in India over the recent years, where health data policies encourage sharing of data with different entities, at the same time, there has been a growing interest in deployment of Al in healthcare from startups, hospitals, as well as multinational technology companies.</p>
<p style="text-align: justify; ">Given the invisibility of algorithmic infrastructures that underlie the digital economy and the important decisions these technologies can make about patients' health, it's important to look at how these systems are developed, how data flows within them, how these systems are tested and verified and what ethical considerations inform their deployment.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/ResearchersWork.png/@@images/00a848c7-b7f7-41b4-8bd9-45f2928fd44e.png" alt="Researchers at Work" class="image-inline" title="Researchers at Work" /></p>
<p style="text-align: justify; "><strong>The </strong><strong>Unpacking Algorithmic Infrastructures</strong> project, supported by a grant from the Notre Dame-IBM Tech Ethics Lab, aims to study the Al data supply chain infrastructure in healthcare in India, and aims to critically analyse auditing frameworks that are utilised to develop and deploy AI systems in healthcare. It will map the prevalence of Al auditing practices within the sector to arrive at an understanding of frameworks that may be developed to check for ethical considerations - such as algorithmic bias and harm within healthcare systems, especially against marginalised and vulnerable populations.</p>
<h3 style="text-align: justify; ">Research Questions</h3>
<ol>
<li style="text-align: justify; ">To what extent organisations take ethical principles into account when developing AI , managing the training and testing dataset, and while deploying the AI in the healthcare sector.</li>
<li style="text-align: justify; ">What best practices for auditing can be put in place based on our critical understanding of AI data supply chains and auditing frameworks being employed in the healthcare sector.</li>
<li style="text-align: justify; ">What is a possible auditing framework that is best suited to organisations in the majority world.</li>
</ol>
<h3>Research Design and Methods</h3>
<p>For this study, we will use a comprehensive mixed methods approach. We will survey professionals working towards designing, developing and deploying AI systems for healthcare in India, across technology and healthcare organizations. We will also undertake in-depth interviews with experts who are part of key stakeholder groups.</p>
<p>We hereby invite researchers, technologists, healthcare professionals, and others working at the intersection of Artificial Intelligence and Healthcare to speak to us and help us inform the study. You may contact Shweta Monhandas at <a href="mailto:shweta@cis-india.org">shweta@cis-india.org</a></p>
<ol> </ol>
<hr />
<p>Research Team: Amrita Sengupta, Chetna V. M., Pallavi Bedi, Puthiya Purayil Sneha, Shweta Mohandas and Yatharth.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/raw/unpacking-algorithmic-infrastructures'>http://editors.cis-india.org/raw/unpacking-algorithmic-infrastructures</a>
</p>
No publisherAmrita Sengupta, Chetna V. M., Pallavi Bedi, Puthiya Purayil Sneha, Shweta Mohandas and YatharthHealth TechRAW BlogResearchData ProtectionHealthcareResearchers at WorkArtificial Intelligence2024-01-05T02:38:22ZBlog EntryTrans Pacific Partnership and Digital 2 Dozen: Implications for Data Protection and Digital Privacy
http://editors.cis-india.org/internet-governance/blog/tpp-and-d2-implications-for-data-protection-and-digital-privacy
<b>In this essay, Shubhangi Heda explores the concerns related to data protection and digital privacy under the Trans Pacific Partnership (TPP) agreement signed recently between United States of America and eleven countries located around the pacific ocean region, across South America, Australia, and Asia. TPP is a free trade agreement (FTA) that emphasises, among other things, the need for liberalising global digital economy. The essay also analyses the critical document titled ‘Digital 2 Dozen’ (D2D), which compiles the key action items within TPP addressing liberalisation of digital economy, and sets up the relevant goals for the member nations.</b>
<p> </p>
<p>1. <strong><a href="#1">Introduction</a></strong></p>
<p>2. <strong><a href="#2">Analysis of TPP and D2D</a></strong></p>
<p>2.1. <strong><a href="#2-1">Trans Pacific Partnership (TPP)</a></strong></p>
<p>2.2. <strong><a href="#2-2">Digital 2 Dozen (D2D)</a></strong></p>
<p>3. <strong><a href="#3">Major Criticisms of the Digital Agenda of TPP</a></strong></p>
<p>3.1. <strong><a href="#3-1">Data Protection</a></strong></p>
<p>3.2. <strong><a href="#3-2">Digital Privacy</a></strong></p>
<p>4. <strong><a href="#4">Implications of TPP for RCEP</a></strong></p>
<p>5. <strong><a href="#5">Implications of TPP in the Context of EU Safe Harbour Judgement</a></strong></p>
<p>6. <strong><a href="#6">Implications of TPP for India after US-India Cyber Relationship Agreement</a></strong></p>
<p>7. <strong><a href="#7">Conclusion</a></strong></p>
<p>8. <strong><a href="#8">Endnotes</a></strong></p>
<p>9. <strong><a href="#9">Author Profile</a></strong></p>
<hr />
<h2 id="1">1. Introduction</h2>
<p>This essay explores the concerns related to data protection and digital privacy under the Trans Pacific Partnership (TPP) agreement signed recently between United States of America and eleven countries located around the pacific ocean region, across South America, Australia, and Asia <strong>[1]</strong>. TPP is a free trade agreement (FTA) that emphasises, among other things, the need for liberalising global digital economy. The essay also analyses the critical document titled ‘Digital 2 Dozen’ (D2D), which compiles the key action items within TPP addressing liberalisation of digital economy, and sets up the relevant goals for the member nations. TPP requires the member countries to facilitate unhindered digital data flow across nations, for commercial and governmental purposes, which evidently have major implications for national and regional data protection and privacy regimes. These implications must also be seen in the context the recent judgement by the EU Court of Justice against the validity of the EU-USA data transfer agreement of 2000. Further, the essay discusses the potential impacts that TPP/D2D might have on India, in the context of the ongoing USA-India Cyber Relationship dialogue. If the privacy concerns are not raised right now TPP might act as a model framework for future FTAs which will fail to encompass proper data protection and digital privacy regime within it.</p>
<h2 id="2">2. Analysis of TPP and D2D</h2>
<h3 id="2-1">2.1. Trans Pacific Partnership (TPP)</h3>
<p>Trans Pacific Partnership (TPP) is a large multi-partner free trade agreement amongst twelve Asia-Pacific countries, which is closely led by geo-political and economic strategies of the USA. Countries started the negotiation of TPP in 2008 when USA joined Pacific Four (P-4) negotiations and in 2015 negotiations of TPP was concluded and text was released. Ministers from the member countries signed the agreement on February 4, 2016 <strong>[2]</strong>. The main aim of TPP is to liberalise trade and investment beyond what is provided for within the WTO. It is also considered to be a strategic move by the US to counter the trade linkages that are being established in the Asian region. TPP largely covers topics of market access, and rules on various related issues such as intellectual property rights, labour laws, and environment standards <strong>[3]</strong>.</p>
<p>Between 1992 -2012 there has been an upsurge in bilateral trade agreements being signed in Asia from 25 to 103 and the effect of these FTAs is called the ‘noodle bowl effect’. TPP is seen as framework which will replace these FTAs which are causing the ‘noodle bowl effect’.While these FTAs are being replaced but with TPP being signed there are various bilateral arrangements signed along with TPP. USA has also stated that TPP will not affect the already existing NAFTA <strong>[4]</strong>. While TPP is being concluded there is another free trade agreement being negotiated between USA and EU , which is Trans Trade and Investment Partnership (TTIP). Both TPP and TTIP and are considered to be serving similar objective which is to deal with new and modern trade issues. Also both the agreements are US led and since negotiation for TPP are now finalised it may have a significant impact on TTIP <strong>[5]</strong>.</p>
<p>TPP is one of the first document which deals specifically with digital economy and applies across borders. The main aims of TPP are to promote free flow of data across borders without data localisation. It aims to remove national clouts and regional internets. It also includes provisions to combat theft of trade secrets. It allows you to create transparent regulatory process with inputs from various stakeholders. It also aims to provide access to tools and procedures for conduct of e-commerce <strong>[6]</strong>.</p>
<p>Some of the major criticism to TPP were regarding the issues related to <strong>[7]</strong>:</p>
<ul><li>environment, wherein it does not address the issue of climate change and the language used in the agreement is very weak;</li>
<li>labour rights provision mandates parties to adhere to the ILO provision but it does not seem to provide for effective framework and might not bring the desired change;</li>
<li>investment chapter is seen to be controversial because of the investor state dispute settlement clause which will allow foreign investor to sue government over policies that might cause harm to them;</li>
<li>e-commerce and telecommunication chapter raises major privacy concerns;</li>
<li>intellectual property chapter wherein it includes controversial rules regarding pharmaceutical companies and data exclusivity apart from the privacy concerns.</li></ul>
<h3 id="2-2">2.2 Digital 2 Dozen (D2D)</h3>
<p>D2D is set of rules and aims which is specifically drafted to be followed for the trade agreements related to open internet and digital economy. More specific aims of TPP as provided within the ‘Digital 2 Dozen,’ aiming for more liberalised trade in digital goods and services, are <strong>[8]</strong>:</p>
<ul><li>promoting free and open internet,</li>
<li>prohibiting digital custom duties,</li>
<li>securing basic non-discrimination principles,</li>
<li>enabling cross-border data flows,</li>
<li>preventing localization barriers,</li>
<li>barring forced technology transfers,</li>
<li>advancing innovative authentication methods,</li>
<li>delivering enforceable consumer protections,</li>
<li>safeguarding network competition,</li>
<li>fostering innovative encryption products, and</li>
<li>building an adaptable framework.</li></ul>
<p>Strategic goal of the US in introducing D2D as goals of TPP has been to set up a trend within Asian region for all the trade agreements. It is expected to ensure that if TPP is a success, similar goals and policy frameworks will be followed for other trade agreements as we. For example, the USA-India partnership also enshrines similar aims and so does the USA-Korea partnership. Hence while India is not part of TPP, USA is nonetheless trying to get India into a partnership which is similar to the TPP. The language proposed by the USA in TPP negotiations has always been supportive for cross border data flows as it claims that companies have mechanism to keep a privacy check and privacy would not be undermined, but countries like New Zealand and Australia which have strong privacy protection laws nationally have raised concerns which will be discussed in further sections <strong>[9]</strong>. Also not only in privacy rights but Digital Dozen initiative also affects other digital rights related to - excessive copyright terms TPP proposed to extend the term of copyright to hundred years which deprive access to knowledge; as in the U.S motive to give more power to private entities , the ISP obligations enumerated within TPP which puts freedom of expression and privacy at risk as ISPs are allowed to check for copyright infringement and TPP does not put any privacy restriction in this regard; introduction of new fair use rules; ban on circumvention of digital locks or DRMs; no compulsory limitation for persons with disabilities; lack of fair use for journalistic right; while net neutrality is major issue is many developing nations in Asia no effective provision for net neutrality is aimed at in the D2D initiative; prohibits open source mandates which puts barrier for countries which want to release any software as open source as a policy decision <strong>[10]</strong>.</p>
<h2 id="3">3. Major Issues Related to Data Protection and Privacy in the TPP</h2>
<h3 id="3-1">3.1. Data Protection</h3>
<p>One of the major concern raised against TPP is regarding data protection provisions that have been integrated within the E- Commerce chapter of the agreement. Article 14.11 and Article 14 .13 are the ones that deal with data flow related to consumer information.Article 14.11 in the agreement puts a requirement on the member states to allow transfer of data across border and Article 14.13 does not allow the companies to host data on local servers. Concerns were raised in few member states for instance, Australian Privacy Foundation raised concerns over Article 14.11 which requires transfers to be allowed in context of business activities of service suppliers. It claimed that exception to this provision is very narrow and the repercussion for not following the exception is that investor state dispute settlement proceedings can be initiated, which is not sufficient to protect privacy. Also, it highlighted the issue that with the narrow exception provided under Article 14.13 which relates to prohibition on data localisation, it might have adverse effect on the implementation of national privacy laws within Australia <strong>[11]</strong>.</p>
<p>Another provision which is of major concern is Article 14.13 which prohibit data localisation. It will raise problems for countries like Indonesia and China which will have to change their local laws to implement the provision <strong>[12]</strong>. Since there already has been a major concern with regard to USA- EU Safe Harbour Agreement which was later made subject to the ECJ’s ruling on data protection, which invalidated any arrangement which provides voluntary enterprises responsibility to enforce privacy. But both the USA and EU are in process of renegotiating the agreement.The major concern was that in EU data protection is a fundamental right while in USA data protection is more consumer centric. When similar concerns were raised in TPP negotiations, they were rebutted as USA claimed that FTA does not concern itself with data protection <strong>[13]</strong>.</p>
<p>In 2012 Australia proposed an alternative language to TPP which allowed countries to place restriction on data flow as long as it was not a barrier to trade. U.S responded to concerns raised by the Australia through a side letter which ensured Australia that U.S and Australia have a mutual understanding in relation to privacy and U.S will ensure the privacy of data with regards to Australia. While Australia’s concern was given acknowledgement other countries which raised similar issues were not given any assurances <strong>[14]</strong>. US instead proposed ad- hoc strategy that gave private companies power to form privacy policy with implementation through state machinery <strong>[15]</strong>.</p>
<h3 id="3-2">3.2. Digital Privacy</h3>
<p>Article 14.8 in the E- Commerce chapter of the agreement states that countries can form legal framework for the protection of rights but the kind of ‘legal framework’ is not defined. Also, nowhere it states that the privacy protection or data protection laws are expressly exempted, rather it states that any such policy implemented by member states will be put under review of TPP standards. The standards which TPP proposes to follow are based on the underlying idea that any such policy should not hinder free trade in any way. This test will be applied by tribunals which are experts in trade and investment and not on data protection or human rights <strong>[16]</strong>. While Article 14.8 provides for protection of private information of consumers but the footnote to the provision renders it ineffective. The footnote states that member countries can adopt legal framework for the protection of data which can be done by self-regulation by industry and does not provide for any comprehensive data protection obligation upon the member states <strong>[17]</strong>. Similar to this Article 13.4 of the telecommunications chapter under TPP also states that the countries can apply regulation regarding confidentiality of the messages as long as it is not “a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade in services" <strong>[18]</strong>.</p>
<p>Another chapter which raises major concerns about the privacy rights is intellectual property. It affects privacy through the provisions related to technological protective measures and the provision that regulate ISP’s liability. Regarding the TPM provision, the TPP follows the DMCA model whereby the exception to anti- circumvention provision is very narrow and does not apply to anti- trafficking provision. The exception allows user to circumvent TPM if it affect the user's privacy in any way, although this provision does not apply to ant- trafficking of TPM. The provision regarding ISP’s liability states that there should be cooperation between ISPs and rights holders and it does not prohibit ISPs to monitor its users. Also TPP proposes the notice for takedown and identification of the infringer by the ISP but this provision is not in consonance with laws of member states, like that of Peru which does not have any copyright law on ISP . Also many countries have tried to introduce proper privacy laws along with implementation of ISP liability but that is not done within the TPP <strong>[19]</strong>. TPP as whole aims to give greater power to private regulators without providing for minimum standard for protection of privacy.</p>
<p>Although TPP is not a data protection agreement but it consequently deals with various aspects of data protection, hence it is prospective model for privacy and data protection practices in future trade agreements. If positive obligations are included within the free trade agreements it will have an advancing impact on the data protection regime.</p>
<h2 id="4">4.Implications of TPP for RCEP</h2>
<p>While TPP has such lacunas similar provision are proposed in RCEP to which India is a party and which will have serious implication as many of the countries have inadequate data protection laws nationally and with the introduction of such an FTA the exploitation of privacy rights will be rampant <strong>[20]</strong>. To avoid this EU directive on data protection should be taken into consideration in the negotiations of such FTAs. But for the RCEP negotiations are still going on and in India many companies like Flipkart, Snapdeal etc. have started preparing for the changing norms. The government claims that it is going to accept best practices in the region which indicates that it is going to have same policies as that of TPP. Although people from industry have raised concerns that while there are national laws but it is difficult to check third party involvement within the business and it is becoming increasingly difficult to keep the consumer data confidential <strong>[21]</strong>.</p>
<h2 id="5">5. Implications of TPP in the Context of EU Safe-Harbour Judgement</h2>
<p>Mr. Maximillian Schrems, an Austrian National residing in Austria, has been a user of the Facebook social network since 2008. Any person residing in EU who wishes to use Facebook is required to conclude, at the time of his registration, a contract with Facebook Ireland (a subsidiary of Facebook Inc. which itself is established in Unites States). Some or all of the personal data of the Facebook Ireland’s users who residing in EU is transferred to servers belonging to Facebook Inc. that are located in United States, where it undergoes processing. On 25 June 2013 Mr Schrems made a complaint to the commissioner by which he in essence asked the latter to exercise his statutory powers by prohibiting Facebook Ireland from transferring his personal data to Unites States, and this led to the <em>Maximillian Schrems v Data Protection Commissioner</em> case <strong>[22]</strong>. He contended that in his complaint that the law and practice in force in that country did not ensure adequate protection of the personal data held in its territory against the surveillance activities that were engaged in thereby by the public authorities. Mr Schrems referred in this regard to the revelations made by Edward Snowden concerning the activities of the United States intelligence services, in particular those of the NSA.(para 26, 27, 28). The case came in the court ruled that “that a third country which ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of the EU 94/46 directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection. The ruling implies that personal data cannot be transferred to third country which does not provide adequate level of protection.</p>
<p>EU safe harbour judgment and EU directive on privacy provide contrasting rules related to privacy. While TPP gives power to private entities to formulate rules regarding privacy while the recent ECJ judgment invalidated giving such power to private entities under EU-US Safe Harbour Agreement. Also in context of the same judgment Hamburg’s Commissioner for Data Privacy And Freedom of Information announced an investigation into the data transfer taking place through Facebook and Google to U.S. Hence in the light of the recent judgment member states within EU are not allowed to permit cross border data flow, in contrast to this one of the main goals of TPP is to maintain free flow of data across border <strong>[23]</strong>. EU is this regard has also set forth the proposal to introduce General Data Protection Regulation. (GDPR). Although U.S and EU are trying to renegotiate the agreement but the privacy concerns raised cannot be ignored. Hence following the same model as was invalidate under the ECJ judgment lets US exploit privacy of member states under TPP. Similar concerns as raised within the judgment are also raised in India as it also following the same model within U.S-India Cyber Relationship Agreement and in RCEP negotiations.</p>
<h2 id="6">6. Implications of TPP in the context of USA-India Cyber Relationship</h2>
<p>While India is not part of TPP but it might have an effect on the U.S India Cyber Relationship Agreement. In August 2015 there was re- initiation of the India-U.S cyber dialogue to address common concerns related to cybersecurity and to develop better partnerships between public and private sector for betterment of digital economy <strong>[24]</strong>. One of the key aim of this agreement is free flow of information between two nations, which suffers from similar problem that it will put privacy of the citizens at risk. Also India does not have any bilateral treaty which ensures cyber data protection in such a scenario the only solution is data localisation, but this agreement will put data at risk <strong>[25]</strong>. Hence while the TPP negotiations were going on and also RCEP is being discussed the concerns about privacy and data protection need to be raised as mention in earlier section regarding implications of TPP on RCEP, the USA-India Cyber Relationship also faces the same implications..Although the aim of USA-India Cyber Relationship is to ensure cybersecurity. After the cases of Muzaffarnagar riots, upheaval in North -Eastern states and Gujarat riots, India has realised it is important to ensure compliance from the social media companies. India sees the USA-India Cyber Relationship as an opportunity to achieve this goal. The Google Transparency Report states that that India made around three thousand requests to Google for user data <strong>[26]</strong>, which indicate at the country's interest in having a common data understanding with the major social media companies (almost all of which are located in USA) about requesting and sharing of user activity data. While this concern is being addressed through the agreement, it is difficult to ignore the clause related to free flow of information, and if the meaning of the term is extended and adopted from TPP itself will put digital privacy of Indian citizens at risk <strong>[27]</strong>.</p>
<h2 id="7">7. Conclusion</h2>
<p>Even though TPP negotiation are completed but the ratification of the agreement is still underway. TPP is being seen as one of a kind trade agreement because it is the first time that countries across the globe have come together as a whole to address concerns of modern trade. Although it fails to address some of the key concerns related to privacy and data protection which are becoming increasingly important. Data protection and privacy issues cannot be seen in isolation and needs to merged within the modern day trade agreements. The D2D component by the USA is strategic move to have trade dominance in Asia and to compete with China’s growth . TPP has privacy and data protection lacunae within the e- commerce , telecommunications and intellectual property discussion.Although it might have serious implications on RCEP negotiation and USA- India Cyber Relationship Dialogue. Similar concern regarding data protection has already been addressed by ECJ judgment invalidating USA-EU Safe Harbour Agreement but the similar ad - hoc strategy has been incorporated within TPP. Since TPP might be considered as best practice model for future FTAs in the Asian region it is important to raise and address these privacy concerns now.</p>
<h2 id="8">8. Endnotes</h2>
<p><strong>[1]</strong> The signatory countries include Australia, Canada, Japan, Malaysia, Mexico, Peru, United States of America, Vietnam, Chile, Brunei, Singapore, New Zealand. "The Trans-Pacific Partnership,"
<a href="http://www.ustr.gov/tpp">http://www.ustr.gov/tpp</a> (last visited Jul 7, 2016).</p>
<p><strong>[2]</strong> "The Origins and Evolution of the Trans-Pacific Partnership (TPP)," Global Research, <a href="http://www.globalresearch.ca/the-origins-and-evolution-of-the-trans-pacific-partnership-tpp/5357495">http://www.globalresearch.ca/the-origins-and-evolution-of-the-trans-pacific-partnership-tpp/5357495</a> (last visited Jul 7, 2016).</p>
<p><strong>[3]</strong> Fergusson, Ian F., Mark A. McMinimy & Brock R. Williams, "The Trans-Pacific Partnership (TPP): In Brief," (2015), <a href="http://digitalcommons.ilr.cornell.edu/key_workplace/1477/">http://digitalcommons.ilr.cornell.edu/key_workplace/1477/</a> (last visited Jul 1, 2016).</p>
<p><strong>[4]</strong> Gajdos, Lukas, <em>The Trans-Pacific Partnership and its impact on EU trade</em>, Policy Department, Directorate-General for External Policies, Policy Briefing (2013), <a href="http://www.europarl.europa.eu/RegData/etudes/briefing_note/join/2013/491479/EXPO-INTA_SP(2013)491479_EN.pdf">http://www.europarl.europa.eu/RegData/etudes/briefing_note/join/2013/491479/EXPO-INTA_SP(2013)491479_EN.pdf</a>.</p>
<p><strong>[5]</strong> Twining, Daniel, Hans Kundnani & Peter Sparding, <em>Trans-Pacific Partnership: geopolitical implications for EU-US relations</em>, Policy Department, Directorate-General for External Policies, June 24 (2016), <a href="http://www.europarl.europa.eu/RegData/etudes/STUD/2016/535008/EXPO_STU(2016)535008_EN.pdf">http://www.europarl.europa.eu/RegData/etudes/STUD/2016/535008/EXPO_STU(2016)535008_EN.pdf</a>.</p>
<p><strong>[6]</strong> USTR, "Remarks by Deputy U.S. Trade Representative Robert Holleyman to the New Democrat Network," <a href="https://ustr.gov/about-us/policy-offices/press-office/speechestranscripts/2015/may/remarks-deputy-us-trade">https://ustr.gov/about-us/policy-offices/press-office/speechestranscripts/2015/may/remarks-deputy-us-trade</a> (last visited Jul 4, 2016).</p>
<p><strong>[7]</strong> Murphy, Katharine, "Trans-Pacific Partnership: four key issues to watch out for," The Guardian, November 6, 2015, <a href="https://www.theguardian.com/business/2015/nov/06/trans-pacific-partnership-four-key-issues-to-watch-out-for">https://www.theguardian.com/business/2015/nov/06/trans-pacific-partnership-four-key-issues-to-watch-out-for</a> (last visited Jul 7, 2016).</p>
<p><strong>[8]</strong> USTR, "The Digital 2 Dozen" (2016), <a href="https://ustr.gov/sites/default/files/Digital-2-Dozen-Final.pdf">https://ustr.gov/sites/default/files/Digital-2-Dozen-Final.pdf</a> (last visited Jul 1, 2016).</p>
<p><strong>[9]</strong> Fergusson, Ian F.m Mark A. McMinimy & Brock R. Williams, "The Trans-Pacific Partnership (TPP) negotiations and issues for congress," (2015), <a href="http://digitalcommons.ilr.cornell.edu/key_workplace/1412/">http://digitalcommons.ilr.cornell.edu/key_workplace/1412/</a> (last visited Jul 8, 2016).</p>
<p><strong>[10]</strong> "How the TPP Will Affect You and Your Digital Rights," Electronic Frontier Foundation (2015), <a href="https://www.eff.org/deeplinks/2015/12/how-tpp-will-affect-you-and-your-digital-rights">https://www.eff.org/deeplinks/2015/12/how-tpp-will-affect-you-and-your-digital-rights</a> (last visited Jul 7, 2016).</p>
<p><strong>[11]</strong> Australian Privacy Foundation (APF), <em>Trans Pacific Partnership Agreement</em> (2016), <a href="https://www.privacy.org.au/Papers/Parlt-TPP-160310.pdf">https://www.privacy.org.au/Papers/Parlt-TPP-160310.pdf</a>.</p>
<p><strong>[12]</strong> Greenleaf, Graham, "The TPP & Other Free Trade Agreements: Faustian Bargains for Privacy?," SSRN (2016), <a href="http://papers.ssrn.com/sol3/Papers.cfm?abstract_id=2732386">http://papers.ssrn.com/sol3/Papers.cfm?abstract_id=2732386</a> (last visited Jul 1, 2016).</p>
<p><strong>[13]</strong> "GED-Project: Transatlantic Data Flows and Data Protection," GED Blog (2015), <a href="https://ged-project.de/topics/competitiveness/transatlantic-data-flows-and-data-protection-the-state-of-the-debate/">https://ged-project.de/topics/competitiveness/transatlantic-data-flows-and-data-protection-the-state-of-the-debate/</a> (last visited Jul 1, 2016).</p>
<p><strong>[14]</strong> Geist, Michael, "The Trouble with the TPP, Day 14: No U.S. Assurances for Canada on Privacy," (2016), <a href="http://www.michaelgeist.ca/2016/01/the-trouble-with-the-tpp-day-14-no-u-s-assurances-for-canada-on-privacy/">http://www.michaelgeist.ca/2016/01/the-trouble-with-the-tpp-day-14-no-u-s-assurances-for-canada-on-privacy/</a> (last visited Jul 4, 2016).</p>
<p><strong>[15]</strong> Aaronson, Susan Ariel, "What does TPP mean for the Open Internet?" From <em>Policy Brief on Trade Agreements and Internet Governance Prepared for the Global Commission on Internet Governance</em> (2015), <a href="https://www.gwu.edu/~iiep/events/DigitalTrade2016/TPPPolicyBrief.pdf">https://www.gwu.edu/~iiep/events/DigitalTrade2016/TPPPolicyBrief.pdf</a> (last visited Jul 5, 2016).</p>
<p><strong>[16]</strong> Lomas, Natasha, "TPP Trade Agreement Slammed For Eroding Online Rights," TechCrunch, <a href="http://social.techcrunch.com/2015/11/05/tpp-vs-privacy/">http://social.techcrunch.com/2015/11/05/tpp-vs-privacy/</a> (last visited Jun 30, 2016).</p>
<p><strong>[17]</strong> "Q&A: The Trans-Pacific Partnership," Human Rights Watch (2016), <a href="https://www.hrw.org/news/2016/01/12/qa-trans-pacific-partnership">https://www.hrw.org/news/2016/01/12/qa-trans-pacific-partnership</a> (last visited Jul 1, 2016).</p>
<p><strong>[18]</strong> "TPP Full Text Released," People Over Politics (2015), <a href="http://peopleoverpolitics.org/2015/11/07/tpp-just-as-bad-as-you-thought/">http://peopleoverpolitics.org/2015/11/07/tpp-just-as-bad-as-you-thought/</a> (last visited Jul 7, 2016).</p>
<p><strong>[19]</strong> "Right to Privacy in Trans-Pacific Partnership (TPP ) Negotiations," Knowledge Ecology International, <a href="http://keionline.org/node/1164">http://keionline.org/node/1164</a> (last visited Jul 1, 2016).</p>
<p><strong>[20]</strong> Asian Trade Centre, "E-Commerce and Digital Trade Proposals for RCEP (2016)," <a href="http://static1.squarespace.com/static/5393d501e4b0643446abd228/t/575a654c86db438e86009fa1/1465541967821/RCEP+E-commerce+June+2016.pdf">http://static1.squarespace.com/static/5393d501e4b0643446abd228/t/575a654c86db438e86009fa1/1465541967821/RCEP+E-commerce+June+2016.pdf</a> (last visited Jul 1, 2016).</p>
<p><strong>[21]</strong> "E-commerce companies like Flipkart, Snapdeal to beef up data security to meet RCEP norms," The Economic Times, <a href="http://economictimes.indiatimes.com//articleshow/49068419.cms">http://economictimes.indiatimes.com//articleshow/49068419.cms</a> (last visited Jul 1, 2016).</p>
<p><strong>[22]</strong> ECLI:EU:C:2015:650 (C -362/14)</p>
<p><strong>[23]</strong> King et al., "Privacy law, cross-border data flows, and the Trans Pacific Partnership Agreement: what counsel need to know," Lexology, <a href="http://www.lexology.com/library/detail.aspx?g=b5c0b400-8161-4439-a4b7-131552ad5209">http://www.lexology.com/library/detail.aspx?g=b5c0b400-8161-4439-a4b7-131552ad5209</a> (last visited Jul 4, 2016).</p>
<p><strong>[24]</strong> "U.S.-India Business Council Applauds Resumption of Cybersecurity Dialogue," U.S.-India Business Council (2015), <a href="http://www.usibc.com/press-release/us-india-business-council-applauds-resumption-cybersecurity-dialogue">http://www.usibc.com/press-release/us-india-business-council-applauds-resumption-cybersecurity-dialogue</a> (last visited Jul 5, 2016).</p>
<p><strong>[25]</strong> Sukumar, Arun Mohan, "India Is Coming up Against the Limits of Its Strategic Partnership With the United States," The Wire (2016), <a href="http://thewire.in/40403/india-is-coming-up-against-the-limits-of-its-strategic-partnership-with-the-united-states/">http://thewire.in/40403/india-is-coming-up-against-the-limits-of-its-strategic-partnership-with-the-united-states/</a> (last visited Jul 4, 2016).</p>
<p><strong>[26]</strong> Countries – Google Transparency Report, <a href="https://www.google.com/transparencyreport/userdatarequests/countries/">https://www.google.com/transparencyreport/userdatarequests/countries/</a> (last visited Jul 8, 2016).</p>
<p><strong>[27]</strong> Sukumar, Arun Mohan, "A case for the Net’s Ctrl+Alt+Del," The Hindu, September 5, 2015, <a href="http://www.thehindu.com/opinion/op-ed/a-case-for-the-nets-ctrlaltdel/article7616355.ece">http://www.thehindu.com/opinion/op-ed/a-case-for-the-nets-ctrlaltdel/article7616355.ece</a> (last visited Jul 5, 2016).</p>
<h2 id="9">9. Author Profile</h2>
<p><strong>Shubhangi Heda</strong> is a Student of Jindal Global Law School, O.P Jindal Global University. She has completed her fourth year. She gives due importance to popular culture in her life and loves to read fiction and like to watch TV-shows, her favorite being 'White Collar'.</p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/tpp-and-d2-implications-for-data-protection-and-digital-privacy'>http://editors.cis-india.org/internet-governance/blog/tpp-and-d2-implications-for-data-protection-and-digital-privacy</a>
</p>
No publisherShubhangi HedaTrans Pacific PartnershipPrivacyFree Trade AgreementDigital EconomyInternet GovernanceData Protection2016-07-12T07:56:24ZBlog EntryThe Wolf in Sheep's Clothing: Demanding your Data
http://editors.cis-india.org/internet-governance/blog/the-wolf-in-sheeps-clothing-demanding-your-data
<b>The increasing digitalization of the economy and ubiquity of the Internet, coupled with developments in Artificial Intelligence (AI) and Machine Learning (ML) has given rise to transformational business models across several sectors.</b>
<p> </p>
<p>This piece was originally published in <a class="external-link" href="https://telecom.economictimes.indiatimes.com/tele-talk/the-wolf-in-sheep-s-clothing-demanding-your-data/4497">The Economic Times Telecom</a>, on 8 September, 2020.<span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"></span></p>
<p>The increasing digitalization of the economy and ubiquity of the <a href="https://telecom.economictimes.indiatimes.com/tag/internet">Internet</a>, coupled with developments in <a href="https://telecom.economictimes.indiatimes.com/tag/artificial+intelligence">Artificial Intelligence</a>
(AI) and Machine Learning (ML) has given rise to transformational
business models across several sectors. These developments have changed
the very structure of existing sectors, with a few dominant firms
straddling across many sectors. The position of these firms is
entrenched due to the large amounts of data they have, and usage of
sophisticated algorithms that deliver very targeted service/content and
their global nature.<br /><br /></p>
<p>Such data based network businesses
are generally multi-sided platforms subject to network effects and
winner takes all phenomena, often, making traditional competition
regulation inappropriate. In addition, there has been concern that such
companies hurt competition as they are owners of large amounts of data
collected globally, the very basis on which new services are predicated.
Also since users have an inertia to share their data on multiple
platforms, new companies find it very challenging to emerge. Several of
the large companies are of US origin. Several regions/countries such as
EU, UK, India are concerned that while these companies benefit from the
data of their citizens or their <a href="https://telecom.economictimes.indiatimes.com/tag/devices">devices</a>,
SMEs and other companies in their own countries find it increasingly
difficult to remain viable or achieve scale. With the objective of
supporting enterprises, including SMEs in their own countries, Europe,
UK India are in different stages of data regulation initiatives.<br /><br /></p>
<p>In India, the <a href="https://telecom.economictimes.indiatimes.com/tag/personal+data+protection">Personal Data Protection</a>
(PDP) Bill, 2019 deals with the framework for collecting, managing and
transferring of Personal Data of Indian citizens, including mandating
sharing of anonymized data of individuals and non-personal data for
better targeting of services or policy making. In addition, the Report
by the Committee of Experts (CoE) on Non Personal Data (NPD) came up
with a Framework for Regulating NPD. Since the NPD Report is a more
recent phenomenon, this articles analyzes some aspects of it.<br /><br /></p>
<p>According
to CoE, non-personal data could be of two types. First, data or
information which was never about an individual (e.g. weather data).
Second, data or information that once was related to an individual (e.g.
mobile number) but has now ceased to be identifiable due to the removal
of certain identifiers through the process of ‘anonymisation’. However,
it may be possible to recover the personal data from such anonymized
data and therefore, the distinction between personal and non-personal is
not clean. In any case, the PDP bill 2019 deals with personal data. If
the CoE felt that some aspect of personal data (including anonymized
data) were not adequately dealt with, it should work to strengthen it.
The current approach of the CoE is bound to create confusion and
overlapping jurisdiction. Since anonymized data is required to be
shared, there are disincentives to anonymization, causing greater risk
to individual privacy.<br /><br /></p>
<p>A new class of business based on a “<em>horizontal classification cutting across different industry sectors</em>” is defined. This refers to any business that derives “<em>new or additional economic value from data, by collecting, storing, processing, and managing data</em>”
based on a certain threshold of data collected/processed that will be
defined by the regulatory authority that is outlined in the report. The
CoE also recommends that “<em>Data Businesses will provide, within India, open access to meta-data and regulated access to the underlying data</em>” without any remuneration. Further, “<em>By
looking at the meta-data, potential users may identify opportunities
for combining data from multiple Data Businesses and/or governments to
develop innovative solutions, products and services. Subsequently, data
requests may be made for the detailed underlying data</em>”.<br /><br /></p>
<p>With
increasing digitalization, today almost every business is a data
business. The problem in such categorization will be with the definition
of thresholds. It is likely that even a small video sharing app or an
AR/VR app would store/collect/process/transmit more data than say a
mid-sized bank in terms of data volumes. Further, with increasing
embedding of <a href="https://telecom.economictimes.indiatimes.com/tag/iot">IoT</a>
in various aspects of our lives and businesses (smart manufacturing,
logistics, banking etc), the amount of data that is captured by even
small entities can be huge.<br /><br /></p>
<p>The private sector, driven by
profitability, identifies innovative business models, risks capital and
finds unique ways of capturing and melding different data sets. In
order to sustain economic growth, such innovation is necessary. The
private sector would also like legal protection over these aspects of
its businesses, including the unique IPR that may be embedded in the
processing of data or its business processes. But mandating such onerous
requirements on sharing by the CoE is going to kill any private
initiative. Any regulatory regime must balance between the need to
provide a secure environment for protecting data of incumbents and
making it available to SMEs/businesses.<br /><br /></p>
<p>Meta data
provides insights to the company’s databases and processes. These are
source of competitive advantage for any company. Meta data is not
without a context. The basis of demanding such disclosure is mandated
with the proposed NPD Regulator who would evaluate such a purpose. In
practice, purposes are open to interpretation and the structure of
appeal mechanism etc is going to stall any such sharing. Would such
mandates of sharing not interfere with the existing Intellectual
Property Rights? Or the freedom to contract? Any innovation could easily
be made available to a competitor that front-ends itself with a
start-up. To mandate making such data available would not be fair.
Further, how would the NPD regulator even ensure that such data is used
for the purpose (which the proposed regulator is supposed to evaluate)
that it is sought for? In Europe, where such <a href="https://telecom.economictimes.indiatimes.com/tag/data+sharing">data sharing</a>
mandates are being considered, the focus is on public data. For private
entities, the sharing is largely based on voluntary contributions.
Compulsory sharing is mandated only under restricted situations where
market failure situations are not addressed through Competition Act and
provided legitimate interest of the data holder and existing legal
provisions are taken into account.<br /><br /></p>
<p>Further, the
compliance requirements for such Data Businesses is very onerous and
makes a mockery of “minimum government” framework of the government. The
CoE recommends that all Data Businesses, whether government NGO, or
private “<em>to disclose data elements collected, stored and processed, and data-based services offered</em>”. As if this was not enough, the CoE further recommends that “<em>Every
Data Business must declare what they do and what data they collect,
process and use, in which manner, and for what purposes (like disclosure
of data elements collected, where data is stored, standards adopted to
store and secure data, nature of data processing and data services
provided). This is similar to disclosures required by pharma industry
and in food products</em>”. Such disclosures are necessary in these
industries as the companies in this sector deal with critical aspects of
human life. But are such requirements necessary for all activities and
businesses? As long as organizations collect and process data, in a
legal manner, within the sectoral regulation, why should such
information have to be “reported”? Further, such bureaucratic processes
and reporting requirements are only going to be a burden to existing
legitimate businesses and give rise to a thriving regulatory license
raj.<br /><br /></p>
<p>Further questions that arise are: How is any
compliance agency going to make sure that all the underlying metadata is
made available in a timely manner? As companies respond to a dynamic
environment, their analysis and analytical tools change and so does the
metadata. This inherent aspect of businesses raises the question: At
what point in time should companies make their meta-data available? How
will the compliance be monitored?<br /><br /></p>
<p>Conclusion: The CoE
needs to create an enabling and facilitating an environment for data
sharing. The incentives for different types of entities to participate
and contribute must be recognized. Adequate provisions for risks and
liabilities arising out data sharing need to be thought through.
National initiatives on data sharing should not create an onerous
reporting regime, as envisaged by the CoE, even if digital.<br /><br /></p>
<p class="article-disclaimer"><em>DISCLAIMER:
The views expressed are solely of the author and ETTelecom.com does not
necessarily subscribe to it. ETTelecom.com shall not be responsible for
any damage caused to any person/organisation directly or indirectly.</em></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-wolf-in-sheeps-clothing-demanding-your-data'>http://editors.cis-india.org/internet-governance/blog/the-wolf-in-sheeps-clothing-demanding-your-data</a>
</p>
No publisherRekha JainInternet GovernanceData ProtectionArtificial Intelligence2020-11-10T17:44:13ZBlog EntryThe PDP Bill 2019 Through the Lens of Privacy by Design
http://editors.cis-india.org/internet-governance/blog/the-pdp-bill-2019-through-the-lens-of-privacy-by-design
<b>This paper evaluates the PDP Bill based on the Privacy by Design approach. It examines the implications of Bill in terms of the data ecosystem it may lead to, and the visual interface design in digital platforms. This paper focuses on the notice and consent communication suggested by the Bill, and the role and accountability of design in its interpretation. </b>
<h2>Background</h2>
<div> </div>
<p>The Personal Data Protection (PDP) Bill, 2019 was introduced in the Lok Sabha on December 11, 2019 by the Minister of Electronics and Information Technology. The Bill aims to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same <a class="external-link" href="https://www.prsindia.org/billtrack/personal-data-protection-bill-2019">[1]</a>. The PDP Bill, 2019 contains several clauses that have implications on the visual design of digital products. These include the specific requirements for communication of notice and consent at various stages of the product. The Bill also introduces the Privacy by Design policy. Privacy by Design (PbD), as a concept, was proposed by Ann Cavoukian in the 1990s, with the purpose of approaching privacy from a design-thinking perspective <a class="external-link" href="https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf">[2]</a>. She describes this perspective to be holistic, interdisciplinary, integrative, and innovative. The approach suggests that privacy must be incorporated into networked data systems and technologies, by default <a class="external-link" href="https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf">[3]</a>. It challenges the practice of enhancing privacy as an afterthought. It expects privacy to be a default setting, and a proactive (not reactive) measure that would be embedded into a design in its initial stage and throughout the life cycle of the product <a class="external-link" href="https://www.smashingmagazine.com/2019/04/privacy-ux-aware-design-framework/">[4]</a>. While PbD is a conceptual framework, it’s application can change the way digital platforms are created and the way in which people interact with them. From devising a business model, to making technological decisions, PbD principles can make privacy integral to the processes and standards of a digital platform.</p>
<p><br />The PDP Bill states that data fiduciaries are required to prepare a Privacy by Design policy and have it certified by the Data Protection Authority. According to the Bill, the policy would contain the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal <a class="external-link" href="http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf">[5]</a>. It would mention if the technology used in the processing of personal data is in accordance with the certified standards. It would also comprise of the ways in which privacy is being protected throughout the stages of processing of personal data, and that the interest of the individual is accounted for in each of these stages. Once certified by the Data Protection Authority, the data fiduciaries are also required to publish this policy on their website <a class="external-link" href="https://sflc.in/key-changes-personal-data-protection-bill-2019-srikrishna-committee-draft">[6]</a>. This forces the data fiduciaries to envision privacy as a fundamental requirement and not an afterthought. Such a policy would have a huge impact in the way digital platforms are conceptualised, both from the technological and the design point of view. The adoption of this policy by digital platforms would enable people to know if their privacy is protected by the companies, and what are the various steps being taken for this purpose. Besides the explicit Privacy by Design policy, the PDP Bill, 2019, also recommends the regulations for data minimisation, establishment of the Data Protection Authority (DPA), and the development of a consent framework. These steps are also part of the Privacy by Design approach.</p>
<p><br />This paper evaluates the PDP Bill based on the Privacy by Design approach. The Bill’s scope includes both the conceptual and technological aspects of a digital platform, as well as the interface aspect that the individual using the platform faces. The paper will hence analyse how PbD approach is reflected in both these aspects. At the conceptual level, it will look at the data ecosystem that the Bill unwittingly creates, and at the interface level, it will critically analyse the Bill’s implication on the notice and consent communication in the digital products. This includes the several points of communication or touchpoints between a company and an individual using their service, as dictated by the Bill, and how they would translate into visual design. Visual design forms an integral part of digital platforms. It is the way in which the platforms interact with the individuals. The choices made by individuals are largely driven by the visual structuring and presentation of information on these platforms. Presently, the interface design in several platforms is being used to perpetuate unethical data practices in the form of dark patterns. Dark Patterns are deceptive user interface interactions, designed to mislead or trick users to make them do something they don’t want to do<a class="external-link" href="https://uxdesign.cc/dark-patterns-in-ux-design-7009a83b233c"> [7]</a>. The design of the notice and consent touchpoints can significantly influence the enforcement of this Bill, and how it benefits individuals. Moreover, digital platforms may technically follow the regulations but can still be manipulative through their interface design. Thus, the role and accountability of design becomes crucial in the interpretation of the data protection regulations.</p>
<p> </p>
<p>The full paper can be read <a href="http://editors.cis-india.org/internet-governance/the-pdp-bill-2019-through-the-lens-of-privacy-by-design/at_download/file" class="external-link">here</a>.</p>
<p>[1] <a class="external-link" href="https://www.prsindia.org/billtrack/personal-data-protection-bill-2019">https://prsindia.org/billtrack/personal-data-protection-bill-2019</a> </p>
<p>[2] <a class="external-link" href="https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf">https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf</a></p>
<p>[3] <a class="external-link" href="https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf">https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf</a></p>
<p>[4] <a class="external-link" href="https://www.smashingmagazine.com/2019/04/privacy-ux-aware-design-framework/">https://www.smashingmagazine.com/2019/04/privacy-ux-aware-design-framework/</a></p>
<p>[5] <a class="external-link" href="http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf">http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf</a></p>
<p>[6] <a class="external-link" href="https://sflc.in/key-changes-personal-data-protection-bill-2019-srikrishna-committee-draft">https://sflc.in/key-changes-personal-data-protection-bill-2019-srikrishna-committee-draft</a></p>
<p>[7] <a class="external-link" href="https://uxdesign.cc/dark-patterns-in-ux-design-7009a83b233c">https://uxdesign.cc/dark-patterns-in-ux-design-7009a83b233c</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-pdp-bill-2019-through-the-lens-of-privacy-by-design'>http://editors.cis-india.org/internet-governance/blog/the-pdp-bill-2019-through-the-lens-of-privacy-by-design</a>
</p>
No publisherSaumyaa Naidu, Akash Sheshadri, Shweta Mohandas, and Pranav M Bidare; Edited by Arindrajit Basu, Shweta Reddy; With inputs from Amber SinhaDesignInternet GovernanceData ProtectionPrivacy2020-11-13T07:51:03ZBlog EntryThe National Privacy Principles
http://editors.cis-india.org/internet-governance/blog/the-national-privacy-principles
<b>In this infographic, we try to break down the National Privacy Principles developed by the Group of Experts on Privacy led by the Former Chief Justice A.P. Shah in 2012.</b>
<p><strong>License:</strong> It is shared under Creative Commons <a href="https://creativecommons.org/licenses/by/4.0/">Attribution 4.0 International</a> License.</p>
<p><img alt="" /></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-national-privacy-principles'>http://editors.cis-india.org/internet-governance/blog/the-national-privacy-principles</a>
</p>
No publisherPooja Saxena and Amber SinhaData ProtectionPrivacy2016-03-21T09:48:23ZBlog EntryThe Fundamental Right to Privacy - A Visual Guide
http://editors.cis-india.org/internet-governance/blog/the-fundamental-right-to-privacy-a-visual-guide
<b>Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. This visual guide to the story of privacy law in India and the recent judgement of the Puttaswamy v.
Union of India case is developed by Amber Sinha (research and content) and Pooja Saxena (design and conceptualisation).
</b>
<p> </p>
<h4>The Fundamental Right to Privacy - A Visual Guide: <a href="https://cis-india.org/internet-governance/files/amber-sinha-and-pooja-saxena-the-fundamental-right-to-privacy-a-visual-guide/at_download/file">Download</a> (PDF)</h4>
<hr />
<iframe src="//www.slideshare.net/slideshow/embed_code/key/1MMYCXyxa2YBip" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" height="485" width="595"> </iframe>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-fundamental-right-to-privacy-a-visual-guide'>http://editors.cis-india.org/internet-governance/blog/the-fundamental-right-to-privacy-a-visual-guide</a>
</p>
No publisheramberPrivacyInternet GovernanceFeaturedData GovernanceData Protection2018-02-16T05:31:37ZBlog EntryThe Competition Law Case Against Whatsapp’s 2021 Privacy Policy Alteration
http://editors.cis-india.org/internet-governance/blog/the-competition-law-case-against-whatsapp2019s-2021-privacy-policy-alteration
<b>Having examined the privacy implications of Whatsapp's changes to its privacy policy in 2021, this issue brief is the second output in our series examining the effects of those changes. This brief examines the changes in the context of data sharing between Whatsapp and Facebook as being an anticompetitive action in violation of the Indian Competition Act, 2002. </b>
<span id="docs-internal-guid-2e4a5c52-7fff-f416-6970-948314f0b524">
<p style="text-align: justify;" dir="ltr"> </p>
<h3 style="text-align: justify;">Executive Summary</h3>
<p style="text-align: justify;" dir="ltr">On January 4, 2021, Whatsapp announced a revised privacy policy through an in-app notification. It highlighted that the new policy would impact user interactions with business accounts, including those which may be using Facebook's hosting services. The updated policy presented users with the option of either accepting greater data sharing between Whatsapp and Facebook or being unable to use the platform post 15th May, 2021. The updated policy resulted in temporarily slowed growth for Whatsapp and increased growth for other messaging apps like Signal and Telegram. While Whatsapp has chosen to delay the implementation of this policy due to consumer outrage, it is important for us to unpack and understand what this (and similar policies) mean for the digital economy, and its associated competition law concerns. Competition law is one of the sharpest tools available to policy-makers to fairly regulate and constrain the unbridled power of large technology companies.</p>
<p style="text-align: justify;" dir="ltr">While it is evident the Indian competition landscape will benefit from revisiting the existing law and policy framework to reign in Big technology companies, we argue that the change in Whatsapp’s privacy policy in 2021 can be held anti-competitive using legal provisions as they presently stand. Therefore, in this issue brief, we largely limit ourselves to evaluating the legality of Whatsapp’s privacy policy within the confines of the present legal system. </p>
<p style="text-align: justify;" dir="ltr">First, we dive into an articulation of the present abuse of dominance framework in Indian Competition Law. Second, we analyze whether there was abuse of dominance-bearing in mind an economic analysis of Whatsapp’s role in the relevant market by using tests laid out in previous rulings of the CCI</p>
<br />
<p style="text-align: justify;" dir="ltr">The framework for determining abuse of dominance as per The Competition Act is based on three factors:</p>
<p style="text-align: justify;" dir="ltr">1. Determination of relevant market</p>
<p style="text-align: justify;" dir="ltr">2. Determination of dominant position</p>
<p style="text-align: justify;" dir="ltr">3. Abuse of the dominant position</p>
<br />
<p style="text-align: justify;" dir="ltr">In two previous orders in 2016 and 2020, CCI has held that Whatsapp is dominant in its relevant market based on several factors which we explore. These include:</p>
<ol><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">Advantage in user base, usage and reach,</p>
</li><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">Barriers to entry for other competitors</p>
</li><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">Power of acquisition over competitors.</p>
</li></ol>
<br />
<p style="text-align: justify;" dir="ltr">However, in both orders, CCI held that Whatsapp did not abuse its dominance by arguing that the practices in question allowed for user choice. We critique these judgments for not reflecting the market structures and exploitative practices of large technology companies. We also argue that even if we use the test of user choice laid down by the CCI in its previous orders concerning Whatsapp and Facebook, the changes made to the privacy policy in 2021 did abuse dominance,and should be held guilty of violating competition law standards.</p>
<p style="text-align: justify;" dir="ltr">Our analysis revolves around examining the explicit and implicit standards of user choice laid out by the CCI in its 2016 and 2020 judgements as the standard for evaluating fairness in an Abuse of Dominance claim.We demonstrate how the 2021 changes failed to meet these standards. </p>
<p style="text-align: justify;" dir="ltr">Finally, we conclude by noting that the present case offers a crucial opportunity for India to take a giant step forward in its regulation of big tech companies and harmonise its rulings with regulatory developments around the world.</p>
<p style="text-align: justify;" dir="ltr">The full issue brief can be found <a href="https://cis-india.org/internet-governance/whatsapp-privacy-policy-2021-issue-brief-competition-law">here</a></p>
<div> </div>
<p style="text-align: justify;" dir="ltr"> </p>
<p style="text-align: justify;" dir="ltr"> </p>
<div> </div>
</span>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-competition-law-case-against-whatsapp2019s-2021-privacy-policy-alteration'>http://editors.cis-india.org/internet-governance/blog/the-competition-law-case-against-whatsapp2019s-2021-privacy-policy-alteration</a>
</p>
No publisherAman Nair and Arindrajit BasuConsumer RightsDigital EconomyData ProtectionFacebookCompetitionWhatsAppCompetition Law2021-03-24T16:12:09ZBlog EntryThe Centre for Internet and Society’s comments and recommendations to the: The Digital Data Protection Bill 2022
http://editors.cis-india.org/internet-governance/blog/cis-comments-recommendations-to-digital-data-protection-bill
<b>The Centre for Internet & Society (CIS) published its comments and recommendations to the Digital Personal Data Protection Bill, 2022, on December 17, 2022.</b>
<div class="WordSection1" style="text-align: justify; ">
<p class="MsoNormal"><span> </span></p>
<p align="center" class="MsoNormal" style="text-align:center; "><span> </span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> </span></p>
<p align="right" class="MsoNormal" style="text-align:right; "><span> </span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> </span></p>
<h1><span>High Level Comments</span></h1>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><b><span>1.<span> </span></span></b><b><span>Rationale for removing the distinction between personal data and sensitive personal data is unclear.</span></b></p>
<p class="MsoNormal"><b><span> </span></b></p>
<p class="MsoNormal"><span>All the earlier iterations of the Bill as well as the rules made under Section 43A of the Information Technology Act, 2000<a href="#_ftn1" name="_ftnref1"><sup><sup><span>[1]</span></sup></sup></a> had classified data into two categories; (i) personal data; and (ii) sensitive personal data. The 2022 version of the Bill has removed this distinction and clubbed all personal data under one umbrella heading of personal data. The rationale for this is unclear, as sensitive personal data means such data which could reveal or be related to eminently private data such as financial data, health data, sexual orientations and biometric data. Considering the sensitive nature of the data, the data classified as sensitive personal data is accorded higher protection and safeguards from processing, therefore by clubbing all data as personal data, the higher protection such as the need for explicit consent to the processing of sensitive personal data, the bar on processing of sensitive personal data for employment purposes has also been removed. </span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><b><span>2.<span> </span></span></b><b><span>No clear roadmap for the implementation of the Bill</span></b></p>
<p class="MsoNormal"><b><span> </span></b></p>
<p class="MsoNormal"><span>The 2018 Bill had specified a roadmap for the different provisions of the Bill to come into effect from the date of the Act being notified.<a href="#_ftn2" name="_ftnref2"><sup><sup><span>[2]</span></sup></sup></a> It specifically stated the time period within which the Authority had to be established and the subsequent rules and regulations notified. </span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>The present Bill does not specify any such blueprint; it does not provide any details on either when the Bill will be notified or the time period within which the Board shall be established and specific Rules and regulations notified. Considering that certain provisions have been deferred to Rules that have to be framed by the Central government, the absence and/or delayed notification of such rules and regulations will impact the effective functioning of the Bill. Provisions such as Section 10(1) which deals with verifiable parental consent for data of children, Section 13 (1) which states the manner in which a Data Principal can initiate a right to correction, the process of selection and functioning of consent manager under </span><span>3(7)</span><span> are few such examples, that when the Act becomes applicable, the data principal will have to wait for the Rules to Act of these provisions, or to get clarity on entities created by the Act. </span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>The absence of any sunrise or sunset provision may disincentivise political or industrial will to support or enforce the provisions of the Bill. An example of such a lack of political will was the establishment of the Cyber Appellate Tribunal. The tribunal was established in 2006 to redress cyber fraud. However, it was virtually a defunct body from 2011 onwards when the last chairperson retired. It was eventually merged with the Telecom Dispute Settlement and Appellate Tribunal in 2017. </span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>We recommend that Bill clearly lays out a time period for the implementation of the different provisions of the Bill, especially a time frame for the establishment of the Board. This is important to give full and effective effect to the right of privacy of the individual. It is also important to ensure that individuals have an effective mechanism to enforce the right and seek recourse in case of any breach of obligations by the data fiduciaries. </span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>The Board must ensure that Data Principals and Fiduciaries have sufficient awareness of the provisions of this Bill before bringing the provisions for punishment into force. This will allow the Data Fiduciaries to align their practices with the provisions of this new legislation and the Board will also have time to define and determine certain provisions that the Bill has left the Board to define. Additionally enforcing penalties for offenses initially must be in a staggered process, combined with provisions such as warnings, in order to allow first time and mistaken offenders which now could include data principals as well, from paying a high price. This will relieve the fear of smaller companies and startups and individuals who might fear processing data for the fear of paying penalties for offenses.</span></p>
<p class="MsoNormal"><span> </span></p>
<h3><a name="_kn12ecl3pdrp"></a><span>3.<span> </span></span><span>Independence of Data Protection Board of India.</span></h3>
<p class="MsoNormal"><span>The Bill proposes the creation of the Data Protection Board of India (Board) in place of the Data Protection Authority. In comparison with the powers of the Board with the 2018 and 2019 version of Personal Data Protection Bill, we witness an abrogation of powers of the Board to be created, in this Bill. Under Clause 19(2), the strength and composition of the Board, the process of selection, the terms and conditions of appointment and service, and the removal of its Chairperson and other Members shall be such as may be prescribed by the Union Government at a later stage. Further as per Clause 19(3), the Chief Executive of the Board will be appointed by the Union Government and the terms and conditions of her service will also be determined by the Union Government. The functions of the Board have also not been specified under the Bill, the Central Government may assign the functions to be performed by the Board.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>In order to govern data protection effectively, there is a need for a responsive market regulator with a strong mandate, ability to act swiftly, and resources. The political nature of personal data also requires that the governance of data, particularly the rule-making and adjudicatory functions performed by the Board are independent of the Executive. </span></p>
<h1><a name="_n9jzjnvile8f"></a><span>Chapter Wise Comments and Recommendations </span></h1>
<h2><a name="_chp7y0vgrjqa"></a><span>CHAPTER I- PRELIMINARY</span></h2>
<p class="MsoNormal"><span><span> </span>●<span> </span></span><b><span>Definition:</span></b><span> While the Bill has added a few new definitions to the Bill including terms such as gains, loss, consent manager etc. there are a few key definitions that have been removed from the earlier versions of the Bill. The removal of certain definitions in the Bill, eg. sensitive personal data, health data, biometric data, transgender status, creating a legal uncertainty about the application of the Bill. </span></p>
<p class="MsoNormal"><span>With respect to the existing definitions as well the definition of the term ‘harm’ has been significantly reduced to remove harms such as surveillance from the ambit of harms. In addition, with respect of the definition of the term of harms also, the 2019 version of the Bill under Clause 2 (20) the definition provides a non exhaustive list of harms, by using the phrase “harms include”, however in the new definition the phrase has been altered to “harm”, in relation to a Data Principal, means”, thereby removing the possibility of more harms that are not apparent currently from being within the purview of the Act. We recommend that the definition of harms be made into a non-exhaustive list.<br /> <br /> </span></p>
<h2><a name="_nhwnuzprx0ir"></a><span>CHAPTER II - OBLIGATIONS OF DATA FIDUCIARY</span></h2>
<p class="MsoNormal"><b><span>Notice: </span></b><span>The revised Clause on notice does away with the comprehensive requirements which were laid out under Clause 7 of the PDP Bill 2019. The current clause does not mention in detail what the notice should contain, while stating that that the notice should be itemised. While it can be reasoned that the Data Fiduciary can find the contents of the notice throughout the bill, such as with the rights of the Data Principal, the removal of a detailed list could create uncertainty for Data Fiduciaries. By leaving the finer details of what a notice should contain, it could cause Data Fiduciaries from missing out key information from the list, which in turn provide incomplete information to the Data Principal. Even in terms of Data Fiduciaries they might not know if they are complying with the provisions of the bill, and could result in them invariably being penalised. In addition to this by requiring less work by the Data Fiduciary and processor, the burden falls on the Data Principal to make sure they know how their data is processed and collected. The purpose of this legislation is to create further rights for individuals and consumers, hence the Bill should strive to put the individual at the forefront.</span></p>
<p class="MsoNormal"><span>In addition to this Clause 6(3) of the Bill states <i>“The Data Fiduciary shall give the Data Principal the option to access the information referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution of India.”</i> While the inclusion of regional language notices is a welcome step, we suggest that the text be revised as follows <i>“The Data Fiduciary shall give the Data Principal the option to access the information referred to in sub-sections (1) and (2) in English<b> and in</b> any language specified in the Eighth Schedule to the Constitution of India.” </i>While the main crux of notice is to let the person know before giving consent, notice in a language that a person cannot read would not lead to meaningful consent.</span></p>
<p class="MsoNormal"><b><span>Consent <br /> <br /> </span></b><span>Clause 3 of the Bill states <i>“request for consent would have the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act.” </i>Ideally this provision should be a part of the notice and should be mentioned in the above section. This is similar to Clause 7(1)(c) of the draft Personal Data Protetion Bill 2019 which requires the notice to state <i>“the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable;”. </i></span></p>
<p class="MsoNormal"><b><span>Deemed Consent</span></b></p>
<p class="MsoNormal"><span>The Bill introduces a new type of consent that was absent in the earlier versions of the Bill. We are of the understanding that deemed consent is used to redefine non consensual processing of personal data. The use of the term deemed consent and the provisions under the section while more concise than the earlier versions could create more confusion for Data Principals and Fiduciaries alike. The definition and the examples do not shed light on one of the key issues with voluntary consent - the absence of notice. In addition to this the Bill is also silent on whether deemed consent can be withdrawn or if the data principal has the same rights as those that come from processing of data they have consented to. </span></p>
<p class="MsoNormal"><b><span>Personal Data Protection of Children </span></b></p>
<p class="MsoNormal"><b><span> </span></b></p>
<p class="MsoNormal"><span>The age to determine whether a person has the ability to legally consent in the online world has been intertwined with the age of consent under the Indian Contract Act; i.e. 18 years. The Bill makes no distinction between a 5 year old and a 17 year old- both are treated in the same manner. It assumes the same level of maturity for all persons under the age of 18. It is pertinent to note that the law in the offline world does recognise that distinction and also acknowledges the changes in the level of maturity. As per Section 82 of the Indian Penal Code read with Section 83, any act by a child under the age of 12 shall not be considered as an offence. While the maturity of those aged between 12–18 years will be decided by court (individuals between the age of 16–18 years can also be tried as adults for heinous crimes). Similarly, child labour laws in the country allow children above the age of 14 years to work in non-hazardous industry</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>There is a need to evaluate and rethink the idea that children are passive consumers of the internet and hence the consent of the parent is enough. Additionally, the bracketing of all individuals under the age of 18 as children fails to look at how teenages and young people use the internet. This is more important looking at the 2019 data which suggests that two-thirds of India’s internet users are in the 12–29 years age group, with those in the 12–19 age group accounting for about 21.5% of the total internet usage in metro cities. Given that the pandemic has compelled students and schools to adopt and adapt to virtual schools, the reliance on the internet has become ubiquitous with education. Out of an estimated 504 million internet users, nearly one-third are aged under 19. As per the Annual Status on Education Report (ASER) 2020, more than one-third of all schoolchildren are pursuing digital education, either through online classes or recorded videos.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Instead of setting a blanket age for determining valid consent, we could look at alternative means to determine the appropriate age for children at different levels of maturity, similar to what had been developed by the U.K. Information Commissioner’s Office. The Age Appropriate Code prescribes 15 standards that online services need to follow. It broadly applies to online services "provided for remuneration"—including those supported by online advertising—that process the personal data of and are "likely to be accessed" by children under 18 years of age, even if those services are not targeted at children. This includes apps, search engines, social media platforms, online games and marketplaces, news or educational websites, content streaming services, online messaging services. </span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>The reservation to definition of child under the Bill has also been expressed by some members of the JPC through their dissenting opinion. MP Ritesh Pandey stated that keeping in mind the best interest of the child the Bill should consider a child to be a person who is less than 14 years of age. This would ensure that young people could benefit from the advances in technology without parental consent and reduce the social barriers that young women face in accessing the internet. Similarly Manish Tiwari in his dissenting note also observed that the regulation of the processing of data of children should be based on the type of content or data. The JPC Report observed that the Bill does not require the data fiduciary to take fresh consent of the child, once the child has attained the age of majority, and it also does not give the child the option to withdraw their consent upon reaching the majority age. It therefore, made the following recommendations:</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Registration of data fiduciaries, exclusively dealing with children’s data. Application of the Majority Act to a contract with a child. Obligation of Data fiduciary to inform a child to provide their consent, three months before such child attains majority Continuation of the services until the child opts out or gives a fresh consent, upon achieving majority. However, these recommendations have not been incorporated into the provisions of the Bill. In addition to this the Bill is silent on the status of non consensual processing and deemed consent with respect to the data of children.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>We recommend that fiduciaries who have services targeted at children should be considered as significant Data Fiduciaries. In addition to this the Bill should also state that the guardians could approach the Data Protection Board on behalf of the child. With these obligations in place, the age of mandatory consent could be reduced and the data fiduciary could have an added responsibility of informing the children in the simplest manner how their data will be used. Such an approach places a responsibility on Data Fiduciaires when implementing services that will be used by children and allows the children to be aware of data processing, when they are interacting with technology.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><b><span>Chapter III-RIGHTS AND DUTIES OF DATA PRINCIPAL</span></b></p>
<p class="MsoNormal"><b><span> </span></b></p>
<p class="MsoNormal"><b><span>Rights of Data Principal</span></b></p>
<p class="MsoNormal"><span>Clause 12(3) of the Bill while providing the Data Principal the right to be informed of the identities of all the Data Fiduciaries with whom the personal data has been shared, also states that the data principal has the right to be informed of the categories of personal data shared. However the current version of the Bill provides only one category of data that is personal data. </span></p>
<p class="MsoNormal"><span>Clause 14 of the Bill talks about the Right of Grievance Redressal, and states that the Data Principal has the right to readily available means of registering a grievance, however the Bill does not provide in the Notice provisions the need to mention details of a grievance officer or a grievance redressal mechanism. It is only the additional obligations on significant data fiduciary that mentions the need for a Data Protection officer to be the contact for the grievance redressal mechanism under the provisions of this Bill. The Bill could ideally re-use the provisions of the IT Act SPDI Rules 2011 in which Section 5(7) states <i>“Body corporate shall address any discrepancies and grievances of their provider of the information with respect to processing of information in a time bound manner. For this purpose, the body corporate shall designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer shall redress the grievances or provider of information expeditiously but within one month ' from the date of receipt of grievance.”<br /> </i><br /> The above framing would not only bring clarity to the data fiduciaries on what process to follow for a grievance redressal, it also would reduce the significant burden of theBoard. </span></p>
<p class="MsoNormal"><b><span>Duties of Data Principals</span></b></p>
<p class="MsoNormal"><span>The Bill while entisting duties of the Data Principal states that the “Data Principal shall not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board”, however it is very difficult for a Data Principal to and even for the Board to determine what constitutes a “frivolous grievance”. In addition to this the absence of a defined notice provision and the inclusion of deemed consent would mean that the Data Fiduciary could have more information about the matter than the Data Principal. This could mean that the fiduciary could prove that a claim was false or frivolous. Clause 21(12) states that “<i>At any stage after receipt of a complaint, if the Board determines that the complaint is devoid of merit, it may issue a warning or impose costs on the complainant.” </i>In addition to this Clause 25(1) states that “ <i>If the Board determines on conclusion of an inquiry that non- compliance by <b>a person </b>is significant, it may, after giving the person a reasonable opportunity of being heard, impose such financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each instance.” </i>The use of the term “person” in this case includes data which could mean that they could be penalised under the provisions of the Bill, which could also include not complying with the duties.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><b><span>CHAPTER IV- SPECIAL PROVISIONS</span></b></p>
<p class="MsoNormal"><b><span>Transfer of Personal Data outside India</span></b></p>
<p class="MsoNormal"><span>Clause 17 of the Bill has removed the requirement of data localisation which the 2018 and 2019 Bill required. Personal data can be transferred to countries that will be notified by the central government. There is no need for a copy of the data to be stored locally and no prohibition on transferring sensitive personal data and critical data. Though it is a welcome change that personal data can be transferred outside of India, we would highlight the concerns in permitting unrestricted access to and transfer of all types of data. Certain data such as defence and health data do require sectoral regulation and ringfencing of the transfer of data. </span></p>
<p class="MsoNormal"><b><span>Exemptions</span></b></p>
<p class="MsoNormal"><span>Clause 18 of the Bill has widened the scope of government exemptions. Blanket exemption has been given to the State under Clause 18(4) from deleting the personal data even when the purpose for which the data was collected is no longer served or when retention is no longer necessary. The requirement of <i>proportionality, reasonableness and fairness</i> have been removed for the Central Government to exempt any department or instrumentality from the ambit of the Bill.</span><span> </span><span>By doing away with the four pronged test, this provision is not in consonance with test laid down by the Supreme Court and are also incompatible with an effective privacy regulation. There is also no provision for either a prior judicial review of the order by a district judge as envisaged by the Justice Srikrishna Committee Report or post facto review by an oversight committee of the order as laid down under the Indian Telegraph Rules, 1951<a href="#_ftn3" name="_ftnref3"><sup><sup><span>[3]</span></sup></sup></a> and the rules framed under Information Technology Act<a href="#_ftn4" name="_ftnref4"><sup><sup><span>[4]</span></sup></sup></a>. The provision states that such processing of personal data shall be subject to the procedure, safeguard and oversight mechanisms that may be prescribed.</span></p>
<p class="MsoNormal"><b><span> </span></b></p>
<p class="MsoNormal"><b><span> </span></b></p>
<p class="MsoNormal"><b><span> </span></b></p>
<p class="MsoNormal"><b><span> </span></b></p>
<p class="MsoNormal"><b><span> </span></b></p>
<p class="MsoNormal"><b><span> </span></b></p>
<p class="MsoNormal"><b><span> </span></b></p>
<p class="MsoNormal"><b><span> </span></b></p>
<p class="MsoNormal"><b><span> </span></b></p>
<p class="MsoNormal"><b><span> </span></b></p>
<p class="MsoNormal"><b><span> </span></b></p>
<p class="MsoNormal"><b><span> </span></b></p>
<p class="MsoNormal"><b><span> </span></b></p>
<p class="MsoNormal"><span> </span></p>
</div>
<div style="text-align: justify; "><br clear="all" />
<hr align="left" size="1" width="100%" />
<div id="ftn1">
<p class="MsoNormal"><a href="#_ftnref1" name="_ftn1"><sup><span><sup><span>[1]</span></sup></span></sup></a><span> Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011</span><span>.</span></p>
</div>
<div id="ftn2">
<p class="MsoNormal"><a href="#_ftnref2" name="_ftn2"><sup><span><sup><span>[2]</span></sup></span></sup></a><span> Clause 97 of the 2018 Bill states<i>“(1) For the purposes of this Chapter, the term ‘notified date’ refers to the date notified by the Central Government under sub-section (3) of section 1. (2)The notified date shall be any date within twelve months from the date of enactment of this Act. (3)The following provisions shall come into force on the notified date-(a) Chapter X; (b) Section 107; and (c) Section 108. (4)The Central Government shall, no later than three months from the notified date establish the Authority. (5)The Authority shall, no later than twelve months from the notified date notify the grounds of processing of personal data in respect of the activities listed in sub-section (2) of section 17. (6) The Authority shall no, later than twelve months from the date notified date issue codes of practice on the following matters-(a) notice under section 8; (b) data quality under section 9; (c) storage limitation under section 10; (d) processing of personal data under Chapter III; (e) processing of sensitive personal data under Chapter IV; (f) security safeguards under section 31; (g) research purposes under section 45;(h) exercise of data principal rights under Chapter VI; (i) methods of de-identification and anonymisation; (j) transparency and accountability measures under Chapter VII. (7)Section 40 shall come into force on such date as is notified by the Central Government for the purpose of that section.(8)The remaining provision of the Act shall come into force eighteen months from the notified date.”</i></span></p>
</div>
<div id="ftn3">
<p class="MsoNormal"><a href="#_ftnref3" name="_ftn3"><sup><span><sup><span>[3]</span></sup></span></sup></a><span> </span><span>Rule 419A (16): The Central Government or the State Government shall constitute a Review Committee. </span></p>
<p class="MsoNormal"><span>Rule 419 A(17): The Review Committee shall meet at least once in two months and record its findings whether the directions issued under sub-rule (1) are in accordance with the provisions of sub-section (2) of Section 5 of the said Act. When the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above it may set aside the directions and orders for destruction of the copies of the intercepted message or class of messages.</span></p>
<p class="MsoNormal"><span> </span></p>
</div>
<div id="ftn4">
<p class="MsoNormal"><a href="#_ftnref4" name="_ftn4"><sup><span><sup><span>[4]</span></sup></span></sup></a><span> </span><span>Rule 22 of Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009: The Review Committee shall meet at least once in two months and record its findings whether the directions issued under rule 3 are in accordance with the provisions of sub-section (2) of section 69 of the Act and where the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above, it may set aside the directions and issue an order for destruction of the copies, including corresponding electronic record of the intercepted or monitored or decrypted information.</span></p>
<p class="MsoNormal"><span> </span></p>
</div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/cis-comments-recommendations-to-digital-data-protection-bill'>http://editors.cis-india.org/internet-governance/blog/cis-comments-recommendations-to-digital-data-protection-bill</a>
</p>
No publisherShweta Mohandas and Pallavi BediInternet GovernanceDigital GovernanceData ProtectionPrivacy2023-01-20T02:35:30ZBlog EntryThe 2010 Special 301 Report Is More of the Same, Slightly Less Shrill
http://editors.cis-india.org/a2k/blogs/2010-special-301
<b>Pranesh Prakash examines the numerous flaws in the Special 301 from the Indian perspective, to come to the conclusion that the Indian government should openly refuse to acknowledge such a flawed report. He notes that the Consumers International survey, to which CIS contributed the India report, serves as an effective counter to the Special 301 report.</b>
<h1>Special 301 Report: Unbalanced Hypocrisy</h1>
<p>The United States Trade Representative has put yet another edition of the Special 301 report which details the copyright law and policy wrongdoings of the US's trading partners. Jeremy Malcolm of Consumers International notes that the report this year claims to be "well-balanced assessment of intellectual property protection and enforcement ... taking into account diverse factors", but:</p>
<blockquote>
<p>[I]n fact, the report largely continues to be very one-sided. As in previous editions, it lambasts developing countries for failing to meet unrealistically stringent standards of IP protection that exceed their obligations under international law.</p>
</blockquote>
<p>More the report changes, <a href="http://cis-india.org/advocacy/ipr/blog/consumers-international-ip-watch-list-2009">the more it stays the same</a>. <a href="http://www.michaelgeist.ca/content/view/4684/195/">Despite having wider consultations</a> than just the International Intellectual Property Alliance (IIPA, consisting of US-based IP-maximalist lobbyists like the Motion Picture Association of America, Recording Industry Association of America, National Music Publishers Association, Association of American Publishers, and Business Software Alliance) and the Pharmaceutical Research and Manufacturers of America (PhRMA, consisting of US-based pharma multinationals), things haven't really changed much in terms of the shoddiness of the Special 301 report.</p>
<h1>India and the 2010 Special 301 Report</h1>
<p>The Special 301 report for 2010 contains the following assessment of India:</p>
<blockquote>
<p>India will remain on the Priority Watch List in 2010. India continues to make gradual progress on efforts to improve its legislative, administrative, and enforcement infrastructure for IPR. India has made incremental improvements on enforcement, and its IP offices continued to pursue promising modernization efforts. Among other steps, the United States is encouraged by the Indian government’s consideration of possible trademark law amendments that would facilitate India’s accession to the Madrid Protocol. The United States encourages the continuation of efforts to reduce patent application backlogs and streamline patent opposition proceedings. Some industries report improved engagement and commitment from enforcement officials on key enforcement challenges such as optical disc and book piracy. However, concerns remain over India’s inadequate legal framework and ineffective enforcement. Piracy and counterfeiting, including the counterfeiting of medicines, remains widespread and India’s enforcement regime remains ineffective at addressing this problem. Amendments are needed to bring India’s copyright law in line with international standards, including by implementing the provisions of the WIPO Internet Treaties. Additionally, a law designed to address the unauthorized manufacture and distribution of optical discs remains in draft form and should be enacted in the near term. The United States continues to urge India to improve its IPR regime by providing stronger protection for patents. One concern in this regard is a provision in India’s Patent Law that prohibits patents on certain chemical forms absent a showing of increased efficacy. While the full import of this provision remains unclear, it appears to limit the patentability of potentially beneficial innovations, such as temperature-stable forms of a drug or new means of drug delivery. The United States also encourages India to provide protection against unfair commercial use, as well as unauthorized disclosure, of undisclosed test or other data generated to obtain marketing approval for pharmaceutical and agricultural chemical products. The United States encourages India to improve its criminal enforcement regime by providing for expeditious judicial disposition of IPR infringement cases as well as deterrent sentences, and to change the perception that IPR offenses are low priority crimes. The United States urges India to strengthen its IPR regime and will continue to work with India on these issues in the coming year. </p>
</blockquote>
<p>This short dismissal of the Indian IPR regime, and subsequent classification of India as a "Priority Watch List" country reveals the great many problems with the Special 301.</p>
<h2>On Copyrights</h2>
<ol>
<li>
<p>The report notes that there are "concerns over India's inadequate legal framework and ineffective enforcement". However, nowhere does it bother to point out precisely <em>how</em> India's legal framework is inadequate, and how this is negatively affecting authors and creators, consumers, or even the industry groups (MPAA, RIAA, BSA, etc.) that give input to the USTR via the IPAA. Nor does it acknowledge the well-publicised fact that the statistics put out by these bodies have time and again <a href="http://www.cis-india.org/a2k/blog/fallacies-lies-and-video-pirates">proven to be wrong</a>:</p>
</li>
<li>
<p>Apart from this bald allegation which has not backing, there is a bald statement about India needing to bring its copyright law "in line with international standards" including "the WIPO Internet Treaties". The WIPO Internet Treaties given that more than half the countries of the world are not signatories to either of the WIPO Internet Treaties (namely the WIPO Copyright Treaty and the WIPO Performance and Phonograms Treaty), calling them 'international standards' is suspect. That apart, both those treaties are TRIPS-plus treaties (requiring protections greater than the already-high standards of the TRIPS Agreement). India has not signed either of them. It should not be obligated to do so. Indeed, Ruth Okediji, a noted copyright scholar, <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1433848">states</a>:</p>
</li>
</ol>
<blockquote>
<p>Consistent with their predecessors, the WIPO Internet Treaties marginalize collaborative forms of creative engagement with which citizens in the global South have long identified and continue in the tradition of assuming that copyright’s most enduring cannons are culturally neutral. [...] The Treaties do not provide a meaningful basis for a harmonized approach to encourage new creative forms in much the same way the Berne Convention fell short of embracing diversity in patterns and modes of authorial expression.</p>
</blockquote>
<ol>
<li>
<p>Some of the of the 'problems' noted in the report are actually seen as being beneficial by many researchers and scholars such as Lawrence Liang, Achal Prabhala, Perihan Abou Zeid <a href="https://sites.google.com/site/iipenforcement/bibliography">and others</a>, who argue that <a href="http://www.altlawforum.org/intellectual-property/publications/articles-on-the-social-life-of-media-piracy/reconsidering-the-pirate-nation">lax enforcement has enabled access to knowledge and promotion of innovation</a>. In a panel on 'Access to Knowledge' at the Internet Governance Forum, <a href="http://a2knetwork.org/access-knowledge-internet-governance-forum">Lea Shaver, Jeremy Malcolm and others</a> who have been involved in that Access to Knowledge movement noted that lack of strict enforcement played a positive role in many developing countries. However, they also noted, with a fair bit of trepidation, that this was sought to be changed at the international level through treaties such as the Anti-Counterfeiting Treaty Agreement (ACTA).</p>
</li>
<li>
<p>The scope of an optical disc law are quite different from copyright law. The report condemns "unauthorized manufacture and distribution of optical discs", however it does not make it clear that what it is talking about is not just unlicensed copying of films (which is already prohibited under the Copyright Act) but the manufacture and distribution of blank CDs and DVDs as well. The need for such a law is assumed, but never demonstrated. It is onerous for CD and DVD manufacturers (such as the Indian company Moserbaer), and is an overbearing means of attacking piracy.</p>
</li>
<li>
<p>The report calls for "improve[ment] [of India's] criminal enforcement regime" and for "deterrent" sentences and expeditious judicial disposition of IPR infringement cases. While we agree with the last suggestion, the first two are most unacceptable. Increased criminal enforcement of a what is essentially a private monopoly right is undesirable. Copyright infringment on non-commercial scales should not be criminal offences at all. What would deter people from infringing copyright laws are not "deterrent sentences" but more convenient and affordable access to the copyright work being infringed.</p>
</li>
</ol>
<h2>On Patents</h2>
<p>Thankfully, this year the Special 301 report does not criticise the Indian Patent Act for providing for post-grant opposition to patent filings, as it has in previous years. However, it still criticises section 3(d) of the Patent Act which ensures that 'evergreening' of drug patents is not allowed by requiring for new forms of known substances to be patented only if "the enhancement of the known efficacy of [the known] substance" is shown. Thus, the US wishes India to change its domestic law to enable large pharma companies to patent new forms of known substances that aren't even better ("enhancement of the known efficacy"). For instance, "new means of drug delivery" will not, contrary to the assertions of the Special 301 report and the worries of PhRMA, be deemed unpatentable.</p>
<p>The United States has been going through much turmoil over its patent system. Reform of the patent system is currently underway in the US through administrative means, judicial means, as well as legislative means. One of the main reasons for this crumbling of the patent system has been the low bar for patentability (most notably the 'obviousness' test) in the United States and the subsequent over-patenting. An <a href="http://supreme.justia.com/us/447/303/case.html">American judgment</a> even noted that "anything under the sun that is made by man" is patentable subject matter. It is well-nigh impossible to take American concerns regarding our high patent standards seriously, given this context.</p>
<h2>Miscellanea</h2>
<p>The harms of counterfeit medicine, as <a href="http://www.cis-india.org/a2k/blog/fallacies-lies-and-video-pirates">we have noted earlier</a>, are separate issues that are best dealt under health safety regulations and consumer laws, rather than trademark law.</p>
<p>Data exclusivity has been noted to be harmful to the progress of generics, and seeks to extend proprietary rights over government-mandated test data. It is [clear from the TRIPS Agreement][de-trips] that data exclusivity is not mandatory. There are clear rationale against it, and the Indian pharmaceutical industry [is dead-set against it][de-india]. Still, the United States Trade Representative persists in acting as a corporate shill, calling on countries such as India to implement such detrimental laws.</p>
<h2>Conclusion</h2>
<p>Michael Geist, professor at University of Ottowa <a href="http://www.michaelgeist.ca/content/view/4997/125">astutely notes</a>:</p>
<blockquote>
<p>Looking beyond just Canada, the list [of countries condemned by the Special 301 report] is so large, that it is rendered meaningless. According to the report, approximately 4.3 billion people live in countries without effective intellectual property protection. Since the report does not include any African countries outside of North Africa, the U.S. is effectively saying that only a small percentage of the world meet its standard for IP protection. Canada is not outlier, it's in good company with the fastest growing economies in the world (the BRIC countries are there) and European countries like Norway, Italy, and Spain.
In other words, the embarrassment is not Canadian law. Rather, the embarrassment falls on the U.S. for promoting this bullying exercise and on the Canadian copyright lobby groups who seemingly welcome the chance to criticize their own country. </p>
</blockquote>
<p>His comments apply equally well for India as well.</p>
<h1>IIPA's Recommendation for the Special 301 Report</h1>
<p>Thankfully, this year <a href="http://www.iipa.com/rbc/2010/2010SPEC301INDIA.pdf">IIPA's recommendations</a> have not been directly copied into the Special 301 report. (They couldn't be incorporated, as seen below.) For instance, the IIPA report notes:</p>
<blockquote>
<p>The industry is also concerned about moves by the government to consider mandating the use of open source software and software of only domestic origin. Though such policies have not yet been implemented, IIPA and BSA urge that this area be carefully monitored.</p>
</blockquote>
<p>Breaking that into two bit:</p>
<h2>Open Source</h2>
<p>Firstly, it is curious to see industry object to legal non-pirated software. Secondly, many of BSA's members (if not most) use open source software, and a great many of them also produce open source software. <a href="http://hp.sourceforge.net/">HP</a> and <a href="http://www-03.ibm.com/linux/ossstds/">IBM</a> have been huge supporters of open source software. Even <a href="http://www.microsoft.com/opensource/">Microsoft has an open source software division</a>. [Intel][intel], <a href="http://www.sap.com/usa/about/newsroom/press.epx?pressid=11410">SAP</a>, <a href="http://www.cisco.com/web/about/doing_business/open_source/index.html">Cisco</a>, <a href="http://linux.dell.com/projects.shtml">Dell</a>, <a href="http://www.sybase.com/developer/opensource">Sybase</a>, <a href="http://www.entrust.com/news/index.php?s=43&item=702">Entrust</a>, <a href="http://about.intuit.com/about_intuit/press_room/press_release/articles/2009/IntuitPartnerPlatformAddsOpenSourceCommunity.html">Intuit</a>, <a href="http://www.synopsys.com/community/interoperability/pages/libertylibmodel.aspx">Synopsys</a>, <a href="http://www.apple.com/opensource/">Apple</a>, <a href="http://www.theregister.co.uk/2005/04/22/jbuilder_eclipse/">Borland</a>, <a href="http://w2.cadence.com/webforms/squeak/">Cadence</a>, <a href="http://usa.autodesk.com/adsk/servlet/item?siteID=123112&id=6153839">Autodesk</a>, and <a href="http://news.cnet.com/8301-13505_3-9967593-16.html">Siemens</a> are all members of BSA which support open source software / produce at least some open source software. And <em>all</em> BSA members rely on open source software (as part of their core products, their web-server, their content management system, etc.) to a lesser or greater extent. BSA's left hand doesn't seem to know what its right hand -- its members -- are doing. Indeed, the IIPA does not seem to realise that the United States' government itself uses [open source software], and has been urged to <a href="http://news.bbc.co.uk/2/hi/7841486.stm">look at FOSS very seriously</a> and is doing so, especially under CIO Vivek Kundra. And that may well be the reason why the USTR could not include this cautionary message in the Special 301 report.</p>
<h2>Domestic Software</h2>
<p>As <a href="http://arstechnica.com/tech-policy/news/2010/04/indias-copyright-proposals-are-un-american-and-thats-bad.ars">this insightful article by Nate Anderson in Ars Technica</a> notes:</p>
<blockquote>
<p>Open source is bad enough, but a "buy Indian" law? That would be <a href="http://www.canadainternational.gc.ca/sell2usgov-vendreaugouvusa/procurement-marches/buyamerica.aspx?lang=eng">an outrage</a> and surely something the US government would not itself engage in <a href="http://www.canadainternational.gc.ca/sell2usgov-vendreaugouvusa/procurement-marches/ARRA.aspx?lang=eng">as recently as last year</a>. Err, right?</p>
</blockquote>
<p>Furthermore, the IIPA submission do not provide any reference for their claim that "domestic origin" software is being thought of being made a mandatory requirement in governmental software procurement.<br />
</p>
<h2>WCT, WPPT, Camcording, and Statutory Damages</h2>
<p>The IIPA submission also wish that India would:</p>
<ol>
<li>Adopt a system of statutory damages in civil cases; allow compensation to be awarded in criminal cases;</li>
<li>Adopt an optical disc law;</li>
<li>Enact Copyright Law amendments consistent with the WCT and WPPT;</li>
<li>Adopt an anti-camcording criminal provision.</li>
</ol>
<p>Quick counters:</p>
<ol>
<li>Statutory damages (that is, an amount based on statute rather than actual loss) would result in ridiculousness such as the $1.92 million damages that the jury (based on the statutory damages) slapped on Jammie Thomas. The judge in that case <a href="http://arstechnica.com/tech-policy/news/2010/01/judge-slashes-monstrous-jammie-thomas-p2p-award-by-35x.ars">called the damage award</a> "monstrous and shocking" and said that veered into "the realm of gross injustice."</li>
<li>The reasons against an optical disc law are given above. Quick recap: it is a) unnecessary and b) harmful.</li>
<li>India has not signed the WCT and the WPPT. Indian law satisfies all our international obligations. Thus enacting amendments consistent with the WCT and the WPPT is not required.</li>
<li>Camcording of a film is in any case a violation of the Copyright Act, 1957, and one would be hard-pressed to find a single theatre that allows for / does not prohibit camcorders. Given this, the reason for an additional law is, quite frankly, puzzling. At any rate, IIPA in its submission does not go into such nuances.</li>
</ol>
<h2>Further conclusions</h2>
<p><a href="http://spicyipindia.blogspot.com/2010/05/us-special-301-report-and-not-so.html">Shamnad Basheer</a>, an IP professor at NUJS, offer the following as a response:</p>
<blockquote>
<p>"Dear USA,</p>
<p>India encourages you to mind your own business. We respect your sovereignty to frame IP laws according to your national priorities and suggest that you show us the same courtesy. If your grouse is that we haven't complied with TRIPS, please feel free to take us to the WTO dispute panel. Our guess is that panel members familiar with the English language will ultimately inform you that section 3(d) is perfectly compatible with TRIPS. And that Article 39.3 does not mandate pharmaceutical data exclusivity, as you suggest!
More importantly, at that point, we might even think of hauling you up before the very same body for rampant violations, including your refusal to grant TRIPS mandated copyright protection to our record companies, despite a WTO ruling (Irish music case) against you.</p>
<p>Yours sincerely,</p>
<p>India."</p>
</blockquote>
<p>Basheer's suggestion seems to be in line with that Michael Geist who believes that other countries should join Canada and Israel in openly refusing to acknowledge the validity of the Special 301 Reports because they lack ['reliable and objective analysis'][geist-reliable]. And that thought serves as a good coda.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/a2k/blogs/2010-special-301'>http://editors.cis-india.org/a2k/blogs/2010-special-301</a>
</p>
No publisherpraneshDevelopmentConsumer RightsAccess to KnowledgeCopyrightPiracyAccess to MedicineIntellectual Property RightsData ProtectionFLOSSTechnological Protection MeasuresPublications2011-10-03T05:37:27ZBlog EntrySurvey on Data Protection Regime
http://editors.cis-india.org/internet-governance/blog/survey-on-data-protection-regime
<b>We request you to take part in this survey aimed at understanding how various organisations view the changes in the Data Protection Regime in the European Union. Recently the General Data Protection Regulation (EU) 2016/679 was passed, which shall replace the present Data Protection Directive DPD 95/46/EC. This step is likely to impact the way of working for many organisations. We are grateful for your voluntary contribution to our research, and all information shared by you will be used for the purpose of research only. Questions that personally identify you are not mandatory and will be kept strictly confidential. </b>
<p> </p>
<h4>The survey form below can also be accessed <a href="https://goo.gl/forms/61d4W0kPQ8SqNaMO2" target="_blank">here</a>.</h4>
<hr />
<iframe src="https://docs.google.com/forms/d/e/1FAIpQLSepvhTUkkc7s3jFDfJZ90wFJAIuVexrbVSO5icV4kW0-1uyNA/viewform?embedded=true" frameborder="0" marginwidth="0" marginheight="0" height="800" width="600">Loading...</iframe>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/survey-on-data-protection-regime'>http://editors.cis-india.org/internet-governance/blog/survey-on-data-protection-regime</a>
</p>
No publisherAditi Chaturvedi and Elonnai HickokGeneral Data Protection RegulationInternet GovernanceFeaturedData ProtectionHomepage2017-02-10T10:47:00ZBlog EntrySubmission to the Committee of Experts on a Data Protection Framework for India
http://editors.cis-india.org/internet-governance/submission-to-the-committee-of-experts-on-a-data-protection-framework-for-india
<b>This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the ‘White Paper of the Committee of Experts on a Data Protection Framework for India’ (“White Paper”) released by the Ministry of Electronics and Information Technology. The White paper was drafted by a Committee of Expert (“Committee”) constituted by the Ministry. CIS has conducted research on the issues of privacy, data protection and data security since 2010 and is thankful for the opportunity to put forth its views. The submission was made on January 31, 2018.</b>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/submission-to-the-committee-of-experts-on-a-data-protection-framework-for-india'>http://editors.cis-india.org/internet-governance/submission-to-the-committee-of-experts-on-a-data-protection-framework-for-india</a>
</p>
No publisheramberData GovernanceInternet GovernanceData ProtectionPrivacy2018-02-05T13:39:00ZFileSFLC Round Table Discussion on Personal Data Protection Bill
http://editors.cis-india.org/internet-governance/news/sflc-round-table-discussion-on-personal-data-protection-bill
<b>Shweta Mohandas participated in a Round Table Discussion on Personal Data Protection Bill, orgnanised by SFLC on September 25, 2018 in Bangalore. She also moderated the first session - Data Protection Principles (Rights and Obligations).</b>
<p>See the agenda of the <a class="external-link" href="http://cis-india.org/internet-governance/files/agenda-for-round-table-for-data-protection">event here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/sflc-round-table-discussion-on-personal-data-protection-bill'>http://editors.cis-india.org/internet-governance/news/sflc-round-table-discussion-on-personal-data-protection-bill</a>
</p>
No publisherAdminInternet GovernanceData ProtectionPrivacy2018-10-02T03:16:19ZNews ItemResponse Submission on TRAI's Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector
http://editors.cis-india.org/telecom/blog/response-submission-on-trais-consultation-paper-on-privacy-security-and-ownership-of-data-in-telecom-sector
<b>CIS submitted its comments on the consultation paper on privacy, security and ownership of data in telecom sector which was published by the Telecom Regulatory Authority of India on August 9, 2017.
</b>
<p style="text-align: justify;">The submission is divided in four parts. The first part introduces the document, the second part gives an overview of CIS and its work, the third part contains general comments on the consultation paper and the fourth part contains specific comments on questions posed in the consultation paper. Click to read the <strong><a class="external-link" href="http://cis-india.org/telecom/files/submission-to-trai-november-6-2017">full submission</a></strong> made to the Telecom Regulatory Authority of India on November 6, 2017.<br /><br /><br /><br /></p>
<p>
For more details visit <a href='http://editors.cis-india.org/telecom/blog/response-submission-on-trais-consultation-paper-on-privacy-security-and-ownership-of-data-in-telecom-sector'>http://editors.cis-india.org/telecom/blog/response-submission-on-trais-consultation-paper-on-privacy-security-and-ownership-of-data-in-telecom-sector</a>
</p>
No publisherAmber Sinha, Elonnai Hickok and Udbhav TiwariTelecomData ProtectionData ManagementPrivacy2019-03-13T00:27:30ZBlog Entry