Tag Archives: IOT

Draft E-commerce Policy: The dawn of a new beginning

Data is the basic building block of everything we are trying to do in this age of Industry 4.0. Data is a valuable resource for any individual, corporation or the Government. Data can be used for analytical, statistical, business and security purposes, among various other things. Keeping ‘data’ central to the idea of governing the e-Commerce industry in India, the Department for Promotion of Industry and Internal Trade published the ‘Draft e-Commerce Policy’ (“Draft Policy”) on February 23, 2019.

The overall objective of the Draft Policy is to prepare and enable stakeholders to fully benefit from the opportunities that would arise from progressive digitalization of the domestic digital economy. The Draft Policy focuses on data protection, the State’s paternalistic attitude towards the use of citizens’ data, and cross-border transactions. The Draft Policy intends to regulate some things beyond e-commerce, i.e. it proposes to regulate technologies like AI, IoT, Cloud computing and Cloud-as-a-Service. On a holistic level, it is understood that these technologies currently empower the e-commerce industry and are integral to its growth, and therefore the Government intends to bring these technologies under the purview of the Draft Policy. The Draft Policy is a mix of visionary thinking, advanced technological solutions, and measures to put in place digital infrastructure to support India’s digital economy.

DATA

The Draft Policy echoes the idea and intent of the legislature as formulated under the Data Protection Bill, 2018, as far as the rights of an individual over data are concerned. The collective idea of the Draft Policy is to streamline the protection of personal data and to empower users/consumers with respect to the data they generate and own. The question to be assessed here, though, is whether this is the real intent of the Draft Policy.

The Draft Policy recognises the rights of an individual over his or her data by stating that “An Individual owns the right to his data”, and therefore an individual’s personal data shall be used only upon seeking his/her express consent. It further states that the data of a group is collective data and therefore the collective property of that particular group; it extends this rationale to state that “Thus, the data that is generated in India belongs to Indians, as do the derivatives there from”. But the Draft Policy ends up categorising the data of Indians as a collective resource and therefore a “national resource”.

The abovementioned intent of the Draft Policy is fair and strives to achieve the greater good of the country, but at what cost? If personal data belongs to an individual, then this objective suggests that the State wants to interfere with the personal rights of a person. The Draft Policy clearly states that “All such data stored abroad shall not be made available to other business entities outside India, for any purpose, even with the customer’s consent”. What follows this point in the Draft Policy restricts sharing of data with any third party in a foreign country even if the individual has consented to such sharing of the data.

The intent behind such a restriction is that India currently lacks stringent laws regarding the cross-border flow of data. If there are no strict restrictions on the cross-border flow of data, Indian stakeholders will merely be engaged in back-end processing of data for EU/US-based e-commerce entities without having the ability to create any high-value digital products. While the Government considers data a national resource and compares it with coal, telecom spectrum etc., it ignores the fact that the inherent nature of personal data is that it belongs to an individual and not to the State, unlike coal.

The obvious reason as to why the State is taking such a stance is to eliminate issues related to consent asymmetry. But is this paternalistic attitude warranted?

If the Government is worried about foreign countries using our national resource, i.e. data, to their advantage, it should put in place stringent data privacy and protection laws in India, taking cues from other countries.

DATA INFRASTRUCTURE

The Draft Policy takes forward the Digital India initiative and intends to put in place secure digital infrastructure and to encourage the development of data-storage facilities/infrastructure, including data centres, server farms, towers, tower stations, equipment, optical wires, signal transceivers, antennae etc.

The Government will add the above-mentioned infrastructure facilities to the ‘Harmonized Master List’. This will enable regulation of the listed infrastructure in a more streamlined manner. The infrastructure will be put in place by various implementing agencies, while financing agencies may identify these as infrastructure that they intend to support. This will facilitate achieving last-mile connectivity across urban and rural India.

The Government by developing such data/digital infrastructure wishes to support India’s fast-growing digital economy and create employment.

EASE OF REGULATION

Given the interdisciplinary nature of e-commerce, it is important for the Government to tackle various regulatory challenges. The Draft Policy suggests forming a Standing Group of Secretaries on e-Commerce (SGoS), which shall be an important body for tackling various legal issues emerging from various statutes such as the Information Technology Act, 2000 and rules thereunder, the Competition Act, 2002 and the Consumer Protection Act, 1986.

Additionally, the Draft Policy states that “All e-Commerce websites and application available for downloading in India must have a registered business entity in India as the importer on record or the entity through which all sales in India are transacted”.

SIGNIFICANT HIGHLIGHTS OF THE DRAFT POLICY

  • The Government intends to continue charging custom tariffs on any digital goods being traded electronically (imposing custom duties on electronic transmissions). The Government is firm in its stance of not accepting the permanent moratorium on custom tariffs for goods (including digital goods) traded electronically as proposed by the WTO.
  • The Draft Policy states that there should be technological standards put in place for emerging technologies like IoT, AI etc.
  • The Draft Policy introduces a term, namely ‘Infant Industry’, under which small-scale entities facing barriers to entering the market will be integrated with the market, keeping data central to this integration. This will also help strengthen platforms like ‘e-lala’ and ‘Tribes India’.
  • The Government intends to establish technology wings in each Government department.
  • The Government intends to streamline the process of importing goods in India and harmonise the functions of various administrative bodies involved in the process of import of goods in India.
  • A body of industry stakeholders will be created that shall identify ‘rogue websites’. These rogue websites will be added to ‘Infringing Website List’ (IWL). IWL will enable the ISPs to remove or disable these websites. It will also enable payment gateways to curtail the flow of payments to or from such rogue websites. Search engines will be able to efficiently remove such rogue websites identified in the IWL.
  • There shall be no trade mark infringement, and customers at large shall not be deceived by the use of deceptively similar trademarks. In case an e-Commerce entity receives a complaint about a counterfeit/fake product which is manufactured with intent to deceive the customers, the e-Commerce entity shall convey such misuse of the trademark to the trade mark owner within 12 hours from receiving the complaint. In case any prohibited goods/products have been sold on any e-commerce platform, the entity operating such e-Commerce platform shall delist such products within 24 hours from receiving such complaint.
  • Any non-compliant e-Commerce entity will not be given access to operate in India.
  • All e-Commerce sites/apps available to Indian consumers shall display prices in INR and must have MRPs on all packaged products, physical products and invoices generated.
  • In view of the misuse of the ‘gifting’ route, as an interim measure, all such parcels shall be banned, with the exception of life-saving drugs.
  • Details of sellers shall be available for all the products sold online.
  • Sellers shall provide an undertaking regarding the genuineness of any product sold online.
  • In case a counterfeit product is sold to a consumer, the primary onus to resolve such an issue will be on the seller, but the intermediaries shall return the money paid to them by the customer and the marketplace shall cease to host such products on their platforms.
  • The intermediaries shall curtail piracy on their platforms.
  • An integrated system that connects Customs, RBI and India Post to be developed to better track imports.
  • The Draft Policy also intends to simplify the processes involved in the export of goods by doing away with redundant requirements such as the need to procure Bank Realisation Certification.

Once the final e-Commerce policy is enacted, what will be interesting to see is whether the Government opts for ease of governance or ease of doing business.

Overall, this Draft Policy is a positive step towards making India one of the most prominent digital economies in the world, especially considering the strict stance the Government has taken during the WTO negotiations by not accepting the permanent moratorium on waiving custom duties on digital goods sold through electronic transmission. The Government intends to boost local and home-grown e-Commerce business entities and to provide a level playing field for MSMEs by retaining the right to impose tariffs on electronic transmission through e-Commerce. Certain issues regarding the data/personal data of an individual still need deep thought, integrated with a practical approach from the Government, before a sector-wide policy is implemented, especially keeping in mind that at the end of the day personal data belongs to an individual and the use of such personal data shall be the decision of the respective individuals and not of the State.

Author: Manas Ingle, Associate, NovoJuris Legal

DATA SECURITY AND PRIVACY IN MEDICAL DEVICES

Medical devices have seen quantum leaps in terms of functionality, intelligence, and usefulness in the last decade. Improved design, better and cheaper production materials, and more sophisticated software have all contributed to this improvement. However, perhaps the biggest recent development that has greatly enhanced the abilities and uses of medical devices is the use of technology to connect medical devices (including those implanted in humans) to the internet, to hospital systems, and to other devices. This makes it possible to make these devices smarter, to control them remotely if required, to monitor their activity and functioning, and to pause or alter their operation without having to remove them from the human body.

However, like all devices that come with internet connectivity, these connected medical devices come with one major potential harm – the vulnerability to hacking, malware, and/or viruses. Potentially, this could create havoc for health care providers and patients, as third-parties may be able to break into and dictate the functioning of medical devices such as drips or other implanted devices. This problem is not new either. Since 2012, the Food and Drug Administration of the USA (the “FDA”) has been increasing security infrastructure standards for all connected medical devices, and has been constantly warning manufacturers of potential threats.

Sure enough, a short while ago, the first major medical device manufacturer in the USA faced the threat of security breaches. On August 30, 2017, the FDA announced the recall of approximately 465,000 pacemakers manufactured by Abbott (previously St. Jude Medical), due to the fear of security vulnerabilities being exploited by hackers. As per the FDA, if the vulnerabilities were left unremedied, hackers could reprogram the pacemakers to alter the heart rate of the patient and/or to drain the batteries quickly. Both scenarios could have potentially catastrophic effects.

Fortunately for Abbott, the vulnerabilities could be fixed via a firmware update that could be installed by health care providers in just 3 minutes. The pacemakers did not need to be removed from the patients’ bodies, as the update could be installed wirelessly. Further, Abbott was able to report that there had been no incidents of a security breach/hack before the firmware update was rolled out. Yet, this should not detract from the seriousness of the situation and the extent of the harm that could have been suffered by both the manufacturer and the patients. In light of this, we find it pertinent to take a deeper look at the different kinds of medical devices available today, and the potential harm that can be caused through them if the current security infrastructure is not in place.

Medical Devices and Their Potential Harms

Medical devices, apart from being controlled remotely, are also great repositories of data. In order to be able to automatically adjust their own functionality, alert users/controllers at times of low battery, and to be able to provide efficient statistics as to the health of a patient, they have to constantly collect, monitor and analyse data from the patient’s body. This means that they contain sensitive personal information regarding patients’ medical conditions, bringing in the important aspect of data privacy.

Medical devices have been used for a variety of purposes – from diagnosis of multiple diseases, to studying patients’ conditions during treatment of diseases, and to ensuring patient adherence to a prescribed treatment plan. Given the wide range of uses for connected medical devices, it will perhaps be easier to understand the problems that they may face by taking a few examples:

  1. OpenAPS – Closed loop insulin delivery – This software, which can be used along with standard medical devices, allows patients to track data from their CGM (continuous glucose monitor), and use it to control/trigger their insulin pump whenever glucose levels demand the same. The patient’s PII is not owned by any third party here, but if hacked, this system could not only give hackers access to this information, but could also allow hackers to alter the trigger mechanism/program that controls when insulin is released to
  2. Activity trackers during cancer treatment – These devices are used to gather lifestyle data regarding patients during their treatment for various forms of cancer. These are wearable devices (like many other activity trackers/smart watches), but they track the patient’s energy levels, fatigue, and appetite automatically. The data generated via these devices is usually accessible to and analysed by doctors and other health care providers. In a disease where the treatment is actively changed depending on the patient’s reaction to the ongoing medication/therapy, such a device is extremely important. Additionally, it helps doctors keep track of a patient’s lifestyle, to ensure that patients are taking care of themselves appropriately. Thus, this device places data privacy and security restrictions on doctors etc., with respect to the PII that they hold. Additionally, there is a responsibility on the manufacturers of such devices to ensure that the security infrastructure of the device is strong enough to protect it against hacks/malware. If hacked, not only will the critical data regarding a patient’s current condition be available to the hacker, but they can also alter the functioning of the device to change the readings. This could potentially prevent a cancer patient from receiving the correct follow-on treatment, which is critical to their health.
  3. Connected inhalers – Devices like Propeller’s Breezhaler connect wirelessly to a digital platform available on the patient’s mobile phones and with the doctors as well. This helps in tracking the usage of the inhaler, sending reminders to the patient in case of sporadic usage, and ensuring patient adherence to a treatment plan. If such systems are hacked, patients and doctors could stop receiving accurate data regarding inhaler usage, potentially leading to non-adherence to treatment plans and a worsening of existing breathing problems.
  4. Parkinson’s – Pfizer and IBM have collaborated on Project Blue Sky, a planned clinical trial involving the use of a system of sensors, mobile devices, and machine learning to provide round-the-clock monitoring of the symptoms, development and progression of Parkinson’s in patients. Though more research oriented, such a system could potentially be extremely important in discovering a cure for Parkinson’s.

The above are only a few examples of connected medical devices available today. Yet some common themes run through all of them – (a) they all record and store sensitive personal information regarding patients in order to function; (b) they are all accessible remotely; and (c) this makes them vulnerable to hacking/malware etc. Considering the nature of the information stored on the devices, it becomes even more important for the manufacturers to ensure data security of the devices, and for the doctors/other entities storing and analysing the data to ensure its privacy and non-disclosure. No data security infrastructure is foolproof or completely protected from hackers. However, increased standards and more robust protection techniques could help in ensuring that these devices remain protected in the near future.

Author: Madhav Rangrass is an Associate with NovoJuris Legal.