Tag Archives: TRAI

Data Protection and the many facets of it: Inter-collegiate Essay Competition

NovoJuris Legal is proud to announce the Inter-collegiate Essay Competition on Data Protection and its various facets. 

Data Protection has taken very high importance not only in India but across the World. The Personal Data Protection Bill, 2018 (“Bill”) and the Data Protection Committee’s (“Committee”) Report (released on 27 July 2018) provides for the framework and the policymakers’ insight on protection of individual’s privacy and personal data in India. The Bill has set high expectations particularly after the European Union’s General Data Protection Regulation (“GDPR”) came into force on 25 May 2018. It is also essential to note the important judgments including the now famous “Aadhar case” of Justice Puttaswamy (Retd.) V. Union of India.

Reserve Bank of India (RBI) in April this year has mandated that all data generated by the payment systems in India, is to be stored in India. The Ministry of Health and Welfare has also published the draft legislation called Digital Information Security in Healthcare Act, to safeguard e-health records and patients’ privacy.

Thus, all these new rules/policies/regulations (collectively referred as “the Data Protection Framework”) indicate a very strong direction that the Government wishes to undertake on protection of data including but not limited to data localisation, which helps in enforcing data protection, nation’s security and protect its citizen’s data, better control on transmission of data outside the country and more.

Topics for the Essay Competition:

The following sub-themes have been identified as requiring academic consideration:

  1. General Data Protection Regulation in European Union has raised the bar on legislation on data protection across the world. Would this be beneficial or would it stunt technological growth and innovation?
  2. Is our Privacy safe under the Aadhar scheme? A critical analysis of change in the privacy law regime post Aadhar case in India.
  3. Implication and critical analysis of the Data (Privacy and Protection) Bill, 2017.
  4. Do we need a stronger consumer centric data protection law in India like the Customer Online Notification for Stopping Edge – Provider Network Transgressions (CONSENT Act), USA in the aftermath of the Facebook data breach incident?
  5. With all the industry specific regulator (RBI, TRAI, MHoW and etc.) providing various regulations, guidelines and draft policy notes with regards to Data Protection Framework in India, what do you think the outcome will be? Is India formalizing a uniform law for data protection?

Important Dates

▪ Submission Date – The essays must be submitted on or before 11:59 PM on 30 January 2019.

▪ Declaration of the Result on 31 March 2019.  – The winners of the competition shall be notified by email and by declaration of results of the competition on this website.

Details about the prizes, guidelines for submission and other details can be found here.  Intercollegiate-Data Privacy Essay-Competition-NovoJuris

 

Advertisements

Telecom regulatory Authority of India (TRAI) – Certificate of compliance

TRAI vide its direction no F. No 123-1/2018 NSL-II dated 7 September 2018 has withdrawn the Direction No. 101-41/2006-MN dated 21 August 2006 which had directed all the telecom service providers to furnish a certificate of compliance to TRAI by 31 July every year in respect of the following:

  1. Direction dated 28 October to all Universal Access Service Providers (UASPs) and M/s Bharat Sanchar Nigam Limited (BSNL) regarding posting of information to Universal Service Obligation (USO) related activities on their website;
  2. Direction dated 6 January 2005 to all service providers on opening of allotted codes;
  3. Direction dated 16 June 2004 to all the Cellular Mobile Service Providers (CMSPs) on auto-roaming services to all pre-paid subscribers; and
  4. Direction dated 11 July  2002 to all CMSPs to include standard terms and conditions in all tariff-plans for pre-paid cards.

A committee was formed comprising of officers of TRAI as representatives of the telecom service providers and associations, to identify the infructuous/redundant regulations and amendments and it was observed that the obligations of the above cited directions are no longer required.

Available at: https://www.trai.gov.in/sites/default/files/Direction07092018_0.pdf

Personal Data Protection Bill, 2018 – An overview with brief analysis

Justice BN Srikrishna Committee (“Committee”) which was formed with an intent to have a highly effective data protection law in India has finally submitted the draft bill to the Ministry of Electronic and Information Technology (“Ministry”) on 27 July 2018. The draft bill namely Personal Data Protection Bill, 2018 (“Draft Bill”) is a great expectation particularly after the European Union’s General Data Protection Regulation (“GDPR”) came into force on 25 May 2018. The Draft Bill is introduced at very important juncture, especially after recent judicial orders and judgments in the Aadhar case and in Justice Puttaswamy (Retd.) V. Union of India and Others.

Trust: The Draft Bill introduces concepts of ‘Data Fiduciary’, ‘Data Principal’ and ‘Data Processors’ are akin to concepts of ‘data controller’ and ‘data subjects’ in GDPR. The underpinnings as per Chapter 1, Part C, of the Committee report is of “trust” between a Data Fiduciary and a Data Principal.

data protection

Extra- territorial: Like GDPR, the Draft Bill provides for protection extending beyond India. Section 2(2) states that the legislation shall apply to the processing of personal data by data fiduciaries or data processors not present with in the territory of India, if they process data in connection with business in India, goods or services offered in India, profiling of data principals in India. This may not be applicable for processing anonymised data.

It is interesting to note that State as well as the private and public private sector, come within the ambit of the legislation.

Data: Data under the Draft Bill has been defined broadly to include information, facts, concepts, opinion or instructions whether processed by humans or automated means. It is not just personally identifiable information. The Draft Bill covers issues and matters relating to data protection, collection of data, storage, purpose of collection. Section 8 of the Draft Bill lays out procedure for collection of data, notice / intimation to be provided to the Data Principal (ie., the natural person’s data) while collecting any and all kinds of data.

Disclosures: Under Section 8, there are mandatory disclosures that the Data Fiduciary (ie, any person such as State, juristic entity, individual who determine the purpose and means of processing personal data), has to provide to the Data Principal for collecting the Data. Some of them are (i) the purpose for which the Data is being collected, (ii) categories, (iii) identity and contact information of Data Fiduciary, (iv) the Data Fiduciary will have to compulsorily inform the Data Controller about the right to withdraw consent, (v) Period for which the Personal Data will be retained. It is in this regard that the Data Fiduciary while collecting such Data, shall provide the information in a clear and concise manner, and this would include giving such information to the Data Principals in “multiple languages” where necessary and practicable. The use of multiple languages to provide information would aid such Data Principals who are only familiar with their vernacular language.

Storage: Section 10 has laid down that the Data Fiduciary shall retain the Personal Data only as may be reasonably necessary to satisfy the purpose for which it is processed.  Some of the fintech companies have raised a concern that they use the data collected on regular intervals to keep a track of their customers, even after the purpose is fulfilled, as part of their business offerings itself. Data storage should be read in conjunction with various legislations which provide for data retention, for example, records supporting financial statements of a company has to be retained for 8 years.

Kinds of data:

  • Personal Data;
  • Sensitive Personal Data (“SPD”);
  • Biometric Data;
  • Financial Data;
  • Genetic Data; and
  • Health data.

Section 3 (35) defines religious and political beliefs, caste or tribe, intersex status, transgender status as SPD. Even passwords, financial data and health data fall under SPD. Certain sections of the society have opined that passwords should not be part of SPD and that it is a stretch. What perhaps should be included is a higher level of protection to the Data Principal from instances of profiling, discrimination, and infliction of harm that is identity driven.

Consent: Consent forms the basis for processing Personal Data or SPD. Section 12 details the way to obtain consent from the Data Principal, no later than prior to processing. Shouldn’t it be prior to collection? Collection and processing of SPD has a higher rigour, including explicit consent to be obtained by Data Fiduciary for processing

The consent should be free, informed, specific, clear, and capable of being withdrawn.  It is crucial to note that when the Data Principal withdraws her consent, which was necessary for the performance of the contract to which the Data Principal is a party, then all the legal consequences for the effects of such withdrawal shall be borne by the Data Principal. Wouldn’t this be a burden on the Data Principal? Opinions are also raised that such consent should not be unilaterally withdrawn by the Data Principal and such withdrawal should only be permitted in the context of the Personal Data.

Further, additional grounds have been laid down for the processing of Personal Data which includes: (i) processing for the functions of the State;(ii) processing in compliance with law or any order of the tribunal; (iii) processing which is necessary for prompt action; (iv) processing for the purpose related to employment; and (v) processing for reasonable purpose. Processing of Personal Data for the purpose for reasonable purpose, as mentioned in Section 17, is a bit wide and allows the data privacy authorities to specify the purposes on which such processing can take place. This includes a broad range of activities such as whistle blowing, mergers and acquisitions, recovery of debt, credit scoring, fraud, publicly available personal data, etc. This would need a balance of a very effective right for data erasure, which is not provided in the Draft Bill.

Data Principal Rights: Chapter VI contains the rights to the Data Principal such as (i) Right to confirmation and access; (ii) Right to correction; (iii) Right to Data Portability; and (iv) Right to be forgotten. These are similar to the rights under GDPR. However, the Right to be forgotten which is provided under Section 27 of the Draft Bill only entitles the Data Principal(s) to have the right to restrict or prevent continuous disclosure of Personal Data.  The Right to be forgotten does not include within its ambit the right of data erasure, which allows the Data Principal to erase his personal data as mentioned in GDPR. On one hand, we can interpret that a Data Principal does not have a right to erasure but on the other hand, a Data Fiduciary is mandated to retain the Personal Data only as may be reasonably necessary to satisfy the purpose for which it is processed.

Transparency and accountability measures:  Ample safeguards have been provided to ensure that the Data provided by the Data Principals should be processed in a transparent manner and the Data Fiduciary be held accountable for its action. Chapter VII of the Draft Bill provides for mechanisms to ensure transparency, security safeguards, Data protection impact assessment, Data audits, record keeping, Data protection officer, etc.

Section 32 makes it clear that the Data fiduciary shall notify the Authority of any Personal Data breach where such breach is “likely to cause harm” to any Data Principal. So, the burden of proof seems to be on the Data Fiduciary which is good, so that in a large nation like India where the Data Principal may or may not be aware of her rights, this is helpful. Should the Data Principal have this right as well, along with the Data Fiduciary included in section 32?

Significant Data Fiduciaries: Based on the factors such as volume, sensitivity, turnover, risk of harm, the Data Fiduciaries are classified as Significant Data Fiduciaries. Section 38 obligates data protection impact assessment, record-keeping, data audits and data protection officer on Significant Data Fiduciaries. Some of these obligations are necessary for other Data Fiduciaries as well.

Data localisation: Section 40 mandates that every Data Fiduciary shall store the data on a server or a data centre located in India. Some of them have opined that this may lead to State surveillance. But perhaps, this may help in better control over data breaches or emboldening the steps towards artificial intelligence.

Exceptions: One of the most talked about and discussed section of the Draft Bill is Chapter IX. It relates to many exceptions to the Data Privacy obligations for the State / Government in order to protect the national security of the State.

The argument of surveillance is not new. In the year 2007 Indian Telegraph Rules, 1951 were amended and Rule 419A was inserted in the Rules. Rule 491 A was inserted so as to provide the Government with powers under the Act and the Rules to do surveillance, intercept any message and such other powers so as to safeguard the sovereignty of our country. Then in the years 2009 and 2011 respectively, under the Information Technology Act, 2000, The Information Technology (Procedures and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009 and The Information Technology (Procedures and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2011 were added. These set of rules, deal in depth, with how the Government can intercept, monitor and decrypt computer systems, computer networks, internet messages basically any transmission made through Internet to safeguard our country. National security, is of-course one of the primary roles of the Government.

The Draft Bill also provides wide, discretionary and unfettered powers to the Government and the Data Privacy obligations is sub-servient to the Government’s obligations of security of the State and prevention, detection, investigation and prosecution for contravention of law.

Data Protection Authority of India: The independent regulatory body for data protection, has the power to issue directions, conduct inquiry, call for information, and conduct search and seizure, monitoring and enforcement; legal affairs, policy and standard setting; research and awareness; conducting inquiries, grievance handling and adjudication.

While this is “the” legislation for Data Protection, Section 67 envisages situations of concurrent jurisdiction and provides for a consultative approach in resolving such disputes. Therefore, the Authority has to take into considerations other laws and recommendations provided by other regulators, for example, Ministry of Information and Broadcasting or TRAI (for instance the recommendation published by TRAI on Privacy, Security and Ownership of the Data in the Telecom Sector- Dated 16 July, 2018).

Grievance handling and adjudication:  The proposal of having Appellate Tribunal as a special court, is helpful in a speedy disposal of disputes. The proposal perhaps might have come by, since the Courts are already over-burdened. Every Data Fiduciary should have proper procedures and effective mechanisms to address the grievance of Data Principal which should be resolved in an expeditious manner within a period of 30 (thirty) days. It is heartening to see time-bound approach for resolving disputes.

Penalties and remedies

The Draft Bill provides for penalties which are in consonance with GDPR and the quantum of penalty acts as a deterrent to engage in wrongful acts. It should be seen over time if this deterrence is helpful in mitigating occurrences of breaches or would it increase litigation.  Penalties have been imposed on the following activities:

  • Penalty for failure to comply with Data Principal’s requests under chapter VI of the Draft Bill,
  • Penalty for failure to furnish report, information, etc.
  • Penalty for failure to comply with the directions or orders issued by the Authority
  • Penalty for contravention when no separate penalty has been provided.

Further Section 69 (1), also makes the Data Fiduciary liable if it fails to fulfil the obligations relating to taking prompt action related to data breach or undertaking a data protection impact assessment, or conducting a data audit by a significant data fiduciary or failing to register with the authority. The penalty for Data Fiduciary under this sub-section extends to Rs. 5,00,00,000/- (Rupees Five Crore Only) or 2 (two) per cent of the total worldwide turnover of the preceding financial year, whichever is higher.

Section 69 (2) makes the Data Fiduciary liable for a penalty when it contravenes of any of the requirements as mentioned under this sub-section. The penalty may extend to Rs. 15,00,00,000/- (Rupees Fifteen Crore only) or 4 (four) percent of the total worldwide turnover of the preceding financial year, whichever is higher.

Criminal liability: Not only penalties but imprisonment has also been prescribed. For instance, any person who obtains, transfers or sells personal data which is contrary to the provisions of the Draft Bill would be liable for an imprisonment of not exceeding 3 (three) years or shall be liable for a fine which may extend up to Rs 2,00,000/- ( Rupees Two Lakhs Only) or both.  Further any person who obtains, transfers or sells SPD, would be liable for an imprisonment not exceeding 5 (five) years or shall be liable for a fine which may extend up to Rs 3,00,000/- ( Rupees Three Lakhs Only) or both. There is imprisonment for a term not exceeding 3 (three) years or a fine which may extend to Rs 2,00,000 (Rupees Two Lakhs Only) or both, when any person re-identifies the Personal Data which has been de-identified by the Data Fiduciary or Data Processor or re-identifies and processes such Personal Data without the consent of the Data Fiduciary or Data Processor.

The Draft Bill has made suitable provisions whereby the company and its directors, officers, as well as Central or State Governments along with its head of departments, officers could be made liable for offences committed under this Draft Bill.

Compensation: The Data Principal also has a right to claim compensation from the Data Fiduciary and Data Processor if it contravenes with any provisions of the Draft Bill. Section 76 states that any compensation awarded or penalty imposed under this Draft Bill would not prevent the award of compensation or imposition of any other penalty or punishment under any law for the time being in force.

We have added our thoughts as we discuss the Draft Bill above. The dynamics of this digital economy are changing rapidly, people are using more and more innovative technologies to disrupt the industry and in all of this, the most crucial element is Data. It is rightly said that data is the new oil of this digital economy and therefore this much anticipated Draft Bill is, though late, a step towards regulating use of Data.

Authors: Mr. Manas Ingle and Mr. Anuj Maharana

Regulatory Update: Telecom Regulatory Authority of India : “Next Generation Public Protection and Disaster Relief (PPDR) communication networks”.

The Telecom Regulatory Authority of India via Press Release No. 61/2018 dated 4th June, 2018 released recommendations on “Next Generation Public Protection and Disaster Relief (PPDR) communication networks”.

PPDR supports a wide range of services such as maintenance of law and order, protection of life and property, disaster relief and emergency responses.  Broadband PPDR supports wide range of applications such as sending live images, videos and texts apart from voice communication. In order to keep a robust policy framework for broadband PPDR communication systems in the country, the Authority under section 11(1)(a)(ii) and (vii) of the TRAI Act, 1997 (as amended), had Sou-moto on 9th October, 2017 issued a consultation paper (CP) on “Next Generation Public Protection and Disaster Relief (PPDR) communication networks’

Written comments and counter comments on Consultation Paper were invited from the stakeholders by 4th December, 2017 and 18th December 2017 respectively. An open house discussion was also convened on 15th February, 2018.

The Authority has formulated its recommendations based on inputs received from shareholders and have placed the recommendations on TRAI website. The salient features of the recommendations are:

  • Government to set up pan-India integrated Broadband PPDR (BB-PPDR) to be called as ‘National BB-PPDR Network’ based on 3GPP PS-LTE technology.
  • Dedicated network for BB-PPDR communication funded by government be created in metro cities, border districts, disaster prone areas and sensitive areas like J&K and North East by PSU like BSNL/MTNL.
  • Setting up a Special purpose Vehicle (SPV) under Ministry of Home affairs to plan and coordinate the nationwide BB-PPDR communication facilities for PPDR agencies.
  • SPV to coordinate with DoT for allocation of spectrum and other issues.
  • Pilot testing of BB-PPDR dedicated network at five zones identified as disaster prone/ sensitive areas to evaluate the efficacy of the proposed network.
  • 2×10 MHz of dedicated spectrum should be allocated nationwide to the SPV on no-cost basis for LTE based broadband PPDR networks.
  • 814-824/859-869 MHz should be assigned for nationwide BB-PPDR services as per APT Frequency Arrangement number G 3-1-4.
  • 20 MHz of spectrum in the frequency range 440-470 MHz (preferably 450-470 MHz) should be allocated for future evolution of broadband PPDR.

Source: http://www.trai.gov.in/sites/default/files/RecommendationsPPDR04062018_0.pdf

And   http://www.trai.gov.in/sites/default/files/PRNo6104062018.pdf