Category: GDPR

Geospatial Data Deregulation and Personal Data Protection

Posted on by Tech Law Forum NALSAR

[This post has been authored by Varsha Rajesh, a final year law student at School of Law, Christ University, Bangalore.]

In February 2021, the Department of Science and Technology of the Government of India issued the Guidelines for acquiring and producing geospatial data and geospatial data services including Maps which applies to entities collecting geospatial data, mapping and other allied products and services which are offered by the Government and privately-owned bodies.

Read more

Facial Recognition and Data Protection: A Comparative Analysis of laws in India and the EU (Part I)

Posted on by Tech Law Forum NALSAR

[This two-part post has been authored by Riddhi Bang and Prerna Sengupta, second year students at NALSAR University of Law, Hyderabad. Part II can be found here]

With the wave of machine learning and technological development, a new system that has arrived is the Facial Recognition Technology (FRT). From invention to accessibility, this technology has grown in the past few years. Facial recognition comes under the aegis of biometric data which includes distinctive physical characteristics or personal traits of a person that can be used to verify the individual. FRT primarily works through pattern recognition technology which detects and extracts patterns from data and matches it with patterns stored in a database by creating a biometric ‘template’. This technology is being increasingly deployed, especially by law enforcement agencies and thus raises major privacy concerns. This technology also attracts controversy due to potential data leaks and various inaccuracies. In fact, in 2020, a UK Court of Appeal ruled that facial recognition technology employed by law enforcement agencies, such as the police, was a violation of human rights because there was “too broad a discretion” given to police officers in implementing the technology. It is argued that despite the multifarious purposes that this technology purports to serve, its use must be regulated.

Read more

Blockchain in the paradigm of GDPR (Part II)

Posted on by Tech Law Forum @ NALSAR

[This is the second part of a two-part article by Muskan Agarwal (National Law Institute University, Bhopal) and Arpita Pandey (National Law Institute University, Bhopal). Part 1 can be found here.]

Previously, the authors looked at the contradictions between blockchain and GDPR with regard to the principal obligations enlisted in GDPR. In this post, the authors will carry out a feasibility assessment of the solutions proposed.

Read more

Blockchain in the Paradigm of GDPR (Part I)

Posted on by Tech Law Forum @ NALSAR

[This is the second part of a two-part article by Muskan Agarwal (National Law Institute University, Bhopal) and Arpita Pandey (National Law Institute University, Bhopal).]

This is the first part of a two-part post that undertakes an analysis of the points of friction present between the fundamentals of blockchain technology and GDPR and of the various solutions that have been proposed to address the inconsistencies.

Read more

Metadata by TLF: Issue 7

Posted on by Tech Law Forum @ NALSAR

Welcome to our fortnightly newsletter, where our Editors put together handpicked stories from the world of tech law! You can find other issues here.

Israel spyware ‘Pegasus’ used to snoop on Indian activists, journalists, lawyers

In a startling revelation, Facebook owned messaging app WhatsApp revealed that a spyware known as ‘Pegasus’ has been used to target and surveil Indian activists and journalists. The revelation came to light after WhatsApp filed a lawsuit against the Israeli NSO Group, accusing it of using servers located in the US and elsewhere to send malware to approximately 1400 mobile phones and devices. On its part, the NSO group has consistently claimed that it sells its software only to government agencies, and that it is not used to target particular subjects. The Indian government sought a detailed reply from WhatsApp but has expressed dissatisfaction with the response received, with the Ministry of Electronics and Information Technology stating that the reply has “certain gaps” which need to be further investigated.

Further reading:

  1. Sukanya Shantha, Indian Activists, Lawyers Were ‘Targeted’ Using Israeli Spyware Pegasus, The Wire (31 October 2019).
  2. Seema Chishti, WhatsApp confirms: Israeli spyware was used to snoop on Indian journalists, activists, The Indian Express (1 November 2019).
  3. Aditi Agrawal, Home Ministry gives no information to RTI asking if it bought Pegasus spyware, Medianama (1 November 2019).
  4. Shruti Dhapola, Explained: What is Israeli spyware Pegasus, which carried out surveillance via WhatsApp?, The Indian Express (2 November 2019).
  5. Akshita Saxena, Pegasus Surveillance: All You Want To Know About The Whatsapp Suit In US Against Israeli Spy Firm [Read Complaint], LiveLaw (12 November 2019).

RBI raises concerns over WhatsApp Pay

Adding to the WhatsApp’s woes in India, just after the Israeli spyware Pegasus hacking incident, The RBI has asked the National Payments Corporation of India (NPCI) not to permit WhatsApp to go ahead with the full rollout of its payment service WhatsApp Pay. The central bank has expressed concerns over WhatsApp’s non-compliance with data processing regulations, as current regulations allow for data processing outside India on the condition that it returns to servers located in the country without copies being left on foreign servers.

Further Reading:

  1. Karan Choudhury & Neha Alawadhi, WhatsApp Pay clearance: RBI raises concerns data localisation concerns with NPCI, Business Standard (7 November 2019).
  2. Aditi Agarwal, ‘No payment services on WhatsApp without data localisation’, RBI to SC, Medianama (9 October 2019).
  3. Sujata Sangwan, WhatsApp can’t start payments business in India, YOURSTORY (9 November, 2019).
  4. Yatti Soni, WhatsApp Payments India Launch May Get Delayed Over Data Localisation Concerns, Inc42 (9 October 2019).
  5. Priyanka Pani, Bleak future for messaging app WhatsApp’s payment future in India, IBS Intelligence (9 November 2019).

Kenya passes new Data Protection Law

The Kenyan President, Uhuru Kenyatta recently approved a new data protection law in conformity with the standards set by the European Union. The new bill was legislated after it was found that existing data protection laws were not at par with the growing investments from foreign firms such as Safaricom and Amazon. There was growing concern that tech giants such as Facebook and Google would be able to collect and utilise data across the African subcontinent without any restrictions and consequently violate the privacy of citizens. The new law has specific restrictions on the manner in which personally identifiable data can be handled by the government, companies and individuals, and punishment for violations can to penalties of three million shillings or levying of prison sentences.

Further reading:

  1. Duncan Miriri, Kenya Passes Data Protection Law Crucial for Tech Investments, Reuters (8 November 2019).
  2. Yomi Kazeem, Kenya’s Stepping Up Its Citizens’ Digital Security with a New EU-Inspired Data Protection Law, Quartz Africa (12 November 2019).
  3. Kenn Abuya, The Data Protection Bill 2019 is Now Law. Here is What that Means for Kenyans, Techweez (8 November 2019).
  4. Kenya Adds New Data Regulations to Encourage Foreign Tech Entrants, Pymnts (10 November 2019).

Google gains access to healthcare data of millions through ‘Project Nightingale’

Google has been found to have gained access data to the healthcare data of millions through its partnership with healthcare firm Ascension. The venture, named ‘Project Nightingale’ allows Google to access health records, names and addresses without informing patients, in addition to other sensitive data such as lab results, diagnoses and records of hospitalisation. Neither doctors nor patients need to be told that Google an access the information, though the company has defended itself by stating that the deal amounts to “standard practice”. The firm has also stated that it does not link patient data with its own data repositories, however this has not stopped individuals and rights groups from raising privacy concerns.

Further reading:

  1. Trisha Jalan, Google’s Project Nightingale collects millions of Americans health records, Medianama (12 November 2019).
  2. Ed Pilkington, Google’s secret cache of medical data includes names and full details of millions – whistleblower, The Guardian (12 November 2019).
  3. James Vincent, The problem with Google’s health care ambitions is that no one knows where they end, The Verge (12 November 2019).
  4. Rop Copeland & Sarah E. needlemen, Google’s ‘Project Nightingale’ Triggers Federal Inquiry, Wall Street Journal (12 November 2019).

Law professor files first ever lawsuit against facial recognition in China

Law professor Guo Bing sued the Hangzhou Safari Park after it suddenly made facial recognition registration a mandatory requirement for visitor entrance. The park had previously used fingerprint recognition to allow entry, however it switched to facial recognition as part of the Chinese government’s aggressive rollout of the system meant to boost security and enhance consumer convenience. While it has been speculated that the lawsuit might be dismissed if pursued, it has stirred conversations among citizens over privacy and surveillance issues which it is hoped will result in reform of existing internet laws in the nation.

Further reading:

  1. Xue Yujie, Chinese Professor Files Landmark Suit Against Facial Recognition, Sixth Tone (4 November 2019).
  2. Michael Standaert, China wildlife park sued for forcing visitors to submit to facial recognition scan, The Guardian (4 November 2019).
  3. Kerry Allen, China facial recognition: Law professor sues wildlife park, BBC (8 November 2019).
  4. Rita Liao, China Roundup: facial recognition lawsuit and cashless payments for foreigners, TechCrunch (10 November 2019).

Twitter to ban all political advertising

Twitter has taken the decision to ban all political advertising, in a move that increases pressure on Facebook over its controversial stance to allow politicians to advertise false statements. The policy was announced via CEO Jack Dorsey’s account on Wednesday, and will apply to all ads relating to elections and associated political issues. However, the move may only to prove to have symbolic impact, as political ads on Twitter are just a fraction of those on Facebook in terms of reach and impact.

Further reading:

  1. Julie Wong, Twitter to ban all political advertising, raising pressure on Facebook, The Guardian (30 October 2019).
  2. Makena Kelly, Twitter will ban all political advertising starting in November, The Verge (30 October 2019).
  3. Amol Rajan, Twitter to ban all political advertising, BBC (31 October 2019).
  4. Alex Kantrowitz, Twitter Is Banning Political Ads. But It Will Allow Those That Don’t Mention Candidates Or Bills., BuzzFeed News (11 November 2019).

Read more

Metadata by TLF: Issue 3

Posted on by Tech Law Forum @ NALSAR

Welcome to our fortnightly newsletter, where our editors put together handpicked stories from the world of tech law! You can find other issues here.

Uber likely to start bus service in India

The San-Francisco cab-aggregator giant, Uber is working on to kick-start an AC bus service in India. With the introduction of AC bus service, Uber is trying to inch closer toward its goals of reducing individual car ownership, expanding transportation access and helping governments plan transportation. Pradeep Parameswaran, Uber India and South Asia head said that “we are in the process of building the product and refining that. Some pilots are live in parts of Latin America and the Middle East. So they are the archetype of markets that would look like India”.

Uber bus will allow commuters to use the Uber app and reserve their seat on an air-conditioned bus. Uber will scan other passengers travelling in the same direction as the rider and hence reaching the destination with fewer stops. Through its bus service, Uber is emphasizing on educational campuses and business centers. Earlier Ola, Uber’s direct competitor, had launched similar kind of bus service in limited cities in 2015 but was stopped in 2018. At present, Gurgaon based Shuttl provides app based bus service to offices. Uber bus service in India is expected to become a reality in mid-2020.

Further Reading:

  1. Moupiya Dutta, Uber will be starting a bus service in India by 2020, TechGenyz (8 August 2019).
  2. Shreya Ganguly, Uber mulls launching bus service in India, Medianama (9 August 2019).
  3. Tenzim Norzom, Ride-hailing major Uber to soon launch bus service in India, Yourstory (7 August 2019).
  4. Hans News Service, Uber to start bus service in India, The Hans India (8 August 2019).
  5. Priyanka Sahay, India may see Uber buses plying on roads in a year, Moneycontrol (8 August 2019).

WhatsApp Hack Can Alter Messages and Spread Misinformation

The Israeli Research Company, Check Point recently revealed that WhatsApp could be hacked causing serious potential security risks to users at the Annual Black Hat Security Conference on 7thAugust, 2019. According to Roman Zaikin and Oded Vanunu, they were able to change the identity of a sender, alter the text of someone’s reply on a group and even send private messages to another member in the group as a public message, such that the reply is visible to all the participants of a group. They were able to exploit the weaknesses of the application, after they reverse-engineered the source code in 2018 and decrypt its traffic. Since then Check Point has stated that it found three ways to manipulate and alter conversations, all of which are exploited through its quoting feature. The creators did warn WhatsApp in 2018 that the tool could be used by ‘threat actors’ to create and spread misinformation and fake news. Facebook has responded stating that the risk is not serious, and to alter the application would mean having to store data about the sender, leading to lesser privacy for its users.

Further Reading:

  1. Davey Winder, WhatsApp Hack Attack Can Change Your Messages, Forbes (7 August 2019).
  2. ET Bureau, WhatsApp hack attack can change your messages, says Israeli security firm, The Economic Times (7 August 2019).
  3. Shreya Ganguly, Messages and identity on WhatsApp can be manipulated if hacked: Check Point Research, Medianama (9 August 2019).
  4. Mike Moore, Hackers can alter WhatsApp chats to show fake information, Tech Radar (9 August 2019).

Facebook’s new entity Calibra raises attention of privacy commissioners

Several privacy commissioners across the world raised concerns over the privacy policy of Facebook’s new Libra digital currency. The countries which have raised concerns are US, UK, EU, Australia, Canada, Albania and Burkina Faso.

Calibra is the new subsidiary of Facebook and its cryptocurrency is called Libra. Calibra hopes to build a financial service on top of the Libra Blockchain. The privacy concerns raised go beyond the question of financial security and privacy because of the expansive collection of data which Facebook accumulates and has access to. Calibra issued a statement that user information will be shared in only certain circumstances but there is no definite understanding of what such situations are. 

Apart from privacy concerns, the joint statement issued by the countries includes several concerns on whether Facebook should be given the right to get involved in the banking sector. If they did, they should seek a new banking charter and should be regulated by all the banking laws. These were few of the concerns raised by privacy commissioners.

Further Reading:

  1. Soumyarendra Barik, Privacy commissioners from across the world raise concerns over Facebook Libra’s privacy risk, Medianama (6 August 2019).
  2. Nick Statt, Facebook’s Calibra is a secret weapon for monetizing its new cryptocurrency, The Verge (18 June 2019).
  3. Reuters, Facebook’s cryptocurrency project raises privacy concerns, asked to halt programme, tech2 (19 June 2019).
  4. Jon Fingas, US, UK regulators ask Facebook how Libra will protect personal data, engagdet (8 May 2019).
  5. Harper Neidig, Global privacy regulators raise concerns over Libra, The Hill (8 May 2019).

EU General Data Protection Regulation exploited to reveal personal data

University of Oxford researcher James Pavur successfully exposed a design flaw in the GDPR, as a bogus demand for data using the “right to access” feature of the regulation saw about one in four companies reveal significant information about the person regarding whom the request was made. Data provided by the companies contained significant information including credit card information, travel details, account passwords and the target’s social security number, which was used by the researcher as evidence of design flaws in the GDPR. Pavur also found that large tech companies did well when it came to evaluating the requests, whereas mid-sized business didn’t perform as well despite being aware of the coming into force of the data protection regulation.

Further Reading:

  1. Leo Kelion, Black Hat: GDPR privacy law exploited to reveal personal data, BBC (8 August 2019).
  2. Sead Fadilpasic, GDPR requests exploited to leak personal data, IT ProPortal (9 August 2019).
  3. John E Dunn, GDPR privacy can be defeated using right of access requests, Naked Security by SOPHOS (12 August 2019).
  4. Understanding the GDPR’s Right of Access, Siteimprov (14 June 2019).

Apple to suspend human review of Siri requests

Human reviewers will no longer be used to study conversations recorded by Siri, according to a recent announcement by Apple. The move gives users a greater degree of privacy over their communications, and analysis of recordings will be suspended while the “grading” system deployed by the company is reviewed. The system refers to the manner in which contractors grade the accuracy of the digital assistant’s voice recognition system, with the primary task being to determine the phrase that triggered action by i.e. whether the user had actually said, “Hey, Siri” or if it was something else.

Further Reading:

  1. Hannah Denham and Jay Greene, Did you say, ‘Hey, Siri’? Apple and Amazon curtail human review of voice recordings., Washington Post (2 August 2019).
  2. Jason Cross, So Apple’s going to stop listening in on your Siri requests. Now what?, Macworld (2 August 2019).
  3. Rob Marvin, Apple to Halt Human Review of Siri Recordings, PC Mag (2 August 2019).
  4. Kate O’Flaherty, Apple Siri Eavesdropping Puts Millions Of Users At Risk, Forbes (28 July 2019).

Read more