Welcome to our fortnightly newsletter, where our reporters Kruttika Lokesh and Dhananjay Dhonchak put together handpicked stories from the world of tech law! You can find other issues here.
Aarogya Setu raises serious privacy concerns
TLF is proud to bring you a two-part guest post authored by Ms. Malavika Raghavan, Head, Future of Finance Initiative and Ms. Anubhutie Singh, Policy Analyst, Future of Finance Initiative at Dvara Research. This is the second part of a two-part series that undertakes an analysis of the technical standards and specifications present across publicly available documents on Account Aggregators. Previously, the authors looked at the motivations for building AAs and some consumer protection concerns that emerge in the Indian context.
Account Aggregators (AA) appear to be an exciting new infrastructure for those who want to enable greater data sharing in the Indian financial sector. The key data being shared will be extensive personal information about individuals like us – detailing our most intimate and sensitive financial transactions and potentially non-financial data too. This places individuals at the heart of these technical systems. Should the systems be breached, misused or otherwise exposed to unauthorised access, the immediate casualty will be the privacy of the people whose information is compromised. Of course, this will also have an impact on data quality across the financial sector.
TLF is proud to bring you a two-part guest post authored by Ms. Malavika Raghavan, Head, Future of Finance Initiative and Ms. Anubhutie Singh, Policy Analyst, Future of Finance Initiative at Dvara Research. Following is the first part of a two-part series that undertakes an analysis of the Account Aggregator system. Click here for the second part.
The Reserve Bank of India (RBI) released Master Directions on Non-Banking Financial Companies – Account Aggregators (Master Directions) in September 2016, and licences for India’s first Account Aggregators (AAs) were issued last year. From these guidelines and related documents, we understand that the purpose of Account Aggregator (AA) is to collect and share:
Israel spyware ‘Pegasus’ used to snoop on Indian activists, journalists, lawyers
In a startling revelation, Facebook-owned messaging app WhatsApp revealed that a spyware known as ‘Pegasus’ has been used to target and surveil Indian activists and journalists. The revelation came to light after WhatsApp filed a lawsuit against the Israeli NSO Group, accusing it of using servers located in the US and elsewhere to send malware to approximately 1400 mobile phones and devices. On its part, the NSO Group has consistently claimed that it sells its software only to government agencies, and that it is not used to target particular subjects. The Indian government sought a detailed reply from WhatsApp but has expressed dissatisfaction with the response received, with the Ministry of Electronics and Information Technology stating that the reply has “certain gaps” which need to be further investigated.
RBI raises concerns over WhatsApp Pay
Adding to WhatsApp’s woes in India, just after the Israeli spyware Pegasus hacking incident, the RBI has asked the National Payments Corporation of India (NPCI) not to permit WhatsApp to go ahead with the full rollout of its payment service WhatsApp Pay. The central bank has expressed concerns over WhatsApp’s non-compliance with data processing regulations, as current regulations allow for data processing outside India on the condition that it returns to servers located in the country without copies being left on foreign servers.
Kenya passes new Data Protection Law
The Kenyan President, Uhuru Kenyatta, recently approved a new data protection law in conformity with the standards set by the European Union. The new bill was legislated after it was found that existing data protection laws were not at par with the growing investments from foreign firms such as Safaricom and Amazon. There was growing concern that tech giants such as Facebook and Google would be able to collect and utilise data across the African subcontinent without any restrictions and consequently violate the privacy of citizens. The new law has specific restrictions on the manner in which personally identifiable data can be handled by the government, companies and individuals, and punishment for violations can lead to penalties of three million shillings or the levying of prison sentences.
Google gains access to healthcare data of millions through ‘Project Nightingale’
Google has been found to have gained access to the healthcare data of millions through its partnership with healthcare firm Ascension. The venture, named ‘Project Nightingale’, allows Google to access health records, names and addresses without informing patients, in addition to other sensitive data such as lab results, diagnoses and records of hospitalisation. Neither doctors nor patients need to be told that Google can access the information, though the company has defended itself by stating that the deal amounts to “standard practice”. The firm has also stated that it does not link patient data with its own data repositories; however, this has not stopped individuals and rights groups from raising privacy concerns.
Law professor files first ever lawsuit against facial recognition in China
Law professor Guo Bing sued the Hangzhou Safari Park after it suddenly made facial recognition registration a mandatory requirement for visitor entrance. The park had previously used fingerprint recognition to allow entry, however it switched to facial recognition as part of the Chinese government’s aggressive rollout of the system meant to boost security and enhance consumer convenience. While it has been speculated that the lawsuit might be dismissed if pursued, it has stirred conversations among citizens over privacy and surveillance issues which it is hoped will result in reform of existing internet laws in the nation.
Twitter to ban all political advertising
Twitter has taken the decision to ban all political advertising, in a move that increases pressure on Facebook over its controversial stance to allow politicians to advertise false statements. The policy was announced via CEO Jack Dorsey’s account on Wednesday, and will apply to all ads relating to elections and associated political issues. However, the move may prove to have only symbolic impact, as political ads on Twitter are just a fraction of those on Facebook in terms of reach and impact.
The previous post analysed the laws applicable to e-pharmacies in India. The present post looks at the draft e-pharmacy rules and its implications and suggests ways to ensure the smooth application of the law in India.
On August 28, 2018, the government came out with the Sale of Drugs by E-Pharmacy (Draft Rules) for regulating the sale of drugs through e-pharmacies. These Rules aim to put in place an extensive regulatory regime for e-pharmacies and are important in light of the concerns that e-pharmacies pose. Given below are the salient features of the Rules:
Firstly, it will fill the regulation gap that currently exists and will put into place a robust framework to deal with e-pharmacies. Existing laws are inadequate when it comes to addressing the requirements of e-pharmacies, however, the Rules will resolve the issue and prevent misuse of medicines and data.
Secondly, sales of conventional brick and mortar outlets will be adversely affected due to competitive pricing offered by e-pharmacies. Conventional stores may fail to compete with online pharmacies which provide substantial discounts as a result of which offline stores will suffer due to loss of business.
Thirdly, the question of jurisdictional conflicts remains unaddressed as it remains to be seen which law holds the field in case of legal inconsistencies. Several inconsistencies may be spotted in the Draft Rules which need to be resolved if a solution to this issue is to be found.
Privacy forms an important concern for consumers. There need to be adequate safeguards regarding how the data given by a customer is protected and this warrants heavy regulatory compliances in addition to strict penalties in cases of violations. The recent Aadhaar judgment also brought to light numerous concerns regarding privacy which need to be kept in mind when implementing a regulatory framework for e-pharmacies.
The Draft Rules prescribe that e-pharmacies would keep data confidential and localized, however, state and central governments can secure access to the data for “public health purposes”. No criterion is prescribed for what would constitute such a purpose and the Rules also fail to mention which authority can compel e-pharmacies to share health information. Such ambiguities pose a threat of misuse of data by government.
Further, the Draft Rules come in direct conflict with the draft of the Personal Data Protection Bill, 2018, which allows for the transfer of data outside India where the patient has expressed his/her consent or where the transfer is necessary for prompt action. The conflict between the two needs to be resolved before the Draft Rules can be implemented.
In conclusion, it can be said that the e-pharmacy regime is changing slowly but steadily. The government has taken cognizance of the fact that there are many health concerns surrounding the sale of medicines online and accordingly has formulated a policy which addresses these concerns. India is taking a step forward in terms of drafting a full-fledged policy exclusively for e-pharmacies; this is sure to make the lives of a lot of citizens easier.
There is no doubt that the proposed Rules are progressive in nature. By making regulations that stand in conformity with global best practices the government is providing impetus to the continued growth of the e-pharmacy industry. However, there exist issues that need to be resolved sooner rather than later, such as the tendency of the government to misuse data and the conflicting nature of its provisions with those of the IT Act, 2000.
India has a long way to go in governing e-pharmacies and there are a lot of loopholes that need to be plugged. Currently, there is no law governing the actions of drug companies and as a result they are operating with little regard to the consequences of their actions. There is a need to bring the Rules into force as quickly as possible, and despite the government’s promise to implement them within 100 days of the elections they are yet to act in this matter.
It is hoped that concerns about consumer privacy are addressed in a more stringent manner by the government and that provisions are put in place which ensure that misuse of the data of the customers is strictly prohibited. The government should address loopholes in the policy and examine how they come into conflict with existing rules and amend them to resolve such contentious issues.
The growth of the Internet and rise of companies like Amazon and Flipkart has meant that e-commerce is rapidly gaining traction in India. A notable emergence in this regard has been that of e-pharmacies, which provide hefty discounts and hassle-free deliveries to attract consumers. Their arrival on the scene has been acknowledged by the government, which has tried to bring in a draft policy in order to regulate these entities; however, it is yet to be implemented. The existing laws are inadequate when it comes to dealing with e-pharmacies and there is an urgent need for new legislation governing the issue, which is precisely what the Sale of Drugs by E-Pharmacy (Draft Rules) aim to do.
The present post aims to analyse the laws currently applicable to e-pharmacies in India, and Part II will look at the consequences of implementing the proposed policy. The focus is on highlighting the lacunae in existing laws and providing suggestions with a view to implementing a better solution.
India does not have a special law dedicated to governing e-pharmacies. Most of the laws which are applicable to e-pharmacies were made at a time when computers did not exist and consequently, they are incapable of addressing the issues faced by e-pharmacies.
The Drugs and Cosmetics Act, 1940 and the Drugs and Cosmetics Rules, 1945 regulate the sale, distribution and storage of drugs and other pharmaceutical products in India. According to the law pharmacies need to necessarily comply with two conditions: first, they need to acquire a license from the state food and drugs authority, and secondly, specified medicines can only be sold on the basis of a prescription provided by a medical practitioner. Recently, a notification passed by the Office of Drugs Controller General clarified that the present law did not distinguish between online and offline pharmacies; which implies that the present Act would govern e-pharmacies as well.
The Information Technology Act, 2000, does not contain specific references to e-pharmacies. In general, any transaction happening on the internet falls within the ambit of the Act and as a result e-pharmacies will be governed by its provisions.
Firstly, the current laws are inadequate when it comes to governing the functioning of e-pharmacies. For instance, the Drugs and Cosmetics Act and Rules mandate that a physical pharmacy have proper storage facilities for the medicines with special requirements pertaining to hygiene etc. However, in the case of e-pharmacies it becomes very difficult to assess where the medicines are stored or obtained from, which increases the possibility of the medicine being below the required quality.
Secondly, the possibility of repeated use of prescriptions gives rise to the risk of drug misuse and addiction. There is a need to regulate the manner in which e-pharmacies sell these drugs as restrictions applicable to conventional drug stores cannot be applied in the case of e-pharmacies.
Thirdly, there exist pertinent concerns regarding the privacy of online customers and the confidentiality of their data which need to be addressed. This aspect is not governed by any law and storage of customers’ data by e-pharmacies could prove to be problematic in the long run.
Fourthly, accountability of e-pharmacies is an increasing concern as some pharmacies claim that by virtue of their position as “intermediaries” they should not be held accountable for any problems that may arise in the future. Intermediaries are governed by the IT Act and Section 2(w) classifies online market places like Amazon and Flipkart as intermediaries. Section 79 provides them with immunity from liability for third party information provided they conform to the requirements of Section 79(2). Rule 3 of the Information Technology (Intermediaries Guidelines) Rules 2011 makes intermediaries responsible for informing the users about its policies and provides for a redressal mechanism. However, it fails to impose a high enough burden on information uploaded to the portal, as a result of which serious liability cannot be imposed on e-pharmacies.
The picture that emerges is that of inadequate laws governing the functioning of e-pharmacies, with the varied approaches taken by courts posing another problem. The Madras High Court had earlier imposed an interim ban on e-pharmacies, which was later reversed by a division bench order. Similarly, the Delhi High Court had also banned e-pharmacies; however, this was overturned by the government’s legislation, which was upheld in a later order.
It was to deal with the confusion existing over e-pharmacies that the government came up with a draft policy; however, this is yet to be implemented. The next part will analyse the draft rules and highlight some concerns surrounding the legislation and will attempt to show the way forward for the regulation of e-pharmacies in India.
The RBI on 17th September released a discussion paper on comprehensive guidelines for the activities of payment aggregators and payment gateway providers. It was acknowledged that payment aggregators and payment gateways form a crucial link in the flow of transactions and therefore need to be regulated. The RBI has suggested that these entities be governed by the Payment and Settlement Systems Act, 2007 which requires all ‘payment systems’ (as defined in the Act) to be authorised by the RBI. Additionally, different frameworks have been proposed for regulating payment aggregators and payment gateways, and full and direct regulation has been discussed in detail. This would require payment aggregators and gateway services to fully comply with any guidelines issued by the RBI.
Political turmoil and instability in countries is majorly aggravated by the internet and various portals online. In light of this crisis, Twitter has decided to remove more than ten thousand accounts across six countries. These accounts were found to be actively spreading unrest in countries which were already in the grip of political turmoil. Twitter removed more than four thousand accounts in the United Arab Emirates and China, around a thousand in Ecuador, and more than two hundred in Spain.
Twitter has been making an active effort over the past year to identify and remove accounts which were agitating sensitive issues in countries facing crisis. Online portals even have the power to sway the election processes in democratic countries. In order to curb these impending threats, Twitter has been removing certain accounts on its platform. Even though thousands of new accounts are created every day and several people have termed this removal process as arduous and never-ending, these measures have to be taken.
California legislators approved a landmark Bill on 11 September, 2019 that has the potential to disrupt the gig economy. The Bill known as “AB 5” requires companies like Uber and Lyft to treat contract workers as employees, which gives hundreds of thousands of California workers basic labour rights for the first time. Apart from its immediate impact, the move by the California legislature might set off a domino effect in New York, Washington State and Oregon, where stalled moves to reclassify drivers might witness renewed momentum. The move has been criticised by ride-hailing firms Uber and Lyft which built their businesses on inexpensive labour, and the companies have warned that recognizing drivers as employees could destroy their businesses.
Microsoft has stated that most large tech law companies will change the manner in which content is moderated on their social media platforms, irrespective of the US Congress implementing new laws. Their Chief Legal Officer and President, Brad Smith, has indicated that most companies will take initiative, irrespective of U.S. lawmakers. The statement has been made in light of the recent Christchurch shootings which were livestreamed on most social media platforms. Further, major tech companies are responding to the changes in laws around the world. S. 230 of the U.S. Communications Decency Act, 1996 presently protects these companies from being sued on the basis of the content that is uploaded by their users. Microsoft itself has claimed that it has refused the government’s requests for facial recognition software due to the fear that it may be misused. The President of Microsoft has called for other tech companies as well to stop following the “if it’s legal, it’s acceptable” approach, since companies need to start refusing to sell their products to certain clients, irrespective of the legality of the action. However, the ACLU’s senior legislative counsel has accused Microsoft of continuing to sell software that can track faces and fear in real-time, leading to violation of privacy.
[Ed. Note: Since the post was written, the Bill has become law and the amendments have now come into force.]
With the progress in technology and the advent of cab-aggregator platforms such as Ola and Uber in India, an amendment to the Motor Vehicles Act was long due. As a result of the Motor Vehicles (Amendment) Bill, 2019 (“2019 Amendment”) being passed, Ola and Uber will have to comply with the Motor Vehicles Act, 2000. The Bill has amended Section 93 of the Motor Vehicles Act, 2000 (“Principal Act”) by adding the term “aggregator” to the existing terms “agent” and “canvasser” in the section. The term “aggregator” has been defined as “a digital intermediary or marketplace for a passenger to connect with a driver for the purpose of transportation”, to be added under Section 1A of the principal Act. Cab-hailing platforms are now recognized as a marketplace, allowing the Centre and States to regulate and penalize Ola and Uber for non-compliance.
The 2019 Amendments which would be directly applicable to Ola and Uber once it becomes a law are:
Until now, Ola and Uber were not governed directly by any legislation. But the Motor Vehicles (Amendment) Bill, 2019 makes the Information Technology Act, 2000 directly applicable to Ola and Uber through their recognition as digital intermediaries. As a result, Ola and Uber can be penalised for offences such as breach of data privacy under Sections 66E and 72 of the IT Act. Hence, the emphasis is laid on preventing the misuse of personal data of consumers, such as date of birth, debit card details, UPI number and phone number, shared with Ola and Uber in order to use their services. Additionally, under Section 85 of the IT Act, companies who don’t comply with the Act shall be penalised. Further, Ola and Uber will have to compulsorily obtain a license from the State authorities, which will be subject to the guidelines laid down by the Centre. In case of non-compliance, a fine ranging from Rs. 25,000 to Rs. 1,00,000 can be levied against aggregators, according to the new Section 193(2) inserted by the Amendment.
The principal Act also empowers the State authorities to attach conditions in the form of guidelines, for obtaining a license that can differ between states, customizable to the local needs. In case of a conflict between central guidelines and the state rules, central guidelines will prevail as the principal Act falls under the concurrent list in the 7th Schedule of the Constitution.
Ola and Uber will have to comply with the directions issued by the Centre such as “the promotion of effective competition, passenger convenience and safety, competitive fares and prevention of overcrowding” under Section 96(2) Clause (xxxiib) of the Motor Vehicles Act, 2000. Until now, Ola and Uber independently decided the number of passengers a car could accommodate, according to their pricing and categories such as micro, mini, Ola share (Ola) and pool, Uber-go and premium (Uber). But now, as Ola and Uber have to comply with the principal Act, the number of people a cab can accommodate, as well as the differential pricing by Ola and Uber, might be liable to change due to the compulsory competitive pricing clause, which in turn would affect the revenue of Ola and Uber.
The 2019 Amendment envisages a uniform license rule by making obtaining of license by Ola and Uber a strict norm with hefty fines and makes state authorities responsible for their implementation. Prior to the 2019 Amendment, the surcharge fees and the limit of the number of passengers that a car can accommodate were decided by Ola and Uber. Now, Section 96 of the principal Act, which emphasizes fair pricing and passenger convenience, will bind these cab-aggregator services.
The 2019 Amendment Act also brings in stricter penalties for using hand-held devices. Section 184 of the principal Act penalized the driver for driving dangerously but failed to define acts that constitute dangerous. With the insertion of an explanation clause in Section 184 by S.67(iv) of the 2019 Amendment, drivers can be charged for using mobiles and tablets with a fine ranging from Rs. 1000 to Rs. 5000, instead of the previous fine of Rs. 1000.
Ola and Uber operate through digital platforms, and their business model is heavily dependent upon the use of mobile phones and GPS technology for navigation and for booking and accepting rides. Therefore, the applicability of a strict penal provision for the use of mobile phones may be harmful to their business model. With the increase in the penalty for using a mobile phone while driving and the necessity for Ola and Uber drivers to use mobile phones as a part of their job, there is a degree of uncertainty as to the extent to which usage of technology is acceptable.