A student-run group at NALSAR University of Law
This is the second part of a 2-part post authored by Anubhuti Garg, 4th year, and Gourav Kathuria, 2nd year, of NALSAR University of Law. Part I can be found here.
The previous post analysed the laws applicable to e-pharmacies in India. The present post looks at the draft e-pharmacy rules and its implications and suggests ways to ensure the smooth application of the law in India.
This is the first part of a 2-part post authored by Anubhuti Garg, 4th year, and Gourav Kathuria, 2nd year, of NALSAR University of Law. Part II can be found here.
The growth of the Internet and rise of companies like Amazon and Flipkart has meant that e-commerce is rapidly gaining traction in India. A notable emergence in this regard has been that of e-pharmacies, which provide heft discounts and hassle-free deliveries to attract consumers. Their arrival on the scene has been acknowledged by the government which has tried to bring in a draft policy in order to regulate these entities, however it is yet to be implemented. The existing laws are inadequate when it comes to dealing with e-pharmacies and there is an urgent need for new legislation governing the issue which is precisely what the Sale of Drugs by E-Pharmacy (Draft Rules) aim to do.
Welcome to our fortnightly newsletter, where our Editors put together handpicked stories from the world of tech law! You can find other issues here.
The RBI on 17th September released a discussion paper on comprehensive guidelines for the activities of payment aggregators and payment gateway providers. It was acknowledged that payment aggregators and payment gateways form a crucial link in the flow of transactions and therefore need to be regulated. The RBI has suggested that these entities be governed by the Payment and Settlement Systems Act, 2007 which requires all ‘payment systems’ (as defined in the Act) to be authorised by the RBI. Additionally, different frameworks have been proposed for regulating payment aggregators and payment gateways, and full and direct regulation has been discussed in detail. This would entail payment aggregators and gateway services to fully comply with any guidelines issued by the RBI.
This quick read has been authored by Shauree Gaikwad, a 3rd year student at Maharashtra National Law University (MNLU), Aurangabad.
[Ed. Note: Since the post was written, the Bill has become law and the amendments have now come into force.]
This is the second part of a two-part post by Benjamin Vanlalvena, a final year law student at NALSAR University of Law. In this post, he critiques a recent judgement by the Supreme Court which allowed Magistrates to direct an accused to give voice samples during investigation, without his consent. Part 1 can be found here.
In the previous part, I dealt with the certain privacy concerns that may arise with respect to voice sampling and how various jurisdictions have approached the same. In this part, I will be critiquing the manner in which the Supreme Court in Ritesh Sinha has imparted legislative power onto itself, is by the terming the absence of legislative authorization for voice sampling of accused persons as a procedural anomaly, and extending its power in filling such assumed voids by invoking not only the principle of ejusdem generis, but also citing the “principle of imminent necessity”.
Welcome to our fortnightly newsletter, where our Editors put together handpicked stories from the world of tech law! You can find other issues here.
In 2018, Anthony Clement Rubin and Janani Krishnamurthy filed PILs before the Madras High Court, seeking a writ of Mandamus to “declare the linking of Aadhaar of any one of the Government authorized identity proof as mandatory for the purpose of authentication while obtaining any email or user account.” The main concern of the petitioners was traceability of social media users, which would be facilitated by linking their social media accounts with a government identity proof; this in turn could help combat cybercrime. The case was heard by a division bench of the Madras HC, and the scope was expanded to include curbing of cybercrime with the help of online intermediaries. In June 2019, the Internet Freedom Foundation became an intervener in the case to provide expertise in the areas of technology, policy, law and privacy. Notably, Madras HC dismissed the prayer asking for linkage of social media and Aadhaar, stating that it violated the SC judgement on Aadhaar which held that Aadhaar is to be used only for social welfare schemes.
This post has been authored by Vishal Rakhecha, currently in his 4th year at NALSAR University of Law, Hyderabad, and serves as an introduction for TLF’s upcoming blog series on Account Aggregators.
A few days back, Nandan Nilekani unveiled an ‘industry-body’ for Account Aggregators (AAs), by the name of ‘Sahamati.’ He claimed that AAs would revolutionise the field of fintech, and would give users more control over their financial data, while also making the transfer of financial information (FI) a seamless process. But what exactly are AAs, and how do they make transfer of FI seamless?
The San-Francisco cab-aggregator giant, Uber is working on to kick-start an AC bus service in India. With the introduction of AC bus service, Uber is trying to inch closer toward its goals of reducing individual car ownership, expanding transportation access and helping governments plan transportation. Pradeep Parameswaran, Uber India and South Asia head said that “we are in the process of building the product and refining that. Some pilots are live in parts of Latin America and the Middle East. So they are the archetype of markets that would look like India”.
Uber bus will allow commuters to use the Uber app and reserve their seat on an air-conditioned bus. Uber will scan other passengers travelling in the same direction as the rider and hence reaching the destination with fewer stops. Through its bus service, Uber is emphasizing on educational campuses and business centers. Earlier Ola, Uber’s direct competitor, had launched similar kind of bus service in limited cities in 2015 but was stopped in 2018. At present, Gurgaon based Shuttl provides app based bus service to offices. Uber bus service in India is expected to become a reality in mid-2020.
Further Reading:
The Israeli Research Company, Check Point recently revealed that WhatsApp could be hacked causing serious potential security risks to users at the Annual Black Hat Security Conference on 7thAugust, 2019. According to Roman Zaikin and Oded Vanunu, they were able to change the identity of a sender, alter the text of someone’s reply on a group and even send private messages to another member in the group as a public message, such that the reply is visible to all the participants of a group. They were able to exploit the weaknesses of the application, after they reverse-engineered the source code in 2018 and decrypt its traffic. Since then Check Point has stated that it found three ways to manipulate and alter conversations, all of which are exploited through its quoting feature. The creators did warn WhatsApp in 2018 that the tool could be used by ‘threat actors’ to create and spread misinformation and fake news. Facebook has responded stating that the risk is not serious, and to alter the application would mean having to store data about the sender, leading to lesser privacy for its users.
Further Reading:
Several privacy commissioners across the world raised concerns over the privacy policy of Facebook’s new Libra digital currency. The countries which have raised concerns are US, UK, EU, Australia, Canada, Albania and Burkina Faso.
Calibra is the new subsidiary of Facebook and its cryptocurrency is called Libra. Calibra hopes to build a financial service on top of the Libra Blockchain. The privacy concerns raised go beyond the question of financial security and privacy because of the expansive collection of data which Facebook accumulates and has access to. Calibra issued a statement that user information will be shared in only certain circumstances but there is no definite understanding of what such situations are.
Apart from privacy concerns, the joint statement issued by the countries includes several concerns on whether Facebook should be given the right to get involved in the banking sector. If they did, they should seek a new banking charter and should be regulated by all the banking laws. These were few of the concerns raised by privacy commissioners.
Further Reading:
University of Oxford researcher James Pavur successfully exposed a design flaw in the GDPR, as a bogus demand for data using the “right to access” feature of the regulation saw about one in four companies reveal significant information about the person regarding whom the request was made. Data provided by the companies contained significant information including credit card information, travel details, account passwords and the target’s social security number, which was used by the researcher as evidence of design flaws in the GDPR. Pavur also found that large tech companies did well when it came to evaluating the requests, whereas mid-sized business didn’t perform as well despite being aware of the coming into force of the data protection regulation.
Further Reading:
Human reviewers will no longer be used to study conversations recorded by Siri, according to a recent announcement by Apple. The move gives users a greater degree of privacy over their communications, and analysis of recordings will be suspended while the “grading” system deployed by the company is reviewed. The system refers to the manner in which contractors grade the accuracy of the digital assistant’s voice recognition system, with the primary task being to determine the phrase that triggered action by i.e. whether the user had actually said, “Hey, Siri” or if it was something else.
Further Reading:
On 28th June 2019, the National Crime Records Bureau (NCRB) released a Request for Proposal for an Automated Facial Recognition System (AFRS) which is to be used by the police officers in detecting potential criminals and suspects across the country.
The AFRS has potential use in areas like modernising the police force, information gathering, and identification of criminals, suspects, missing persons and personal verification.
In 2018, the Ministry of Civil Aviation launched a facial recognition system to be used for airport entry called “DigiYatra”. The AFRS system is built on similar lines but has a much wider coverage and different purpose. States in India have taken steps to introduce Facial Recognition Systems to detect potential criminals, with Telangana launching its system in August 2018.
The Automated Facial Recognition System (AFRS) will be a mobile and web application which will be hosted and managed by the National Crime Records Bureau (NCRB) data centre but will be used by all police stations across the country.
The AFRS works by comparing the image of an unidentified person captured through CCTV footage to the image which has been kept at the data centre of the NCRB. This will allow the data centre to match the images and detect potential criminals and suspects.
The system has the potential to match facial images with changes in facial expressions, angle, lightening, direction, beard, hairstyle, glasses, scars, tattoos and marks.
The NCRB has proposed to integrate AFRS with multiple existing databases: these include the Crime and Criminal Tracking Network & Systems (CCTNS) which was introduced post Mumbai attacks in 2009 as a nationwide integrated database to criminal incidents by connecting FIR registrations, investigations and chargesheets of police stations and higher offices, the Integrated Criminal Justice System (ICJS) which is a computer network which enables judicial practitioners and agencies to electronically access and share information and Khoya Paya Portal which is a portal used to detect missing children.
In September 2017, the Supreme Court in the historic judgment of K.S. Puttaswamy vs. Union of India declared the right to privacy as a fundamental right under Article 21 of the Indian Constitution. The Supreme Court asserted that the government must cautiously balance individual privacy and the legitimate concerns of the state, even if national security is at stake. The Court also asserted that any invasion of privacy must satisfy the triple test i.e. need (legitimate state concern), proportionality (least invasive manner) and legality (backed by law) to ensure that a fair and reasonable procedure is undertaken without any selective targeting and profiling.
Privacy infringement without legal sanction and through executive action would be violative of the fundamental right to privacy and would disregard the Supreme Court directive. Cyber experts are of the view that such a system could be used as a tool of government abuse and risk the privacy of the citizens and since the country lacks a data protection law, the citizens would become vulnerable to privacy abuse.
Moreover, investigating agencies in the United States like the FBI operate probably the largest facial recognition system in the world. Cyber experts and international institutions have criticised the Chinese government for using surveillance system and facial recognition to keep an eye on the Uighur community in China. However, there have been claims that this system has an accuracy of hardly 2%, which makes it unreliable and cities like London are facing calls to discontinue this system to safeguard the privacy of its citizens.
Finally, such a tracking system impinges upon human dignity by treating every person as a potential criminal or suspect. There are no clear guidelines as to where such cameras are to be placed. The cameras will put every individual under surveillance and even the innocent ones would be tracked. Such surveillance would create fear amongst the citizens which has long term implications.
A rise in the crime rate poses a daunting challenge in front of the investigating agencies and robust measures must be undertaken to counter it. However, such measures should be ably backed by law and should not impinge upon the dignity and the right to privacy of the citizens.
The Data Protection Law drafted by the Justice Srikrishna Committee should be enacted by the Parliament to give legal sanction to such surveillance. Furthermore, the AFRS should be used cautiously to prevent any violation of the fundamental right to privacy.
AFRS system has the potential to bring a paradigm shift in the criminal justice system if its use is well-intentioned and within the democratic framework which ensures right to privacy and limited state surveillance.
Introduction
Recently, in the Indian state of Gujarat, several Police Commissioners have issued orders restricting use of the popular game of Player Unknown’s Battleground (“PUBG”) under Section 144 of Code of Criminal Procedure, 1973 (“Cr.P.C.”). In pursuance of the same, 10 youngsters were reportedly arrested for disregarding these orders under Section 188 of Indian Penal Code, 1860 (“IPC). Subsequently, a PIL was filed in the Gujarat High Court by the Internet Freedom Foundation challenging the ban orders & arrests made by Gujarat Police. However, it was dismissed on the ground that the scope of the said petition does not fall under the ambit of “public interest litigation”.
In contrast, another PIL was filed in Bombay High Court by an 11-year old through his father, praying for initiation of PUBG ban, on the grounds that it promotes immoral conduct such as violence, aggression, gaming addiction, cyber-bullying etc. Following this, a Bench of the court directed the Secretary of IT Ministry to review the game and take actions if any ‘objectionable content’ is found in it. The matter is presently pending before the court.
The questions that arise here whether the orders of the Gujarat Police to ban PUBG are arbitrary or not; and whether the arrests made by the police in this regard are illegal or not. The present post shall first address and answer the above questions. This shall be followed by the analysis on the interplay between the judicial and executive process of banning the game. Subsequently, the post will put forth recommendations based on the overall discussion.
Why the Orders on PUBG Are Arbitrary & Unreasonable?
It is S. 37(3) of Gujarat Police Act, 1951 (“GP Act”) and S. 144 of Cr.P.C. that provides power to the Police to issue orders in urgent cases of nuisance or apprehended danger. The English translation of concerned orders states:
“…it comes to our knowledge that due to games like PUBG GAME/MOMO CHALLENGE violent traits are shown to be increased in youth and children. Due to these games, the education of children and youth are being affected and it affects the behaviour, manners, speech and development…”
A perusal of the order shows that the police had issued it without any substantive evidence to prove PUBG provoking violent traits. In fact, the order was issued based on mere knowledge and perception of threat without adequate evidentiary substantiation. This is in complete violation of the Ramlila Maidan Incident, In Re [(2012) 5 SCC 1] case, where the Supreme Court of India held that Section 144 cannot be invoked in case of mere apprehension, without any material facts to indicate that the apprehension is imminent or genuine.
Secondly, orders can be issued under Section 144 if there exists an urgent situation which could result in grave consequences as held in the case of Madhu Limaye v. SDM Monghyr [(1971) AIR SC 2486]. Certainly, playing PUBG does not constitute any urgent or grave consequences and is merely a game for the purpose of entertainment. Moreover, the allegation on PUBG having violent traits to cause grave consequences, was recently rejected by the Nepal Supreme Court on April’19, who stayed the PUBG ban imposed by Nepal’s government.
Lastly, the Police orders have imposed restriction on the right of free speech & expression under Article 19 of our Constitution by banning PUBG, and has thereby disregarded the ‘test of proportionality’, as applied by A.K.Sikri J. in K.S. Puttaswamy v. Union of India [(2019) 1 SCC 1, p. 132]. As per this test, the state can impinge a right (i) if there exists a law for it; (ii) such that the restriction must have a legitimate state aim; (iii) and should not have any disproportionate impacts on the right’s holder. In relation to (i), it is true that the Cr.P.C. contemplates statutory provisions to restrict such rights. However, in the present case, the Police officials have not properly adhered to it while imposing the ban, as has been discussed above. As for (ii), a ‘legitimate’ aim for the state entails making a lawful approach to maintain players’ health and tranquillity. Apparently, the police’s order does not constitute a legitimate aim as it was based on the rationale of controlling moral panic (and not health), and is bad in law. The aim pf “moral panic” is subjective and discretionary as what is moral for one, may not be moral for other. Moreover, in relation to (iii), the arrests of students made by the virtue of the said orders will have disproportionate impacts on them as they were arrested for merely playing a game. These arrests will in harm the students’ reputation at school, college and office, having a deeply negative impact on them. A proportionate approach would be psychological counselling & social support and not criminal prosecution or imprisonment initiated by the ban. Hence, the orders of the Police Commissioners are arbitrary and unreasonable.
Why the Arrests Made by Police are Illegal?
Statutorily, an arrest can be made under Section 188 of IPC for violating Section 144 of Cr.P.C. A person could be arrested only if he disobeys the order duly promulgated by a public servant, and if such disobedience causes, tends to cause, or risks obstruction, annoyance or injury, to any person lawfully employed. However, a mere disobedience of Section 144, without the aforesaid elements, is not a ground for arrest under Section 188 and the same was observed by the court in the case of Ramlila Maidan. Interestingly, Mumbai police used PUBG to promote helmet necessity for riders by sharing an image of a character of the game wearing helmet on their Twitter handle. Such promotion of game by public servants reflects that even the state’s own machinery does not apprehend any ‘obstruction, annoyance or injury’ being caused by playing PUBG. Certainly, the arrest made are illegal as it was done beyond the scope of the concerned provision.
Moreover, in the case of Gulam Abbas v. State of Uttar Pradesh [AIR 1981 SC 2198], the Supreme Court held that the purpose of Section 144 is to provide adequate, reasonable and temporary remedy to ‘emergency cases’ of nuisance or apprehended danger. Similarly, in Acharya Jagdishwarand Avadhuta v. Police Commissioner, Calcutta [AIR 1984 SC 512], the Supreme Court held that the nature of the order under Section 144, Cr.P.C. is intended to meet ‘emergent’ situation. In the present case, the Police orders gave reasons that the education of children are being affected through PUBG. This effect on their studies does not constitute any ‘emergent’ situation under which there exist any risk of apprehended danger.
Thus, the ban orders as well as the arrests made by the Gujarat Police are unreasonable, arbitrary, illegal and are exercised beyond the permissible limits of the statutory provisions. If at all, a PUBG ban is found to be required, there is a proper procedure that has been statutorily stipulated to initiate it, as has been explained below:
How to Initiate A Ban On PUBG?
The Information & Technology Act, 2000 (“IT Act”) has set out the complete process of blocking Apps or online games under the Procedure and Safeguards for Blocking for Access of Information by Public Rules, 2009 (‘Rules’). Such blocking can be done either by the officers defined under the IT Act [I] or by any order issued by the court of law [II].
I. By the Executive
Rule 4 states that a “Nodal Officer” should be compulsorily be appointed by the organisation (mainly the state-government) to whom a citizen can submit his/her request for blocking any electronic information. After examining the request, the Nodal Officer transfers the application of request to the “Examination Committee” headed by the “Designated Officer”. As per the Rules, the Designated Officer is appointed by the Central government along with other representatives of Ministry of I&B, Law & Justice and Home Affairs, who are not below the rank of a Joint Secretary. This Committee checks whether the application is in accordance with Section 69A of IT Act or not and in turn submits a recommendation to the Secretary, Dept. of IT though the Designated Officer.
The direction of blocking the information is passed after the approval of the recommendation by the Secretary. This direction should also provide the reasons for blocking the game. A Review Committee, set up by the Central government, further validates this direction by setting up meetings after every 2 months and may set aside the blocking orders (if direction is not in conformity with Section 69A of the IT Act), as prescribed under Rule 14.
II. By the Court
The Rule 10 authorizes the court to block any electronic information and bounds the Designated Officer to implement the same as soon as he receives the copy of that order. Section 79(3)(b) of the IT Act holds intermediaries liable for non-compliance of the court’s order. For example, the Court in 2017 took suo moto cognizance to ban the Blue Whale Game and directed the government & intermediaries like Google Play, Apple Store etc to remove the said game from their domains.
Further, as mentioned above, any such ban must be in conformity with Section 69A of the IT Act, which provides a list of grounds based on which any electronic information may be blocked. This list includes reasons such as security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence. The potentially suitable ground in the PUBG case, namely ‘preventing incitement to the commission of any cognizable offence’ has itself been interpreted as cognizable offence by the Indian courts. Therefore, the court can initiate a ban on the PUBG only after it is proved by the authorities that such game contains content which can led to the commission of any cognizable offence. Similarly, the concerned authorities defined under the Rules, 2009 can impose a ban only if they find the working of the App in contradiction to the Section 69A of the IT Act, 2000. Although Bombay High Court has made an effort to adhere to rules set out under IT Act, 2000 by approaching the Secretary of IT Ministry, yet both Gujarat Police and Gujarat HC have miserably failed to acknowledge the banning procedures under IT Act, 2000. Moreover, the Gujarat Police have processed ban which do not met the requirements of Section 69A of IT Act, 2000.
Recommendations
In view of the above discussion and analysis, the author would like to propose following recommendations: