Facial Recognition and Data Protection: A Comparative Analysis of laws in India and the EU (Part I)

Posted on April 3, 2021April 3, 2021 by Tech Law Forum NALSAR

[This two-part post has been authored by Riddhi Bang and Prerna Sengupta, second year students at NALSAR University of Law, Hyderabad. Part II can be found here]

With the wave of machine learning and technological development, a new system that has arrived is the Facial Recognition Technology (FRT). From invention to accessibility, this technology has grown in the past few years. Facial recognition comes under the aegis of biometric data which includes distinctive physical characteristics or personal traits of a person that can be used to verify the individual. FRT primarily works through pattern recognition technology which detects and extracts patterns from data and matches it with patterns stored in a database by creating a biometric ‘template’. This technology is being increasingly deployed, especially by law enforcement agencies and thus raises major privacy concerns. This technology also attracts controversy due to potential data leaks and various inaccuracies. In fact, in 2020, a UK Court of Appeal ruled that facial recognition technology employed by law enforcement agencies, such as the police, was a violation of human rights because there was “too broad a discretion” given to police officers in implementing the technology. It is argued that despite the multifarious purposes that this technology purports to serve, its use must be regulated.

Facial Recognition and Data Protection: A Comparative Analysis of laws in India and the EU (Part II)

Posted on April 2, 2021April 3, 2021 by Tech Law Forum NALSAR

[This two-part post has been authored by Riddhi Bang and Prerna Sengupta, second year students at NALSAR University of Law, Hyderabad. Part I can be found here]

Procuring Data from Private Entities

Metadata by TLF: Issue 6

Posted on October 10, 2019December 20, 2020 by Tech Law Forum @ NALSAR

Welcome to our fortnightly newsletter, where our Editors put together handpicked stories from the world of tech law! You can find other issues here.

Delhi HC orders social media platforms to take down sexual harassment allegations against artist

The Delhi High Court ordered Facebook, Google and Instagram to remove search result, posts and any content containing allegations of sexual harassment against artist Subodh Gupta. These include blocking/removal of social media posts, articles and Google Search result links. The allegations were made about a year ago, by an unknown co-worker of Gupta on an anonymous Instagram account ‘Herdsceneand’. These allegations were also posted on Facebook and circulated by news reporting agencies. An aggrieved Subodh Gupta then filed a civil defamation suit, stating these allegations to be false and malicious. Noting the seriousness of the allegations, the Court passed an ex-parte order asking the Instagram account holder, Instagram, Facebook and Google to take down this content. The Court has now directed Facebook to produce the identity of the person behind the account ‘Herdsceneand’ in a sealed cover.

Further Reading:

Trisha Jalan, Right to be Forgotten: Delhi HC orders Google, Facebook to remove sexual harassment allegations against Subodh Gupta from search results, Medianama (1 October 2019).
Akshita Saxen, Delhi HC Orders Facebook, Google To Take Down Posts Alleging Sexual Harassment by Artist Subodh Gupta [Read Order], LiveLaw.in (30 September 2019).
Aditi Singh, Delhi HC now directs Facebook to reveal identity of person behind anonymous sexual harassment allegations against Subodh Gupta, Bar & Bench (10 October 2019).
The Wire Staff, Subodh Gupta Files Rs. 5-Crore Defamation Suit Against Anonymous Instagram Account, The Wire (1 October 2019)
Dhananjay Mahapatra, ‘MeToo’ can’t become a ‘sullying you too’ campaign: Delhi HC, Times of India (17 May 2019).
Devika Agarwal, What Does ‘Right to be Forgotten’ Mean in the Context of the #MeToo Campaign, Firstpost (19 June 2019).

Petition filed in Kerala High Court seeking a ban on ‘Telegram’

A student from National Law School of India, Bengaluru filed a petition in the Kerala high court seeking a ban on the mobile application – Telegram. The reason cited for this petition is that the app has no checks and balances in place. There is no government regulation, no office in place and the lack of encryption keys ensures that the person sending the message can not be traced back. It was only in June this year that telegram refused to hand over the chat details of the ISIS module to the National Investigation Agency. As compared to apps such as Watsapp, Telegram has a greater degree of secrecy. One of the features Telegram boasts of is the ‘secret chat’ version which notifies users if someone has taken a screenshot, disables the user from forwarding of messages etc. Further, there are fewer limits on the number of people who can join a channel and this makes moderation on the dissemination of information even more difficult. It is for this reason that telegram is dubbed as the ‘app of choice’ for many terrorists. It is also claimed that the app is used for transmitting vulgar and obscene content including child pornography. Several countries such as Russia and Indonesia have banned this app due to safety concerns.

Further Reading:

Soumya Tiwari, Petition in Kerala High Court seeks ban on Telegram, cites terrorism and child porn, Medianama (7 October 2019).
Brenna Smith, Why India Should Worry About the Telegram App, Human Rights Centre (17 February 2019).
Benjamin M., Why Are So Many Countries Banning Telegram?, Dogtown Media (11 May 2019).
Vlad Savov, Russia’s Telegram ban is a big convoluted mess, The Verge (17 April 2018).
Megha Mandavia, Kerala High Court seeks Centre’s views on plea to ban Telegram app, The Economic Times (4 October 2019).
Livelaw News Network, Telegram Promotes Child Pornography, Terrorism’ : Plea In Kerala HC Seeks Ban On Messaging App, Livelaw.in (2 October 2019).

ECJ rules that Facebook can be ordered to take down content globally

In a significant ruling, the European Court of Justice ruled that Facebook can be ordered to take down posts globally, and not just in the country that makes the request. It extends the reach of the EU’s internet-related laws beyond its own borders, and the decision cannot be appealed further. The ruling stemmed from a case involving defamatory comments posted on the platform about an Austrian politician, following which she demanded that Facebook erase the original comments worldwide and not just from the Austrian version worldwide. The decision raises the question of jurisdiction of EU laws, especially at a time when countries are outside the bloc are passing their own laws regulating the matter.

Further Reading:

Adam Satariano, Facebook Can Be Forced to Delete Content Worldwide, E.U.’s Top Court Rules, The New York Times (3 October 2019).
Chris Fox, Facebook can be ordered to remove posts worldwide, BBC News (3 October 2019).
Makena Kelly, Facebook can be forced to remove content internationally, top EU court rules, The Verge (3 October 2019).
Facebook must delete defamatory content worldwide if asked, DW (3 October 2019).

USA and Japan sign Digital Trade Agreement

The Digital Trade Agreement was signed by USA and Japan on October 7, 2019. The Agreement is an articulation of both the nations’ stance against data localization. The trade agreement cemented a cross-border data flow. Additionally, it allowed for open access to government data through Article 20. Articles 12 and 13 ensures no restrictions of electronic data across borders. Further, Article 7 ensures that there are no customs on digital products which are electronically transmitted. Neither country’s parties can be forced to share the source code while sharing the software during sale, distribution, etc. The first formal articulation of the free flow of digital information was seen in the Data Free Flow with Trust (DFFT), which was a key feature of the Osaka Declaration on Digital Economy. The agreement is in furtherance of the Trump administration’s to cement America’s standing as being tech-friendly, at a time when most other countries are introducing reforms to curb the practices of internet giants like Google and Facebook, and protect the rights of the consumers. American rules, such as Section 230 of the Communications Decency Act shields companies from any lawsuits related to content moderation. America, presently appears to hope that their permissive and liberal laws will become the framework for international laws.

Further Reading:

Aditi Agarwal, USA, Japan sign Digital Trade Agreement, stand against data localisation, Medianama (9 October 2019).
U.S.-Japan Digital Trade Agreement Text, Office of the United States Trade Representative (7 October 2019).
Paul Wiseman, US signs limited deal with Japan on ag, digital trade,Washington Post (8 October 2019).
FACT SHEET U.S.-Japan Digital Trade Agreement, Office of the United States Trade Representative (7 October 2019).
David McCabe and Ana Swanson, U.S. Using Trade Deals to Shield Tech Giants From Foreign Regulators, The New York Times (7 October 2019).

Automated Facial Recognition System and The Right To Privacy: A Potential Mismatch

Posted on August 3, 2019August 4, 2019 by Tech Law Forum @ NALSAR

This post has been authored by Ritwik Sharma, a graduate of Amity Law School, Delhi and a practicing Advocate. In a quick read, he brings out the threat to privacy posed by the proposed Automated Facial Recognition System.

On 28th June 2019, the National Crime Records Bureau (NCRB) released a Request for Proposal for an Automated Facial Recognition System (AFRS) which is to be used by the police officers in detecting potential criminals and suspects across the country.

The AFRS has potential use in areas like modernising the police force, information gathering, and identification of criminals, suspects, missing persons and personal verification.

In 2018, the Ministry of Civil Aviation launched a facial recognition system to be used for airport entry called “DigiYatra”. The AFRS system is built on similar lines but has a much wider coverage and different purpose. States in India have taken steps to introduce Facial Recognition Systems to detect potential criminals, with Telangana launching its system in August 2018.

What is Automated Facial Recognition System and how does it work?

The Automated Facial Recognition System (AFRS) will be a mobile and web application which will be hosted and managed by the National Crime Records Bureau (NCRB) data centre but will be used by all police stations across the country.

The AFRS works by comparing the image of an unidentified person captured through CCTV footage to the image which has been kept at the data centre of the NCRB. This will allow the data centre to match the images and detect potential criminals and suspects.

The system has the potential to match facial images with changes in facial expressions, angle, lightening, direction, beard, hairstyle, glasses, scars, tattoos and marks.

The NCRB has proposed to integrate AFRS with multiple existing databases: these include the Crime and Criminal Tracking Network & Systems (CCTNS) which was introduced post Mumbai attacks in 2009 as a nationwide integrated database to criminal incidents by connecting FIR registrations, investigations and chargesheets of police stations and higher offices, the Integrated Criminal Justice System (ICJS) which is a computer network which enables judicial practitioners and agencies to electronically access and share information and Khoya Paya Portal which is a portal used to detect missing children.

State Surveillance vs. Right to Privacy

In September 2017, the Supreme Court in the historic judgment of K.S. Puttaswamy vs. Union of India declared the right to privacy as a fundamental right under Article 21 of the Indian Constitution. The Supreme Court asserted that the government must cautiously balance individual privacy and the legitimate concerns of the state, even if national security is at stake. The Court also asserted that any invasion of privacy must satisfy the triple test i.e. need (legitimate state concern), proportionality (least invasive manner) and legality (backed by law) to ensure that a fair and reasonable procedure is undertaken without any selective targeting and profiling.

Privacy infringement without legal sanction and through executive action would be violative of the fundamental right to privacy and would disregard the Supreme Court directive. Cyber experts are of the view that such a system could be used as a tool of government abuse and risk the privacy of the citizens and since the country lacks a data protection law, the citizens would become vulnerable to privacy abuse.

Moreover, investigating agencies in the United States like the FBI operate probably the largest facial recognition system in the world. Cyber experts and international institutions have criticised the Chinese government for using surveillance system and facial recognition to keep an eye on the Uighur community in China. However, there have been claims that this system has an accuracy of hardly 2%, which makes it unreliable and cities like London are facing calls to discontinue this system to safeguard the privacy of its citizens.

Finally, such a tracking system impinges upon human dignity by treating every person as a potential criminal or suspect. There are no clear guidelines as to where such cameras are to be placed. The cameras will put every individual under surveillance and even the innocent ones would be tracked. Such surveillance would create fear amongst the citizens which has long term implications.

Conclusion

A rise in the crime rate poses a daunting challenge in front of the investigating agencies and robust measures must be undertaken to counter it. However, such measures should be ably backed by law and should not impinge upon the dignity and the right to privacy of the citizens.

The Data Protection Law drafted by the Justice Srikrishna Committee should be enacted by the Parliament to give legal sanction to such surveillance. Furthermore, the AFRS should be used cautiously to prevent any violation of the fundamental right to privacy.

AFRS system has the potential to bring a paradigm shift in the criminal justice system if its use is well-intentioned and within the democratic framework which ensures right to privacy and limited state surveillance.

Conundrum of Right to Be Forgotten: An Analysis of The Slippery Slope: To Forgive, Forget or Re-Write History

Posted on May 5, 2019May 5, 2019 by Tech Law Forum @ NALSAR

[Ed Note : In a slightly longer read, Pranay Bhattacharya, a second year student of Maharashtra National Law University (MNLU) Aurangabad talks about the origins and development of the “Right to be Forgotten,”, using this as a background to critically analyze this right as present in India’s Draft Personal Data Protection Bill 2018.]

“Blessed are the forgetful, for they get the better even of their blunders.”

Friedrich Nietzsche

Comments on the Srikrishna Committee Report and the Draft Data Protection Bill 2018 – I

Posted on October 14, 2018December 4, 2020 by Tech Law Forum @ NALSAR

[Ed Note : The following series of posts contain comments on the Srikrishna Committee Report and the Draft Data Protection Bill, 2018 made and compiled by students from NALSAR University of Law -Ankush Rai, Ashwin Murthy, Arvind Pennathur, Namratha Murugesan, Priyamvadha Shivaji, Shweta Rao, Sriram Kashyap, Vishal Rakhecha and Tanvi Apte. The comments have been uploaded on the Ministry of Electronics and Information Technology (MeitY) website.

The present post deals with comments made in relation to four issues that arise in relation to the Report and Draft Bill – a) vagueness, b) government interference, c) the data protection authority and d) surveillance.

TechLaw Symposium at NALSAR University of Law, Hyderabad – Press Note

Posted on October 4, 2018December 4, 2020 by Tech Law Forum @ NALSAR

[Ed Note : The following press note has been authored by Shweta Rao and Arvind Pennathur from NALSAR University of Law. Do watch this space for more details on the symposium!]

On the 9^th of September NALSAR University of Law’s Tech Law Forum conducted its first ever symposium with packed panels discussing a variety of issues under the broad theme of the Right to Privacy. This symposium took place against the backdrop of the recent draft Data Protection Bill and Report released by the Srikrishna Committee.

The Right to Be Forgotten – An Explanation

Posted on September 24, 2016 by Balaji Subramanian

Ed. Note.: This post, by Ashwin Murthy, is a part of the NALSAR Tech Law Forum Editorial Test 2016.

The right to be forgotten is the right of an individual to request search engines to take down certain results relating to the individual, such as links to personal information if that information is inadequate, irrelevant or untrue. For example, if a person’s name is searched on Google and certain information appears relating to that person, the person can request Google to remove that information from the search results. This has its largest application in crime and non-consensual pornography (revenge porn or the distribution of sexually explicit material depicting a person without their consent). If X committed a petty crime and a person searching X’s name finds this petty crime, it leads to an obvious negative impact to X, in terms of job prospects as well as general social stigmatisation. X can ask the providers of the search engine to remove this result, claiming his right to be forgotten. The right is not necessarily an absolute right – in its current stage of discussion it merely applies to information that is inadequate, irrelevant or untrue and not any and all information relating to the person. Further there lies a distinction between the right to privacy and the right to be forgotten – the right to privacy is of information not available to the public while the right to be forgotten is removal of information already available publicly.

The Right to Be Forgotten – An Explanation

Posted on September 28, 2014 by Veera Mahuli

(Image Source: https://flic.kr/p/9RovZB)

This is the first in a two-part post on the Right to be Forgotten. This post is part of our 101 series of posts, which seek to explain the issue at hand, and the next post shall address the issue and the debate surrounding it in more detail.

In 2010, a Spanish citizen filed a complaint against a Spanish newspaper, Google Spain and Google Inc. with the national Data Protection Agency. The complaint objected to an auctioned notice of his repossessed home that kept coming up on Google’s search results. The proceedings against the petitioner had been fully resolved and he claimed the reference to the proceedings on Google to be entirely redundant and a violation of his privacy rights. The Spanish court referred the case to the Court of Justice of the European Union.