[This piece has been authored by Anushruti Shah, a fourth-year law student at the Hidayatullah National Law University, Raipur]
Introduction
Category: Right to Privacy
Duty of a Data Fiduciary to Report a Breach: Part II
[This post has been authored by Ms. Vasundhara, Managing Partner, Verum Legal and Mr. Mudit Kaushik, Counsel, Zeus IP. Part One can be found here]
International Precedents and Comparison
While every nation in the world strives to ensure the digital security of its citizens, there are very few legislative developments to back up the claim. The General Data Protection Regulations of the European Parliament that became effective from May 2018, is a unique legal framework that enforces a unilateral form of data security laws that all EU members comply with, to ensure the protection of the European market as a whole.
Breaking Encryption and Violating User Privacy: Is there a Way Out?
[This post has been authored by Shamik Datta and Shikhar Sharma, first year students at NALSAR University of Law and National Law School India University respectively.]
How the IT Rules break End-to-End Encryption
End-to-end encryption ensures that intermediaries or third parties don’t have access to the content of the message and identity of the communicating parties. However, Rule 4 (2) of the new Informational Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules 2021 specifies that all ‘significant social media intermediaries’ must enable the traceability of the first originator of a message. The collected information may be used if and when required by a court of competent jurisdiction or competent authority under Section 69A of the Information Technology Act, 2000. The information derived via the breaking of end-to-end encryption may be used to investigate offences abetted or caused by the spread of fake news. This includes open-ended offences like disturbing ‘public order’, which are broad in their scope, and thus, leave a wide scope for their blatant misuse and arbitrary interpretation. The proviso to Rule 4(2) states that intermediaries are not required to reveal the content of the message, or any other related information. However, under Rule 4 of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption) Rules, 2009, the government possesses the power to demand the revelation of the content of electronic messages. The government could, upon identifying the user under the 2021 Rules, ask the intermediary to decrypt the content of other messages of the same user under the 2009 IT Rules citing “public order” (for example, citing the history of the user as a fake news spreader). This would render the proviso to Rule 4(2) of the 2021 Rules meaningless. Therefore, when the information about the first originator is gathered via enabling traceability and powers to disclose the content of the message is exercised, it leads to a break in end-to-end encryption. This destroys the very purpose of the cryptographic keys and encryption protocols developed over the years to encode the messages and safeguard the identity of their sender.
Facial Recognition and Data Protection: A Comparative Analysis of laws in India and the EU (Part I)
[This two-part post has been authored by Riddhi Bang and Prerna Sengupta, second year students at NALSAR University of Law, Hyderabad. Part II can be found here]
With the wave of machine learning and technological development, a new system that has arrived is the Facial Recognition Technology (FRT). From invention to accessibility, this technology has grown in the past few years. Facial recognition comes under the aegis of biometric data which includes distinctive physical characteristics or personal traits of a person that can be used to verify the individual. FRT primarily works through pattern recognition technology which detects and extracts patterns from data and matches it with patterns stored in a database by creating a biometric ‘template’. This technology is being increasingly deployed, especially by law enforcement agencies and thus raises major privacy concerns. This technology also attracts controversy due to potential data leaks and various inaccuracies. In fact, in 2020, a UK Court of Appeal ruled that facial recognition technology employed by law enforcement agencies, such as the police, was a violation of human rights because there was “too broad a discretion” given to police officers in implementing the technology. It is argued that despite the multifarious purposes that this technology purports to serve, its use must be regulated.
Facial Recognition and Data Protection: A Comparative Analysis of laws in India and the EU (Part II)
A Surveillance Story
[This post has been authored by Ada Shaharbanu and Reuel Davis Wilson.]
Our familiarity with surveillance generally brings to mind the methods adopted in the 20th century. Common among these are the tapping of telephone lines, stakeouts and the interception of postal services. However, it becomes difficult to keep a track of the multiplicity of ways in which surveillance is presently conducted. Advanced technology has barely allowed us to familiarize ourselves with one thing before the next comes along.
Data Protection in EdTech Start-ups: An Analysis
[This post is authored by Oshi Priya, a third-year student at the National Law University of Study and Research in Law, Ranchi.]
Education technology (EdTech) is the means to facilitate e-learning through the combination of software and computer hardware along with educational theory. Though still in its early stages of development, it’s a $700 million industry today in India and is headed for 8-10 times the growth in the next 5 years. Some of the popular EdTech companies in India include Unacademy, BYJU’S, and Toppr, etc.
Metadata by TLF: Issue 15
Welcome to our fortnightly newsletter, where our reporters Kruttika Lokesh and Dhananjay Dhonchak put together handpicked stories from the world of tech law! You can find other issues here.
PIL filed seeking identities of content moderation officers
Former RSS ideologue K N Govindacharya filed a public-interest litigation in the High Court of Delhi to prompt Google, Twitter and Facebook to disclose identities of designated content moderation officers on the basis of the Information Technology Rules. In response, Google submitted that the officers worked with government authorities to remove illegal content. Govindacharya claimed that without disclosure of the officers’ identities, no mechanisms to enforce obligations could not be adequately instituted. However, Google responded by stating that revealing the identities of officers would jeopardize their capacity to work efficiently with the government, as they would be exposed to public scrutiny and criticism.
The Conundrum of Compelled Decryption Vis-À-Vis Self-Incrimination
[This post has been authored by Shivang Tandon, a fourth year student at Faculty of Law, Banaras Hindu University.]
The ‘self-incrimination’ doctrine is an indispensable part of the criminal law jurisprudence of a civilized nation. Article 20(3) of the Indian Constitution and the Fifth Amendment of the Constitution of the United States provide protection against self-incrimination.
How Facial Recognition Systems Threaten the Right to Privacy
[This post has been authored by Prajakta Pradhan, a 1st year student at Dr. Ram Manhar Lohiya National Law University (RMLNLU), Lucknow.]
Facial recognition involves the use of face mapping techniques to identify an individual’s facial features and compares it with available databanks. The facial recognition market is expected to grow to $7.7 billion in 2022 from $4 billion in 2017. The reason for this stellar growth is the varied application of facial recognition technology in both private and public sectors, with governments of many countries using facial recognition for law enforcement and surveillance.