How Facial Recognition Systems Threaten the Right to Privacy

Posted on June 27, 2020November 1, 2020 by Tech Law Forum @ NALSAR

[This post has been authored by Prajakta Pradhan, a 1st year student at Dr. Ram Manhar Lohiya National Law University (RMLNLU), Lucknow.]

Facial recognition involves the use of face mapping techniques to identify an individual’s facial features and compares it with available databanks. The facial recognition market is expected to grow to $7.7 billion in 2022 from $4 billion in 2017. The reason for this stellar growth is the varied application of facial recognition technology in both private and public sectors, with governments of many countries using facial recognition for law enforcement and surveillance.

Abrogating Self-Regulation of E-Commerce Marketplaces: An Analysis of CCI’s Market Study

Posted on June 17, 2020November 1, 2020 by Tech Law Forum @ NALSAR

[This post has been authored by Urmil Shah and Vishwa Mukhtyar, 3rd year students at Auro University, Surat.]

With the growth in economic activities in digital space, the e-commerce industry has gained traction in the last decade and revenue from the sector is expected to shoot USD 120 billion by 2020. Realizing the anti-competitive concerns arising out of the inventory model of e-commerce, whereby the platforms can hold inventory and sell directly to consumers, the DPIIT has disallowed FDI and permitted 100% FDI under automatic route for marketplace model. The Indian anti-trust regulator CCI, in January 2020, released a detailed report on understanding the modus operandi of e-commerce operations in India and the anti-trust ramifications in the market. The focus of the study was on e-commerce marketplace platforms in sector of goods food delivery and accommodation service. Certain competition issues are akin to this sector, which creates a novel groundwork for regulatory supervision for competition authorities includes:

Examining Artificial Intelligence and Privacy in the light of COVID-19

Posted on May 13, 2020November 1, 2020 by Tech Law Forum @ NALSAR

[This post has been authored by Suvam Kumar, a 3rd year student at National Law University, Jodhpur.]

The COVID-19 pandemic has exposed the frailty of mankind’s societies and systems. In spite of tremendous progress made by humans in several fields of life, we are rendered helpless by the rapid and uncontrolled spread of the coronavirus. In these crucial times, the role of Artificial intelligence (“AI”) becomes very important and countries like China, USA, Canada, Australia, and India have leaned on AI to fight the pandemic. The use of AI has also been approved by the World Economic Forum (“WEF”) which has emphasized the role of AI as a panacea to fight this pandemic. However, the widespread use of AI is not without its own challenges and risks. There are serious concerns regarding the application of AI in the health sector especially during a pandemic like COVID-19; however, they can be mitigated by utilizing a legal regime that regulating AI effectively and conscientiously.

Welcoming The Era of Technology Friendly Laws in India

Posted on January 2, 2020November 1, 2020 by Tech Law Forum @ NALSAR

This brief introduction to regulation of autonomous vehicles has been authored by Khushi Sharma and Aarushi Kapoor, second year students of Hidayatullah National Law University (HNLU), Raipur. [Ed. Note: This article was written before the 2019 Personal Data Protection Bill had been made public. Click here for the new Bill.]

India being the 7^th largest manufacturer of commercial vehicles in the year 2017-18, coupled with its automobile sector which is the 4^th largest in the world, are key factors driving India’s economic growth. Technological advancement is both a cause and effect of this growth. Innovative minds rule India and the world today to such an unimaginable extent that the very idea of acar running by itself with onejust sitting back and relaxing, now seems a reality. The debut of driverless vehicles in India was at Defexpo 2016 in New Delhi where Novus Drive, a driverless shuttle was introduced. However, a recurring question is ‘Are we really ready yet?’

E-Pharmacy and Tech Law: An Interface (Part II)

Posted on October 2, 2019 by Tech Law Forum NALSAR

This is the second part of a 2-part post authored by Anubhuti Garg, 4th year, and Gourav Kathuria, 2nd year, of NALSAR University of Law. Part I can be found here.

The previous post analysed the laws applicable to e-pharmacies in India. The present post looks at the draft e-pharmacy rules and its implications and suggests ways to ensure the smooth application of the law in India.

Draft E-Pharmacy Rules

On August 28, 2018, the government came out with the Sale of Drugs by E-Pharmacy (Draft Rules) for regulating the sale of drugs through e-pharmacies. These Rules aim to put in place an extensive regulatory regime for e-pharmacies and are important in light of the concerns that e-pharmacies pose. Given below are the salient features of the Rules:

According to the Rules the definition of e-pharmacy includes within its ambit sales made through websites as well as through mobile phone apps termed ‘e-pharmacy portals’.
Mandatory registration is prescribed for all e-pharmacies and sales have to be routed through specified portals. A registration application must be reviewed within 30 days.
Mandatory uploading of prescription by the customer is recommended which must specify the prescribed drugs and quantity thereof. This does not apply to over-the-counter drugs.
All generated data must be kept confidential and localized.
An e-pharmacy cannot sell drugs covered by the Narcotic Drugs and Psychotropic Substances Act, 1985 or and the restriction extends to those listed under Schedule X of the Drugs and Cosmetics Rules.
An e-pharmacy has to comply with the provisions of the Information Technology Act, 2000 and the associated Rules.

Implications of the Policy

Firstly, it will fill the regulation gap that currently exists and will put into place a robust framework to deal with e-pharmacies. Existing laws are inadequate when it comes to addressing the requirements of e-pharmacies, however, the Rules will resolve the issue and prevent misuse of medicines and data.

Secondly, sales of conventional brick and mortar outlets will be adversely affected due to competitive pricing offered by e-pharmacies. Conventional stores may fail to compete with online pharmacies which provide substantial discounts as a result of which offline stores will suffer due to loss of business.

Thirdly, the question of jurisdictional conflicts remains unaddressed as it remains to be seen which law holds the field in case of legal inconsistencies. Several inconsistencies may be spotted in the Draft Rules which need to be resolved if a solution to this issue is to be found.

Impact on the Right to Privacy

Privacy forms an important concern for consumers. There need to be adequate safeguards regarding how the data given by a customer is protected and this warrants heavy regulatory compliances in addition to strict penalties in cases of violations. The recent Aadhar judgment also brought to light numerous concerns regarding privacy which need to be kept in mind when implementing a regulatory framework for e-pharmacies.

The Draft Rules prescribe that e-pharmacies would keep data confidential and localized, however, state and central governments can secure access to the data for “public health purposes”. No criterion is prescribed for what would constitute such a purpose and the Rules also fail to mention which authority can compel e-pharmacies to share health information. Such ambiguities pose a threat of misuse of data by government.

Further, the Draft Rules come in direct conflict with the draft of the Personal Data Protection Bill, 2018, which allows for the transfer of data outside India where the patient has expressed his/her consent or where the transfer is necessary for prompt action. The conflict between the two needs to be resolved before the Draft Rules can be implemented.

Conclusion

In conclusion, it can be said that the e-pharmacy regime is changing slowly but steadily. The government has taken cognizance of the fact that there are many health concerns surrounding the sale of medicines online and accordingly has formulated a policy which address these concerns. India is taking a step forward in terms of drafting a full-fledged policy exclusively for e-pharmacies; this is sure to make the lives of a lot of citizens easier.

There is no doubt that the proposed Rules are progressive in nature. By making regulations that stand in conformity with global best practices the government is providing impetus to the continued growth of the e-pharmacy industry. However, there exist issues that need to be resolved sooner rather than later, such as the tendency of the government to misuse data and the conflicting nature of its provisions with those of the IT Act, 2000.

India has a long way to go in governing e-pharmacies and there are a lot of loopholes that need to be plugged. Currently, there is no law governing the actions of drug companies and as a result they are operating with little regard to the consequences of their actions. There is a need to bring the Rules into force as quickly as possible, and despite the government’s promise to implement them within 100 days of the elections they are yet to act in this matter.

It is hoped that concerns about consumer privacy are addressed in a more stringent manner by the government and that provisions are put in place which ensure that misuse of the data of the customers is strictly prohibited. The government should address loopholes in the policy and examine how they come into conflict with existing rules and amend them to resolve such contentious issues.

Explainer on Account Aggregators

Posted on August 15, 2019December 4, 2020 by Tech Law Forum @ NALSAR

This post has been authored by Vishal Rakhecha, currently in his 4th year at NALSAR University of Law, Hyderabad, and serves as an introduction for TLF’s upcoming blog series on Account Aggregators.

A few days back, Nandan Nilekani unveiled an ‘industry-body’ for Account Aggregators (AAs), by the name of ‘Sahamati.’ He claimed that AAs would revolutionise the field of fintech, and would give users more control over their financial data, while also making the transfer of financial information (FI) a seamless process. But what exactly are AAs, and how do they make transfer of FI seamless?

Article 13 of the EU Copyright Directive: A license to gag freedom of expression globally?

Posted on August 9, 2019August 4, 2019 by Tech Law Forum @ NALSAR

The following post has been authored by Bhavik Shukla, a fifth year student at National Law Institute University (NLIU) Bhopal. He is deeply interested in Intellectual Property Rights (IPR) law and Technology law. In this post, he examines the potential chilling effect of the EU Copyright Directive.

Freedom of speech and expression is the bellwether of the European Union (“EU”) Member States; so much so that its censorship will be the death of the most coveted human right. Europe possesses the strongest and the most institutionally developed structure of freedom of expression through the European Convention on Human Rights (“ECHR”). In 1976, the ECHR had observed in Handyside v. United Kingdom that a “democratic society” could not exist without pluralism, tolerance and broadmindedness. However, the recently adopted EU Copyright Directive in the Digital Single Market (“Copyright Directive”) seeks to alter this fundamental postulate of the European society by introducing Article 13 to the fore. Through this post, I intend to deal with the contentious aspect of Article 13 of the Copyright Directive, limited merely to its chilling impact on the freedom of expression. Subsequently, I shall elaborate on how the Copyright Directive possesses the ability to affect censorship globally.

Collateral censorship: Panacea for internet-related issues in the EU

The adoption of Article 13 of the Copyright Directive hints towards the EU’s implementation of a collateral censorship-based model. Collateral censorship occurs when a state holds one private party, “A” liable for the speech of another private party, “B”. The problem with such model is that it vests the power to censor content primarily in a private party, namely “A” in this case. The implementation of this model is known to have an adverse effect on the freedom of speech, and the adoption of the Copyright Directive has contributed towards producing such an effect.

The Copyright Directive envisages a new concept of online content sharing service providers (“service providers”), which refers to a “provider… whose main purpose is to store and give access to the public to significant amount of protected subject-matter uploaded by its users…” Article 13(1) of the Copyright Directive states that such service providers shall perform an act of “communication to the public” as per the provisions of the Infosoc Directive. Further, Article 13(2a) provides that service providers shall ensure that “unauthorized protected works” shall not be made available. However, this Article also places service providers under an obligation to provide access to “non-infringing works” or “other protected subject matter”, including those covered by exceptions or limitations to copyright. The Copyright Directive’s scheme of collateral censorship is evident from the functions entrusted to the service providers, wherein they are expected to purge their networks and websites of unauthorized content transmitted or uploaded by third parties. A failure to do so would expose service providers to liability for infringement of the content owner’s right to communication to the public, as provided in the Infosoc Directive.

The implementation of a collateral censorship model will serve as a conduit to crackdown on the freedom of expression. The reason for the same emanates from the existence of certain content which necessarily falls within the grey area between legality and illegality. Stellar examples of this content are memes and parodies. It is primarily in respect of such content that the problems related to censorship may arise. To bolster this argument, consider Facebook, the social media website which boasts 1.49 billion daily active users. As per an official report in 2013, users were uploading 350 million photos a day, the number has risen exponentially today. When intermediaries like Facebook are faced with implementation of the Copyright Directive, it will necessarily require them to employ automated detecting mechanisms for flagging or detecting infringing material, due to the sheer volume of data being uploaded or transmitted. The accuracy of such software in detecting infringing content has been the major point of contention towards its implementation. Even though content like memes and parodies may be flagged as infringing by such software, automated blocking of content is prohibited under Article 13(3) of the Copyright Directive. This brings up the question of human review of such purportedly infringing content. In this regard, first, it is impossible for any human agency to review large tracts of data even after filtration by an automatic system. Second, in case such content is successfully reviewed somehow, a human agent may not be able to correctly decide the nature of such content with respect to its legality.

This scenario shall compel the service providers to resort to taking down the scapegoats of content, memes and parodies, which may even remotely expose them to liability. Such actions of the service providers will certainly censor freedom of expression. Another problem arising from this framework is that of adversely affecting net neutrality. Entrusting service providers with blocking access to content may lead to indiscriminate blocking of certain type of content.

Though the Copyright Directive provides certain safeguards in this regard, they are latent and ineffective. For example, consider access to a “complaints and redress mechanism” provided by Article 13(2b) of the Copyright Directive. This mechanism offers a latent recourse after the actual takedown or blocking of access to certain content. This is problematic because the users are either oblivious to/ unaware of such mechanisms being in place, do not have the requisite time and resources to prove the legality of content or are just fed up of such repeated takedowns. An easy way to understand these concerns is through YouTube’s current unjustified takedown of content, which puts the content owners under the same burdens as expressed above. Regardless of the reason for inaction by the content owners, censorship is the effect.

The EU Copyright Directive’s tryst with the world

John Perry Barlow had stated in his Declaration of the Independence of Cyberspace that “Cyberspace does not lie within your borders”. This statement is true to a large extent. Cyberspace and the internet does not lie in any country’s border, rather its existence is cross-border. Does this mean that the law in the EU affects the content we view in India? It certainly does!

The General Data Protection Regulation (“GDPR”) applies to countries beyond the EU. The global effect of the Copyright Directive is similar, as service providers do not distinguish European services from those of the rest of the world. It only makes sense for the websites in this situation to adopt a mechanism which applies unconditionally to each user regardless of his/ her location. This is the same line of reasoning which was adopted by service providers in order to review user and privacy policies in every country on the introduction of the GDPR. Thus, the adoption of these stringent norms by service providers in all countries alike due to the omnipresence of internet-based applications may lead to a global censorship motivated by European norms.

The UN Special Rapporteur had envisaged that Article 13 would have a chilling effect on the freedom of expression globally. Subsequent to the Directive’s adoption, the Polish government protested against its applicability before the CJEU on the ground that it would lead to unwarranted censorship. Such action is likely to be followed by dissenters of the Copyright Directive, namely Italy, Finland, Luxembourg and the Netherlands. In light of this fierce united front, hope hinges on these countries to prevent the implementation of censoring laws across the world.

Automated Facial Recognition System and The Right To Privacy: A Potential Mismatch

Posted on August 3, 2019August 4, 2019 by Tech Law Forum @ NALSAR

This post has been authored by Ritwik Sharma, a graduate of Amity Law School, Delhi and a practicing Advocate. In a quick read, he brings out the threat to privacy posed by the proposed Automated Facial Recognition System.

On 28th June 2019, the National Crime Records Bureau (NCRB) released a Request for Proposal for an Automated Facial Recognition System (AFRS) which is to be used by the police officers in detecting potential criminals and suspects across the country.

The AFRS has potential use in areas like modernising the police force, information gathering, and identification of criminals, suspects, missing persons and personal verification.

In 2018, the Ministry of Civil Aviation launched a facial recognition system to be used for airport entry called “DigiYatra”. The AFRS system is built on similar lines but has a much wider coverage and different purpose. States in India have taken steps to introduce Facial Recognition Systems to detect potential criminals, with Telangana launching its system in August 2018.

What is Automated Facial Recognition System and how does it work?

The Automated Facial Recognition System (AFRS) will be a mobile and web application which will be hosted and managed by the National Crime Records Bureau (NCRB) data centre but will be used by all police stations across the country.

The AFRS works by comparing the image of an unidentified person captured through CCTV footage to the image which has been kept at the data centre of the NCRB. This will allow the data centre to match the images and detect potential criminals and suspects.

The system has the potential to match facial images with changes in facial expressions, angle, lightening, direction, beard, hairstyle, glasses, scars, tattoos and marks.

The NCRB has proposed to integrate AFRS with multiple existing databases: these include the Crime and Criminal Tracking Network & Systems (CCTNS) which was introduced post Mumbai attacks in 2009 as a nationwide integrated database to criminal incidents by connecting FIR registrations, investigations and chargesheets of police stations and higher offices, the Integrated Criminal Justice System (ICJS) which is a computer network which enables judicial practitioners and agencies to electronically access and share information and Khoya Paya Portal which is a portal used to detect missing children.

State Surveillance vs. Right to Privacy

In September 2017, the Supreme Court in the historic judgment of K.S. Puttaswamy vs. Union of India declared the right to privacy as a fundamental right under Article 21 of the Indian Constitution. The Supreme Court asserted that the government must cautiously balance individual privacy and the legitimate concerns of the state, even if national security is at stake. The Court also asserted that any invasion of privacy must satisfy the triple test i.e. need (legitimate state concern), proportionality (least invasive manner) and legality (backed by law) to ensure that a fair and reasonable procedure is undertaken without any selective targeting and profiling.

Privacy infringement without legal sanction and through executive action would be violative of the fundamental right to privacy and would disregard the Supreme Court directive. Cyber experts are of the view that such a system could be used as a tool of government abuse and risk the privacy of the citizens and since the country lacks a data protection law, the citizens would become vulnerable to privacy abuse.

Moreover, investigating agencies in the United States like the FBI operate probably the largest facial recognition system in the world. Cyber experts and international institutions have criticised the Chinese government for using surveillance system and facial recognition to keep an eye on the Uighur community in China. However, there have been claims that this system has an accuracy of hardly 2%, which makes it unreliable and cities like London are facing calls to discontinue this system to safeguard the privacy of its citizens.

Finally, such a tracking system impinges upon human dignity by treating every person as a potential criminal or suspect. There are no clear guidelines as to where such cameras are to be placed. The cameras will put every individual under surveillance and even the innocent ones would be tracked. Such surveillance would create fear amongst the citizens which has long term implications.

Conclusion

A rise in the crime rate poses a daunting challenge in front of the investigating agencies and robust measures must be undertaken to counter it. However, such measures should be ably backed by law and should not impinge upon the dignity and the right to privacy of the citizens.

The Data Protection Law drafted by the Justice Srikrishna Committee should be enacted by the Parliament to give legal sanction to such surveillance. Furthermore, the AFRS should be used cautiously to prevent any violation of the fundamental right to privacy.

AFRS system has the potential to bring a paradigm shift in the criminal justice system if its use is well-intentioned and within the democratic framework which ensures right to privacy and limited state surveillance.