Public Comments sought for regulations under CCPA (Californian Privacy Regulation)

The California Consumer Protection Act which has a bearing on the Indian IT industry processing personal data of Californian citizens is getting ready for implementation from 1st January 2019.

On October 13,  7 amendments have been passed for the earlier Act which was passed on June 28 2018.

More importantly, a draft regulation has also been released by the Attorney General on 10th October 2019 for public comments.

Public Comments may be filed by December 6 2019.

Interested persons may study the Act as it has now emerged and also submit their comments. Naavi.org and FDPPI are collating views on the regulations and would submit their views.

Details of the Act and the regulations can be found here:

Naavi


WhatsApp sues NSO on Pegasus

WhatsApp has sued the Israeli company NSO for creating and distributing the Pegasus trojan. Pegasus is a trojan that infects mobiles (Android and iOS) through a mobile call even if it is unanswered. Once a phone is infected, it enables the hacker to silently watch the activities on the phone, including reading of the messages. The virus is unremovable even with a factory reset.

It has been alleged to have been used for surveillance of Bhim Koregaon activists and their supporters in India by the Indian Government, which the Government sources predictably have denied.

This is not the first time that Israel or any other hacker group has created such tools and Governments of many countries bought the tools for their surveillance requirements. Stuxnet itself was one such example. While most of the population are not worried about Government surveillance of criminal activities, the technical possibility of a trojan that can infect mobiles through an unattended WhatsApp call and take over the mobile is alarming. If today Israel can develop Pegasus, tomorrow a criminal gang can develop a variant for a similar purpose.

We already know that a virus called Xhelper, with properties similar to Pegasus, has been infecting some phones.

While the NSO has stated that it has sold Pegasus only to some Governments and the Indian Government has itself issued a notice to WhatsApp to explain how the virus was used to snoop on Indians, WhatsApp itself has filed a complaint against NSO.

A Copy of the Complaint available here makes an interesting academic study.

The Complaint mainly alleges that WhatsApp violated the terms of use since the planting of the virus involved creation of WhatsApp accounts and making WhatsApp calls for sending the malicious codes to target phones. This also resulted in “Unauthorized Access” to WhatsApp servers, which is an offence under the Computer Abuse Act. It appears that WhatsApp has provided some evidence and the phone numbers used for infection, which indicate the area code of Washington, USA.

The Complaint has been filed at the US district court, Northern District of California naming NSO group as the defendants. The telephone company which was a party to the activity has not been arraigned.

Charges have been brought under the Computer Fraud and Abuse Act, the California Comprehensive Computer Data Access and Fraud Act, Breach of Contract and Trespass to Chattels.

Relief sought includes permanent injunction besides damages.

As regards the allegation that the Indian Government has used Pegasus for snooping on some activists, it is a Canada-based organization called Citizen Lab which has released a report. The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.

According to Citizen Lab, after the report from the Lab in May 2019, WhatsApp fixed the vulnerability. Hence the current versions of WhatsApp may not be vulnerable to this attack.

Behind this Pegasus incident lies the discussion on ethics and security. While criminals continue to make use of all the tools of crime available in the deep web to create havoc in organized society, when Governments try to use similar counter cyber crime strategies, the human rights activists start complaining.

Whether Human Rights should be used to defend the rights of criminals is itself a question that needs to be answered by Courts. It is not uncommon in India that a large part of the time and energy of the Supreme Court is spent in hearing cases of these “Human Right Activists” who specialize in defending the criminals by invoking human rights principles. Most of the time, the beneficiaries are the inhuman terrorists and criminals.

It is time for the Courts to draw a line on who can invoke “Human right” protection before trying to adjudicate on the ethics of Governments using tools such as Pegasus as “Tools of War”. Just as weapon manufacturers need to restrict the sale of military grade weapons only to sovereign Governments, any agency developing such tools should be considered responsible for ensuring that they do not fall into the wrong hands.

Perhaps the Court case in the USA will determine whether NSO is a “Cyber Weapon Manufacturing Company” that deals with sovereign Governments only or tries to commercialize its weapons by selling them to criminals and terrorists.

Naavi

 


Baba Ramdev Vs Tech Giants..at Supreme Court

The decision of the Delhi High Court in the Baba Ramdev Vs Facebook/Twitter/Google case ordering global take down of defamatory content is likely to turn out to be a landmark judgement. Though the final word on the issue will be written by the Supreme Court when it hears the appeal, the Supreme Court has been provided with a powerful challenge if it desires to maintain judicial comity with international Courts.

Very recently, in the GDPR case of CNIL Vs Google, (2019), the EU Court of Justice had reversed an earlier ruling for global takedown and ruled in favour of Google. In this case it was held that while exercising the “Right to Forget” of a French Data Subject, it is sufficient if the data is removed from the French site of Google Search and it is not necessary to remove it from other search engines. The Court in this instance held that each country search engines are different data groups and are meant for different audiences.

A long time back, the US courts had also come to similar conclusions in the Yahoo-Nazi memorabilia case (2006). In this case, the US Courts implied that a website with a country code extension of, say, .fr should be considered as a site meant for France. If the language of the website was French, it was clear that the target audience was French people wherever they are located.

In these cases as well as the earlier cases, the Courts determined the jurisdiction based on the “Intentions” of the content provider, using “Interactive nature” of the websites, “Maintenance of contact address in a jurisdiction”, “Offering of goods and services to the people of a jurisdiction”, etc. as parameters to determine the application of extra territorial jurisdiction.

However, in the case of Dow Jones Vs Gutnick (2002) the Australian High Court held that “An Australian Citizen could maintain a defamation suit in a local Australian Court for allegedly libelous statements published in a website in USA”. It was held that “Jurisdiction was proper in the place in which the article was downloaded and read and the harm caused not where the server is located or where the publisher’s principal place of business is located”.

The Dow Jones Vs Gutnick case established that jurisdiction to determine the defamation and go on trial exists in the place where the harm is felt by the victim.

This has become a standard rule today and has also been adopted in the Baba Ramdev case. Hence all defendants have not opposed the trial and have in fact even agreed to their status as “Intermediary” under Indian law and also further agreed to implement the directions to a certain extent.

Enforcement Jurisdiction outside India

What the Delhi High Court has now embarked upon is the jurisdiction to force “Enforcement Jurisdiction” outside the territory of the victim/forum.

In the appeal, the Supreme Court may have no option but to uphold the judicial jurisdiction to try the case and provide relief to the victim of defamation from a foreign company, because the defendants have admitted their responsibility under Section 79(3) of ITA 2000 at least to the extent of exposure of the objectionable content to the Indian audience through “Geo Blocking”.

The point of contention however is the decision of the High Court ordering the global take down based on its interpretation that all the servers of the defendant companies are networked to share information and hence should be considered as a “Unified Computer Network System”. Under this consideration, “Removal of Content” is not complete unless it is removed in all places where it is stored and is accessible.

The Court has made a distinction only on “Data Uploaded from India” and “Data uploaded from outside India”. As regards data uploaded from India, the Court has ordered the global take down and as regards data uploaded from outside India, the Court has ordered “Blocking access”.

This argument of determining the enforcement jurisdiction based on the place from which the content was uploaded appears to be a new thought and could come in for deeper analysis in the Supreme Court.

The second point which is likely to be contested in the Supreme Court is whether Section 79 is applicable for offences where the cause of action is not ITA 2000 but other statutes like IPC.

It is our opinion that Section 79 does not restrict itself to offences within ITA 2000 but this could be argued.

Another point which the Court could have missed is that ITA 2000 under Section 13 has given a clear indication to determine the place from which a message has been sent as the “Place of usual residence”. Hence the applicability of ITA 2000 in respect of “Message Uploaded” depends on the usual place of residence of the uploader.

If however the “uploader” is anonymous, then the system from which the uploading has taken place may become relevant. It is open to the system owner to provide the identity of the uploader and establish with evidence that the person has a place of residence outside India and hence the upload location has to be determined accordingly. If the platform owner fails to establish the identity of the uploader, then the responsibility should rest with the owner of the system.

The “Attribution” under Section 11 is clear that the responsibility for any computer which works automatically is attributed to the person who caused it to behave so, which is the platform owner. This “attribution” aspect is relevant for platforms who may claim that the system is automatic, that they do not interfere in the publication, etc.

Since all platforms have admitted that they are “Intermediaries” and sought the protection under Section 79 claiming “Due Diligence”, the fact whether they are really intermediaries or not did not figure in the High Court judgment. It is possible that this may not come for discussion even in the Supreme Court.

Since every platform analyses the profile of the users and determines what page has to be served to them or at least recommended to them, it is impossible to consider that any of these entities, namely Facebook or Twitter or Google, are actually entitled to the safe harbor provision of Section 79, which requires that these entities shall not

a) Initiate the transmission

b) select the receiver of the transmission and

c) Select or modify the information contained in the transmission.

All of them may fail the test of the third condition above which is mandatory for invoking Section 79.

If these platforms are not considered eligible for Section 79 protection, then they shall be guilty of “Defamation” irrespective of whether they remove the content now or not. In Duffy Vs Google, the Australian Supreme Court made the following interesting observations.

“..the concept of “passive medium” was apt to mislead because the nature of electronic media is that it is pre-programmed to fulfill a purpose….”

“Google participated in the publication of the paragraphs about Dr Duffy produced by its search engine because it intended its search engine to do what it programmed it to do”

“Google’s search results are published when a person making a search sees them on the screen … It is Google which designs the programme which authors the words of the snippet paragraph. Google’s conduct is the substantial cause of the display of the search result on the screen”

“Google was liable for the republication of the Ripoff Report pages to which it provided hyperlinks. This was because Google’s facilitation of the reading of these pages was both substantial and proximate”

If a similar view is taken in India, it would become irrelevant whether the Companies agree to remove the content or not. They will be directly liable to pay compensation to Baba Ramdev.

Probably Mr Ramdev’s counsel cannot raise this issue at the appeal stage, but a third party intervener may raise this issue and contend that these platforms, Facebook, Twitter and Google, do not satisfy the requirements of Section 79 and hence should not be provided the protection under the section. In that case, the argument on removal of the content becomes secondary.

How Does the Court enforce its decision?

It is all fine to say that ITA 2000/8 has extra territorial jurisdiction under Section 75 and the Court has also recognized the personal jurisdiction based on the Victim’s right to invoke the Indian Courts etc.

Now that the Court has passed the order for removal of content, the next question that would arise is what would the victim do if the respondents don’t honour the directions of the Court.

It is possible that the Supreme Court may be obliging and grant a stay. If not, it is most likely that these platforms will do nothing to implement the directions of the High Court and will contend that the matter is sub-judice.

The High Court order therefore failed to recognize the need to impose a penalty if the respondents don’t follow the orders of the Court.

Such a direction was provided in the Yahoo-Nazi Memorabilia case by a French Court which ordered payment of a fine for every day of delay in implementing the content removal directions.

If the Court had ordered similar per-diem penalty and also indicated that failure to make the payment would lead to other consequences such as blocking the service in India, then the order would have had teeth.

Now this will be another order which is appreciated by academicians but has no immediate utility for the victim. We hope that when the Supreme Court admits the appeal, it directs the appellants to agree to implement the High Court order forthwith or agree to pay some compensation for any delay before the appeal is admitted.

(This is for academic debate. Comments and counter views are welcome. I invite some of my students to take up a deeper analysis)

Naavi

Reference Articles

Baba Ramdev Vs FaceBook-High Court judgement

Google Vs CNIL-bbc.com

Dow Jones Vs Gutnick-judgement

Dow Jones Vs Gutnick..an analysis

Dow Jones Vs Gutnick implications

Is Google a Publisher?..Australian Case Duffy Vs Google


Early Bird Pricing of Rs 6000/-  for the Course is set to end on 3rd November

Early Bird Pricing of Rs 6000/-  for the Course is set to end on 3rd November 2019. 

Watch out for more details on Cyber Law College 


A Profound judgement comes from Delhi High Court

The judgement by the Delhi High Court in the Baba Ramdev Defamation case delivered on October 23, 2019 against Facebook, Google, and Twitter is a very mature and erudite interpretation of some of the provisions of Information Technology Act 2000 (ITA 2000). It will have a long term implication on the way “Intermediary Liability” is interpreted and international jurisdiction is applied in Internet related cases.

Credit is due to the counsel Mr Darpan Wadhwa and his team for bringing out some very powerful arguments as well as the honourable Justice Pratibha M Singh, for appreciating the arguments and delivering a bold and path breaking order.

The order challenges the interpretations that are derived from some of the recent international judgments such as CNIL Vs Google and will definitely be challenged in the Supreme Court for a more detailed argument and establishment of certain principles that will uphold the judicial maturity of Indian Courts.

I hope that the Supreme Court bench which will consider the appeal will be able to show the same kind of vision and technical understanding that the Delhi High Court has shown in this case and uphold some of the principles that this judgement has justified.

The judgement requires a more detailed analysis and comment which we shall do in due course.

Naavi

 


IAB publishes a CCPA compliance framework for public comments

The IAB (Interactive Advertising Bureau), which has a membership comprising more than 650 leading media companies, brands and technology firms having a stake in Digital Marketing, has come up with a framework for compliance with CCPA and released it for public comments.

The framework is open for public comments till 5th of November. The framework is intended to be used by those publishers who “Sell” personal information and the “Technology Companies that use the sold personal information”.

In the digital marketing world there are “Publishers” who publish advertisements on websites and some who use other means such as E Mail marketing to publish advertisements. The product marketing companies place their “Advertisements” in appropriate publishing channels.

Some of the publishers may occasionally use the services of intermediaries who identify target audience to whom a message can be advertised. These intermediaries collect personal data by their own means and then filter them into different categories and make it available to other publishers. There is a “Profiling” activity involved in this process which falls under the different data protection regulations.

The publishers may also be benign publishers who do not use “Targeted Advertising” on their platforms and therefore do not have responsibility for the profiling. In such cases the publishers may simply be “Advertising Platforms”. In Indian law they will be legally “Intermediaries under Section 79 of ITA 2000”.

The difference between the “Target identifier”, “Publisher” and “Advertising platform” depends on the extent of control they exercise on the collection and processing of personal data.

For example, naavi.org is a platform on which Google Ads is the publisher, Amazon may be the advertiser. The dividing line between the Publisher and the Platform is thin. But since Naavi.org does not decide on what ads are to be presented and Google Ads is the Ad serving company taking that decision, Naavi.org becomes only a platform that lends part of its space to the Google Advertising.

The Google Ad network may sell advertising space from its clients on a real-time bidding (RTB) basis, under which advertising inventory is bought and sold on a per impression basis via programmatic instantaneous auction. The algorithm used for such advertising may incorporate profiling of a visitor to a website as well as use of AI. The platform may not have much knowledge of how the ads are chosen except to prohibit certain types of content.

The IAB framework provides guidelines for the publisher and the advertising company on how to handle the personal data.

The “Framework” envisages that any company that engages in or supports an RTB transaction may sign the “IAB Limited Service Provider Agreement”.

The framework participants include

a) Owners of publisher digital properties (e.g., publishers of web pages and retailers with advertising on their sites or apps, that, in each case a California consumer (a “Consumer”) visits)

b) Downstream Framework participants (e.g., Supply side platforms or SSPs, Demand side platforms or DSPs, ad servers, and agencies)

c) Owners of Advertiser Digital properties (e.g., brand entities that also operate/publish a web page)

d) Downstream Framework participants who receive personal information about a consumer that originates from the advertiser digital property.

The framework applies to RTB transactions involving the “Sale” of Personal Information only when all the participants in a transaction are “Framework Participants”. The digital property can however opt out of the framework. However, when the Digital Property utilizes the Framework, it will be contractually required to send the bid request and accompanying personal information only to other Downstream Framework Participants. Additionally, when a Downstream Framework Participant receives the bid request from the Digital Property, it will be contractually required to confirm that its counter parties are Framework Participants by using the Signatory Identification Solution and pass the bid request and personal information only to Framework Participants.

The guidelines cover the information to be provided to the individuals who allow their personal data to be sold through an Opt-in process, the display of the “Do Not Sell” button and how to handle the “Do Not Sell Requests” of a person who has earlier provided a consent for selling. The framework suggests that the “Service Contracts” between the Publisher and the advertiser have to accommodate the change in consent.

Digital properties who send the signals for RTB to a participant cannot onward sell the personal information without an “Explicit Consent”. The digital property must include a “California Explicit Notice” link near the “Do Not Sell” link. A sample “Explicit Notice” is also provided in the guideline.

Under CCPA, when a Consumer opts out, it does not bar the collection of personal information or the delivery of a personalized ad but, rather, bars a “sale” of personal information related to the delivery of a personalized ad. Hence the downstream framework participants become “Limited Service Providers” on behalf of the digital properties.

The guidelines also provide technical frameworks to be used in the specified cases.

In a way, it appears that IAB is trying to set up some industry standards applicable to the participants of the framework.

The reaction of the industry needs to be watched.

Naavi
