By Aastha Mathur on November 30, 2021

Category : TMT

Social media marketing has disrupted traditional forms of sales promotion so much so that presently the Indian influencer market is valued at about INR 900 Crore.[1] In common parlance, an “influencer” is an individual who leverages her “followers” on platforms such as Instagram, TikTok to review, promote and endorse products or brands. Advertisers are keen on collaborating with online creators as the space offers greater brand visibility and audience engagement.

Despite its enormous reach and potential to impact purchasing decisions, influencer marketing has remained largely unregulated. While consumers trust their favourite influencers, in the absence of appropriate disclosures they are unable to distinguish between a genuine review of a product and paid brand promotion. This creates scope for deception, misinformation and misrepresentation. The Consumer Protection Act, 2019 (“CPA”) aims to overcome this by penalizing and prohibiting endorsers who make false or misleading representations about a product’s quality, quantity or usefulness. Simultaneously, it is also important to formulate best practices to foster transparency in the industry.

By Arya Tripathy  on October 29, 2021

Category : Corporate Laws

Conversion of different kinds of preference shares into equity is a well-recognized practice for Indian companies, and is specifically permitted under the Companies Act, 2013 (CA 2013). The reverse scenario involving conversion of equity into preference shares has been a bit of a thorny issue as there is no specific section under CA 2013 that expressly permits it. There are divergent views on why equity cannot be converted into preference. The predominant stance has been that conversion will lead to capital extinguishment, and consequently, the same can only be done through reduction of capital and court approval. On the other hand, it can be contended that conversion is a form of capital restructuring that does not equate to reduction, as only the nature of share capital changes, without any financial outlay.

In a breakthrough amalgamation order that is likely to aid corporates in providing structured exit and increased flexibility in reorganising capital, the Mumbai bench of National Company Law Tribunal (NCLT) in the Scheme of Arrangement and Amalgamation of Protrans Supply Chain Management Private Limited and Ors. (Protrans Order) has taken a pro-business stance to allow conversion of equity into preference shares.

This post provides a summary of the facts and arguments advanced in Protrans Order, and analyses the legality of NCLT findings.

By Arya Tripathy  on September 28, 2021

Category : Data protection and privacy

Article 46 of the General Data Protection Regulation (GDPR) lays out the alternative grounds that would allow a controller or processor to transfer personal data (PD) to a foreign jurisdiction which is not recognised as adequate. One of them is standard data protection clauses adopted by the European Commission. On June 4, 2021, the Commission adopted a set of New Standard Contractual Clauses (New SCCs) replacing the earlier ones that were framed under the 1995 Data Protection Directive (Old SCCs). New SCCs introduce a “modular” structure, addressing certain practical issues encountered in international data transfers with the objective of catering to digital economy developments, new and more complex processing operations involving multiple levels, prolonged processing cycles, and evolving business relationships. New SCCs took effect from June 27, 2021 and provide different timelines for existing and new transfer arrangements. For existing arrangements entered into before June 27, 2021 that incorporate Old SCCs, parties can continue to rely on them and transfer PD till December 27, 2022. Any new arrangement after September 27, 2021 must use New SCCs. Those entered into between June 27 and September 27, 2021 can still follow Old SCCs, and will be valid till December 27, 2022. With these bifurcated timelines, organisations have been provided a transition period to ensure that their transfer processes and mechanisms are upgraded to New SCCs.

As the 3 months’ window till September 27, 2021 lapses, this post provides a quick recap and overview of the New SCCs.

By Arya Tripathy  and Dhruv Suri on July 29, 2021

Category : Data protection and privacy

On May 25, 2021, the European Union General Data Protection Regulation completed 3 years. In these 3 years, multiple orders have been pronounced, including some where high fines have been imposed. Article 83 of GDPR provides for two tiers of administrative fines depending on the nature of default:

  • breach of obligations relating to a child’s consent for information society services (Article 8), processing without identification (Article 11), data protection by design and default (Article 25), and obligations of the data protection officer (Article 39) – fines up to EUR 10 million or, in case of an undertaking, up to 2% of the total worldwide turnover of the preceding financial year, whichever is higher; and
  • breach of basic processing principles (Article 5), requirements for a lawful basis of processing (Article 6), conditions for consent (Article 7), obligations for processing special categories of data (Article 9), rights of data subjects (Articles 12 to 22), and conditions for cross-border data transfer (Articles 44 to 49) – fines up to EUR 20 million or, in case of an undertaking, up to 4% of the total worldwide turnover of the preceding financial year, whichever is higher.

By Rishi Sehgal on June 29, 2021

Category : Fantasy Sports

Fantasy sports refer to a wide range of virtual gaming contests where, typically, users create virtual teams comprising real-life players and compete against teams of other users. Users act as managers and score fantasy points based on the actual performance of real players in a real-life sports match coupled with other algorithm-based determinations. Users are ranked as per their fantasy points, and consequently, they may win prizes or rewards. Such virtual games allow sports enthusiasts a safe and secure platform to enhance their sporting experience while testing their sporting knowledge against fellow enthusiasts.

In India, fantasy sport contests are played for the entire duration of the sporting season with fantasy sport operators such as Dream11, MyTeam11, My11 Circle, etc., offering either a free-to-play, or a pay-to-play format where users are charged an entry fee. Recently, the fantasy sport industry has received huge traction from the general public, investors as well as government, and is amongst the fastest growing digital sectors in India. However, at the same time the industry faces certain bottlenecks that inhibit its development.

By Dhruv Suri and Aastha Mathur on May 27, 2021

Category : Data protection and privacy

On February 25, 2021, the Ministry of Electronics and Information Technology (“MEITY”) notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021[1] (“Rules”) to provide a mechanism for redressal and speedy resolution of complaints by social media users, as well as to lay down a self-regulatory framework for digital media platforms. While much has been written about these Rules, they were back in the news recently because the 3-month timeline[2] given to “significant social media intermediaries” (“SSMI”)[3] to comply with them lapsed on May 25, 2021, and there were rumours that companies like Facebook, Twitter, etc. may get “banned”.[4]

At this stage it is important to note that there is no ban. Non-compliance with the 3-month timeline implies that, pursuant to Rule 7, the SSMIs may no longer be deemed an “intermediary” and get the benefit of the safe harbour provisions under section 79(1) of the Information Technology Act, 2000 (“IT Act”). In other words, content uploaded on their platforms could be deemed to be uploaded by them, i.e. they could be treated as publishers of that content. Consequently, officials of these SSMIs can be liable for punishment and prosecuted in accordance with the IT Act read with the Indian Penal Code, 1860.

By Varun Kalsi and Rishi Sehgal on May 7, 2021

Category : Employment & Labour Law

Recently, the state of Haryana published the Haryana State Employment of Local Candidates Act, 2020 (“Act”) in the extraordinary gazette[1]. Presently, the Act has been published for general information and shall be enforced once it is notified by the state government. The Act emanates from a key election promise made by the ruling coalition to its electorate. Further, with this law, Haryana joins a group of states such as Andhra Pradesh and Madhya Pradesh, who have taken, or are considering taking, steps towards reserving jobs for the local state population. Briefly, the Act provides for job reservation for a “local candidate”, and every employer is required to fill 75% of posts where the gross monthly salary does not exceed INR 50,000 with “local candidates”. This law applies to all (i) companies, societies, trusts, limited liability partnerships and partnership firms, (ii) any employer employing 10 (ten) or more persons, and (iii) any other notified entities in Haryana for the purpose of manufacturing or providing any service, except organizations owned and/or controlled by the Central and State governments. It seems the Haryana government strongly believes that social and economic upliftment of the state population can be achieved by giving preference to local candidates in certain jobs. Additionally, the state government argues that the law will discourage the influx of migrants from neighbouring states, which creates issues such as proliferation of slums.

This post seeks to provide an overview of the legislation along with its implications. Further, we have also examined the constitutional issues surrounding the Act and whether it can withstand judicial scrutiny.


By Arya Tripathy on April 21, 2021

Category : Data protection and privacy

The government notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (2021 Rules) on February 25, 2021. These have been notified under Section 87 of the Information Technology Act, 2000 (IT Act), and supersede the Information Technology (Intermediary Guidelines) Rules, 2011 (2011 Rules). The change is attributed to increased misuse of social media for cyber-crimes, including fake news, pornography, defamation, hate speech, obscenity, financial frauds, incitement of violence, and threats to national security and public order[1]. The 2021 Rules are an outcome of inter-ministerial consultation between the Ministry of Electronics and Information Technology (MeitY) and the Ministry of Information and Broadcasting. They are divided into 2 key parts dealing with (i) due diligence and grievance redressal mechanism for intermediaries, and (ii) code of ethics, procedure and safeguards for digital media.

In this post, we analyse the intermediary obligations and its impact in the backdrop of 2011 Rules as well as decided jurisprudence. For our analysis, we have divided the new requirements into compliance and operation related, take down and filtering, and grievance redressal obligations.

By Arya Tripathy and Rishi Sehgal on February 8, 2021

Category : Data protection and privacy

Earlier this year, WhatsApp released an in-app notification. The notification informed users about the changes in its privacy policy (Policy). It inter alia informed users about (i) how WhatsApp handles their data, (ii) how businesses could use Facebook-hosted services to store and manage consumers’ messages, and (iii) how WhatsApp partners with Facebook to offer integrations across Facebook company products such as Instagram and Messenger. The notification further alerted users that they need to agree to the Policy by February 8, or else lose access to their accounts. Whilst the Policy isn’t much different from its previous version, significant concerns have been expressed by users, with many migrating to alternative platforms such as Telegram and Signal. Various interpretations regarding the privacy of chats and messages have been circulating. As a result of the confusion and the negative user sentiment, WhatsApp pushed the acceptance date to May 15, 2021.

This blog seeks to analyse 2 contentious points in the Policy – sharing of data with Facebook companies and business accounts, followed by assessing the legality of such sharing under the current legal regime. The post shall also explore what would have been the case if the Personal Data Protection Bill, 2019 (PDP Bill) were a law as of date.

1. E2E encryption and metadata collection: Before delving into how the Policy proposes to transfer data to Facebook group companies and third-party businesses, it is essential to understand what and how data is processed by WhatsApp.

By Arya Tripathy and Aastha Mathur on January 13, 2021

Category : Employment & Labour Law

In our previous posts, we provided an overview of some of the key changes in the Code on Social Security, 2020 (here) and the Industrial Relations Code, 2020 (here).

The third in the series of labour laws notified on September 28, 2020 is the Occupational Safety, Health and Working Conditions Code, 2020 (Code). It seeks to amalgamate, simplify and rationalise the provisions of 13 existing central labour legislations[1] that relate to workplace safety and health for employees. The Code is divided into 14 chapters with 143 sections, and retains most of the key principles of the existing laws dealing with workplace safety, working conditions and provision of utilities. However, certain new aspects have been introduced and specific details are left for rulemaking by the central government (CG) or respective state governments (SG). This post aims at providing an overview of the Code with some of the key changes.

1. Establishment: The Code defines establishment as all places where any industry, trade, business, manufacture or occupation is carried on with more than 10 workers. The headcount criterion does not apply where the establishment is engaged in hazardous or life-threatening activities. This includes a factory, motor transport undertaking, newspaper establishment, audio-video production, building and construction work, plantation, mine, or port where dock work is conducted. The definition is wide and will cover the services sector, such as IT establishments and commercial establishments, which may be obligated to factor in the Code’s requirements for employees’ working conditions and safety. Currently, these aspects are captured under state-specific shops and establishments acts, and the Code does not repeal them. This can lead to confusion as to whether both laws will continue to apply to an establishment, and the rules should clarify this aspect.

By Arya Tripathy and Rishi Sehgal on January 11, 2021

Category : Employment & Labour Law

In our previous post, we aimed at providing an overview of some of the notable changes in Code on Social Security, 2020.

With the aim of revamping existing labour and employment laws, the government also notified the Industrial Relations Code, 2020 (“Code”) on September 28, 2020. It is likely that the Code will be implemented next year, and it will repeal 3 central labour enactments, namely the Industrial Disputes Act, the Trade Unions Act and the Industrial Employment (Standing Orders) Act. The Code has 14 chapters, 104 sections and 3 schedules. It aims at consolidating and amending the laws relating to trade unions, conditions of employment in industrial establishments, and investigation and settlement of industrial disputes. While it retains several provisions from the existing legal framework regarding retrenchment, lay-off, closure, industrial disputes, trade union recognition, etc., new requirements have been introduced to simplify as well as add more structure to the existing regulations. This post aims at providing an overview of some of the key changes under the Code.

1. Industry: Industry is defined under the Industrial Disputes Act (ID Act) as any business, trade, undertaking, manufacture or calling of employers, including any calling, service, employment, handicraft, industrial occupation, or vocation of workmen. The definition is wide enough to include every form of institutional and organized activity that results in production or supply of goods or services. Whether an organisation is an industry under the ID Act is fact specific and has been delved into in several court cases. In the landmark decision of Bangalore Water Supply & Sewerage Board vs. A. Rajappa & Ors.,[1] the Supreme Court held that if an institution involves co-operation between employers and employees to produce or supply goods or services, it shall qualify as an industry, even where such activity is done for a charitable purpose.

By Arya Tripathy and Rishi Sehgal on January 7, 2021

Category : Employment & Labour Law

The Code on Social Security, 2020 (“Code”) received Presidential assent on September 28, 2020, and is aimed to be implemented next year. Upon implementation, it will replace 9 social security legislations.[1] The underlying objective is to consolidate all social security laws with a view to provide social security to all employees and workers, either in organised or unorganised sectors. It contains 14 chapters with 164 sections and 6 schedules.[2] The Code mostly subsumes provisions and mechanisms provided under these 9 laws such as headcount thresholds, manner of computation of provident fund (PF) contributions, payment of gratuity, maternity leave entitlements, obligations for hiring inter-state migrant and building and construction workers, compensation events for work injuries, etc. However, it introduces some new concepts and requirements that could impact costs associated with employee benefits and require a deep dive into existing HR policies and compliances. This post aims at providing an overview of the Code and some of the notable changes.

1. Application: Different chapters of the Code will apply differently to organisations depending on their nature and headcount. This is similar to the approach under the existing regime. The First Schedule details the application criteria in the following manner: (i) Chapter III dealing with PF shall apply to establishments with 20 or more employees, (ii) Chapter IV relating to employees’ state insurance shall apply to establishments with 10 or more employees, (iii) Chapter V pertaining to gratuity will apply to all factories and every establishment which employs 10 or more employees, (iv) Chapter VI dealing with maternity benefit will apply to every establishment employing 10 or more employees, and (v) Chapter VII concerning employee’s compensation shall apply to those entities that are not covered under employees’ state insurance. Thus, there are no changes in this regard.

By Resham Jain on 30 November, 2020

Category : Data protection and privacy

For a long time, transgender persons have been excluded from contributing towards socio-economic activities and decision-making processes. So much so that it was only during the 2011 census that, for the first time, data related to their employment, literacy and caste was collected. As per a 2017 study conducted by the Kerala Development Society for the National Human Rights Commission of India, 96% of transgender participants (including qualified and skilled persons) reported that they were discriminated against and denied employment opportunities in the formal sector.

The transgender community is ubiquitous in India’s social construct. From Sathyasri Sharmila, Tamil Nadu’s first transgender lawyer to Padmini Prakash, anchor of a local Tamil news channel to Dr. Manabi Bandopadhyay, first trans-woman to become a college principal, transgender persons are gaining recognition across different sectors[2]. Yet, their presence and participation at workplaces, remains elusive. Organizations are often ill-equipped to support and integrate transgender employees into the mainstream.

By Resham Jain on 22 October, 2020

Category : Data protection and privacy

It is not unusual for Indian employers to collect extensive personal and sensitive personal data of their employees. Everything from the more obvious personal identifiers to sensitive information such as marital status, sexual orientation, health records, biometrics, etc. is collected and processed for various reasons, namely pre-employment background checks, employee profiling, drug or alcohol abuse tests, and gender sensitization. Any internal or external misuse of such sensitive data can have serious ramifications for employees, including identity theft, loss of employment and social discrimination. In fact, such privacy-invasive practices could also expose employers to financial and reputational risks.

In a landmark decision related to unauthorized access to employee data, on October 1, 2020, the Hamburg Commissioner for Data Protection and Freedom of Information (“Hamburg Commissioner”) imposed a fine of €35 million on Hennes & Mauritz Online Shop A.B. & Co KG (“H&M Online”), subsidiary of the Swedish multinational clothing retail chain Hennes & Mauritz AB (“H&M Group”).

By Arya Tripathy on 27 September, 2020

Category : Data protection and privacy

On August 26, 2020, the Ministry of Health & Family Welfare (MoHFW) published the draft Health Data Management Policy (Policy). MoHFW has been advocating for digitisation of health records, creation of registries, and adoption of a federated health data management structure to ensure interoperability and transferability of health data within the healthcare ecosystem. A federated structure, simply put, allows collection, processing and storage of data at all levels, instead of a centralised repository. The bigger picture – creation of a “national digital health ecosystem”, where health records can be collected, processed and transferred inter se stakeholders with patient consent for universal and continued health care (NDHE). Consequently, it is essential that a detailed data management framework is put in place to maintain confidentiality of health data and patient privacy.

The Personal Data Protection Bill, 2019 (PDP Bill) is still being debated by the parliament and is unlikely to be notified before 2021. In the absence of a comprehensive data protection framework, only minimal binding rules are prescribed under the Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal Data or Information) Rules, 2011. The Policy aims at bridging the gap, and currently, pilots are being implemented in union territories. This post aims at providing an overview of the Policy while comparing it with the PDP Bill, with an aim to evaluate the efficacy and necessity of a specialised health data management guideline.

By Arya Tripathy on 07 August, 2020

Category : Data protection and privacy

In the earlier post Part I, we delved into some of the recommendations made by the Committee of Experts on Non-Personal Data (NPD Committee)[1] in its report of July 12, 2020 (Report)[2]. We discussed the genesis, Committee’s rationale for regulation of non-personal data (NPD), its scope, the distinction between NPDs based on sensitive nature, and consent mechanism for anonymisation.

In this post, we continue our analysis on a few other aspects.

1. Key stakeholders: The Report contemplates 4 key stakeholders in the NPD ecosystem and processing chain – data principal, data custodian, data trustees, and data trusts.

  • Data principal: The Report observes that in the NPD context, the natural person cannot be the data principal as is the case for personal data. Determining the data principal will depend on the type of NPD. Accordingly, the data principal in case of public and private NPD will refer to the natural or legal person to whom the data relates, such as government bodies, companies, etc. For instance, the Ministry of Health will be the data principal for anonymised health data collated through the Aarogya Setu app, and Uber will be the data principal for anonymised ride data collected through the Uber application. In case of community data, the community from where the NPD originates will be the data principal, and will be entitled to exercise economic and other key rights vis-à-vis the community NPD.

By Arya Tripathy on 06 August, 2020

Category : Data protection and privacy

In September 2019, the Government constituted the Committee of Experts to study various issues relating to Non-Personal Data (NPD), and make recommendations for its regulation (NPD Committee)[1]. NPD Committee released its report on July 12, 2020 (Report)[2] which is open for public consultation till August 13, 2020. The Report is structured into 7 key chapters delving into rationale for the regulation of NPD, its scope, key players in NPD ecosystem, the legal basis for ownership over NPD, contours of undertaking data business, need and technology architecture for data sharing, and proposes a new regulatory framework for NPD governance. The new set of regulations will likely deal with anonymisation standards, data sharing protocols, regulation of data businesses and markets, etc. The Report also contemplates creating a new regulator – the Non-Personal Data Regulatory Authority (NPDA).

This post aims at analysing select few recommendations of the Report and evaluating the impact of the proposed NPD governance framework. In our subsequent posts, we will further continue with our analysis.

1. Genesis: Justice B.N. Srikrishna Committee Report, while laying out the norms for the Personal Data Protection law (PDP Bill), suggested regulation of community data (i.e., body of data sourced from multiple individuals) for group privacy rights, as an extension of a robust data protection framework[3]. It observed that individual control over aggregated data sets is impractical, and a suitable law should facilitate collective protection of privacy on basis of certain principles. Alongside, such protection should take into account intellectual property ownership of the entity processing the data. Thus, the Srikrishna Committee Report recommended that the government must consider promulgating a law that accords specific protection to “community” and “corporate” data.

By Arya Tripathy on 1 May, 2020

Category : Data protection and privacy

There is global consensus that the COVID-19 transmission chain can be interrupted with containment measures. Containment efforts require rapid identification and quarantine of potential carriers or “contacts” who may have contracted the virus from a confirmed patient. Manual tracing requires the patient to jog their memory, recollect, and identify all locations, times, durations and contacts. This process is arduous, ineffective, and inaccurate. This is where “contact tracing” through technology becomes critical. Regardless of whether countries have a codified data-protection and privacy law, most have either launched or are contemplating use of contact tracing applications. They are also keenly analysing various technology frameworks proposed by technology companies and academia for adaptation in COVID-19 tracing applications. While governments are fiercely urging people to use contact tracing technology as an essential tool to contain the virus, there is little or no discussion around its immense potential for invasive surveillance and dilution of users’ privacy.

By Nikhil Issar on 9 April, 2020

Category : Data protection and privacy

COVID-19 has brought the world to a standstill. It is rightly being called an “infodemic” due to the flood of related (mis)information on the internet. Since January 2020, 16,000 coronavirus-related domains have been registered, with over 6,000 new domains registered last week.[1] There is widespread fear and panic caused by high incidences of viral fake news and constant media coverage. With organizations transitioning to compulsory work-from-home models, corporate networks and data are being accessed through not-so-secure means, at the risk of unauthorized access and use. Despite deployment of effective VPNs and firewall technology, no measure can account for the weakest link in a security chain, i.e., the people who use, administer and operate computer systems. This atmosphere is conducive for cybercriminals to exploit human fear and “phish” for personal information. The objective is either to gain access to a computer system and its data, or to defraud a person of their assets. In these desperate times, phishing e-mails have spiked by over 600%, and old malware is getting a novel COVID makeover for attacking curious, fearful, or empathetic humans.[2] Therefore, it will not be an exaggeration to state that cybersecurity risks are at an all-time high.

This blog seeks to examine types of coronavirus related phishing scams, review applicable Indian laws, examine practicality of legal response, affix liability and enlist best practices to be followed by individuals and corporates.

1. Identifying phishing hooks: Cybercriminals are using COVID-19 related click baits for infecting computers/mobiles with malware. Malware can harvest e-mail and banking login credentials and credit card information. Apart from malware, online scammers are claiming to sell cures and face masks, as well as soliciting investment in vaccine companies. The modus operandi is to obtain credit card details through any possible means, and thereafter either trade the information on the dark web or commit fraud. The top originator of COVID-19 spam is Vietnam, followed by the USA, China, India and Russia.[3] Illustratively, cybercriminals have adopted the following COVID-19 linked phishing techniques across a pandemic-stricken and paranoid globe:
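The post above describes the ingredients of a COVID-19 lure (pandemic-themed bait in the message, a link to one of the thousands of freshly registered coronavirus-themed domains, and a brand the victim trusts) without showing how a mail gateway or an incident responder would actually test a message for them. The following is an added example, not code from the original post or from the authors, that scores a message on exactly those signals: lure terms in the text, a lure term inside the link’s hostname, a hostname on a list of recently registered domains, and anchor text that displays one domain while the href goes to another. The sample messages and the recently-registered list are constructed for the example; the function and variable names are this example’s own.

```python
import re
from html import unescape
from urllib.parse import urlparse

# Pandemic-themed bait words. They are matched at a word start, so "corona" also
# catches "coronavirus" while "cure" does not fire on "secure".
LURE_TERMS = ("covid", "corona", "pandemic", "vaccine", "quarantine", "mask", "cure")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
TAG_RE = re.compile(r"<[^>]+>")

# Constructed stand-in for a WHOIS feed of domains created since January 2020.
RECENTLY_REGISTERED = {"covid19-relief-sbi.com", "corona-cure-shop.net"}

# Constructed (subject, body) samples: one phish, one ordinary internal mail,
# one legitimate pandemic newsletter that mentions the virus but links to its own site.
SAMPLES = [
    ("Urgent: COVID-19 relief payment",
     'Claim your relief at <a href="http://covid19-relief-sbi.com/login">'
     "https://www.onlinesbi.com</a> today."),
    ("Team lunch on Friday",
     "Reply by Thursday: https://intranet.example.org/lunch"),
    ("COVID-19 situation report",
     "Read today's report: https://www.who.int/emergencies/diseases/novel-coronavirus-2019"),
]


def lure_hits(text):
    """Lure terms that occur at a word start in `text` (case-insensitive), sorted."""
    low = text.lower()
    return sorted(t for t in LURE_TERMS if re.search(r"\b" + re.escape(t), low))


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def registrable_domain(host):
    """Last two labels of a hostname. Adequate for .com/.net/.org; production code
    should consult the public suffix list so that co.in or co.uk are handled."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def extract_links(body):
    """(href, display_text) pairs: HTML anchors first, then bare URLs in the remaining text."""
    links = [(href, TAG_RE.sub("", label).strip()) for href, label in ANCHOR_RE.findall(body)]
    rest = TAG_RE.sub(" ", ANCHOR_RE.sub(" ", body))
    links += [(url, url) for url in URL_RE.findall(rest)]
    return links


def analyse(subject, body, recently_registered):
    """Return (verdict, reasons). The verdict is True only when a lure in the text is
    combined with at least one suspicious link signal, so a genuine newsletter about
    the pandemic is not flagged on vocabulary alone."""
    reasons = []
    hits = lure_hits(unescape(subject + "\n" + TAG_RE.sub(" ", body)))
    if hits:
        reasons.append("lure terms in text: " + ", ".join(hits))

    link_signal = False
    for href, label in extract_links(body):
        host = host_of(href)
        dom = registrable_domain(host)
        if lure_hits(host):
            reasons.append(f"lure term in link host: {host}")
            link_signal = True
        if dom in recently_registered:
            reasons.append(f"recently registered domain: {dom}")
            link_signal = True
        shown = host_of(label) if URL_RE.match(label) else ""
        if shown and registrable_domain(shown) != dom:
            reasons.append(f"link text shows {shown} but goes to {host}")
            link_signal = True

    return bool(hits) and link_signal, reasons


if __name__ == "__main__":
    for subject, body in SAMPLES:
        verdict, reasons = analyse(subject, body, RECENTLY_REGISTERED)
        print(("PHISH " if verdict else "ok    ") + repr(subject))
        for reason in reasons:
            print("    -", reason)
```

The third sample is the important one for tuning: it contains “COVID” and “coronavirus” and would be a false positive for a keyword-only filter, but its only link resolves to who.int, so it produces a reason without a verdict. A real deployment would replace the constructed `RECENTLY_REGISTERED` set with domain creation dates from WHOIS or a certificate-transparency feed, and would use the public suffix list rather than the two-label approximation.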

By Arya Tripathy on 30 March, 2020

Category : Data protection and privacy

COVID-19 has de-globalized the world and yet ushered in a new global citizenship, where the order is simple – solidarity in isolation. In battling the highly contagious pandemic, governments are focused on breaking the transmission chain. They are deploying old and new tracking and surveillance technologies, with minimal checks, and in certain instances, at the cost of an individual’s right to bodily and informational privacy. Indeed, desperate times call for desperate measures, but this may have significant cascading effects outlasting the pandemic.

Case in point – the Karnataka government, to deter contact transmission, published a consolidated list of quarantined residents’ addresses, irrespective of whether the covered individuals had travel history to affected areas or had tested COVID-19 positive. The proportionality of such a measure will probably remain unevaluated in these dire times, even though the covered individuals can be subjected to social stigmatization, and not just social distancing.

In this post, we scrutinise the case for government deploying technology for COVID-19 surveillance, its impact on containing further spread of pandemic, the suspension of informational privacy, global approaches followed and way forward.

By Arya Tripathy on 3 March, 2020

Category : Data protection and privacy

Non-personal data broadly refers to data that standalone or in combination with other data does not directly or indirectly result in identification of a natural person (NPD). These data sets could include aggregated, derived, anonymous, and community data. They have enormous economic value for organizations. NPD often drives innovation, gives organizations a competitive edge, helps formulation of unique market and business strategies and creation of intellectual property. The Personal Data Protection Bill, 2018 did not include any provision concerning NPD processing and protection. However, Clause 91 of the Personal Data Protection Bill, 2019 (2019 Bill) empowers the central government to access NPD for policy reasons (as discussed at #4 below). Ever since its inclusion, Clause 91 has been extensively debated by stakeholders on whether and why the government reserves access rights in a law that primarily should aim at safeguarding data principal’s privacy rights while balancing it with interests of a digital economy.

In this post, we aim to understand the contours of Clause 91 in a global backdrop and analyse its potential impact.

1. Current regime: So far, India does not have a comprehensive law regulating the processing, use and reuse of NPD. Vast pools of NPD are contractually protected as trade secrets, know-how, and other forms of proprietary and confidential information. The government’s right to access and reuse such data is limited to reactive access for the purposes of implementing applicable laws,1 national security, public order and state sovereignty. Additionally, the government is empowered to intercept communications and access personal information under various laws, including the Code of Criminal Procedure and the Indian Post Office, Telegraph and Information Technology acts. Exercise of the government’s access rights is often subject to judicial scrutiny and must necessarily follow due process of law, which provides substantive and procedural safeguards. Thus, per se, the government does not have unfettered access to an entity’s corpus of NPD.

By Arya Tripathy on 17 Feb, 2020

Category : Data protection and privacy

Regulating the flow of data across national borders is increasingly viewed as an essential mechanism for implementing national data protection and privacy laws extraterritorially. Most jurisdictions impose conditions on when and how data can be transferred (commonly called data export restrictions), and very few resort to physical data localization requirements.1 Data localization is commonly understood as regulatory and policy efforts requiring some or all aspects of personal data processing to take place in a particular jurisdiction.

Governments looking at imposing localization requirements are motivated by a variety of reasons – citizens’ privacy, data security, corporate accountability, national security, protecting local businesses, checks on freedom of speech, and surveillance. Some jurisdictions like Russia have enforced localization requirements with rigour. In 2016, a Russian court of appeal ruled that the professional social network LinkedIn was in violation of the data localization requirements. Consequently, the site was blocked and approximately 6 million users could no longer access it overnight.2 At the same time, localization can result in segregation of the internet, act as an entry barrier for new technology and businesses, increase network latency, hamper user experience, affect the robustness of network security, and raise infrastructure and resource costs for companies. Some critics have also argued that localization could in fact endanger privacy. For instance, where a breach incident happens, it is prudent to port the data to a safer location in order to mitigate the risks, which cannot take place where governments force localization. In a similar vein, where organizations are forced to store their data in a particular jurisdiction, their limited network security resources will be bifurcated and economies of scale reduced, resulting in additional points for security failure and privacy breach.

By Arya Tripathy on 3 Jan, 2020

Category : Data protection and privacy

Empowering data principals to exercise certain rights vis-à-vis their personal data is a fundamental element in the creation of a robust data protection framework. Exercise of data principal rights is aimed at strengthening an individual’s informational privacy, providing them with autonomy and control over the processing cycle and, in turn, boosting transparency and accountability. Chapter V of the Personal Data Protection Bill, 2019 (PDP 2019) deals with data principal rights and the mechanism for exercising them. This Post aims at analysing the scope of the contemplated rights regime and its potential impact on organizations.

1. Existing framework: The concept of vesting an individual with legal rights concerning the processing of personal data is not new. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules (IT Rules) permit an individual to review personal information collected and seek rectification. They state that any organization acting on its own or through a third party must permit review of the personal information provided when requested by the concerned individual. Additionally, organizations must ensure that inaccurate or deficient personal information is corrected or amended as feasible. However, the IT Rules clarify that such organizations have no responsibility for ensuring the authenticity of the personal information provided. This essentially means that where an individual provides updated information, organizations, depending on feasibility, must rectify the processed information, without any obligation to verify its authenticity.

By Arya Tripathy on 17 Dec, 2019

Category : Data protection and privacy

In Personal Data Protection Bill 2019 versus 2018 – Part 1, we delved into the changes in the concept of personal data, purpose limitation, retention period and notice requirements. In this post, we continue to analyse some additional key changes.

1. Consent: The 2019 Bill makes prior consent the primary ground for processing. Consent must be:

  • free as understood for contractual consent under the Indian Contract Act1
  • informed through the detailed notice as discussed at #4 in our previous post Personal Data Protection Bill 2019 versus 2018 – Part 1
  • specific with respect to the scope of consent factoring the processing purposes
  • clear through an affirmative action that is meaningful in the given context; and
  • capable of being withdrawn as easily as it is obtained.

This essentially means that consent cannot be influenced by any external factors or be conditional upon the provision of goods or services, must be worded specifically with full disclosure of purposes in simple, easy-to-understand language, and must be obtained through direct action as opposed to implied conduct.

By Arya Tripathy on 17 Dec, 2019

Category : Data protection and privacy

The Personal Data Protection Bill, 2019 was introduced in the Parliament on December 11, 2019 and has been referred to a joint select committee for further review. The committee is tasked with producing its report on the proposed clauses, which shall be presented to the Parliament prior to its upcoming 2020 budget session. The 2019 Bill brings about significant changes over its predecessor, the 2018 draft.

Compared to the 2018 draft, which proposed 15 chapters and 112 sections, the 2019 Bill contemplates 14 chapters and 98 sections. There are far-reaching modifications in approximately 49 clauses, some clauses of the 2018 draft have been deleted, and certain new provisions pertaining to social media intermediaries, sandbox innovations, policymaking for the digital economy and processing of biometric data have also been introduced. Further, the draft available in the public domain comes with an elaborate note on the statement of objects and short notes on clauses. There is scepticism that, while the 2019 Bill is drafted better than the 2018 draft, grey areas continue to remain; this scepticism may not be completely without merit. This and the subsequent Post aim at providing an overview of some of the key changes in the 2019 Bill.1

Personal data: The 2019 Bill revises the scope of personal data, sensitive personal data, and anonymised data. The meaning of these concepts under the 2018 draft was analysed in our first post.

By Arya Tripathy on 29 Nov, 2019

Category : Data protection and privacy

Much has been said about who will be impacted by the Personal Data Protection Bill. This Post aims at providing an overview of the key stakeholders involved in the processing of personal data under the Bill and analysing the underlying dynamics.

1. Existing framework: Any body corporate, or any person acting on its behalf, engaged in collecting, receiving, storing or otherwise dealing with personal information must comply with the processing requirements under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules (IT Rules). Body corporate includes all kinds of incorporated or unincorporated legal entities, such as a company, limited liability partnership, firm, sole proprietorship or an association of individuals engaged in commercial or professional activities. The person who processes personal information on behalf of the said body corporate is commonly referred to as the processor, and can be a legal or natural person. Further, the IT Rules must be complied with only if the personal information relates to a natural person. While government agencies collect and process personal information, they are outside the purview of the IT Rules.

Thus, the existing framework involves 3 actors –

(i) private body corporates requiring processing of personal information,

(ii) any legal or natural person performing such processing, and

(iii) the natural person whose personal information is being processed.

By Arya Tripathy on 15 Nov, 2019

Category : Data protection and privacy

In view of the imminent Personal Data Protection Bill, Post 1 of PSA’s data protection law series aims at providing an overview of what is personal data and what it means for organizations processing such data.

Existing framework: The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules (IT Rules) define “personal information” as any information, processed by a computer (system/network) standalone or combined with other information, that leads to the identification of a natural person. Additionally, the IT Rules categorise some personal information as “sensitive”. This includes passwords, financial information (like account, card or other payment instrument details), physical, physiological and mental health condition, sexual orientation, medical records and biometric information. Further, it has been customary for organizations processing personal information to regard anonymized or pseudonymised data as outside the IT Rules’ purview, even though there is no express provision to that effect.

Personal Data under the Bill: The PDP Bill defines “personal data” as any data, alone or in combination with other data, that results in the direct or indirect identification of a natural person. However, the Bill does not provide an illustrative list; some examples are:

  • direct => name, phone number, e-mail ID, government ID, bank account numbers, address
  • indirect => location, purchase history, physical traits, IP address, postal code, cookie identifiers