DigiTrade Digest # 101


Data Protection Bill passed in Lok Sabha: What it says about privacy, Centre’s powers, right to info

Indian Express: The Bill has retained the contents of the original version of the legislation proposed last November, including those that were red-flagged by privacy experts.

The Digital Personal Data Protection Bill, 2023 was passed in Lok Sabha on Monday by a voice vote. The Bill has retained the contents of the original version of the legislation proposed last November, including those that were red-flagged by privacy experts, such as exemptions for the Centre. In its new avatar, the proposed law has also accorded virtual censorship powers to the Centre.

This is India’s second attempt at framing a privacy legislation, and comes after at least three previous iterations of a data protection law have been considered, and shelved, by the government. Next, the Bill will have to be passed by the Rajya Sabha before it becomes law.

According to the Bill, the central government will have the right to exempt “any instrumentality of the state” from adverse consequences citing national security, relations with foreign governments, and maintenance of public order, among other things.

Responding to concerns raised on various accounts, IT Minister Ashwini Vaishnaw said that exemptions to the Centre were needed. “If there is a natural disaster like an earthquake, will the government have time to seek consent for processing their data or have to act quickly to ensure their safety? If the police are conducting an investigation to catch an offender, should their consent be taken,” Vaishnaw asked.

The Bill also states that if an entity is penalized on more than two instances, the central government– after hearing the entity – can decide to block their platform in the country. This is a new addition to the measure, which was not present in the 2022 draft.

Experts have said that the proposal could add to the pre-existing online censorship regime already administered under Section 69 (A) of the Information Technology Act, 2000. The highest prescribed penalty has been capped at Rs 250 crore for not having enough safeguards against data breaches.

The Bill, while laying down consent norms for entities’ collecting personal data of individuals, also allows for a leeway for certain “legitimate uses,” both by the government itself, and private entities.

As per the final version, the Centre can process data of citizens without expressly seeking their consent for national security reasons and to offer other services such as subsidies, benefits, certificates, license or permit. Private companies have been afforded the privilege to deal with employment-related matters, including corporate espionage.

It has also addressed two key long-standing demands of the industry – by allowing relaxations around the age of consent for children, and by significantly easing cross-border data flows, both of which were reported by The Indian Express earlier. One of the key flailings of earlier iterations was that they were seen as too compliance-intensive by the industry, especially smaller businesses. However, with this Bill, the government’s objective has been to balance privacy and innovation.

The Bill gives powers to the central government to prescribe a lower age of consent than 18 years for accessing Internet services without parental consent if the platform they are using can process their data in a “verifiably safe manner”. This would essentially mean a white-listing approach for companies in the edtech sector, and for medical purposes, among other things.

The Centre has proposed to significantly ease cross-border data flows to international jurisdictions – by moving away from a whitelisting approach to a blacklisting mechanism. Earlier, the government had said that it would issue a list of countries where data flows would be allowed. However, the final change means that data flows are allowed by default to all regions unless prohibited by the government – a move that is being seen as a measure to ensure business continuity.

The government could notify entities as “significant data fiduciaries,” after considering factors such as the volume of personal data they possess, the risks they could pose to electoral democracy, and their impact on national security and public order, among other things. Social media platforms like Facebook, YouTube and WhatsApp are likely to be clubbed under this category. These entities are required to appoint a data protection officer for grievance redressal and carry out periodic data protection impact assessments.

The proposed law will apply to the processing of digital personal data within India; and to data processing outside the country if it is done for offering goods or services, or for profiling individuals in India.

India to require import licenses for laptops, tablets, PCs

IUST: India has announced that laptops, tablets, and all-in-one personal computers will now be categorized as "restricted imports" and subject to licensing requirements. The decision was initially put into effect immediately but later deferred until November 1.

The Directorate General of Foreign Trade issued a notification without specifying the exact reason for this restriction. India’s 2023 Foreign Trade Policy provides 17 potential reasons for classifying goods as "prohibited" or "restricted" imports, which includes goals like promoting the growth of specific industries.

Promoting domestic computer manufacturing has been a longstanding objective of the Indian government. In 2021, India introduced a production-linked incentive scheme aimed at boosting domestic production in various sectors, including electronics. This scheme was updated in May, offering over $2 billion in incentives to domestic manufacturers of laptops, tablets, all-in-one PCs, and servers over a six-year period.

Former Indian Commerce and Industry Minister Ajay Dua indicated that while promoting domestic manufacturing was one factor behind the new restrictions, the government is also concerned about India’s overall current account deficit. The country’s imports, particularly in electronics, have been rapidly increasing, with projected imports of electronics reaching $80 billion.

The announcement of the licensing requirement comes after the U.S. and India held their inaugural Strategic Trade Dialogue in Washington, DC. During the meeting, both nations agreed to establish a monitoring group to review progress in enhancing cooperation in high-tech trade and technology partnership. A joint statement issued after the meeting between President Biden and Indian Prime Minister Narendra Modi emphasized their commitment to addressing export controls, boosting high technology commerce, and facilitating technology transfer between the two countries.


U.S. tech companies say U.K. privacy bill poses ‘serious threat’ to communication

Washington Post: Major tech companies in Silicon Valley are opposing a proposed safety bill in the United Kingdom, contending that the new legislation could compromise the security of popular messaging apps, infringe upon user privacy worldwide, and even lead some apps to exit the UK entirely.

Scheduled for a third vote in September, the Online Safety Bill would require companies to proactively report illegal activities on their platforms, such as child abuse. However, numerous widely-used messaging apps like iMessage, WhatsApp, and Signal utilize end-to-end encryption, meaning the companies themselves lack access to private communications on their services.

If the bill becomes law, it would impose some of the strictest content policing regulations on tech firms globally. In a joint statement, companies including Meta’s WhatsApp asserted that the law would compel them to monitor communications within their products to report harmful content. They raised concerns that this "back door" access to encryption could be exploited by malicious actors and hostile governments.

Apple, which provides widely-used encrypted apps, expressed its worry about the bill’s impact on privacy. The company’s spokesperson, Fred Sainz, highlighted the significance of end-to-end encryption in safeguarding journalists, activists, diplomats, and ordinary citizens from surveillance, fraud, and identity theft. Sainz argued that the bill might heighten risks for UK citizens.

This debate occurs amidst a broader trend of tech companies actively enhancing encryption on their platforms, asserting that users should trust that their communications remain completely private. Facebook, for instance, plans to implement end-to-end encryption across all its platforms, and Elon Musk, owner of the rebranded Twitter (X), has advocated for encrypting direct messages.

UK officials from the Department for Science, Innovation, and Technology contend that tech firms should only adopt end-to-end encryption if they can simultaneously prevent heinous instances like child sexual abuse on their platforms. They maintain that the bill doesn’t prohibit end-to-end encryption and doesn’t necessitate weakening encryption measures.

Proponents of the bill in the UK argue that end-to-end encryption presents a significant privacy trade-off. While users might feel safer using such platforms, critics say this also enables companies to evade responsibility for illegal activities, effectively shielding criminal behavior on their platforms.

Privacy experts and digital rights organizations warn that creating a government-accessible back door sets a concerning precedent for tech companies. They assert that this sweeping legislation by a Western democracy might encourage similar efforts from governments globally, including those of the United States.


The elephant in the room in the AI debate: China

The Washington Post: As discussions about artificial intelligence (AI) legislation intensify among lawmakers, concerns regarding potential setbacks against China are becoming a significant focus within Congress.

For years, leaders in the tech industry have cautioned that imposing extensive new regulations on emerging technologies might put the United States at a disadvantage compared to China. This argument is now gaining traction in Congress as the debate over AI gains momentum.

The House select committee on China’s leaders emphasized this concern in advance of a recent hearing dedicated to securing U.S. dominance in 21st-century emerging technologies, including AI.

Representative Raja Krishnamoorthi, the committee’s leading Democrat, stressed the need for a balanced approach in legislative principles. He emphasized the importance of transparency regarding algorithms and safeguards for data that AI practitioners may collect. He also underscored the necessity of establishing a liability framework for instances where AI systems cause harm.

Representative Mike Gallagher, the Republican chair of the China panel, expressed his view that it is crucial not to overregulate AI innovation and lose the competitive edge. He advocated for a more focused and measured approach to regulating AI technology.

Krishnamoorthi acknowledged that striking the right equilibrium between fostering innovation and enforcing regulation is a complex challenge. However, he emphasized that Congress should not shy away from addressing the issue. He acknowledged that excessive regulation could stifle innovation and hinder the U.S.’s leadership in AI, but at the same time, a lack of regulation could result in nontransparent algorithms with inherent biases.

In summary, as Congress delves into AI legislation, concerns about potential challenges posed by China are influencing discussions and prompting lawmakers to seek a balanced approach that encourages innovation while addressing the risks associated with AI technology.