Search Results

Posted on May 28, 2021 Co-authored by Naintara Bipin Balakrishnan and Tanya Garg* Image Source: The Jakarta Post This article is the second part of the two-part series analysing the significance of Intellectual Property (“IP”) as a strategic asset, the various types of IP-backed financing, and finally, the approach taken by India vis-a-vis other countries. In the first part, the authors explored how widening the scope of IP would change the traditional business set up and potentially inject innovation and creation into the economy. To supplement the first part of this series, this article dwells into the various advantages of IP-backed financing and sheds light on the different ways in which various jurisdictions have developed their legal framework to support this untapped area of financing. Advantages The advantages of employing IP in order to raise finances are manifold. By allowing IP to be leveraged, immediate cash flow necessities are taken care of. If leveraging IP is incentivised, an entire untapped market is opened, which in turn helps in the advancement of the Indian economy. The advantages of leveraging IP assets are as mentioned below: Boosting the Economy As the world comes face to face with the global COVID-19 pandemic, the need to encourage IP innovation arises to promote and protect creativity and to ensure financial stability. Financial stability of a company will ensure its success in the long run. Economic growth, especially long term has been driven by improved productivity. In developing countries, IP can play a pivotal role in stimulating financial health and economic certainty. A large portion of productivity growth and job creation has been credited to innovation, primarily by small and young firms. Given its powerful effect in the global marketplace, encouraging innovation and IP is essential, specifically in research-intensive sectors including health and safety and biopharmaceuticals. These industries are bearing the brunt of the pandemic in the forefront and therefore, research and development must be nurtured and promoted. In order to facilitate this, it is evident that IP professionals and experts play an indispensable role in tackling COVID-19. Creation of a New Market Place Leveraging IP will create a new marketplace which traditional asset-based lenders have not tapped into as there are a lot of restrictions when it comes to traditional asset-based lending.[1] Tapping into that will help the sector grow exponentially. Stronger Repayment Incentives Since intangible assets are fundamental and invaluable to business activity, it provides a greater incentive for borrowers to fulfil their loan commitments and obligations. This results in a more favourable environment for lending entities as the repayment will be prompt and the rate of default will be low. Therefore, this environment serves as a conductive platform for lenders and encourages banks and financial institutions to grant more loans. Wider Pool of Assets One of the problems lenders often face is where existing clients want to borrow over the prescribed lending ratios. Intangible assets contain more value, which in turn provides a means to lend more, with the addition of increased security. Value Appreciation The IP of a well-run business will appreciate over time, whereas most of their tangible assets will depreciate over time. IPR allows protection of the innovation making it impossible to replicate without an agreement with the owner. Additionally, being the first to introduce an innovation in the market, adds a higher value to the IP and gives firms a competitive advantage.[2] An Alternative to Personal Guarantees (PGs) Personal guarantees are associated with an individual whereas leveraging IP provides a sense of comfort, as it is associated directly with the business and not with the individual. Improved Security Nowadays, floating charges are placed on a business’s IP and intangible assets which in turn weakens its effect if the business gets into difficulties. IP is considered to have a greater security blanket as when defined as part of a lending agreement, the position of the bank is much greater with the administrator. Sole assets New-age companies and start-ups lean towards having a greater number of intangible assets than tangible. With shortages in cash flow in COVID-19 times, if companies are allowed to leverage IP it will help cover the immediate cash flow requirement and not end up shutting shop. Advantage to MSMEs It is common knowledge that large, well established companies tend to protect their IP as trade secrets. Additionally, due to the abundance of other assets, larger companies have an advantage to easily secure funds from mainstream financing options. However, the option of IP-backed financing will prove to be extremely beneficial for MSMEs, especially in the economic slowdown the world finds itself in due to COVID-19. Up and coming IP-rich companies, which may not have the same repute as bigger companies, would find the option of leveraging certain IP assets to raise funds in order to invest in expansion projects. Therefore, if successfully recognised and employed, IP-backed financing transactions will allow smaller firms to raise sufficient funds and have an equal opportunity for growth in the marketplace. Consequently, such actions will propel economic development and act as a catalyst for healthy competition in the marketplace. India’s approach to IP-backed financing India has undertaken several proactive measures when it comes to the commercialisation of IP by way of its policies and initiatives. Although India ranks forty-four out of fifty-three countries, there has been significant improvement in its innovation. Since the release of the IPR Policy in 2016, the Government of India has made a focused effort to support investments in innovation and creativity through increasingly robust IP protection and enforcement. Some of these initiatives taken by India in spreading awareness of IPR include: The Agreement on Trade-Related Aspects of Intellectual Property Rights (“TRIPS”); Cell for IPR Promotion and Management (“CIPAM”); and the IPR Policy. Trade-Related Aspects of Intellectual Property Rights In India, all IPR related laws are compatible with the Agreement on TRIPS. The 2005 Amendment to the Patents Act, ensured India’s compliance with the TRIPS agreement. The Department of Industrial Policy & Promotion (“DIPP”) drafted an IPR policy for India which was then adopted by the Union Cabinet in 2016. This Policy complies with the World Trade Organization’s agreement on TRIPS with the aim to encourage innovation and creativity across sectors and provide a strong vision vis-à-vis IPR issues. Cell for IPR Promotion and Management CIPAM was introduced by DIPP for the further promotion and management of IP issues. Streamlining and simplification of IP processes in addition to creating awareness and promoting commercialisation of IP are some of its main goals. National IPR Policy The IPR Policy encouraged IP to be used as collateral to raise funds for their commercial development, it is India’s first IP focused policy which specifically aims at securitisation of IPR. Furthermore, the policy suggests financial assistance to encourage the development of IP through various routes such as venture capitalists, banks, crowdfunding mechanisms and angel funds. The policy also suggests setting up an IP exchange to bring investors and IP owners together on one platform. The Hong Kong Trade Development Council developed a free online platform called Asia IP Exchange which connects players in the IP industry. Currently there are approximately 25,000 tradable IP listings and 20 countries connected through this database. The government aims to extend financial support and easily accessible loans to farmers, weavers and artisans through rural and cooperative banks under the policy. The objective of the IPR Policy is to promote and outline IPR awareness. This is done through outreach and promotions schemes, generation of IPRs, developing legal and legislative framework, administration and management; commercialisation of IPR and enforcement and adjudication. Commercialisation Commercialisation is the key to unlocking the maximum economic value of IP; it will further inject innovation in India and aid its economic growth. With the securitisation of IP, a company is able to generate more income. Following the introduction of the IPR Policy, there has been a significant rise in IP registrations. The government has made efforts to encourage IP innovation by reducing fees and providing rebates for MSME’s which has also aided to the rise in IP registrations. The ‘Digital India’, ‘Make in India’ and ‘Startup India’ initiatives have been introduced to commercialise IP and pave way for monetisation of these assets for business in India. The report published by Confederation of Indian Industry (“CII”) emphasises the use of IP as collateral for financing. Transactions where IP has been used as collateral has declined over the last five years globally but transaction financing where IP is the primary collateral which is monetised under a ‘distress situation’ have gained a lot of traction. The entire world is facing a pandemic; economies are crashing, and unemployment is at an all-time high. The need for loans has also increased tenfold. Companies need to be given the option to leverage their IP in order to stay afloat. Since India is the third largest economy for start-ups in IP-intensive industries, the report by the CII highlights that India is standing on the cusp of an IP revolution. Contrary to the Hon’ble Supreme Court’s decision in Canara Bank v. N.G. Subbaraya Shetty[3] there are multiple statutes in Indian law that provide for the securitisation of IP assets. The Securitisation and Reconstruction of Financial Assets and Enforcement of Security Interest Act, 2002 defines the expression property and specifically includes intangible assets being knowhow, trademark, copyright, licence or franchise. Further “security interest” is defined as a right, title or interest of any kind upon property created in favour of a secured creditor and includes such right title or interest in intangible assets. Additionally, a “secured creditor” is defined to encompass any bank or financial institution holding any right, title or interest upon any tangible asset or intangible asset. Based on this understanding, any bank or designated financial institution which accepts the assignment of any IP as the security for an outstanding loan is the secured creditor. Therefore, such an entity has security interest over the IP and is entitled to sell or assign it for a royalty and recover the defaulted loan. The principles followed in respect of IPRs must be treated as equivalent to sale of secured assets to recover loans. Furthermore, section 6(1)(f) and (g) of the Banking Regulation Act, 1949 clearly provides for dealing with any property or any right, title or interest in such property which forms the security for the loan. The Indian government needs to take proactive steps to promote the leveraging of IP, especially when the economy is crashing, and companies are struggling to stay in business. By doing so, several companies will be able to avail economic relief, survive and therefore, boost the economic growth of the country. Around the Globe: An overview of IP-backed financing United States of America USA is considered the hub of innovation. Their thorough laws protect IPR holders and promote commercialisation. It was only a few years ago in the USA that the practise of using IP as collateral and their potential financing and leveraging options were discussed. These new avenues of financing enable access to credit facilities by optimal utilisation of both tangible and intangible assets. Asset-based lending has increasingly become a more commonly accepted practice. IP has only come into play over the last few years. There is an emerging consensus amongst academicians and experts that secured lending with patents is a form of “credit market innovation”. Since the 1970s, the largest change in the USA is the structural evolution of the US economy, which has been transitioning from a manufacturing driven economy to a service driven economy. The number of patents pledged as collateral grew from less than 10,000 in 1995 to nearly 50,000 in 2013.[4] Since 1980, 16 percent of all US patents have been pledged as collateral before their expiration. By 2013, 40 per cent of all firms with patents outstanding had pledged their patents as collateral at some point. Several technology-based firms consider IP as their most valuable assets. The rise of companies such as Google, Facebook and Twitter highlight the importance of IP in today’s economy. Singapore Singapore, recognising the importance of IP in a growing economy, launched the IP Financing Scheme (“IPFS”) in 2014 with the objective of increasing access to IP-backed financing. The initiative worked as a catalyst and allowed the IP industry to thrive. IPFS allowed companies to use IP as collateral in order to obtain loans from authorised financial institutions and the risk of the IP-backed loan will be shared with the Government of Singapore. The initiative was in place till 31 March 2018 and allowed companies to increase their capital by pledging their intangible assets. Korea The Korean Development Bank has advanced USD 100 million to eighty IP rich companies in the form of collateralised loans. In order to raise funds against IP as collateral, the valuation of IP becomes a part of the process. The valuation is subsidized by the Korean Intellectual Property Office, and the valuation activity is undertaken by other bodies such as the Korea Invention Promotion Association. Malaysia The Malaysian Government has introduced multiple schemes to help and promote the use of IP as collaterals. The Malaysian Debt Ventures Bhd (“MDV”) provides financing for companies in exchange for IP as collateral. Furthermore, MDV’s RM200 million Intellectual Property Financing Scheme was introduced in 2013 to enable the technology sector to secure funding from banks and other financial institutions. Conclusion “Development and innovation is an inalienable human right by virtue of which every human person and all peoples are entitled to participate in, and enjoy, economic, social, cultural and political development.” – United Nations Declaration on the Right to Development It is the need of the hour to proactivity commit to developing the use and ambit of IP. The world is gradually recognising the multifaceted value of IP and its benefits when monetised. However, the potential of IP-backed financing remains still unrealised. The concern is rooted in identifying the measures to overcome obstacles when it comes to standardise IP-backed transactions as well as inadequate legislative framework. It is difficult to make estimates and forecasts about the future development because forthcoming perspectives are partly consequences of the current situation which is not as rosy as one might wish. Although in the recent past the Indian Government has made significant progress in creating awareness with the introduction of the IPR Policy in 2016, it still has a way to go with regards to exploiting the full potential of IP. It is essential for lawmakers to take cognizance of the changing landscape and companies to take a more strategic and holistic view when it comes to IP-backed financing. An independent authority should be assigned to oversee transactions and bridge the gap in the existing framework and governance. The authority should also be tasked with creating a valuation technique to determine the worth of IP used for raising finance and expanding the current definition and use of IPR. MSMEs would greatly benefit from the acknowledgment and recognition of IP-backed financing options. The objective of raising funds via IP is twofold: First, to facilitate availability of credit to IPR holders to utilize when they are faced with financial difficulties; and second, to inject creativity and promote innovation in the economy. It is vital for companies to invest in research and development in order to increase their value in the market and be financially secure. Due to the lack of internal structure, India must take inspiration from countries like Singapore, USA, Malaysia and Korea who have taken concrete steps towards setting up a thriving IP financing and investment industry. Read the first part of our two-part series on IP-backed financing here. *Naintara Bipin Balakrishnan is a technology law enthusiast with a keen interest in data protection and privacy law. Tanya Garg, on the Executive Board at IntellecTech Law, completed her B.B.A. LLB. (Hons) degree from Symbiosis Law School, Pune (Batch of 2020) with specialization in dispute resolution, intellectual property, technology and antitrust laws. [1] Irfaan Khota, and Anees Stern, Leveraging Intellectual Property for Strategic Advantage in Product Development, South African Journal of Information Management Vol. 7 (2005). [2] Fatma Mrad, The Effects of Intellectual Property Rights Protection in the Technology Transfer Context on Economic Growth: The Case of Developing Countries, Journal of Innovation Economics & Management Vol. 2 (2017). [3] Canara Bank v. N.G. Subbaraya Shetty, (2018) 16 SCC 228 [4] William Mann, Creditor Rights and Innovation: Evidence from Patent Collateral, Journal of Financial Economics Vol 130 Issue 1 (2015).

Image Source: MessengerPeople The WhatsApp Privacy Policy Update (“2021 update”) released in January this year has been making many headlines consistently ever since. The said update took effect on May 15th. WhatsApp has explained that in order for users to have access to the functionality of the app, they have to accept the new terms. WhatsApp has started sending reminders to accept the new policy with the 2021 update, and after a few weeks, the company will disable some of the features for those who don’t accept the update. As explained in our earlier article on CCI’s investigation of the 2021 update, this new policy gives WhatsApp the right to share user data such as phone number, IP address and payment related data on the app with Facebook and other Facebook owned companies like Instagram. Data including messages generated from customer-business interaction on WhatsApp will also be used by Facebook to advertise to the said customer on Facebook. The 2021 update has also been scrutinized by the Competition Commission of India under the lens of antitrust law. The Delhi High Court has refused to set aside the CCI order which directed a probe into the 2021 update for being allegedly anti-competitive. In an affidavit filed before the Delhi High Court in the case of Seema Singh v. Union of India, WhatsApp submitted that the 2021 update gives its users the liberty to either accept the 2021 update or choose not to do so, and stop using the messaging platform. WhatsApp also noted that users have the option to delete their WhatsApp accounts as and when they want. Naming private companies such as Google, Microsoft, Zoom, Zomato, Republic World, Ola Cabs, True caller, Big Basket, Koo, and public companies such as Aarogya Setu, Bhim, Air India, Sandes, Government e-Marketplace (GeM) and Indian Railway Catering and Tourism Corporation (IRCTC), WhatsApp claimed that though these companies had similar privacy policies to the 2021 update, they were allowed to retain their right to collect their users’ data. In its counter-affidavit filed in the above-mentioned case, the central government asserted that until the Personal Data Protection Bill, 2019 was passed, the Information Technology Act, 2000 and the rules made thereunder would constitute the Indian data protection regime. Based on the above assertion, it claimed that the 2021 update is violative of the data protection laws in India. It further stated that the failure of the 2021 update to distinguish between personal data and sensitive personal data was problematic. Contending that the 2021 update violated the IT Rules 2011, the central government urged the Delhi High Court to restrain WhatsApp from implementing the 2021 update. On May 18th, the Ministry of Electronics and Information Technology (“Ministry”) sent a notice to WhatsApp asking it to withdraw the new privacy policy. It observed that mere deferral by WhatsApp of the last date to accept the updated terms beyond its deadline of May 15 did not absolve it from respecting informational privacy, data security and user choice for Indian users. The Ministry officials said that WhatsApp may face legal action in India by May 25 if it does not send a satisfactory reply to the said notice. This is the second communication by the Ministry to WhatsApp asking to withdraw its controversial privacy policy. In January, the Ministry had written a letter to Will Cathcart, the global Chief Executive Officer of the instant messaging platform, asking that the latest privacy and policy update be withdrawn. Some are deliberating that the Ministry’s notice to WhatsApp may also be challenged before courts. It will be interesting to see the outcome of this highly debated 2021 update. Reported by Melita Tessy, Researcher at IntellecTech Law [ORIGINALLY POSTED ON MAY 22, 2021]

Posted on May 13, 2021 Co-authored by Naintara Bipin Balakrishnan and Tanya Garg* Image Source: The One Brief Intellectual Property protection makes intangible assets a bit more tangible by turning them into valuable exclusive assets that can often be traded in the marketplace. – World Intellectual Property Organisation Introduction We entered 2020 with the speculation of another wave of recession. However, before that problem could be addressed, COVID-19 was thrown our way. After the WHO declared a pandemic, several countries sought to enforce a lockdown and caused the revenue stream of several businesses to come to an abrupt halt. Intangible assets play a vital role in determining the potential value of a company. Over the last two decades, companies have been in search of new techniques to maximize revenue generated from Intellectual Property (“IP”). In several instances across various industries, development and acquisition of Intellectual Property Rights (“IPR”) by companies has resulted in an overnight increase in their value. In times where the economy is crashing and businesses are desperately trying to stay afloat, the value of IP cannot be ignored. IP-backed financing is rising as the new trend to improve IPR holders cover cash flow shortages and improve liquidity. The fundamental characteristic behind such transactions is converting a creative idea into a financial asset. The multifaceted strategic use of IP beyond the current limited viewpoint, will assist in kickstarting a new marketplace for IP-backed financing. The article, written as a two-part series, explores how widening the scope of IP would change the traditional business set up and potentially inject innovation and creation into the economy. This two-part series aims to analyse the significance of IP as a strategic asset, the various types of IP-backed financing, and finally, the approach taken by India vis-a-vis other countries. Customarily, tangible assets have been the scale for measuring the value of a company and determining its place in the market. However, of late, this dynamic has undergone a drastic change; there is an increasing reliance on intangible assets. Intellectual capital is recognised as the most important asset of countless large and powerful companies. It is the foundation for the market dominance and continuing profitability of leading corporations. The World Intellectual Property Organisation (“WIPO”) defines IP as creations of the mind which includes inventions, literary and artistic works, and symbols and images used in commerce. Therefore, every class of IP incentivises innovation, stimulates creativity, and boosts the economy by providing rights holders with an exclusive property right. IP equips individuals and companies with the ability to capitalise any creation in the form of a work, brand, or invention by excluding others from doing so, without authorisation, for a period of time. Software codes, innovative ideas are replacing the prized warehouses and factories as a source of income. The higher importance given to IP; the higher returns can be reaped. When protected and enforced properly, the commercial value in IP can be multifarious. Globally and domestically, laws have been implemented to protect IP. The deliberate act of government policy encourages creativity and promotes fair trading and commerce which helps contribute to economic and social development. Despite the abovementioned, significant strides, the role of IPRs and intangible assets is inadequately recognised, especially in the business industry. According to the traditionalist approach, the core use of IP, in the context of businesses, is to create legal barriers and curb prospective market entrants and competitors. This outlook stems from the fundamental right of an IP owner to exclude others from exploiting the revenue from the asset without permission of the owner. Thus, IP allows businesses to increase revenue by collecting royalty and fees. The onset of the COVID-19 pandemic demands for change in the traditional outlook. Companies have been forced to halt several activities and consequently, business owners must tackle the problem of reduced cash flow and the inability to repay debts. In order to effectively overcome cash flow shortages, it is vital to develop IP beyond the confined and outdated scope of innovation, technological growth and competitive advantages. Legal framework must take a holistic approach to encompass and promote the plethora of leveraging options to employ IP assets as financial instruments and thus, an additional source of revenue. Recently, academicians, professionals and experts have discussed and debated the option of IP being used as primary collateral to avail loans. IP loans represent a complementary source of capital that can often provide greater availability for revenue. IP-backed financing refers to the utilisation of IP to raise finance by avail to credit facilities. Globally, more corporations and especially Micro, Small and Medium Sized Enterprises (“MSMEs”), are leveraging their IP in exchange for finance, and lending institutions around the world are considering IP as collateral when extending loans. IP as a Strategic Asset Generally, tangible assets such as real estate, equipment and inventory are used to procure asset-based loans. In countries around the globe, there is a paradigm shift towards a knowledge and innovation driven economy. As early as 2003, WIPO and the United Nations Commission on International Trade Law (“UNCITRAL”) have been working to modernise the existing legal provisions governing IP assets. IP is a powerful and valuable business asset and must be managed in a tactical manner. The logos of companies like Amazon, Coca Cola, BMW, etc are valued at billions of dollars. As of 2008, intangible assets have contributed to 31.2 percent of all wealth in Canada, and the proportion continues to steadily increase. In the United States, IP intensive industries account for over one-third of the national GDP. In 2017, Uber acquired eighty-seven issued patents and five patent applications from AT&T; the amount of the acquisition remains confidential. This acquisition was considered ground-breaking as the acquisition gave Uber a portfolio of patents having priority dates pre-dating Uber’s formation in 2009, as well as most of the ridesharing industry in general. Moreover, the IP covered various technologies related to messaging, call handling, routing network traffic, and billing. The prime reasons for acquisition and ownership of IP is for legal and transferable proof of ownership of the most valuable assets of a company. Exploiting IP is essential for maximising the IP’s value. Based on the desired strategic goal, a company may pick from an abundance of alternatives. Leveraging IP in exchange for finance and while extending loans, will pave the way to aid revival and injection of revenue into companies, especially MSME. Usually, tangible assets are considered to secure asset-based loans as they are considered safe and secure options. However, the collateralisation of IP will allow companies to enhance the credit pool available to an IPR holder. In situations where borrowers pledge their IP as collateral, their collateral pool increases in value and the potential for a successful loan may be increased. Licensed IPRs, where regular royalty payments are directly attributable to the licensed assets are the preferred asset category for investors since there is satisfactorily valuable collateral with ample cash flow for repayment. The UNCITRAL Legislative Guide on Secured Transactions In 2010, the UNCITRAL undertook an elaborate exercise to prepare The UNCITRAL Legislative Guide on Secured Transactions: Supplement on Security Rights in Intellectual Property (“Guide”) in order to create a substantive framework to govern secured IP transactions. At the forty-third session, held in New York, the Commission considered adopted the Supplement by consensus. Subsequently, the General Assembly and the Secretary-General recommended that all States consider becoming party to the United Nations Convention on the Assignment of Receivables in International Trade (2001) (“Convention”) and implementing the recommendations of the Guide. The USA only became a signatory to this Convention in 2019. Given the current climate across the world, the Convention is considered to have a game-changing effect as it will allow businesses of each and every size to access more funding in support of international trade. The primary aim of the Guide is to encourage transactions with secured credit with respect to businesses that own or have IPRs and promote credit at a reasonable cost. Thus, by allowing businesses to use rights pertaining to IP without interfering with the legitimate rights of the owners, licensors and licensees of the intangible property, cash flow shortages can be covered more effectively. Additionally, the UNCITRAL has also approved a model law on secured transactions for adoption by the member countries. It is vital for India to consider the adoption and enactment of the model law based on the UNCITRAL model, applicable to all secured lenders. Methods of Valuation Valuation of IP is a transdisciplinary area of study and focuses on the doctrines of finance, economics, law and competition. Traditional lenders use a market-based resale appraisal assessment to guarantee accurate valuation of IP. This method of valuation, coupled with additional methods like considering actual or potential royalties or lease streams or the outright sale of the IP or even the company to a competitor that values the IP, helps assess the accurate value. The fundamental rule of commercial valuation is that the value of something cannot be stated in abstract, it is stated with reference to the prevailing market conditions. In an ideal situation, there will be certain established and recognised universal valuation tools in order to create uniformity in various contracts. While independent experts may prefer to determine the market value by reference to comparable market transactions, it becomes challenging as two IP assets cannot be uniform, thereby making it next to impossible to have two transactions that are precisely comparable. Therefore, while determining the value of an IP the search for a comparable market transaction becomes almost futile. When undertaking IPR valuation, the context is all-important, and the valuation expert will need to assign a realistic value to the asset. The ownership and grant of an IPR is a precondition to valuation and allows monetisation of the intangible assets. Furthermore, the valuation of a company’s IP depicts the competitive advantage it holds over others in the industry. The valuation of an IP indicates the sum total cost for which the ownership of an IPR is transacted between the IP holder and buyer. Therefore, the price is the monetary amount at which an asset trades in the market. Types of IP-backed financing IP as Direct Collateral Internationally and specially during COVID-19, IP-backed financing transactions where IP is permitted to be pledged directly as collateral in a loan agreement, and monetising its value under distress situations, is being extensively advocated for. Since the IP assets will be conferred with equal status as tangible collateral, the lender of such loan will have lien on these assets. In case of the asset owner’s inability to repay or defaults on the loan, the assets can be seized or sold, in accordance with the applicable laws. Therefore, companies can secure a loan from the flow of income resulting from various IP licensing agreements. These agreements usually involve portfolios of patents and/or other classes of IP. With the introduction of the National IPR Policy (“IPR Policy”) in India in 2016, a whole new market opened as the ability of IP to be used as collateral was recognised. Securitisation Asset securitisation is the practice of converting an asset or a stream of cash flows into marketable securities; it is relatively new to the realm of IP. According to WIPO, the securitisation of IP is the new trend. In 1997, David Bowie was in search of new financing options, with an objective of raising lump sum cash. This is how Bowie Bonds were introduced. Due to this, IP securitisation gained traction and was recognised as a financing vehicle. Therefore, rather than entering into new traditional distribution agreements at the expiration of his existing one, Bowie bonds were formulated to meet the need for upfront and immediate cash. Taking inspiration from this, several others followed in Bowie’s footsteps. Several published articles have theorised that the possibilities for securitisations include portfolios of trade secrets, trademarks and domain names as well. In this kind of debt offering, the underlying IPRs would be used to secure the bonds. If there is a default on payment obligations to bondholders, the IPRs are permanently transferred to the bondholders. Subject to any conditions agreed upon or security interest held by bondholders, the IP asset(s) will remain with the IPR holder until a default occurs. Once the obligations of the bond are met, the copyright owner holds the IPR free of the security interest. However, the details of such transactions are usually kept confidential. Among the famous transactions in the field of IPR are the securitisations, the trademark of the Domino’s Pizza chain and the patent on the HIV drug developed by Yale University. Sale and Leaseback One of the lesser explored IP financing options is Sale and Leaseback. As the name suggests, under these transactions, the IP asset is sold and subsequently, leased back for use over a considerable duration. Financing transactions using sale and leaseback, allows the IP owner to achieve instantaneous liquidity and continued usage of the IP asset without being the actual or real owner. Thereafter, the company leases the same asset back to its former owner under payment of fee structure, which corresponds to the loan interest. When the leasing contract period ends, the lessee is given the opportunity to buy back the ownership of the asset at a fixed price. Sale and Leaseback is a tool that aids in securing short term funding and provides transparency as the link between the secured assets is clearly demonstrated. Venture Debt Under the Venture Debt financing model principles of debt-equity funding are employed. As of this date, the Fortress Investment Group and Silicon Valley Bank are two institutions that offer this model of financing. Just like in ordinary venture debt financing options, the IP owner’s firm, the firm requesting funding is granted capital as a loan, on which a predetermined interest rate is levied. The investment by such institutions can take on one of two forms: Equity or Debt. Equity refers to investment for stock and debt refers to collateralized loans. Collateralised loans have already been covered; therefore, this section will focus on equity. In such transactions, since the company’s assets qualify the potential value generated by IP, the relationship between the investor and the assets of the IP owner’s firm is subject to the type of investment agreed upon. When the firm issues warrants for equity in the company, they are acquired by the lender. IP represents a key asset to facilitate these deals, but this kind of loan is typically backed by a blanket lien or a claim on all the assets of the firm in case of default. Venture debts are comparatively more difficult to obtain in the IP field. While choosing between the above mentioned methods, it is prudent to establish the short-term and long-term objectives of the company. The prevailing market conditions must also be taken into consideration. Thereafter, a conscious and comprehensive decision be taken. Conclusion Assessing the value of IP assets and promoting the benefits of doing it is an exhaustive task. It will take time to spread awareness and build a comprehensive and trusted legal framework. However, it would be foolish to entirely overlook the benefits of IP valuation. IP administrators must engage banking and financial specialists in the regulation of IP asset valuation so that it becomes a widespread, standardised practice. To achieve this, a global and holistic approach to valuing IP must be developed. This will reduce the risk of these assets being overvalued by the financial sector. The next part of this two-part series shall examine the advantages of IP-backed financing and provide a comparative overview of the framework adopted across different jurisdictions. *Naintara Bipin Balakrishnan is a technology law enthusiast with a keen interest in data protection and privacy law. Tanya Garg, on the Executive Board at IntellecTech Law, completed her B.B.A. LLB. (Hons) degree from Symbiosis Law School, Pune (Batch of 2020) with specialization in dispute resolution, intellectual property, technology and antitrust laws.

Posted on May 3, 2021 Co-authored by Melita Tessy & Vivek Basanagoudar* Image source: Mashable India Introduction WhatsApp has over 2 billion users worldwide and is used in over 180 countries, making it the world’s most popular messaging app. With over 400 million users, India is WhatsApp’s biggest market. In January this year, WhatsApp released its new privacy policy (“the 2021 update”) which is scheduled to take effect from May 15th. This policy applies to non – European Region countries which are not governed by the General Data Protection Regulation (“GDPR”). WhatsApp has explained that in order for users to have access to the functionality of the app, they have to accept the new terms. The new policy gives WhatsApp the right to share user data such as phone number, IP address and payment related data on the app with Facebook and other Facebook owned companies like Instagram. Data including messages generated from customer-business interaction on WhatsApp will also be used by Facebook to advertise to the said customer on Facebook.[1] The new policy has faced severe backlash from critics as well as members of the general public who are concerned for the privacy and security of their data. The data breaches that have occurred on Facebook in the recent past have only heightened this concern. In addition to the above-mentioned privacy concerns, the new policy has also given rise to antitrust concerns in India. These concerns have been dealt with by the Competition Commission of India (“CCI”) under the provisions of the Competition Act (“CA”), 2002. In this article, the order passed by the CCI is examined and analysed. The CCI and WhatsApp’s New Privacy Policy: Background and Issues According to the CCI, its role in a data driven ecosystem is to examine “whether the excessive data collection and the extent to which such collected data is subsequently put to use or otherwise shared, have anti-competitive implications, which require antitrust scrutiny”. In light of the said role, the CCI took suo moto cognizance of the antitrust issues surrounding WhatsApp’s new privacy policy in the case of Re: Updated Terms of Service and Privacy Policy for WhatsApp Users. In this antitrust investigation, the CCI sought to examine whether the privacy policy updates issued by WhatsApp have any competition concerns which are in violation of the provisions of Section 4 of the CA. Since the privacy policy had been publicly released and the users were already getting prompts for acceptance of updated terms, the CCI acknowledged that it “is obligated to ‘prevent’ practices having adverse effect on competition”. In this vein, both WhatsApp and Facebook were arrayed as opposite parties in the case. The CCI observed that while WhatsApp’s previous privacy policies gave users the option to choose whether or not they would like to share their data with Facebook, the latest update made the said data sharing mandatory. CCI, dismissing Facebook’s contention that it is a distinct legal entity from WhatsApp, observed that since Facebook was a direct and immediate beneficiary of WhatsApp’s new policy update, it cannot feign ignorance regarding the possible impact of the said updates altogether. WhatsApp and Facebook had earlier been the subject of other antitrust investigations as well; such as, in Vinod Kumar Gupta v. WhatsApp Inc., WhatsApp and Facebook were accused of indulging in the practice of predatory pricing by not charging any subscription fee from its users in violation of the provisions of Section 4 of CA, 2002. They were also accused of abusing their dominant position in the relevant market by introducing a privacy policy that compelled users to share their account details and other information with ‘Facebook’. The CCI held that the privacy policy was not abusive since it had an opt-out option and also took the view that allegations of breach of the Information Technology Act, 2000 do not fall within its purview. WhatsApp used this observation to support its claims in the present antitrust probe. Similarly, in Harshita Chawla v. WhatsApp Inc, it was alleged that WhatsApp was abusing its dominant position in the market by providing in-app payment services. The CCI had dismissed the said allegation holding that issues related to data localization and data sharing need not be looked in under competition law. Accordingly, in the present case, WhatsApp took up a similar plea that its recent privacy policy will be under the purview of information technology laws and not under the prevailing antitrust laws. WhatsApp also claimed that since its policy update dealt with data sharing, it did not fall within the purview of the CCI. The CCI rejected the objection of WhatsApp based on the reasoning that they are free to examine the policy update from the viewpoint of competition law to ascertain whether WhatsApp’s new privacy policy is in violation of Section 4 of the CA for inter alia being exclusionary and exploitative, and having appreciable adverse effects on competition. Since WhatsApp is the most popular messaging app in India, it is in a dominant position. The CCI observed that in digital markets, extreme data collection can lead to an exclusionary effect on competitors. This aspect, therefore, comes under the purview of competition law. Prima Facie Concerns of Abuse of Dominance Before addressing the prima facie concerns, it is imperative to note that WhatsApp, in response to certain clarifications sought by the CCI stated that the 2021 update, was required to share more information with users about how WhatsApp gathers, utilizes, and exchanges information and to remind users about how optional business messaging services function when those features become accessible to them. Furthermore, it was stated by WhatsApp that they continue to honour their 2016 update (“the 2016 update”) which allowed existing users to opt-out of sharing their WhatsApp account information with Facebook companies. The company clarified that it cannot access personal conversations due to their end-to-end encryption policy. With regards to the prima facie concerns, WhatsApp submitted that there were no competition-based concerns that could have arisen from the 2021 update and the company requested the CCI to refrain from initiating an investigation. However, the CCI proceeded to examine the issue on merit and noted that it had previously established WhatsApp to be a dominant player in the ‘Over-The-Top (OTT) messaging applications via smartphones in India’ market and this was done in the Harshita Chawla case. It noted that, unlike the 2016 update, users were not given the option to opt-out, and the scope of data collected by the 2021 update was too wide and disproportionate. It includes, among other things, details about the user’s battery level, signal power, app edition, mobile operator, ISP, language, and time zone, system activity information, service-related information and identifiers, and the user’s position information, even if the user does not use location-related features. The CCI observed that details about how users “interact with others (including businesses)” aren’t specifically described, and what constitutes “service-related information“, “mobile device information“, “payments or business features“, and so on aren’t either. The CCI also noted that the policy’s list of data to be collected, which used terms like “includes“, “such as“, and “For example“, among others, was indicative rather than exhaustive, implying that the scope of sharing data may extend beyond the information categories that have been explicitly stated in the policy. The real data expense that a user incurs for using WhatsApp services is hidden by obscurity, ambiguity, open-endedness, and incomplete disclosures. It is still unclear from the policy whether users’ past data will be shared with Facebook companies, and whether data will be shared with respect to WhatsApp users who aren’t on Facebook’s other apps, such as Facebook, Instagram, and so on. Users are often unlikely to expect their personal information to be exchanged with third parties unless it is for the specific purpose of delivering or enhancing WhatsApp’s service. However, it appears that the data sharing system is often intended to ‘customize’, ‘personalize’, and ‘market’ the services of other Facebook Companies, based on the policy’s wording. Users generally have sovereign rights and power over decisions about sharing their personalised data in a competitive market. This is not the case for WhatsApp users, and there seems to be no justifiable explanation why they do not possess any influence or say over such cross-product data processing by mutual agreement rather than as a condition of using WhatsApp’s services. WhatsApp users previously had such control over sharing of their personal data with Facebook, owing to a ‘opt-out’ clause in previous policy changes that was available for 30 days. However, they no longer possess such ability in the new update. As a result, if users choose to utilise a dominant messaging app, they must embrace the platform’s arbitrarily dictated “take it or leave it” terms in their entirety, including the data sharing provisions. Such “consent” cannot be interpreted as voluntary approval to any of the policy’s particular processing or use of personalised data. They have not been given adequate options to object to or opt-out of particular data sharing terms, which tends to be unfair and unreasonable for them. After having considered the above matters, the CCI claimed that the conduct expressed by WhatsApp through its update was “neither fully transparent nor based on voluntary and specific user content” and this was claimed to be unfair to its users. The CCI also stated there was data concentration between the Facebook companies which posed to be a threat due to the degradation of non-price parameters of competition viz. quality which in-turn causes detriment to customers with no valid justification. Abuse of dominance by an individual with a dominant position in a relevant market is prohibited under Section 4 of the CA. According to Section 4(2) of the CA, a company or a group is abusing its dominant position if it imposes unequal or discriminatory conditions in the prices of purchase or sale of goods or services; restricts or limits production of goods or services in the market; or restricts or limits technological or scientific advancement relating to goods or services to the detriment of others. The CCI held that WhatsApp dominated the relevant market for OTT messaging apps via smartphones in India and thereby concluded that such acts as mentioned above, prima facie amounted to imposition of unfair terms and conditions and violated Section 4(2)(a)(i) of the CA. Additionally, the contested data sharing clause could have exclusionary effects in the display advertisement industry, potentially undermining the competitive process and creating further barriers to market entry, which was held to be in violation of Section 4(2)(c) and (e) of the CA. There was also a recognition of WhatsApp’s pronounced network effects and the lack of a credible competitor which resulted in the company being put in a power to compromise the protection of data of its users. Conclusion Due to lack of a strict data privacy regime in India, the CCI has gone beyond its role of being a competition regulator and taken the lead in protecting user privacy, thereby blurring the demarcation between antitrust laws on one hand and information technology laws on the other. In the absence of such a simple line of demarcation, courts are likely to see an increase in jurisdictional disputes resulting from the country’s changing data jurisprudence. Interestingly, both 2016 and 2021 updates have been challenged on other aspects as well. Firstly, the 2016 update was challenged in Karmanya Singh v. Union of India.[2] In this case, the Delhi High Court ordered the deletion of user data collected by WhatsApp before 25th September 2016, but allowed the retention and sharing of data post the said date. It observed that those who didn’t want to use WhatsApp could always choose to leave it. The 2021 update was challenged in Chaitanya Rohilla v. Union of India, wherein the court noted that the 2021 update violated the right to privacy. It also observed that the preferential treatment given to EU countries was concerning. In the current case, the CCI has probed into the antitrust concerns raised against WhatsApp and has clearly identified issues that could pose a threat to the data of its users. The DG has now been ordered to conduct further investigation into the new policy which may or may not result in a remedy. Instead of merely ordering an investigation, under Section 33 of the CA, 2002, the CCI could have ordered for interim relief by placing an injunction on the operation of the update itself. While WhatsApp itself has delayed the implementation of the update till the 15th of May, the lack of official action could seriously harm competition in the OTT messaging applications industry. Though the 2021 update has been subject to various contentions in the fields of data privacy and competition, WhatsApp, using its position as the dominant player was trying to find a leeway to get past them. In light of this, it is relieving to note that the Delhi High Court has refused to set aside the CCI order discussed in this article. *Melita is a Researcher at IntellecTech Law and a law student at CHRIST (Deemed to be University), with a keen interest in IP and TMT law. She published her novel ‘Battle of the Spheres’ when she was 15 and is one of India’s youngest TEDx Speakers. Vivek is a Researcher at IntellecTech Law and is a second year law student pursuing a B.A.LL.B degree from Jindal Global Law School. Having completed over 20 internships and 6 RAships in a span of one and a half years, he is determined to succeed in the fields of Intellectual Property Law, Environmental Law and Gender Justice. [1] WhatsApp Privacy Policy – Third party information: Businesses on WhatsApp, Jan 4, 2021 – “Businesses you interact with using our Services may provide us with information about their interactions with you. We require each of these businesses to act in accordance with applicable law when providing any information to us. When you message with a business on WhatsApp, keep in mind that the content you share may be visible to several people in that business. In addition, some businesses might be working with third-party service providers (which may include Facebook) to help manage their communications with their customers. For example, a business may give such third-party service provider access to its communications to send, store, read, manage, or otherwise process them for the business. To understand how a business processes your information, including how it might share your information with third parties or Facebook, you should review that business’ privacy policy or contact the business directly.” [2] UOI, 233 (2016) DLT 436.

Posted on April 23, 2021 Authored by Ritika Acharya* Image Source: WazirX Introduction The Indian cyptocurrency exchange, WazirX, recently launched India’s first blockchain-based marketplace for non-fungible tokens (“NFTs”). NFTs are crypto assets that reside on the Ethereum blockchain. Each NFT is entirely unique and inimitable. One NFT cannot be replaced with another and copies of it cannot be made after a purchase, making it an attractive one-of-a-kind trading card for buyers. WazirX’s marketplace enables Indian creators to share their intellectual property by selling their digital assets in the form of NFTs. These assets can be practically any digital goods – a tweet, GIF, sticker, music, drawings, etc. The sale of an NFT transfers ownership of the NFT to the buyer, while the creator of the NFT retains their copyright in it (unless there is a contract to the contrary). The creator is also entitled to a royalty on each subsequent sale of the NFT. WazirX mandates the exclusive use of cyptocurrencies to purchase NFTs on its platform. This poses a regulatory concern as cryptocurrency hangs in the grey zone in India. With the absence of a codified legal framework for cryptocurrency, there is a lack of clarity on what the legal status of crypto will look like in the near future. Regulatory framework In 2018, the Reserve Bank of India (“RBI”) had issued a circular (“Circular”) that prohibited banks and financial institutions from dealing in, and providing services for facilitating dealing in cryptocurrencies. However, in 2020, a three-judge bench of the Hon’ble Supreme Court in Internet and Mobile Association of India v. Reserve Bank of India[1] held the Circular to be a disproportionate regulatory action against the spirit of Article 19 of the Constitution of India. Striking down the Circular, the court opined that cryptocurrencies should be regulated, not outrightly banned. Thus, at present, cryptocurrencies are not per se illegal in India but there are apprehensions that this may change soon. Reports are rife with speculation that the government is planning another move to ban cryptocurrencies. Also see our earlier article on India’s regulatory stance on cryptocurrency. During the first Budget session of the Parliament in January 2021, the central government revealed that the inter-ministerial committee had suggested introducing a draft bill titled ‘The Cryptocurrency and Regulation of Official Digital Currency Bill, 2021’ (“Bill”). Taking a harsh stance against the crypto industry, the Bill proposed to criminalise the ownership, issuance, mining, trading, and transfer of cryptocurrencies. It reportedly gave investors six months to liquidate their holdings, failing which they would be penalized merely for being in possession of cryptocurrency. As per the session list for Lok Sabha, the Bill aims to create a facilitative framework to enable the RBI to launch its own official digital currency. The RBI reiterated that it is exploring the possibility of creating and operationalizing a digital version of fiat currency in its Booklet on Payment Systems published on 25th January, 2021. If the Bill were passed by the Parliament, it may render useless WazirX’s NFT marketplace in India because it would prohibit crypto-asset transactions. Although NFTs are not cryptocurrencies in themselves, they are crypto assets. WazirX requires its users to open a crypto wallet on its cryptocurrency exchange as a prerequisite for buying and selling NFTs. This wallet allows the user to send, receive and store cryptocurrency. It automates the sale process, thereby removing the risk of either party defaulting on the transaction. With the Bill criminalizing the possession and use of cryptocurrencies, NFT marketplaces that use crypto to trade in NFTs may fail to sustain the resulting regulatory duress. The users of WazirX would have no choice but to liquidate their cryptocurrency holdings. As a result, every Indian investor who opened a wallet on WazirX would be forced to exit the exchange and every Indian creator would lose a source of revenue from the NFT marketplace. There are few ways to avoid this outcome. First, WazirX could alter its business model to allow the sale of NFTs with fiat money instead of cryptocurrencies, to be compliant with the Bill. Second, the Bill could stipulate that cryptocurrency exchanges that have a virtual presence in India, allow NFT marketplaces to operate using only the RBI’s official digital currency as a legal tender. The second approach does have a couple of limitations – that it hinges on the assumption that the RBI will indeed develop and launch its own digital currency before the Bill is enacted; and that those NFT marketplaces which do not have a physical presence in India, i.e. no registered office in India (like the SuperRare NFT marketplace which is headquartered in Delaware, United States), will be unlikely to submit to India’s extra-territorial jurisdiction. A third approach is that the Bill could exempt all NFT marketplaces from the ban on crypto trading in consideration of the fact that NFT marketplaces trade NFTs, and not cryptocurrencies. NFT marketplaces are a matching portal to connect buyers and sellers. NFTs, unlike cryptocurrencies, do not act as a medium of exchange, they simply represent ownership of unique digital items. Exempting NFTs would also be in line with the Bill’s objective to “allow for certain exceptions to promote the underlying technology of cryptocurrency and its uses” as stated in the Bulletin titled ‘General Information relating to Parliamentary and other matters’ published by the Lok Sabha on 29th January, 2021. Companies Act – A Saviour of Cryptos? On the bright side, there is cause for hope that the Bill, which has not yet been tabled for discussion in the Parliament, will never see the light of day. Schedule III of the Companies Act, 2013 was amended on 24th March, 2021. The Ministry of Corporate Affairs has directed companies to disclose all crypto-related transactions in their annual financial statements under the category of digital assets. The notification (“Notification”) states, “Where the Company has traded or invested in Crypto currency or Virtual Currency during the financial year, the following shall be disclosed:- profit or loss on transactions involving Crypto currency or Virtual Currency amount of currency held as at the reporting date, deposits or advances from any person for the purpose of trading or investing in Crypto Currency/ virtual currency.” The amendment is a sign that India may not shut down all avenues for crypto trade or investments. While cryptocurrencies are largely an unregulated industry in India, this move marks the first step towards the government recognising the digital assets as part of law. This is a positive development as it signifies that the governmental approach to cryptocurrency is becoming less dismissive. The government is trying to ensure that Indian companies do not fall behind their foreign counterparts in the crypto market. The Notification is binding on WazirX as it is a company incorporated under the name of ‘Zanmai Labs Private Limited’ on 12th December, 2017 with its registered office in Mumbai.[2] WazirX will accordingly have to disclose the quantum of funds their investors have deposited with them over the last year for the purpose of trading in cryptocurrencies. This will also include the amount of cryptocurrency held by investors in the WazirX crypto wallets on their NFT marketplace. WazirX’s dealings will have enhanced transparency regarding how much money it makes through its trading activities. Such transparency is expected to increase investor confidence. The Way Forward The regulation of cryptocurrency as an investment asset class is a welcome relief for crypto exchanges as it is likely to increase institutional participations in the crypto space in the country and boost the institutional adoption of crypto assets. The government should also support crypto assets to encourage the growth of Indian NFT marketplaces in the country, enabling them to compete with global marketplaces like OpenSea, Nifty Gateway and Rarible, among others. However, the forthcoming regulatory framework should not hamper on the freedom of trade or result in an outright ban on cryptocurrencies. *Ritika Acharya is a Researcher at IntellecTech Law who takes a keen interest in technology law. She is also a law student at Maharashtra National Law University (MNLU) Mumbai, with a passion for reading and writing. [1] Internet and Mobile Association of India v. Reserve Bank of India, Writ Petition (Civil) No.528 of 2018 with Writ Petition (Civil) No.373 of 2018. [2] As per the company master data available on the website of the Ministry of Corporate Affairs.

Posted on April 13, 2021 Authored by Vallari Dronamraju* Image Source: Hudson Institute Social media is a group of internet-based applications that build on the ideological and technological foundations of the internet and that allow the creation and exchange of user-generated content.[1] The Information Technology (Intermediary Guidelines and Digital Media Ethics Code), Rules, 2021 (“Rules”) enacted on February 25, 2021, have had a significant impact on entities broadly classified as ‘intermediaries’ and ‘publishers’. We have previously examined the Rules here and here. Intermediary liability stems from S. 79 of the Information Technology Act (“Act”), that exempts intermediaries from liability for third party content on their sites, as long as certain conditions are fulfilled. For an intermediary to claim immunity while discharging duties, it is essential that it observes the Rules that the Central Government specifically provides for, in terms of due diligence. An intermediary, thus, must not knowingly host information that is contrary to the said Rules and adhere to the due diligence requirements. With the onerous obligations and compliances under the new Rules, it is important to highlight the impact it may have on the rights and interests of the users. In this regard, this article analyses the key provisions of the new Rules and the impact of the same on the right to disseminate and access information on the internet. Automated filtering The requirement of automated filters to be deployed by ‘Significant Social Media Intermediaries’ (“SSMI”) to identify, moderate or remove ‘illegal’ content on any social media platform is a restriction on the constitutional guarantee of free speech and expression. Several tech giants across the globe have opposed such measures. Automated filtering may also result in pre-censorship and suppressing free speech before it is public. Further, intermediaries are also mandated to take down specific categories of content in 24 hours and share information with the law enforcement agencies within 72 hours. This, however, is not sufficient time to analyse requests, seek clarifications or remedies. It might create an incentive to takedown content and share user data without due process. These intermediaries are also to preserve content requested by law enforcement for at least 180 days. It contradicts the principle of “storage limitation” recommended by the Justice B.N. Sri Krishna Committee in the White paper on a Data Protection Framework for India. Under the Rules, the SSMI is required to deploy automated tools or other mechanisms to identify information which is exactly identical in content to information that has been previously removed or access to which has been disabled on the computer resource or that depicts any act or simulation that is sexually explicit or depicts child abuse material. Ways of expression on the internet The internet is a very important tool for disseminating information and opinions, along with serving as a platform for disseminating unlawful speech. Abusive speech or expression, as a matter of common knowledge that is inherently likely to provoke violent reaction must be avoided. Incitement is the key to determining the constitutionality of restriction on free speech. The intent of freedom of speech has always been the right of equal access to mediums of expression in a multicultural country like India. However, it is imperative that a balance is created in order to restrict the grounds for interference under grounds protecting the sovereignty of the country. Under S. 69 of the Act, the Central Government has the power to intercept, monitor, decrypt or monitor any information generated, transmitted, or received. The intermediary that fails to co-operate with the government agency may be punished with imprisonment for a term of seven years and will be liable to a fine. The intermediary will need to remove or disable access to any unlawful information. It will also have to provide information or assistance to authorised government agency for investigations and prosecution of offences under any law. In addition to this, under Rule 4(2), the SSMI must enable the identification of the first originator of the information as required by a competent authority, according to the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009. In compliance with such an order, no SSMI must be required to disclose the contents of any electronic message or any other information in relation to its users. In instances of where the first originator located outside the territory of the country, the first originator shall be deemed to be the first originator of the information. Under circumstances of non-compliance with the provisions, the intermediary shall be liable for punishment under any law including the Act and the Indian Penal Code (“IPC”). Freedom of speech Human progress is impossible without freedom and it is not untrue that human progress is impossible without a measure of regulation and discipline. However, it is imperative that the freedom of speech is not exercised at the expense of the violation of other rights. Freedom of speech and expression are guaranteed by the Constitution under Article 19(1)(a) that allow citizens to express opinions and thoughts on publicly accessed platforms, that forms the essence of the constitution. It is the right to express one’s convictions and opinions freely by word of mouth, writing, printing, pictures for general discussion of public matters. Article 19(2) of the Constitution provides for the grounds of reasonable restrictions that include the security of the state, friendly relations with foreign states, public order, decency, and morality. The freedom of speech must not be seen as the anti-thesis of security of state but as one of its key features. Moreover, for a successful democracy, it is necessary that the citizens have the benefit of plurality of views and a range of opinions on public matters. The potential act and its effect on public tranquillity, may justify a restriction under Article 19(2). Diversity of ideas, views and ideologies are thus, the very essence of a people-oriented democracy. As per the Rules, the measures taken by the intermediary (with respect to deployment of technology based measures to identify specified content) must be proportionate to the interests of free speech and expression. It is also pertinent to highlight the concept of intermediary liability and freedom of speech as discussed in the case of Shreya Singhal v. Union of India, where the court held that there were three fundamental concepts in understanding the freedom of expression which include discussion, advocacy, and incitement. The law can only curtail freedom only when a discussion or advocacy amounts to incitement. Furthermore, S. 66A was held capable of imposing chilling effect on the right of freedom of expression and was therein invalidated. The Act by itself, fails to define terms such as inconvenience or annoyance and a large amount of protected and innocent speech may be curtailed on the vague grounds envisaged in the now-repealed Section 66A. Inappropriate content by users on social media Content on the internet consists of sexually explicit, violent, or inappropriate elements that might affect the society at large. India tops the list in the number of users that accessing Youtube and other social media platforms. Further, YouTube has previously removed over one lakh videos for hate speech while more than 17,000 have been terminated. This comes with the increasing importance on the minds of the youth who have regular access to social media. Challenges like fake news, child sexual abuse material and drug trade on digital platforms have increased the need for effective implementation of regulations. Some internet platforms rely on age verification system’s but these may not always be foolproof. In attempts to avoid content that is not suitable for children, social network providers need to avoid falling into the trap of restricting the freedom of expression for other members of the public. However, this must not result in over-regulation that might leave a deleterious impact on the users right to privacy and free speech. Blogs, websites, online discussion forums and other mediums of expression on the internet, have faced repercussions due to the opinions of several users. This calls for a systematic way of regulation that the Rules have tried to introduce by way of due diligence and a structured way of reporting of any cyber security incidents. The social media intermediary is also mandated to clearly identify the users as being advertised, marketed, sponsored, owned, or exclusively controlled to make it identifiable. An intermediary that engages in publishing of news and current affairs, must furnish the details of their user accounts on the services of the intermediary. Other intermediaries may also be ordered to comply with the Rules if it permits the publication or transmission of information in a manner that is harmful to the sovereignty of the country. OTT platforms and regulations The world has witnessed a spike in viewership with the increase in entertainment through over-the-top platforms (OTT). The Rules provide that the publishers of online curated content must exercise due caution and discretion while featuring activities, beliefs, practices, or views of any cultural or religious groups. For instance, video streaming mediums have stirred controversy for “hurting religious sentiments” with certain shows that were aired on their platforms. The Rules, describe the content and theme classification for online curated content and the target audience of the shows. All content that is published is categorised into ‘U’, ‘U/A 7+’, ‘U/A 13+’, ‘U/A 16+’ or ‘A’ (restricted to adults). It also elucidates the issues that may arise in varying degrees to all categories of the classification, that include discrimination, psychotropic substances, imitable behaviour and more. Though films and web-series are forms of artistic expression under Article 19, there are also certain restrictions to keep in mind. Ss. 292-294 of the IPC prohibit the import, sale and distribution of obscene books and representation in any form. S. 295A of the IPC, criminalises deliberate and malicious outrage of religious feelings of any class, by insulting its religious beliefs. Furthermore, the freedom of speech and expression includes artistic speech consisting of paint, sing, dance, poetry, and literature. Poetic license and artistic freedom would not make a person immune from prosecution if the boundary is transgressed, making the piece of writing as obscene. It is an established principle that the freedom of artistic creation cannot be claimed where the work in question constitutes a debasement and debunking of an individual’s public standing. Curbing of fake news India does not have a substantive law that penalises fake news, and as the country is becoming increasingly digital, it is further difficult to confine the prohibition to a manageable and definite standard. Provisions in the IPC, however, penalise the acts of speech that may penalise the spread of fake news. There are approximately 53 crore WhatsApp, 41 crore Facebook users, 21 crore Instagram users and 1.75 crore Twitter users. A recent study by Microsoft has found that over 64% of Indians had encountered fake news online. 52% of English using internet users get their news via WhatsApp and Facebook. Messaging platforms are usually filled with fake news and disinformation that is aimed at influencing political choices made during the Indian elections. For instance, six months before the 2014 general elections in India, 62 people were killed in sectarian violence and 50,000 were displaced from their homes in the state of UP. Through investigations, it was discovered that a fake video that was shared on WhatsApp led to this sectarian violence and triggered mob violence. Further, smaller platforms such as Sharechat which has about 40 million users operate in 14 Indian languages and target first-time internet users and have several false claims and misinformation. A rising tide of nationalism is driving Indians to share fake news that leads to polarisation and mobilisation. To curb the menace of fake news, there are two new provisions in the IPC i.e., 153C that is to be added to prohibit incitement to hatred and a section 505A that prohibits speech that causes fear, alarm, or provocation of violence. The Rules state that SSMI’s need to enable the identification of the first originator according to the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009. SSMIs should strive to deploy automated tools to proactively identify information that depicts rape or related offences. WhatsApp here poses a unique problem given its encryption technology and the company’s vision for secure and private communication. An improvement in this regard, is the labelling of forwarded messages. New privacy settings also guarantee that one can be added to a group by contacts or by no-one at all. The rules do not authorise the discovery of content of messages but states the extent of double encryption. This may result in a potential breach of right of speech, and it will require updated information of each user in a manner that can be shared with the government. In the case of Antony Clement Rubin v. Union of India, the Madras High Court observed that an intermediary must provide information or any assistance in tracing the originator of the message on any messaging platform. When transferred to the Supreme court, also popularly known as ‘WhatsApp traceability case’, the court observed that it is imperative to find the originators in content comprising of pornography, drugs and other issues that are in public interest. In a report with the expert opinion submitted to the Madras HC to trace originator of WhatsApp messages, IIT Madras professor, Dr. V. Kamakoti, filed an affidavit observing that the originating information of a WhatsApp message could be traced and suggested several other models that detailed the mode of transmission of the message. He further argued that WhatsApp cannot be focussed on privacy as it has allowed forwarding of messages. However, there are several opponents of this view with regard to the freedom of speech and expression and violation of the fundamental right to privacy of the concerned individuals. Considering the report, the Supreme Court observed that the technology is evolving, and it is imperative that concrete steps are taken in order to protect the rights of the public through the implementation of the guidelines. Way forward With the freedom of speech and expression, comes the responsible use of words and any form of medium that is allowing one to express thoughts and opinions. It is an established principle, that freedom does not confer an absolute right to speak or publish, without responsibility, and an unrestricted license that gives immunity for every possible use of language and punishment for the same. It is imperative that reasonable restrictions are maintained for the freedom of speech and expression by users on social media platforms. The executive and judiciary exercise their powers in the implementation and interpretation of the law, in the regulation of free speech and expression in a way that upholds the constitutional values, integral to a multicultural country such as India. *Vallari Dronamraju is an Editor at IntellecTech Law and a penultimate year law student at the National University of Advanced Legal Studies, Kochi with a keen interest in competition law, technology law and corporate law. [1] Andreas Kaplan & Michael Haenlein, “Users of World, Unite! The Challenges and Opportunities of Social Media”, 53 Business Horizons, pp. 59-68 (2010).

Image Source: Business Insider Clubhouse is an invite-only app for social networking based on audio-chat. It allows those within the app to listen in on various conversations, discussion and interviews. On 17 March 2021, the Commission nationale de l’informatique et des libertés (“CNIL”) (the French regulatory body for data protection) announced that it opened an investigation into the app as a result of a formal complaint. On March 12, CNIL questioned the American company Alpha Exploration CO., Inc., publisher of the Clubhouse app, on the measures taken to comply with GDPR. Noting that Clubhouse is not established in the European Union, the CNIL aims to investigate whether the GDPR applies to the company. Along with this, CNIL has further taken note of a petition on the ‘Sum of Us’ website with over 10,000 signatures, calling for questioning of the Clubhouse’s use of phone contacts. The online petition points at Clubhouse’s request to access iPhone contacts of the new users. This step could be skipped, however, users are still unaware why it is requested. It has raised data privacy concerns as users would be sharing names and phone numbers of those in their contacts who may not have heard about the app in the first place. This is evident where the petition states (translated from the original language of French): “Have you heard of the new Clubhouse social network? Maybe not, but they probably already know a thing or two about you.” The petition raises concerns that the gathered contact information is being put onto a secret data base which can consequently be sold to third parties. As per CNIL’s statement, the investigation may have two possible outcomes – one outcome is if the GDPR does not apply, the French government may impose sanction or fines upon the company if there were to be any data privacy violations; and the second outcome is if the GDPR does apply, in which case, the CNIL may use its own repressive powers. Reported by Sahel Bahman, Researcher at IntellecTech Law [ORIGINALLY POSTED ON MARCH 26, 2021]

Posted on March 12, 2021 Authored by Sahel Bahman* Image Source: Aphaia Introduction The information age has paved the way for a variety of new developments in multifarious fields and thus, resulted in fast paced technological advancements.[1] While these developments have proven to be extremely beneficial, they have consequently given rise to new forms of crimes, including but not limited to, fraud and identity theft. As a result, laws governing and ensuring data privacy have become the need of the hour.[2] This article aims to examine the legal framework provided by European Union (“EU“) for the protection of data subjects with regards to cookies, specifically the General Data Protection Regulation (“GDPR“)[3] and the ePrivacy Directive, Furthermore, the landmark influential judgment by the Grand Chamber of the European Court will be elaborated upon in order to provide a holistic understanding of the protection provided by the EU. This article will also shed light on the limitations and issues pertaining to the use of cookies that are still present. What is a Cookie? A cookie is a packet of data which a website obtains from a user in order to track activity and visits to the website, allowing for gathering of user analytics.[4] They have become a common and important tool in giving business and website owners insight into their users’ activity and information. Cookies can be classified in three ways, on the basis of their purpose, their period of endurance and their provenance.[5] The danger lies in their ability to track individuals’ browsing histories, thereby creating a means for a hacker to access and hijack browsing data. Obtaining “informed” consent The GDPR sets out the legal framework regulating the collection and processing of personal information of those living in the EU[6]. In its context, the GDPR provides a right of access[7], a right to be forgotten[8] and a right not to be subject to a decision solely on automated basis[9]. Evidently, the GDPR aims to protect data subjects and provides them with legal rights to ensure this. Cookies are directly referred to in Recital 30 of the GDPR which provides that if the cookies are used to identify a user then they are considered personal data. Therefore, cookie pop-ups must comply with the GDPR. Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. Recital 30, GDPR Although the GDPR attempts to provide widespread levels of protection, data controllers often obtain weaponized consent. A comparison can be drawn with the terms and conditions applicable to online purchases. The terms and conditions associated with any virtual platform sets out a long list of information which most consumers omit to read. Instead, consumers just check a box and consent to several terms which they may not be entirely aware of. Similarly, data controllers compose their privacy policies in a manner where data subjects may have difficulty in finding the privacy-protecting options. Subsequently, on the surface, data controllers abide by privacy laws by providing protection options to their data subjects, however, in reality these options are neither explicit, nor simple for users to find. An example of this is the cookie consent notice, where a popup bar appears requiring acceptance of cookies to proceed. Sometimes the refusal of the cookies may result in the loss of access to the website, thereby creating a ‘take-it-or-leave-it scenario’ for the user. Therefore, although privacy laws are adhered to, the level of protection received is not entirely effective as data subjects do not always provide informed consent with respect to the data shared by them.[10] In addition to the GDPR, further steps have been taken to ensure privacy of data subjects, especially for the regulation of cookies. The ePrivacy Directive In 2002 (with amendments made in 2009) the EU introduced the ePrivacy Directive[11]. This directive is also known as the cookie law as it deals with cookie consent pop-ups[12]. The ePrivacy Directive required websites to exclude any cookies until consent was obtained from the user[13]. However, the pop-up banners used by most websites do not retrieve truly informed consent, as they usually state “use cookies to enhance user experience” without any further explanation. As a result, the user clicks on “agree” in order to minimise the banner and continue using the page without anything blocking its view. Therefore, the ePrivacy Directive was a step taken by the EU towards providing more protection, in order to create a safer experience for data subjects, by ensuring that a user is aware that cookies are being used. In some instances it has taken precedence the GDPR, thereby offering data subjects within the EU further protection. However, the protection is still, to some extent, limited and insufficient as data controllers still maintain the upper hand, as most users remain unaware of the contents of these cookies. The question that remains is what role have the courts play to bridge this lacuna in law and practice. The following section dwells into a case what where the court proactively took steps to rectify the situation. Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH[14] The landmark authority which may be employed to illustrate the interplay of provisions from the ePrivacy Directive and the GDPR, in addition to clarifying the requirements for informed consent under these instruments, is the Verbraucherzentrale Bundesverband eV v. Planet49 GmBH. This is a case between the Federal Union of Consumer Organization and Associations and an online gaming company. Planet49 GmbH organized a promotional lottery which resulted in the transfer of participants’ personal data to the company’s sponsors and partners. This information was stored, and access was given to the information stored in the terminal equipment of those users. The case demonstrates the EU outlook on the scope and definition of consent. The preliminary issues, relevant to cookie law, brought before the court can essentially be categorized into two questions: 1. Whether Article 2(f) and Article 5(3) of the ePrivacy Directive, read in conjunction with Article 2(h) of Directive 95/46/EC[15] and Article 6(1)(a) of Regulation 2016/679[16], must be interpreted as consent as referred to in the provision is present, in the form of cookies, if the storage and access to the stored information is permitted through a pre-checked checkbox where a user has to deselect in order to remove his consent. 2. Whether Article 5(3) of the ePrivacy Directive must be interpreted as meaning that the information that the service provider must to a website user includes the duration of the operation of cookies and whether third parties have access to it. Pursuant to Article 5(3) of the ePrivacy Directive, storing of information or gaining access to information already stored is only allowed if the concerned user has given their consent, after being provided clear and comprehensive information about the purpose of the processing in accordance with Directive 95/46. The provision itself does not provide for how this consent must be given. Recital 17[17] of the directive makes it clear that any appropriate method which allows for informed consent to be gathered freely is allowed, including ticking a box when visiting a website. The Court determined “consent” by a user or subscriber as that which corresponds to the data subject’s consent in Article 2(f) read with Article 2(h)of Directive 95/46/EC. A data subject’s consent is defined as freely given specific and informed indication of his wished by which the data subject signifies his agreement to personal data relating to him being processed. Ergo, the same definition is applicable in the ePrivacy Directive. The court found that Article 2(f) and Article 5(3) of the ePrivacy Directive, read in conjunction with Article 5(3) of Directive 95/46/EC, does not allow for storage of information or access to information already stored in a website user’s terminal equipment through a pre-ticked checkbox which must be deselected to constitute as a refusal of consent. The GDPR expressly provides for active consent. Pursuant to Recital 32, giving consent can be done through ticking a box when visiting a website however, the recital precludes “silence, pre-ticked boxes or inactivity” from being accepted as consent. “the fact that a user selects the button to participate in the promotional lottery organised by that company cannot therefore be sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies.” Recital 17 of Directive 2002/58/EC, paragraph 59 Evidently, the ruling of the court provides the measures which must be taken on behalf of the data controller, to ensure that a data subject does not give their consent unknowingly. Actively having to check a checkbox is more likely to result in the user being aware that they are consenting to something, whereas if it is pre-selected, the user may not even pay attention to that fact. Therefore, the answer to the first question is no, the abovementioned articles should not be interpreted as consent, in the form of cookies, if the storage and access to the stored information is permitted through a pre-checked checkbox where a user has to deselect in order to remove his consent. With regards to the second question, the court ruled that in situations where the cookies aim to collect information for advertising purposes, as was the case here, the duration of the operation of the cookies and accessibility by third parties was part of the comprehensive information which must be provided to use in accordance with article 5(3) of the ePrivacy Directive. Article 5(3) of the ePrivacy Directive also refers to Directive 95/46/EC, specifically article 10 which lists the information which the controller has to provide to a data subject from whom data is being collected. In this list the duration of the processing of data is not included however, Article 10 states ‘at least’, meaning the list is non-exhaustive and only the minimum requirements. Therefore, the court found that Article 5(3) of the ePrivacy Directive must be interpreted as meaning that the information the service provider must give to a website user includes both the duration of the operation of cookies and whether it is accessible by third parties. In summary, the court here indicates the extent of protection provided by the ePrivacy Directive and the rights which are provided to data subjects and users of websites with regards to cookies. Consent is only accepted if it is given actively and the data subject is provided with all required information; including duration for which the cookie is operating and whether third parties have access to those cookies. Conclusion Legislators, legal officers as well as case law decisions, have attempted to ensure informed consent is provided only when informed consent to share one’s data is given. However, given the lack of awareness of data subjects vis-a-vis their rights, this is limited in nature as data controllers are still I have the upper hand. However, as provided in Case C-673/17, the rights which are invokable are vast and give extensive protection to data subjects. Complete and informed consent of a data subject is required, and a pre-checked checkbox is not sufficient and will not constitute as such, thereby ensuring that all statutory requirements regarding consent are to be met by the subject’s agreement. While precedents help establish order, national and local authorities need to ensure that data subjects are well aware of the rights and how to protect themselves while using the internet. *Sahel Bahman is a Researcher at IntellecTech Law and a second year European Law student at Maastricht University in the Netherlands. She is currently studying four jurisdictions namely; French, German, Dutch, and English whilst also taking a holistic perspective by looking at European Union law. Sahel has a keen interest in data protection and IP law and hopes to pursue a career in this field of law. [1] Declan Butler, “Technological change is accelerating today at an unprecedented speed and could create a world we can barely begin to imagine.” (Nature.com, 25 February 2016). https://www.nature.com/news/polopoly_fs/1.19431!/menu/main/topColumns/topLeftColumn/pdf/530398a.pdf?origin=ppub, accessed 14 February 2021 [2] Kurt M.Saunders & Bruce Zucker, “counteracting Identity Fraud in the Information Age: The Identity Theft and Assumption Deterrence Act” (1999), Vol 8 Issue 3, Cornell Journal of Law and Public Policy, p. 661-662. https://core.ac.uk/download/pdf/188558405.pdf, accessed 15 February 2021. [3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. [4] Jennifer L., ‘What Are Cookies?’ (privacypolicies.com, 5 January 2021). https://www.privacypolicies.com/blog/cookies/, accessed 15 February 2021 [5] Richie Koch, ‘Cookies, the GDPR, and the ePrivacy Directive’ (GDPR.eu). https://gdpr.eu/cookies/?cn-reloaded=1, accessed 18 February 2021 [6] Supra Note 3, Article 1 [7] Supra Note 3, Article 15 [8] Supra Note 3, Article 17 [9] Supra Note 3, Article 22 [10] Christine Utz, Martin Degeling, Sascha Fahl, Florian Schaub and Thortsten Holz, ‘(Un)informed Consent: Studying GDPR Consent Notices in the Field’ (2019), CCS ’19: Proccedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pages 973-990. [11] Directive 2009/136/EC of The European Parliament and of the Council of 25 November 2009; available here. [12] Supra Note 5. [13] Supra Note 3, Article 5. [14] Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH Case C-673/17; available here. [15] Directive 95/46/EC of the European Parliament and of the Council of 25 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; available here. [16] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016; available here. [17] Recital 17 of Directive 2002/58/EC – For the purposes of this Directive, consent of a user or subscriber, regardless of whether the latter is a natural or a legal person, should have the same meaning as the data subject’s consent as defined and further specified in Directive 95/46/EC. Consent may be given by any appropriate method enabling a freely given specific and informed indication of the user’s wishes, including by ticking a box when visiting an Internet website.

Image Source: Bizprospex On March 9, 2021, the Telecom Regulatory Authority of India (“TRAI”) temporarily suspended the operation of the Telecom Commercial Communications Customer Preference Regulations, 2018 (“TCCCP Regulations”). The TCCCP Regulations were intended to curb the menace of Unsolicited Commercial Communication (“UCC”), which caused inconvenience and annoyance to consumers. UCC is any commercial communication which is neither as per the consent or as per registered preference of a recipient, but this does not include any transaction communication or any communication directed by the Central or State Government. Essentially, there are what we understand as “spam messages” or “spam calls” in common parlance. Earlier, all Telecom Service Providers (“TSPs”) were directed to take measures for onboarding the Principal Entities (“PE”) (senders of messages). This included informing the PEs about the provisions of the TCCCP Regulations and making them aware of the template of the message. In layman terms, the PEs sending UCCs are required to register the message header and template with TSPs as contemplated by the TCCCP Regulations. In order to allow transactional and governmental communication, blockchain platforms are used to identify them against the pre-registered template. However, it was observed that some PEs didn’t fulfill the requirements mandated as per the TCCCP Regulations, therefore, their messages were dropped due to the scrubbing of messages by the TSPs. SMS services faced major disruptions on the 7th of March and 40% delivery failure was observed. Disruptions were observed in OTP deliveries, banking communications, railway tickets and Co-Win registrations. Hence, in order to protect the interests of the customers, TRAI decided to temporarily suspend the scrubbing under the TCCCP Regulations. This suspension would enable the PEs to register the message template and give due regard to the TCCCP Regulations. Reported by Eishan Mehta, Researcher at IntellecTech Law. [ORIGINALLY POSTED ON MARCH 10, 2021]

Posted on March 8, 2021 Co-authored by Melita Tessy & Vivek Basanagoudar* Image Source: The Seattle Times Introduction In the previous blog of the series ‘Examining the Intermediary and Digital Media Rules 2021’, the author analysed the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (“IT Rules of 2021”) with a specific focus on the regulation of intermediaries including social media platforms. This article will constitute the second blog of the series and aims to outline the trains of events that eventually led to the regulation of Over The Top (“OTT”) services and digital news media. Furthermore, the authors seek to identify issues that could arise with consumer viewership, streaming platform regulation and freedom of speech and expression. OTT Regulation in India – An Overview On December 2nd of 2016, an RTI was responded to by the Ministry of Information & Broadcasting (“MIB”) wherein it conveyed that it was not the competent authority to control online content and even strayed away from the proposition of introducing a regulatory framework for OTT platforms and digital media portals.[1] Subsequently, several developments gave impetus for the reversal of MIB’s above-taken stance. In the month of October 2018, an NGO, namely, the Justice for Rights Foundation, filed a Public Interest Litigation[2] wherein they sought for independent guidelines that governed and regulated content on streaming platforms. In response, the MIB filed an affidavit wherein it claimed that there was no need for online platforms to obtain licenses for displaying their own content and thereby required no regulation. The Ministry of Electronics and Information Technology (“MeitY”) even claimed that the regulation of online content was outside its jurisdiction and there were no provisions regarding that would enable them to perform the same. After hearing the relevant stakeholders, the Court opined that there was no general power for regulation on the internet but upon its misuse, the provisions of the Information Technology Act, 2000 (“IT Act“) could be implemented. The Court also identified its inability to issue a mandamus for the framing of guidelines but stressed on the usage of the relevant provisions of the IT Act. Online streaming platforms definitely paid heed to these actions and subsequently drafted their own self-regulation codes. After a strenuous process of introducing alterations, on 4th September 2020, the Self-Regulation for Online Curated Content Providers code was unveiled and adopted by 15 streaming platforms. Shortly after, the Telecom Regulatory Authority of India (“TRAI”) in its recommendations, claimed that it was not an ‘opportune moment’ to recommend a comprehensive regulatory framework for OTT services and indicated that there were laws in place that could aid in their regulation. A month later, a PIL[3] was filed before the Supreme Court of India wherein the petitioner demanded for the creation of an autonomous regulation system for online content. A notice was issued by the Apex court and was sent to the Centre regarding the same. Having taken cognisance of the notice, an amendment was introduced through a notification on the 9th of November 2020. The President issued such notification under Article 77(3) of the Constitution[4] and thereby amended ‘The Government of India (Allocation of Business) Rules, 1961’ to add a new sub-heading VA to the second schedule, namely, “Digital/Online Media,” with the following two entries: i) films and audio-visual programmes made available by online content providers; and ii) news and current affairs content on online platforms. The MIB was provided with the power to regulate policies for OTT platforms, and this was the key takeaway from the notification. After all the above-mentioned events occurred, MeitY established the IT Rules of 2021 under Sections 87(1) & (2) of the IT Act, 2000. The rules were established in supersession of those of 2011 and they seek to regulate, online intermediaries, online streaming services and digital news media. Hereafter, the article delves into the issues faced by the relevant stakeholders. As a user, how will you watch your shows? Will the rules affect your viewing? For the purpose of this section, a user is a viewer accessing the streaming platform from India without the use of a VPN allowing him to watch content not available on the Indian version of the streaming platform. In the author’s opinion, the new rules, if properly implemented without political bias, will not negatively impact the streaming experience of the user on OTT platforms. The content classification system is clearly explained and unambiguous in the Appendix to the rules. Streaming platforms will be required to classify their originals or exclusives according to the said system which divides the classification into 5 categories: U, U/A 7+, U/A 13+, U/A 16+, A. Viewer discretion is given due importance and parents can monitor their children’s viewing experience as necessary through the use of parental controls which is made mandatory for shows that are classified U/A 13+ or higher. Till this point, parental controls were only optional on India’s most popular streaming sites. Accordingly, depending on the widely variable nature of parental oversight, the new rules have more potential to affect the viewing experience of children younger than 18 as opposed to fully grown adults. Moreover, the user now has the opportunity to file an online grievance through a grievance portal established the MIB against any of the content published by a streaming platform. The grievance will be acknowledged within 24 hours and will be decided upon within 15 days from the date of filing. If it is not decided within 15 days, it will be escalated to higher bodies. The user can also file an appeal to higher bodies. This gives the user much more agency than was available before. As a streaming platform like Netflix/Prime Video, how does it affect you? As a streaming platform such as Netflix or Prime Video, you will face additional obligations. They are listed below: You will be required to adhere to the above-explained classification system and classify all your originals and exclusives according to the same. You will need to introduce mandatory parental controls for shows classified U/A 13+ or above. You will be required to take reasonable measures to make content accessible to persons with disabilities. This provision is not explained adequately and the term ‘measures’ needs further clarification. You will need to appoint a grievance officer who will be residing in India. He will be responsible for resolving user complaints in 15 days. This is requisite under Level 1 of the three tier self regulation mechanism prescribed in the rules. You will be required to constitute a self-regulating body in association with other streaming companies. This shall be the Level 1 of the three tier self regulation mechanism to hear appeals from Level 1. The Level 1 and Level 2 authorities will be required to disclose all relevant details about the complaints and their resolution on the MIB’s Grievance Portal. You will be required to report cybersecurity incidents to the Indian Computer Emergency Response Team. These obligations will inevitably impose a financial burden on the streaming sites. The mandatory parental controls may affect viewership of content rated U/A 13+ and above negatively. One concerning provision under the rules is the General Principles for Online Curated Content. It essentially provides that streaming sites must take into consideration the multi-racial and multi-religious nature of the country. It also provides that due caution must be undertaken with respect to content that affects the sovereignty and integrity of India; security of the State; and friendly relations with foreign countries. Since the scope of interpretation for this rule is extremely wide, it could easily become prone to misuse and hinder the ability of streaming sites to make shows on certain matters of social and political importance. Online News Portals – would this have an impact on Scroll or LiveLaw? Can these rules affect the freedom of speech? According to the rules, websites such as Scroll and LiveLaw are, admittedly, online publishers of news and current affairs content. Thus, these rules would be applicable to them and they will be required to conform with the three tier self regulation mechanism prescribed under the rules just like the OTT platforms. With regards to their freedom of speech, the rules only require news portals to conform with pre-existing laws such as (i) Norms of Journalistic Conduct of the Press Council of India under the Press Council Act, 1978, and (ii) Programme Code under section 5 of the Cable Television Networks regulation) Act, 1995. Unless it can be proved that the said laws are unconstitutional, which is currently not the case, it cannot be successfully argued that the said rules are violative of the freedom of speech and expression. That being said, the online news industry has expressed that the regulation of small news sites is unnecessary and constitutes a case of over-regulation. Conclusion From the above circumstances, it can be concluded that the IT Rules of 2021 are going to bring about certain changes in the online realm and this will in turn lead to content related disputes. The Supreme Court has already expressed its dissatisfaction with the rules by claiming that they lack ‘teeth’. The former remark was made due to the lack of provisions for prosecution and the lack of fines that could be imposed accordingly.[5] Concurring with the author of the previous article, the rules mark a novel debate in public discourse concerning the regulation of online platforms and they may even spark controversies concerning the freedom of speech and expression. Only time and judicial interpretation will bring clarity to this discourse and change will occur accordingly. Disclaimer: Nothing in this article shall be construed to be legal advice. This article is purely for research and informational purposes. There is no intent to disparage any third party(s) / third party platform(s) and we do not claim to be associated with any such third party(s) / third party platform(s) referenced to in this article. *Melita is a Researcher at IntellecTech Law and a law student at CHRIST (Deemed to be University), with a keen interest in IP and TMT law. She published her novel ‘Battle of the Spheres’ when she was 15 and is one of India’s youngest TEDx Speakers. Vivek is a Researcher at IntellecTech Law and is a second year law student pursuing a B.A.LL.B degree from Jindal Global Law School. Having completed over 20 internships and 6 RAships in a span of one and a half years, he is determined to succeed in the fields of Intellectual Property Law, Environmental Law and Gender Justice. [1] RTI registration number MOIAB/R/2016/50541; MIB’s response dated December 2, 2016. [2] Justice For Rights Foundation v. Union of India, W.P 11164/2018. [3] Shashank Shekhar Jha v. Union of India, W.P. 1080/2020. [4] India Const. art. 77, cl. 3. [5] Aparna Purohit v. The State of Uttar Pradesh, SLP. 1983/2021.

Posted on March 2, 2021 Authored by Eishan Mehta* Image Source: Econsultancy On February 25th, 2021, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (“IT Rules, 2021”) were notified by the Ministry of Electronics and Information Technology (“MeitY”). The IT Rules, 2021 have been framed by the Government in exercise of the powers conferred under Sections 87(1) & (2) of the Information Technology Act, 2000 (“IT Act”) and in supersession of the Information Technology (Intermediary Guidelines) Rules, 2011 (“IT Rules, 2011”). It seeks to regulate three sectors, namely online intermediaries with specific emphasis on social media conglomerates, online streaming services (over-the-top services) and digital news media. While the Government touts the IT Rules, 2021 as empowering citizens of their digital rights and providing them redressal in case of infringements, various organisations term the rules as an impediment on the citizens’ right to free speech and their right to privacy. It has been deliberated that the Government through these rules would curb free speech and expression in the garb of ‘regulating’ social media and broadcasting platforms. In light of the aforesaid, the present article seeks to present a purely socio-legal analysis of the IT Rules, 2021 and is divided into two parts. This article forms the first part of a two-part series and deliberates upon the regulation of intermediaries including social media intermediaries which is to be administered by MeitY. Intermediaries – Due Diligence and Grievance Redressal Mechanism The IT Rules, 2021 categorize social media and significant social media intermediaries as two new classes of online platforms in contrast to its predecessor the IT Rules, 2011. As per Rule 2(w) of the IT Rules, 2021, a social media intermediary enables online interaction between users and helps them disseminate information. A significant social media intermediary, as prescribed by the Central Government, is a social media intermediary having more than 50 lakh users. With the creation of specific classes of intermediary, it is expected that the Government would have the upper hand in their regulation. Due Diligence The IT Rules, 2021 require due diligence to be observed by intermediaries, including social media and significant social media intermediaries. Publication of Rules of Policies Rule 3(1)(a) mandates all intermediaries to prominently publish on their website and mobile applications, relevant rules and regulation, privacy policies and the user agreements. Furthermore, the intermediaries are required to specifically mention that their users should not hold, display, modify or publish any information which, (i) belongs to any other person, (ii) is defamatory, obscene, pornographic or invades into another’s privacy, (iii) is harmful to child, (iv) infringes others intellectual property rights, (v) is in violation of any law in force, (vi) is deceiving or false and mislead its reader, (vii) impersonates any other person, (viii) is detrimental to the unity and integrity of the country, (ix) contains software virus, (x) is patently false and intended to harass a person or entity. Termination of Access Rule 3(1)(c) requires intermediaries to publish, at least once a year, that in case of non-compliance of the user-agreements or privacy policy, the intermediary has a right to terminate users’ access to the computer resource. Removal of Information An intermediary, who has information stored in their computer resource, on receiving “actual knowledge”, which refers to an order of the court or an appropriate government authority under Section 79(3)(b) of the IT Act, shall not host or publish any unlawful information which is detriment to the security of the country, public order or is defamatory. Additionally, the intermediaries are required to remove or disable access to any such information within thirty-six hours of the receipt of the order of the court or the competent government agency. Under sub-clause (g) of rule 3(1) intermediaries are required to preserve the disabled information for one hundred eighty days for investigative purposes. Automatic Storage of Information Sub-clause (e) of rule 3(1) clarifies that the automatic storage of information by an intermediary shall not amount to processing. Also, intermediaries are required to inform its user about the change in privacy policies or user agreements at least once a year. Retention Period The retention period under the IT Rules, 2021 has been doubled. Now, intermediaries are required to preserve user’s deleted account details for one hundred eighty days. Assistance to Government To comply with ‘written government order’ seeking assistance, intermediaries would be required to provide assistance to government agencies with the information in their possession within seventy-two hours of the receipt of such an order. Security Measures Intermediaries are required to take reasonable measures to secure their computer resource following the procedures of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011. Grievance Redressal Mechanisms The IT Rules, 2021 empower the users by mandating intermediaries to establish grievance redressal mechanisms for resolving user complaints. In this regard, similar to the IT Rules 2011, intermediaries are required to publish the name and contact details of grievance officer on their website and mobile applications. Additionally, proper mechanisms for making complaints in cases of violation of the IT Rules are to be provided on the intermediary’s website. Further, the Grievance Officers are required to acknowledge such complaints within twenty-four hours and dispose of them within fifteen days. This is in contrast with the IT Rules, 2011, which required grievance officers to resolve complaints within a month’s time. Additionally, significant intermediaries are required to take down contents which expose users to full or partial nudity, depicts sexual conduct or impersonation, within twenty-four hours of the complaint made by an aggrieved party. It is a separate requirement to be observed by intermediaries in cases of non-consensual transmissions. The provision emphasises on taking down contentious content and addresses the problem of the publication of sexual content without the subject’s consent. Presently, in major regimes, twenty-four hours or forty-eight hours takedowns operate. However, 24 hours appears to be enough time for any information to be circulated throughout the internet. In this regard, inspiration can be drawn from the European Union, where one hour limit for the takedown of extremist content is being deliberated upon. Some stake-holders had concerns with the one-hour takedown limit as it might be difficult for smaller platforms with minimal resources to comply with the obligation. Significant Social Media Intermediary Rule 2(v) of the IT Rules, 2021 define a significant social media intermediary as a social media intermediary having a minimum number of users as notified by the Central Government. As per the latest notification, any social media intermediary having more than 50 lakh (or 5 million) users would be classified as a significant social media intermediary. The IT Rules, 2021 impose additional due diligence requirements on significant social media intermediaries. Human Workforce for Ensuring Compliance A Chief Compliance Officer needs to be appointed by significant social media intermediaries to ensure compliance of the IT Act. This officer would possibly be managerial personnel of the intermediary company and would have to suffer liabilities in case of non-compliance of the due diligence requirements. Additionally, intermediaries need to appoint a nodal person for 24*7 coordination with the law enforcement agencies. The nodal person shall be required to ensure compliance of legal and other orders sent to the intermediary. Moreover, for ensuring compliance of the due diligence requirements, the appointment of a resident grievance officer has been mandated by the IT Rules. The implementation of these rules may create problems with intermediaries operating internationally. Moreover, this would be an additional financial burden on intermediaries. Compliance Reports Rule 4(d) requires significant intermediaries to publish monthly compliance reports, detailing the number of complaints received and the measures taken for their disposal, providing specific information with respect to the disabled content. This rule facilitates transparency and accountability in the content moderation practices deployed by intermediaries. Identification of First Originator One of the most controversial developments by the IT Rules is the requirement of a significant social media intermediary engaged in messaging to identify the “first originator” of information. An order to this effect can be made by a competent court or an authority competent under Section 69 of the IT Act. This category of an order can only be passed “for the purposes of prevention, detection, investigation, prosecution or punishment of an offence related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material, punishable with imprisonment for a term of not less than five years.” Additionally, it has been categorically mentioned while complying with the originator requirement that no significant intermediaries would be required to disclose information about other users. Intelligent methods to identify certain Information As per Rule 4(4) of the IT Rules, 2021, significant social media intermediaries shall endeavour to deploy technology-based measures to identify information that depicts rape, child sexual abuse or any content identical to some previously removed information. Moreover, measures taken by intermediaries should be proportionate to the users’ right to free speech and expression, right to privacy and other such interests. Grievance Redressal Significant social media intermediaries are required by Rule 4(6) to implement appropriate mechanisms for receipt of complaints and grievances. Additionally, the complainants can track the status of their complaints with a unique ticket number. Rule 4(8) of the IT Rules, 2021 requires the intermediaries to inform users about the taking down of their content along with reasons. Moreover, the content created has been provided with a reasonable opportunity to dispute such an action undertaken by an intermediary and request its reinstatement. The opportunity accorded to the users to dispute the intermediary’s claim is a forward move. This may add transparency and accountability in the take-down procedure. Moreover, inadvertent take-downs by social media intermediaries for political or other motives are not unknown. General Implications on Privacy Rights The IT Rules, 2021 also have two controversial aspects, namely ‘identification of the first originator’ and ‘the usage of intelligent systems to filter information’ on a user’s right to free speech and right to privacy. Encryption Sub-clause (2) of Rule 4 of the IT Rules, 2021 requires significant social media intermediaries engaged in “messaging” to identify the “first originator” of information. An order by a court or competent authority has to be passed to this effect. At the very outset the applicability of the provision has been limited to “messaging” social media intermediaries such as WhatsApp or Signal, therefore it is uncertain whether this rule would apply to social media platforms where the primary feature is posting, uploading and sharing content along with messaging services such as – Twitter or Facebook. Nevertheless, even if prima facie, it appears that sufficient safeguards have been provided, the Rules pose problems at several levels. The “public order” ground can be used by Government to curb “anti-government” information. Some have argued that with the advent of these rules, every WhatsApp or Signal user would have to think twice before sending a message. The public order ground appears to be a suspect and it remains to be seen how it could be used by Governments to arbitrarily restrict free speech. Irrespective of the impact on free speech, this provision is in direct violation of users’ right to privacy. In order to adhere to the requirements of the rule, intermediaries would be obligated to store data of their users as anytime a court or an appropriate government authority could pass an order requiring them to demonstrate the originator of some information. This would in turn nullify the end-to-end encryption observed by WhatsApp and Signal. Section 24(1) of the proposed Personal Data Protection Bill 2019 requires data fiduciaries and data processors to implement necessary safeguards to use de-identification and encryption methods to protect the integrity of personal data. Moreover, the Srikrishna Report on Data Protection also mentioned that low encryption standards pose threats on the safety and security of the personal data of data principals. This provision requiring the identification of the originator of information may pose a challenge to one’s free speech and privacy. It remains to be seen how its operation could be legally restricted in the absence of adequate data protection laws. Application of Intelligent Systems As per Rule 4(4) of the IT Rules, 2021 the Government requires significant social media intermediaries to use intelligent systems and automated tools to identify information that depicts rape, child sexual abuse or any content identical to some previously removed information. Moreover, the provision mentions that measures taken by intermediaries should be proportionate to the users’ right to free speech and expression, right to privacy and other such interests. This provision appears to be concerning as AI technologies used for automated filtration of objectionable content is presently in its nascent stage and such AI tools are limited. In order to develop AI censorship, machine learning would be deployed to learn about objectionable data and intermediaries would be required to store vast amounts of users’ data. In turn compromising the users’ data privacy. Additionally, AI lacks transparency and accountability and the cases of AI discrimination are not unknown [See our earlier analysis of racial bias with facial recognition technologies here]. Therefore, AI usage to monitor a user’s free speech and expression appears to be problematic. Nevertheless, the fact that the Government was prudent enough to mention, “measures taken by the intermediary under this sub-rule shall be proportionate having regard to the interests of free speech and expression, privacy of users….”. Moreover, the rule requires a significant social media intermediary to “endeavour” and deploy technology-based measures. The absence of the word ‘shall’ indicates that the provision may not be mandatory in its scope. Further, as Facebook and others have been properly using AI to censor information promoting hate speech in the EU and the US, it is expected that similar automated systems would be deployed in India too. Conclusion The IT Rules, 2021 are expected to have far-reaching consequences in the digital space. Intermediaries, including social media, would be bound by the new regulations which may have an impact on users’ free speech and privacy. Therefore, it marks a novel debate in the public discourse concerning the regulation of online intermediary. Nonetheless, in this information era it becomes as necessary to regulate free speech and expression (for instance the expeditious removal of non-consensual explicit images) as it is to promote free speech through the usage of social media. It remains to be seen how the rules are implemented and whether judicial challenge(s) are likely to bring about any change. *Eishan Mehta is an Editor at IntellecTech Law and is currently pursuing BA. LL.B. from WBNUJS, Kolkata.

Posted on February 18, 2021 Authored by Melita Tessy* Image Source: LA Times Introduction On 28 January 2021, the Council of Europe published the Guidelines for Facial Recognition (“Guidelines”) in consultation with the ‘Consultative Committee Of The Convention For The Protection Of Individuals With Regard To Automatic Processing Of Personal Data’ (“Consultative Committee”). These Guidelines were issued further to the ‘Convention for the Protection of Individuals with regard to the Processing of Personal Data’, also known as ‘Convention 108 on Data Protection’ (“Convention”). Facial Recognition Technologies (“FRT”) were first developed in the 1960s. They have rapidly improved ever since and are currently being used around the world for various reasons, both uplifting and concerning. An example of FRTs being put to good use would be the case of the New Delhi police using the technology to identify nearly 3000 missing children within a span of 4 days by checking pictures of the missing children against pictures of children found by them. Despite such success stories, however, there are valid reasons for concern with regards to FRTs. In June 2020, it was reported by the United Nations that more States are increasingly using FRTs to identify protesters and sometimes, this includes live facial recognition. What makes this deeply troubling is the fact that the technology is susceptible to errors and could lead to misidentification, misinterpretation and wrongful arrests. A landmark federal study of the United States has reported that current FRT systems misidentify people of color more often than white people. In fact, Asian and African American people were up to 100 times more likely to be misidentified than white men, depending on the particular algorithm and type of search. Native Americans and Pacific Islanders were also more predisposed to misidentification than white men. To add to this, FRTs misidentify women 18% more often than men. According to the UN High Commissioner for Human Rights, Michelle Bachelet, these errors could potentially intensify discrimination based on race and gender. A good example of a FRT error may be the 2018 case of a famous Chinese businesswoman who was issued an automated ticket for jaywalking, but surveillance cameras had actually captured her image from an advertisement on the side of a bus. The above events make it clear that there is a necessity for regulating FRTs and their use. However, the prevailing legislations across jurisdictions do not adequately address this emerging issue. In light of the said background, this article aims to provide an overview and analysis of the Guidelines. Council of Europe’s Guidelines on Facial Recognition The ‘Convention 108 on Data Protection’ is a multilateral instrument on the protection of personal data. It has 55 parties, most of which are in Europe and 25+ observers including the US, Canada, Brazil, and Australia. It has no Asian participation and extremely limited African participation. The Conventional Committee has produced various reference documents with respect to artificial intelligence, big data, internet governance, media privacy, health related data and data processing by law enforcement agencies. On 28 January 2021, a document developed by the Convention’s Consultative Committee containing the Guidelines for Facial Recognition was published by the Convention. According to these Guidelines, facial recognition refers to the automatic processing of digital images that contain the faces of individuals for the purpose of identification or verification of those individuals by using face templates. The Guidelines acknowledge that the uses of FRT are numerous and diverse. Some of these uses may seriously violate the rights of data subjects. Thus, the objectives of the Guidelines are to protect human rights and uphold the rule of law by regulating the use of FRT. The Guidelines instruct the parties to Convention 108 to facilitate the development and use of FRT in their countries in such a way that ensures the privacy rights of the data subjects are upheld. Such facilitation is expected to strengthen human rights and fundamental freedoms by implementing the principles enshrined in the Convention in the context of FRTs. Article 5 of the Guidelines provide for the protection of personal data that undergoes automatic processing, as is the case with facial recognition data. It stipulates that personal data must be obtained fairly and lawfully and that personal data so obtained must be adequate, relevant, and not excessive in relation to the purposes for which they are stored. Article 6 provides for special categories of data. This data category comprises of personal data capable of revealing racial origin, political opinions, religious or other beliefs, as well as personal data pertaining to health or sexual life. Article 6 stipulates that such data must not be processed automatically unless national legislations provide appropriate safeguards. Article 6 also applies to data regarding criminal convictions. It may be said, in the author’s opinion, that the Interpol’s use of facial recognition is in accordance with Article 6. While the Interpol makes use of automatic processing, it always makes sure to carry out a manual process to verify the results of the automatic processing. Article 9 provides for exceptions to Article 5 and 6. It allows for derogation from Article 5 and 6 for the following purposes: protecting State security, public security, the monetary interests of the State, the suppression of criminal offences, safeguarding the data subject or the rights and freedoms of others. For example, the use of covert live facial recognition technologies by law enforcement agencies would only be acceptable if it is strictly necessary and proportionate to prevent imminent and substantial risks to public security that are documented in advance. Public and Private Sector Uses of FRTs The Guidelines are divided into four parts that provide coverage for both the public sector and private sector uses of FRTs. They are as follows: Guidelines for Legislators and Decision-Makers The Guidelines state that legislation which authorises extensive surveillance of individuals without proper safeguards in place can be found contrary to the right to respect for private life. The mass camera surveillance schemes implemented in China may be a good example of this contravention. The Guidelines further require that different cases of use for FRTs should be categorised, and a legal framework applicable to the processing of biometric data through facial recognition should be established. It is interesting to note that, according to the Guidelines, consent should not, as a rule, be the legal ground used for facial recognition performed by public authorities and private entities authorised to carry out similar tasks as public authorities. This may indicate that private companies should not be permitted to use facial recognition in uncontrolled settings, such as shopping centres, for advertising or private security reasons. Another concern addressed here is with regards to ‘affect recognition’ technologies. These technologies can detect mental health and analyse personality traits. The Guidelines hold that they should be prohibited since they present significant risks in areas of employment, education and insurance. Additionally, the Guidelines propose that the usage of facial recognition for the singular objective of ascertaining a person’s skin colour, religious or other belief, sex, racial or ethnic origin, age, health or social status should be banned. Guidelines for Developers, Manufacturers and Service Providers In this part, the Guidelines direct facial recognition software developers to develop accurate systems that do not show a bias based on race or gender. It further directs that due consideration must be given to the different aspects involved such as aging, lighting and impact of face covering so as to ensure reliability. Guidelines for Entities Using Facial Recognition Technologies The term ‘entities’ refers to data controllers and data processors in both the public and private sectors. The Guidelines provide that entities using facial recognition technologies have to be able to demonstrate that this use is strictly necessary, and proportionate, in the specific context of their use and that it does not interfere with the rights of the data subjects. The entities are also required to ensure the security of the data as lapses in data security can have severe consequences on the employee. Rights of Data Subjects A data subject has the following rights with respect to their personal data: Right of information Right of access, Right to obtain knowledge of the reasoning, Right to object, Right to rectification. These rights can be restricted only when such restriction is provided by law with sufficient safeguards to protect the basic rights of the data subjects. Conclusion The European Commission’s White Paper of Artificial Intelligence also discusses the regulation of facial recognition technology and the use of artificial intelligence. The views of this section, particularly in respect of the gender and race bias, are in line with the recommendations made by the Guidelines. Though the Guidelines are not a legally binding document, it still is the most comprehensive set of proposals for regulating facial recognition technology in Europe. In the author’s opinion, the adoption of these Guidelines as a binding legislation in Europe and elsewhere will undeniably be a step towards protecting fundamental rights and freedoms of people and democracy in light of the risks posed by facial recognition technology. *Melita is a Researcher at IntellecTech Law and a law student at CHRIST (Deemed to be University), with a keen interest in IP and TMT law. She published her novel ‘Battle of the Spheres’ when she was 15 and is one of India’s youngest TEDx Speakers.