2021: Bringing public policy closer to the public

tl;dr

Throughout 2021, we have tried to respond to the various policy initiatives and projects launched by the Central and State governments with meaningful and privacy-respecting policy analysis. We have also utilized the Right to Information Act, 2005 to bring accountability in the working of every public authority.

Consultations

Date	Consultation	IFF’s comments
Jan 18, 2021	Unconstitutional draft report on non-personal data ignores concerns about privacy and data monopolies	We raised four concerns: firstly, that the definition of non-personal data contains significant ambiguities and is based on an unconstitutional approach; secondly, that the risks surrounding de-anonymization haven’t been adequately addressed; thirdly, that the proposed framework may lead to data maximisation, monopoly formation, and the exploitation of citizens; and, lastly, that the consultation process may be becoming superficial and opaque.
Jan 25, 2021	The Science, Technology, and Innovation Policy needs more Innovation!	We highlighted several issues, including the need to expand STI capacity by increasing R&D spending, improving inclusion and access, and promoting open science.
May 13, 2021	Ensuring Equity, Accessibility and Transparency in Court: Our Comments on the Supreme Court's Draft Vision Document	We highlighted: firstly, that algorithmic governance must be accompanied by robust measures for accountability; secondly, that increased digitisation should be complemented with increased transparency; thirdly, the digital technology must not be deployed in a way that causes exclusion and depends the digital divide; fourthly, that technology feasibility studies and impact assessment be carried out before implementation; and lastly, that the value of judicial federalism should be promoted.
June 28, 2021	Striking the balance between privacy and public interest in judicial proceedings: Our comments to the Supreme Court’s Draft Live Streaming Rules	We welcomed the Rules and expressed support for their implementation. However, at the same time, we suggested that the Rules in their final form can strike a better balance between litigant/witness privacy and the public interest in disclosure.
June 30, 2021	A Thoroughly Bad IDEA: Our comments on the Agristack Consultation Paper	Our core suggestion is that all implementation with regards to the Agristack be halted till extensive consultations with farmers have been carried out. Beyond this, we have addressed issues of data localisation, federalism, data protection, user rights, the need for public investment, and the necessity of robust data standards.
August 24, 2021	IFF's recommendations for the United Health Interface	We have focused on five key issues, namely: the need for more diverse feedback, the risk of market capture by the private sector, the risk of digital exclusion, financial exploitation and service pricing, and the need for public digital infrastructure.
October 6, 2021	IFF submits its comments on the Draft Aadhaar (Pricing of Aadhaar Authentication Services) Regulations	We have called attention to significant issues of exclusion, privacy and surveillance that exist with the Aadhaar programme and highlighted non-compliance with the Supreme Court’s decision in the Puttaswamy judgement. Finally, we recommend that Aadhaar authentication charges be scrapped and private entities be barred from acting as ‘requesting entities’ for authentication.
November 12, 2021	IFF submits its comments on the Draft Approach Paper for creating a Digital Address Code	We have tried to highlight the governance issues around geospatial data, data protection issues around the use of geospatial data, and potential surveillance and function creep challenges which will arise from DAC. Finally, we recommend that a comprehensive grievance redressal mechanism be provided for complaints against geospatial mapping, that robust security standards and user rights be specified for the DAC database, and that the principle of purpose limitation be followed.

Parliamentary engagement

The importance of digital rights has grown leaps and bounds in recent times. As such it is anticipated that the Parliament will deliberate upon some of the most important concerns related to digital rights. To highlight important areas of concern, we released our legislative brief for the monsoon session and the winter session, as well as a session review for the Budget, monsoon, and winter session.

After the Union cabinet reshuffle, we wrote to the new ministers, welcoming them to their new role and highlighting key areas that need to be addressed.

Elections are the soul of a democracy. To help voters make an informed choice, we analyzed the manifestos of political parties across the spectrum focussing on digital rights to understand how political parties are looking at these issues.

We also wrote about The Standing Committee on Communication and Information Technology’s report on ‘Suspension of telecom services/internet and its impact” which acknowledged our submissions highlighting the ill effects of internet shutdowns.

Privacy and the Personal Data Protection Bill

After almost two years, the report of the Joint Parliamentary Committee (‘JPC’) on the Personal Data Protection Bill, 2019 was finally released on December 16, 2021. We extensively covered all aspects of the report before and after it was laid in the parliament.

Leading up to the submission of the JPC report we looked at the possible ways forward for the Bill, highlighting some of the issues that may emerge, and provided recommendations for addressing them.
After the JPC report was tabled, we published our key takeaways from the report.
We have also compared the Draft Personal Data Protection Bill, 2021 with its predecessors.
We looked at Dissent notes filed by members against the JPC report.

Throughout this year, we have extensively analysed the PDPB. From understanding the basic concepts in the bill, looking at the key issues with the bill, and its impact on various segments of the society.

Our #StartFromScratch series, which was a short introduction to the Bill which included some historical and legislative context, a summary of the Bill, an overview of the issues with the Bill, and possible alternative paradigms for data protection.
Through our #DataProtectionTop10 series, wherein we analysed the top 10 issues with the Bill in detail.
Currently, through our #PrivacyOfThePeople series, which looks at how the Bill will impact our daily lives by focusing on its impact on different sections of society. We have looked at its impact on gig and app-based workers, ASHA and Anganwadi workers, farmers, social media users, medical patients, students, and dating app users. We have also looked at the privacy implications of society and community management apps and digital lending apps.

Regulatory Frameworks

In February of this year, there were media reports stating that the Ministry of Information and Broadcasting (MIB) may be considering guidelines for regulating online content on Over-The-Top (OTT) platforms. This was a key area of concern for us as it affected free speech and creativity on the internet.

We wrote a letter to the Ministry in which we detailed potential harms that may arise from such regulations, and asked for clarity regarding any potential regulation. Subsequently, On February 25, 2021, the Ministry of Electronics and Information Technology (MeitY) and the MIB issued the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (the new IT Rules).
We wrote about how the new IT Rules are unconstitutional, undemocratic, and negatively change the way we use the internet in India.
We also wrote an explainer on the Internet and Mobile Association of India's toolkit on the implementation of their Code on self-regulation for Online Curated Content providers.
We further wrote to MeitY urging them to withdraw the new IT Rules, and also wrote to the Standing Committee on IT detailing the list of issues and recommendations we have and asking the Committee to put the same before the representatives of the ministries.
Significant Social Media companies were given three months to comply with the rules, leading up to which we took a look at what compliance will mean for significant social media intermediaries, and how it will stifle producer and user innovation and creativity.

After media reports and parliamentary responses revealing that MeitY has initiated work on revamping the IT act, we wrote to the Ministry of Electronics and Information Technology asking them to publicly detail any potential amendments to the IT Act, 2000 and engage in extensive consultations over the changes. We wrote to the Parliamentary Standing Committee urging them to include the revision of the IT Act in its agenda for the upcoming parliamentary session.

Apropos the blocking of pro-farmer protests twitter accounts, we wrote to the Ministry asking them to make the orders publicly available so as to increase transparency.

Lastly, We wrote to the Indian Computer Emergency Response Team regarding a provision in their new Responsible Vulnerability Disclosure and Coordination Policy that penalises cybersecurity researchers for vulnerability disclosures. CERT-In responded to our representation about the issues with their Responsible Vulnerability Disclosure and Coordination Policy, explaining that the Policy is an executive decision and so must follow the existing provisions of the law. So we wrote to MeitY, asking them to amend the Information Technology Act, 2000 to provide a safe harbour for genuine security researchers.now

Internet Access: Net neutrality

In September 2020, the Telecom Regulatory Authority of India (TRAI) had forwarded a set of extremely meaningful recommendations to the Department of Telecommunications (DoT) regarding the enforcement of net neutrality principles by the Internet Service Providers (ISPs) and telecom networks. On June 25, 2021 The DoT expressed disinclination to implement these recommendations citing Covid-19 related ‘budgetary constraints’.

We wrote about the need for DoT to implement these recommendations.
We also wrote to the Minister for Telecommunications, Ashwini Vaishnaw to highlight the lack of implementation of TRAI’s recommendations by the DoT despite the fact that the cited ‘budgetary constraints’ no longer apply as the Ministry of Finance has removed the expenditure curbs.

After news reports stating that the Telegraph Act, 1885 will be updated to include net neutrality considerations

we wrote to the DoT highlighting key issues that still persist and urged that they shall be considered by the Ministry while drafting the new bill.

Lastly, we wrote to BSNL about the code injections that continue to persist on their network. And also to the Ministry of Home Affairs (MHA), highlighting why VPNs are important and asking for the committee’s proposal to block VPNs be put through a public consultation.

Internet Access: Digital Infrastructure

A significant digital divide still persists to this date and its effects can range from halting education to malnutrition as a result of bad internet at PDS shops. To address the digital divide:

We highlighted the digital divide in the country as revealed by the National Family Health Survey, and also explained the various executive and policy measures taken to expand India's digital infrastructure and improve internet access.
We wrote about TRAI final recommendations on the Roadmap to promote broadband connectivity and enhanced broadband speed.
To map India’s digital divide, we introduced the first version of our Connectivity tracker where we compile available data related to connectivity each quarter, including data on telecom subscriptions, internet connections, urban and rural penetration rates, average data usage per user etc.
We wrote an explainer on the PM-WANI scheme, announced by the DoT, which aims to increase internet connectivity across the country by implementing a decentralised system of public access points.
Lastly, we wrote to the NIC regarding vulnerabilities in the National Portal for Transgender Persons.

Emerging data paradigm across sectors and digital welfare

The Government recently announced that Microsoft would be conducting a pilot programme to implement the Agristack across 100 villages of India.

Along with several other organisations, we wrote a letter to the Union Minister for Agriculture, in which we asked for further consultations with all stakeholders, highlighted the need for statutory backing, and demanded greater transparency with regards to the financial details of the project.
On 19th May, 2021, in response to an RTI query by us, the Ministry of Agriculture provided us a Memorandum of Understanding between the Department of Agriculture and Microsoft, and a document titled “Standard Operating Procedure (SOP) for verifying Farmer’s Database (100 Villages)”.
Response to our RTI also revealed that our submissions to the Agristack consultation paper were not received. Together with the All India Kisan Sabha, we wrote to the Agristack Working Group and the Department of Agriculture, Cooperation & Farmers Welfare, re-submitting our suggestions and asking why they were not received in the first place.
Lastly, we analyzed the 4 MoUs signed by the Ministry of Agriculture with Cisco, Ninjakart, ITC Limited, and Jio, and explained the issues that arise as a result.

Over the last few years, there has been a strong push by the government towards digitization in the health sector which only grew stronger this year. Digital technology in public health is a key area of concern. We analysed the National Digital Health MIssion’s Health Data Management Policy, the Health ID framework, and the DNA Technology (Use and Application) Regulation Bill, 2019, and looked back on Aarogya Setu to assess its outcomes.

We, along with the Centre for Health Equity, Law, and Policy, have drafted a working paper analysing the National Digital Health Mission’s Health Data Management Policy (HDMP).
We analyzed the HDM in a two part series. The first post provides an introduction to the issue, discusses the various prerequisites required for implementing a robust digital health records system, and looks at the governance structure underlying the Policy
In the second post, we looked at some of the key issues that plague the HDMP, such as concerns about consent and confidentiality, data privacy and security, exclusion, and private sector access to health data.
We wrote an explainer on the Health ID framework hoping to contribute to evidence and fact lead public discussion on the use of digital technology in public health.
The Standing Committee on Science and Technology recently submitted its report on the DNA Technology (Use and Application) Regulation Bill, 2019. Several concerns have been raised over the report, with two members of the Committee filing dissent notes. Thus, we decided to provide this explainer that breaks down the key issues with both the report and the original Bill.
We looked back at Aarogya Setu a year after its launch and documented not only the impact of Aarogya Setu on user privacy and informational privacy but also any intended benefits it may have offered.

Finance is another area that is facing increasing digitization.

We wrote an explainer to help people understand the nature of the e-rupi programme and the attendant concerns that arise from the use of such schemes, and also wrote to the Department of Financial Services regarding the lack of consultation about the E-Rupi programme.
We also wrote an explainer on the RBI’s Account Aggregator framework which claims to have a transformative impact on the financial ecosystem.

Other areas of welfare are facing a similar process of digitalisation: for example, the education sector is going through a digital transformation with the National Digital Education Architecture. We wrote an explainer on the NDEAR, exploring issues of a lack of internet access, low digital literacy, and an inadequate consent framework in the proposed architecture. Worker welfare has also witnessed something similar with the implementation of the E-Shram portal, which aims to help unorganised workers receive social security benefits. Closely linked to such programmes are the Aadhaar Good Governance Rules, which were tabled in Parliament on 5th January, 2021. We have written to Parliamentary Committees on Subordinate Legislation on how the Rules are unconstitutional in how they exceed the limits of the parent Act and violate the Puttaswamy judgement and proportionality test, and are vague and non-voluntary.

Targeted Surveillance: The Pegasus Revelations

In 2021, we saw the proliferation of surveillance technologies reach new heights, with both targeted and mass surveillance being (allegedly) used against Indian citizens. One of the foremost issues which rocked India were the revelations made under the Pegasus Project. The project revealed that numerous Indian citizens were potentially targeted through the use of the illegal Pegasus spyware. Our response to the Pegasus revelations consisted of:

initial statement in which we argued for surveillance reform to protect citizens against the use of such invasive technologies, and urged the government to stand by democratic commitments and reject the use of spyware in their pursuit of social objectives of policing and security.
a letter to the Standing Committee on Information Technology which had a sitting on the subject of citizens data security and privacy. We posed specific questions to Ministries of Home Affairs (MHA), Electronics & Information Technology (MeitY) and Communications (MoC).
Letters to the State governments of Chhattisgarh and Maharashtra to institute investigations into the use of spyware against citizens.
a line-by-line verification of the IT Minister's statement on the Pegasus hacks in Parliament.
a submission to the Commission of Inquiry set up by the Government of West Bengal.
a statement on the Committee of Experts appointed by the Supreme Court to examine the allegations of unauthorised surveillance using the Pegasus spyware.
and an in-depth look at the progress made by other countries on investigating the pegasus revelations.

You can access all our work related to the Pegasus spyware here.

Mass Surveillance

IFF’s Project Panoptic, which tracks the spread of facial recognition technology through the country, completed one year since launch in November. Under the project, we added 46 new projects to the tracker in the past year, bringing the total number of projects tracked to 76. We also filed 31 RTI requests for gaining more information around these projects. In addition to this, we have also conducted in-depth research on how different jurisdictions are regulating FRT by taking a look at FRT laws in the US, Europe & China and on how the Police uses FRT. We joined a global call to ban biometric surveillance along with Access Now, Amnesty, EDRi, Human Rights Watch, & others which was released during the 2021 RightsCon and launched the #BanTheScan campaign in India. You can read our year in review post for Project Panoptic here.

In addition to these specific issues, we also tackled concerns related to:

excessive CCTV deployment in Delhi by writing to the Hon’ble Chief Minister of Delhi, Arvind Kejriwal and the PWD Minister, Satyender Jain, and to Hon’ble Lt. Governor of Delhi to highlight our concerns and to ask them to take necessary steps to protect the privacy of the citizens of Delhi.
exam proctoring technology being used by various universities. We wrote to the University Grants Commission (UGC) and the Ministry of Education highlighting the shortcomings of this technology and asking them to issue detailed guidelines for conducting online examinations.
the Ministry of Home Affairs’ Cyber Crime Volunteers Program which will allow citizens to register themselves as "unlawful content flaggers" to report online content for removal, we wrote to the MHA highlighting our concerns related to the programme.
UP Police’s Humari Suraksha Programme by writing to the UP Police highlighting our concerns.
emotion recognition technology. We looked at how emotion recognition technology works, the rights which are affected by it, and whether there are any laws in place to regulate its use and misuse.
the Sulli Deals incident by writing to the Delhi Police asking them to expeditiously investigate the incident to provide closure and support to those targeted.
the Arsenal reports, which revealed that malware was used to surveil and plant evidence on the computers of two of the accused in the Bhima Koregaon case. We looked at these reports closely to provide an informed basis for commentary on digital evidence, forensics, and ongoing conversations on the use of malware such as Pegasus.
and vaccine passports. We looked at the ethical, legal and privacy concerns surrounding vaccine passports and whether their use for international travel should be allowed.

Now that the JPC has presented its report on the Personal Data Protection Bill, 2019 in Parliament, it is up to the government to present the modified Bill on the basis of the recommendations of the JPC. Thus, India is likely to finally have data protection legislation enacted. We will continue to track and analyse this space to ensure that the final Bill is comprehensive legislation that protects informational privacy and respects constitutional values. We will also continue to engage with any other regulatory changes, such as the updating of the Information Technology Act, 2000, as they come.

Key sectors such as health and agriculture are also likely to make significant progress in the level of digitalisation, which we will keenly monitor. The effective digitalisation of such key sectors can only be built on the back of robust national digital infrastructure, for which the bridging of India’s digital divide is imperative. We hope to shed further light on trends in internet connectivity and access by expanding the scope of our community tracker over the course of the next year.

Do you have suggestions on what we can do better? Reach out to us by filling in this form and letting us know what we should focus towards in 2022, or let us know how we can make our existing work more effective.