India is adapting to a new normal. Conducting business through technology such as web/video conferencing, which until recently was slowly making its way into our lives, suddenly became a necessity because of the Covid-19 pandemic. India’s legal framework, which at present is primarily based on the concept of territorial jurisdiction, is not equipped to address such a sudden and disruptive way of conducting business, one which disregards national boundaries. This article attempts to evaluate the existing legal framework concerning web conferencing, the resultant areas of concern, and the way forward in adapting to web-based conduct of business and professional pursuits in a post-Covid India.
A web or video conferencing facility is a platform for audio and video conferencing and for document and screen sharing, connecting participants at different locations. An audio/video facility consists of many elements, including the use of a CODEC, which stands for coder-decoder. A codec is a device which converts and compresses an analog audio-video signal into digital data and then sends it over a digital line. The decoder reverses the process at the receiving end, and this compression and decompression allows a large amount of data to be transferred across a network at close to real time. A simplified example is a zip file, which the sender compresses before sending and which the recipient unzips to its original size after receipt.
While providing the above facilities, conferencing systems make use of various end points in the participant’s computer/device, such as video input consisting of a camera, video output in the form of microphones and speakers etc. This functionality involves permitted access to the participant’s camera, microphone and data, thereby opening up legal and regulatory challenges.
This new normal of conducting business through web conferencing facilities has many challenges which are bound to ignite public and legal debate in the country. Some of the challenges are the absence of a regulatory and legal framework to deal with such offerings, possible privacy and data violations, one-sided contractual control in favour of the service provider, and concerns relating to national security.
During my research, I found that the End User Licence Agreement (“EULA”), which participants are made to sign as a pre-condition to availing such services, not only carries a right to process the participant’s personal data but also a right to share the same with third-party vendors for further processing, with or without masking of such data.
India does not have any dedicated regulation to deal with the challenges of a possible data breach. To deal with a potential data breach related to web conferencing services, one has to refer to the Information Technology Act, 2000 (“IT Act”). More specifically, sections 6A, 13(3), 13(4), 13(5) and 75 are one set of provisions which extend limited jurisdiction to Indian authorities to deal with web conferencing service providers who have their servers outside the conventional territorial jurisdiction of India. Other relevant provisions of the IT Act are Section 43A read with Section 72A, which provide for compensation and punishment for contractual data breaches.
Under section 69(2) of the IT Act, the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 were made. However, all the preventive provisions under these rules refer any violation of privacy to be dealt with as per the applicable law. As a result, these rules remain inadequate as a check on the misuse of the user’s data. After that, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which were issued under Section 43A of the IT Act, put additional obligations on the service provider concerning the collection and disclosure of sensitive personal data or information.
Besides the above relatively new provisions, Section 179 of the Indian Penal Code (“IPC”) provides power to an investigating officer to force co-operation if any such service provider is not cooperating with and responding to the investigator. Since these rules and regulations were unable to keep pace, this led to the Personal Data Protection Bill, 2019 (“PDP Bill”).
The PDP Bill is, by all means, a mammoth effort towards having a comprehensive data protection policy and authority in place. Divided into fourteen chapters, the PDP Bill intends to protect the individual whose data is processed against unauthorised and harmful processing. This is to be done by creating a relationship of trust between the individual and the processor of data, by regulating the flow and usage of personal data. Checks and balances are ensured by fixing accountability and by establishing a data processing authority.
However, in its current shape and form, the PDP Bill is not expected to work as a solution. Although it is pending before a select committee of Parliament, there are inherent issues which may cause a delay before the PDP Bill can become a law and a solution. Confining the evaluation of the PDP Bill to web conferencing, the first difficulty is in exercising extraterritorial jurisdiction under Section 2(A)(a), which provides for applicability of the Act to personal data which is collected, disclosed, shared or otherwise processed within the territory of India. Similarly, section 2(b) read with Section 91 of the PDP Bill is a self-imposed restriction assumed by us. Considering that web conferencing services are beyond political boundaries, it would have been appropriate if the territorial jurisdiction clause had assumed jurisdiction over the processing of personal data of individuals who are present in, and subject to, Indian territory.
Another area of concern is the consent obtained from the data principal (user) by the service provider (data fiduciary). As per Section 11(1), personal data shall not be processed except on the consent given by the data principal (user) at the commencement of its processing. Whether this consent is given once, at the time of downloading the web conferencing software, or every time the data fiduciary intends to process the data, is not clarified. On the brighter side, Section 57 of the PDP Bill proposes a substantial penalty for violating this provision, which may extend to fifteen crore rupees or four per cent of the data fiduciary's total worldwide turnover of the preceding financial year, whichever is higher. Such strict penal provisions will be a perfect deterrent against a possible violation of privacy by any web conferencing service provider.
The contract under which web conferencing services are offered is one-sided and virtually absolves the service provider of all possible legal and contractual responsibilities. With such an inadequate legal framework, if India requires access to data from any US-based company, even while resorting to the Indo-US Mutual Legal Assistance Treaty in Criminal Matters, it will take up to three years to access such data, if it is shared at all. During April 2020, when one leading web conferencing facility was facing repeated coverage of data breaches across the world, the only thing India could do was issue two advisories to its citizens in quick succession, on April 12, 2020 and April 16, 2020.
It seems that the PDP Bill is some time away. Besides, in its present shape and form, unless the Data Processing Authority as envisaged under Chapter IX of the PDP Bill is in place, the applicability of the PDP Bill shall remain elusive. So the only remedy to regulate web conferencing services is through judicial pronouncements by the Courts. The next logical question is what the guiding factors for the Courts should be in doing so.
In the celebrated five-judge bench case of National Textile Workers' Union i, Justice Bhagwati, delivering the judgment, observed that law cannot stand still; it must change with the changing social concepts and values. If the bark that protects the tree fails to grow and expand along with the tree, it will either choke the tree or, if it is a living tree, it will shed that bark and grow a new living bark for itself.
In another celebrated judgment, Justice K.S. Puttaswamy and Ors. ii, a nine-judge Supreme Court bench concluded that the right of privacy is a fundamental right. It is a right which protects the inner sphere of the individual from interference from both State and non-State actors and allows individuals to make autonomous life choices.
So the dual cardinal principle for the road ahead is that the privacy of the Indian citizen should be protected while adapting to the new normal, which is the advent of technology in conducting business regardless of territorial boundaries.
In the State of Maharashtra and P.C. Singh iii, the Apex Court allowed video conferencing in a criminal trial. In the case titled Malthesh Gudda Pooja iv, the Supreme Court held that review petitions could be heard using the medium of video conferencing. Similarly, while deciding a matrimonial dispute in Krishna Veni Nagam v, the Court held that wherever one or both of the parties request the use of video conferencing, proceedings may be conducted by video conferencing. In Mahender Chawla and Ors. vi, the Apex Court approved the Witness Protection Scheme, 2018 and permitted recording the evidence of a vulnerable witness in specially designed courtrooms which have special arrangements like live video links, with an option to modify the image of the face of the witness and to modify the audio feed of the witness' voice, so that he/she is not identifiable. In Swapnil Tripathi and Ors. vii, the Hon’ble Supreme Court issued model guidelines for the broadcasting of the proceedings and other judicial events of the Supreme Court of India.
The above-referred case law establishes that the Courts have always been the first port of call when there is an urgent need to adopt, adjudicate and regulate the advent of technology.
In March 2018, the United States was in the midst of a legal battle with Microsoft concerning extraterritorial access to data stored in Ireland. Before the pronouncement of judgment, the United States passed the Clarifying Lawful Overseas Use of Data Act (“Cloud Act”). The Cloud Act provides the United States with extraterritorial access to such data for criminal law enforcement and investigation. All major web offering companies are compliant with the Privacy Shield programme, which is a self-certification for a company that intends to deal with the data of EU subjects. This provision was pushed under Article 45 of the GDPR to ensure the protection of the data of EU citizens.
At present, India does not have any law which can regulate, and work as a deterrent against, the extremely aggressive way of conducting business via web conferencing in the Covid-19 situation. Against this background, all stakeholders, namely the Government, the Courts and citizen groups, should come forward and play their part to ensure that a powerful tool like web conferencing does not become a threat to national security and to the individual's fundamental right of privacy.
Until the PDP Bill becomes law and the Data Protection Authority is in place, India should immediately come up with self-certification guidelines for any web service provider who wishes to host web conferencing services in India. Considering the size and opportunity, every international web conferencing company will accept such guidelines in order to tap the vast Indian customer base. It is also noteworthy that such self-certification guidelines should provide for periodic reviews, all the more so because such web service providers frequently change their contractual terms.
In addition to addressing the shortcomings of the PDP Bill, there should be a robust provision to allow class-action suits against guilty web conferencing service providers who violate the privacy of citizens for commercial gain. All citizen groups should come forward and create democratic pressure on the government to make further changes to the PDP Bill. The government should also put the Bill in the public domain again and seek comments again, so that the current realities and challenges posed by technology can be accommodated in a comprehensive legal effort in the form of the PDP Bill.
Until the PDP Bill and self-certification guidelines are in place, the judiciary has to regulate increasing web conferencing activities. For this, the Courts have to come up with innovative, trendsetting judicial pronouncements so that legal provisions can keep up with web conferencing technology, which respects no territorial boundaries. A perfect way to end this article is with the ever-important words of Justice Bhagwati in the earlier stated National Textile Workers' Union judgment that
“Law must therefore constantly be on the move adapting itself to the fast-changing society and not lag behind”.