Showing posts with label law. Show all posts

Thursday, February 25, 2021

IT Rules 2021 - Social Media & OTT Rules


Social media, OTT Platforms, online news websites regulation in india (Information Technology Rules, 2021 )


These Rules, framed under the powers conferred by Section 79(2)(c) and Section 69A(2) of the Information Technology Act, 2000, provide for the classification of films and other entertainment programmes, including web series, bring digital news platforms within the ambit of the regulations covering print and electronic media, and attempt to rein in social media intermediaries.

Guidelines for intermediary and social media intermediary 

The Rules define 'significant social media intermediary' as social media with users above the threshold notified by the Central government. 

The Rules mandate that a social media intermediary should 'enable the identification of the first originator of the information on its computer, as may be required by a judicial order or an order passed by the Competent Authority', and such an order shall only be passed for the purposes of prevention, detection, investigation, prosecution or punishment of an offence related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order.

It has also been provided that the significant social media intermediary "shall have a physical contact address in India published on its website or mobile based Internet application or both, as the case may be, for the purposes of receiving the communication addressed to it."

The rules and regulations, privacy policy or user agreement of the intermediary should inform the user of the computer resource not to host, display, upload, modify, publish, transmit, store, update or share any information that is, inter alia, obscene, pornographic or paedophilic, threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign States, or public order, causes incitement to the commission of any cognizable offence, prevents investigation of any offence, or insults any foreign State.

No such information should be published which is patently false and untrue, and is written or published in any form, with the intent to mislead or harass a person, entity or agency for financial gain or to cause any injury to any person.

Self-Regulatory Body

It has been notified that there would be one or more self-regulatory bodies of publishers. Such a body shall be headed by a retired judge of the Supreme Court or a High Court, or an independent eminent person, and have not more than six members. The regulatory body concerned will have to register with the Ministry of Information and Broadcasting. This body will oversee the publisher's adherence to the Code of Ethics and address grievances that have not been resolved by the publisher within 15 days.

Disposing of a grievance

It has been laid down that a self-regulating body, while disposing of a grievance or an appeal, will issue guidance or advisories to the applicable publisher/entities, including:

(a) warning, censuring, admonishing or reprimanding such entity; 

(b) requiring an apology by such entity; or 

(c) requiring such entity to include a warning card or a disclaimer; or 

(d) in case of online curated content, direct such entity to (i) reclassify ratings of relevant content; (ii) make appropriate modification in the content descriptor, age classification and access control measures; (iii) edit the synopsis of relevant content.

Code of Ethics and Procedure/safeguards for Digital/Online media

Part III of the Rules states that digital and online media will be governed by a Code of Ethics. The Code of Ethics, which is given in the appendix, makes the Programme Code under section 5 of the Cable Television Networks (Regulation) Act, 1995 and the Norms of Journalistic Conduct of the Press Council of India under the Press Council Act, 1978 applicable to digital media.

The Code of Ethics applies to entities operating within the territory of India that conduct the systematic business activity of making their content available in India, targeted at Indian users. The Code of Ethics will cover the following entities:

  • Publishers of news and current affairs content;

  • Intermediaries which primarily enable the transmission of news and current affairs content;

  • Publishers of online curated content;

  • Intermediaries which primarily enable the transmission of online curated content.

Monthly compliance report

The rules require the concerned body/entity to publish a monthly compliance report mentioning the details of complaints received and the action taken on them, as well as details of content removed proactively by the significant social media intermediary.

Such entities should not publish content which affects the sovereignty and integrity of India, jeopardises the security of the State, or is detrimental to India's friendly relations with foreign countries. Further, online content should be classified based on its nature as 'U', 'UA', 'A', etc.

They should also take into consideration India’s multi-racial and multi-religious context and exercise due caution and discretion when featuring the activities, beliefs, practices, or views of any racial or religious group.

A three-tier structure has been notified to address the grievances made by various users:

(a) Level I - Self-regulation by the applicable entity;

(b) Level II - Self-regulation by the self-regulating bodies of the applicable entities;

(c) Level III - Oversight mechanism by the Central Government.

Establishment of "Grievance Portal"

It has been laid down that the concerned Ministry shall establish an online Grievance Portal, as the central repository for receiving and processing all grievances from the public in respect of the Code of Ethics, within three months of the commencement of the rules.

  • If a person has a grievance against any 'content published by an applicable entity', they may register the grievance on the Grievance Portal.

  • The Portal shall generate and issue an acknowledgement of the grievance for the benefit of the complainant within 24 hours of its registration, electronically direct the grievance to the applicable entity for addressing it, and also refer the grievance to the Ministry and the self-regulating body for information and record.

Mandatory Notification by the Significant publishers and 'content' creators 

It has been stated that it shall be mandatory for a 'significant publisher' of news and current affairs content to notify the Broadcast Seva that it is operating in the territory of India, by furnishing the information that may be required on the Broadcast Seva by the Ministry, for the purpose of enabling communication and coordination with such publisher.

The explanation reads that - for the purposes of this rule, a publisher of news and current affairs content shall be a significant publisher of news and current affairs content if it: 

(a) publishes news and current affairs content as a systematic business activity;

(b) operates in the territory of India; and

(c) has not less than five lakh subscribers, or fifty lakh followers on the services of any significant social media intermediary, as the case may be.

"Publisher/entities shall take into consideration India’s multi-racial and multi-religious context and exercise due caution and discretion when featuring the activities, beliefs, practices, or views of any racial or religious group.” reads out the general principles of the code of conduct 

Self-Classification of Content

The rules state that the OTT platforms, which have been regulating their content through various, would be self-classifying the content into five age based categories- U (Universal), U/A 7+, U/A 13+, U/A 16+, and A (Adult). The concerned online platforms would be required to implement parental locks for content classified as U/A 13+ or higher, and reliable age verification mechanisms for content classified as “A”.

My Views :

Government has played carrot and stick: while adamant social media gets the stick, as it does in other countries too, OTT platforms and online news get the carrot of self-regulation. Now, within 3 months, WhatsApp has to ready its software to pinpoint the originator of a message, so fake news peddlers will be behind bars quickly. Now US IT behemoths like Google and Facebook need to appoint compliance officers responsible towards Indian law and enforcement, and these officers can face jail like the impending Amazon Prime lady with any anticipatory bail for the Tandav web-series. I think next we can wait for a media bargaining code like the one in the EU, UK and Australia. Indian cyberspace is now governed cyberspace, moving an inch towards Internet Balkanisation, which remains inevitable.

Thursday, November 19, 2020

Brazilian LGPD & European GDPR Compared


The Brazilian General Data Protection Law (Lei Geral de Protecao de Dados or LGPD), a law with many similarities to the European Union's General Data Protection Regulation (the "GDPR"), is now effective. On April 29 of this year, Brazil's President issued Provisional Measure 959 that, amongst other things, postponed the effective date of the LGPD, which was originally set to be effective August 2020, to May 3, 2021. Brazil's Chamber of Deputies amended the measure so that the LGPD would take effect in December 2020. The Senate then decided that any postponement was void because the effective date had already been decided by Congress. The amended measure was sent to the President for his signature, providing him with the date of September 17, 2020 to sign the measure, which would make the law effective as of the original effective date, or veto it. The President sanctioned the law and the LGPD is now effective. Although the law has taken effect, the LGPD's enforcement provisions take effect August 1, 2021 (in Portuguese), and the provisions will be enforced by Brazil's data protection authority, a Autoridade Nacional de Proteção Dados Pessoais (the "ANPD"), which the President established by decree in August (in Portuguese). However, the LGPD's private right of action for violations of data subjects' rights is effective now. Businesses should continue to take steps to comply with the statute given its effective date and private right of action, and should prepare now for when administrative sanctions become enforceable next year.

Businesses that are GDPR compliant may be well on their way to achieving compliance with the LGPD given the similarities between the legal frameworks.  Yet, businesses should be mindful of several differences that may impact how they adjust their GDPR compliance programs to meet the requirements of the LGPD to the extent that businesses process data applicable to both regimes.

At a glance. This post highlights some of the material provisions of the LGPD and compares them to their equivalents in the GDPR.

Applicability.  Similar to the GDPR, the LGPD applies broadly to a wide range of data processing activities, data subjects, and their information.

  • The GDPR applies to the processing of personal data if such data is processed in the EU or if the purpose of the processing is to offer goods or services to or monitor the behavior of EU residents.  Arts. 2 and 3 GDPR.
  • The LGPD applies to the processing of personal data if such data is processed in Brazil, the purpose of the processing is to offer or provide goods or services to Brazilian residents, or the personal data processed belongs to Brazilian residents or was collected in Brazil.  Art. 3 LGPD.

Lawful Processing of Non-Special Categories of Personal Data.  Businesses likely will be able to process data under the same legal bases provided under the LGPD and the GDPR.

  • Under the GDPR, the processing is lawful if the data subject has consented or processing is necessary to perform a contract, comply with legal obligations, protect a natural person’s vital interests, act in the public interest, or achieve a legitimate interest of the controller or third party under certain conditions.  Art. 6 GDPR.
  • The LGPD includes all of the legal bases for processing listed under the GDPR.  In addition, the LGPD provides that controllers may process personal data specifically to exercise rights in judicial, administrative or arbitration procedures and to protect credit.  Art. 7 LGPD.

Lawful Processing of Special or Sensitive Categories of Personal Data.  Although the LGPD and the GDPR share several legal bases for processing sensitive information, the LGPD does not allow businesses to process such data under the bases identified under GDPR for legitimate activities of nonprofit entities and public data.

  • Under the GDPR, the processing of special categories of personal data is prohibited unless (i) the data subject has consented; (ii) data is processed under certain conditions in the course of legitimate activities of nonprofit entities in connection with their purposes; (iii) processing relates to data made public by the data subject; or (iv) processing is necessary to comply with employment, social security or social protection law, to protect the vital interest of natural persons, to exercise or defend legal claims or for public interest reasons, including those related to public health or research purposes.  Art. 9 GDPR.
  • The LGPD allows processing of sensitive categories of personal data if the data subject consents or processing is necessary for (i) the controller to comply with a legal obligation; (ii) shared processing of data when necessary by the public administration for the execution of public policies; (iii) research purposes; (iv) exercising rights, including in connection with a contract and in a judicial, administrative and arbitration proceeding; (v) protecting vital interests of a data subject or a third party, including health in a medical procedure; or (vi) preventing fraud and protecting the security of the data subject.  Art. 11 LGPD.

Data Subject Rights.  The LGPD provides to data subjects the right to data anonymization in addition to the other rights provided under the GDPR and requires businesses to respond to rights requests within fifteen (15) days.

  • Under the GDPR, data subjects have the right to access, rectification, erasure, restriction, data portability, and objection, and the right against automated decision-making.  Chp. 3 GDPR.
  • In addition to the rights provided under the GDPR, the LGPD provides data subjects the right to request that their data be anonymized.  Art. 18 LGPD.  However, in response to a request to delete under the GDPR, controllers may anonymize data because, similar to the LGPD, anonymized data is not considered personal data under the GDPR.

Children’s Personal Data.  The LGPD has a broader requirement than the GDPR to obtain consent for processing children’s personal data and extends heightened protection to children whose personal data is processed similar to the GDPR.

  • Before collecting personal data of children who are younger than sixteen (16) years of age, the GDPR requires controllers to obtain the consent of a child’s legal guardian subject to certain exceptions.  Any information directed to children should be provided using clear and plain language.  Art. 8 GDPR.
  • The LGPD broadly requires controllers to obtain the consent of a legal guardian before processing children’s data.  Information directed towards children needs to be appropriate for the children’s understanding.  Art. 14 LGPD.

International Transfer of Data.  The LGPD provides similar mechanisms to the GDPR for transferring personal data to third countries and international organizations.  Unlike the GDPR, the LGPD does not provide a list of specific derogations but many are covered by the law.

  • The GDPR allows the transfer of personal data to a third country or an international organization on the bases of (i) an adequacy decision, (ii) appropriate safeguards such as binding corporate rules, standard contractual clauses, and approved codes of conduct and certification mechanisms, (iii) an international agreement; and (iv) derogations for specific situations, which includes when the transfer is made from a register intended to provide information to the public or by any person on the basis of legitimate interests.  Chp. 5 GDPR.
  • The LGPD allows the international transfer of personal data on the bases of (i) an adequacy decision, (ii) compliance with the LGPD as shown through contractual clauses, global corporate rules, and stamps, certificates and codes of conduct, (iii) international agreements and cooperation, (iv) the vital interest of the data subject or a third party; (v) ANPD approval, (vi) public interest; and (vii) data subject consent.  Art. 33 LGPD.  Unlike the GDPR, the LGPD does not provide for international transfers on the basis of a register intending to provide information to the public or legitimate interests as provided under the GDPR.

Controller and Processor Obligations.  Generally, the LGPD has similar controller and processor obligations to the GDPR, with differences in data record maintenance, data protection impact assessment, and the appointment of data protection officers.

  • Under the GDPR, controllers and processors are required to maintain records of data processing activities; implement appropriate technical measures, including data protection policies, to protect personal data; conduct data protection impact assessments in certain circumstances; provide notice of data breaches to supervisory authorities and data subjects; and designate a data protection officer under certain conditions.  Chp. 4 GDPR.
  • Similarly, the LGPD requires controllers and processors to maintain processing records; adopt security, technical and administrative measures to protect personal data; conduct data protection impact reports upon the ANPD’s request; provide notice of certain security incidents; and appoint a data protection officer.  Chp. IV §§ I and II; Chp. VII §§ I and II; and Art. 41 LGPD.

Security Breach Notifications.  The LGPD has a lower threshold than the GDPR for providing notice of security incidents and a potentially longer timeframe than the GDPR in which to provide notice to regulators.

  • Under the GDPR, controllers are required to provide notice (a) to supervisory authorities within seventy-two (72) hours unless the security incident is unlikely to result in a risk to data subjects and (b) to data subjects without undue delay if the security incident is likely to result in a high risk to the data subjects.  Arts. 33 and 34 GDPR.
  • The LGPD requires businesses to notify within a reasonable amount of time the ANPD and affected data subjects if the incident may cause harm to data subjects.  Art. 48 LGPD.

Administrative Sanctions.  The LGPD imposes significantly less severe fines than the GDPR since they are based on businesses’ revenue in Brazil as compared to fines based on businesses’ revenue worldwide as provided under the GDPR.

  • Under the GDPR, controllers and processors may be subject to a fine of two percent (2%) of worldwide revenue up to 10,000,000 EUR for lower-level violations and four percent (4%) of worldwide revenue up to 20,000,000 EUR for higher-level violations.  Art. 83 GDPR.
  • Under the LGPD, controllers and processors may be subject to a fine of up to two percent (2%) of revenues in Brazil up to a total of R$ 50,000,000.  Art. 52 LGPD.

Law enforcement

In the case of Brazilian law, the supervisory authority is referred to as the ANPD (National Data Protection Authority) (Article 55). In the case of GDPR, it's the European Data Protection Board (Article 68).

To Conclude

In practice, if your company is already GDPR compliant, it can easily be LGPD compliant as well, and vice versa. There is a very visible convergence between the LGPD and the GDPR. But a privacy expert lawyer or law firm needs to evaluate your legal risk and compliance based on emerging case law. Also, both laws still need time to gain maturity and to be better evaluated.

For training on LGPD in comparison with GDPR or any privacy or Data Protection Laws with case studies around the World email: info@cyberlawcosulting.com

 

Wednesday, August 12, 2020

Strategic Cybersecurity Thinking


The ability to come up with effective plans in line with an organization's objectives within a particular cybersecurity situation. Strategic thinking helps cybersecurity managers review policy issues, perform long term planning, set goals and determine priorities, and identify potential risks and opportunities.

Clearly, there needs to be a clear strategy as to what needs to be done with respect to security. Such a strategy should determine the policies and procedures. However, in practice a security strategy is rarely created. Most emphasis is placed on policies, the implementation of which is generally relegated to the lowest levels; instead, it is assumed that most people will follow the policy that is created.

A strategic cybersecurity programme does not begin with tools and tactics, but with an articulation of one or more programme goals. Sun Tzu once said in The Art of War: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Essentially this means that before you start with strategic planning you have to know what you are and what you are not because the way you operate can either make or break a successful execution. First, the strategy-minded CISO gets executive buy-in to those goals. To that end, the CISO must incorporate all levels of strategic thought, starting with the board and CEO – everyone must feel ownership and participation. 

The smart CISO recognises that security is a journey, not a destination, and that relationship building requires an ability to translate between technical and non-technical vocabularies. The CISO ensures that the programme goals accurately govern the objectives of the enterprise’s digital security programme. In our scenario, the CISO, board, and CEO all agree that, with respect to intellectual property, trade secrets, and sensitive data, the new policy goal is to minimise loss due to intrusion. 

This statement implies that everyone understands that stopping all adversaries and all attacks is simply not possible, especially when dealing with nation-state actors and some advanced criminal groups. The primary objective of this exercise is to achieve consensus on a simply stated, non-technical programme goal. No in-depth technical discussion is needed to achieve consensus, although the CISO must ensure that all goals, policies, and strategies are technically feasible. With a mandate in hand, the CISO can confidently work with his or her security team to plan the necessary operations and campaigns and, if necessary, acquire new tools and tactics to facilitate them. Together, they decide to implement a network security monitoring (NSM) operation, defined as the collection and escalation of indications and warnings to detect and respond to intruders. 

The security team begins the long-term, strategic process of hunting for hostile cyberattack campaigns, encompassing both known and unknown intrusion patterns. The CISO, board, and CEO all agree that a second programme goal is rapid detection, response, and containment of cyber threats. This goal helps to ensure that when intruders breach the perimeter defences, the game is far from over.

Defenders can still win, so long as they contain the threat before the attacker can accomplish his or her ultimate mission. Therefore, the security team will develop strategies to identify compromises quickly, determine their nature, give them some level of attribution, and above all develop a plan to stop the attacker from accomplishing his or her mission. At the tactical level of individual engagements with the adversary – the equivalent of battles in war – the security team will have myriad decisions to make, including whether to dislodge the intruder immediately or whether to watch the intruder for a time in order to collect valuable intelligence.

Some tactics govern how specific tools or techniques can be used, such as when Star Trek personnel switch their hand phasers between ‘stun’ and ‘kill’. As always, the adversary gets a say in what happens, but from the enterprise’s point of view, programme goals, policies, and guidelines should be written to govern this entire process.

Wednesday, April 19, 2017

Is Credit or Debit Card PIN a Electronic Signature as per the Law ?


For lawyers across the world, a click-wrap agreement, i.e. the act of ticking an icon in the shape of a box to accept the terms of a contract, can hardly count as a form of signature. In the physical world, that must be right. Similarly, it might be questioned whether a personal identity number (PIN) can be considered to be an electronic signature.
Arguably, the PIN combines two functions. Before considering the two functions, consider the requirements of the bank. The bank needs to satisfy itself that:
1. The card is legitimate (this is difficult to achieve, as the reports about fraud demonstrate), and
2. The card is in the possession of the customer to whom it was issued, or a person authorised by the customer to use the card.
If the bank satisfies itself that its computer systems are interacting with the card issued to the customer (which is not always the case), then the computer system requests the purported customer to undertake one further act to confirm they (or a person authorised by them) have physically inserted the card into the ATM or the point of sale terminal, by keying in the correct PIN. Generally, if the computer systems receive positive results from both interactions, then the bank will permit the person at the ATM or the point of sale terminal to undertake whatever activity they are permitted to do within the terms of the mandate.
The first function of a PIN
The first function of the PIN is to act as a means of authentication. The PIN purports to demonstrate that the person that keyed in the PIN knew the correct PIN (there are some forms of attack that do not need the correct PIN – any combination of numbers will act to deceive the card issuer that the correct PIN has been keyed in).

Once the computer systems of the bank are satisfied that the card is legitimate and the PIN is the correct PIN of the customer, then the person at the ATM or the point of sale terminal can undertake any activity on the account that is permitted within the mandate and within the limitations of the technology.
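As an added illustration (not from the post, and not any bank's real system), the three checks the bank performs above modelled on the issuer side: is the card legitimate, does the person know the PIN, and is the request within the mandate. The issuer key, PIN-try limit, daily limit and card data are constructed; the point of the model is that the issuer verifies the PIN itself and never relies on a terminal's claim that "the correct PIN was keyed in", which is the failure mode the bracketed remark describes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed issuer-side secret for this model; a real issuer keeps it in an HSM.
ISSUER_KEY = b"constructed-issuer-key-not-a-real-secret"
MAX_PIN_TRIES = 3  # constructed limit; issuers block the card after repeated wrong PINs


@dataclass
class CardRecord:
    """What the issuer holds for one card. The PIN itself is never stored, only a salted hash."""
    pan: str
    expiry: str
    pin_salt: bytes
    pin_hash: bytes
    daily_limit: int            # the 'mandate': how much the holder may spend per day
    spent_today: int = 0
    pin_tries_left: int = MAX_PIN_TRIES
    blocked: bool = False


def card_mac(pan: str, expiry: str) -> bytes:
    """Issuer-keyed MAC over the card data; stands in for the cryptogram a genuine card produces."""
    return hmac.new(ISSUER_KEY, f"{pan}|{expiry}".encode(), hashlib.sha256).digest()[:8]


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen card database does not yield PINs directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


def enrol(pan: str, expiry: str, pin: str, daily_limit: int) -> CardRecord:
    """Issue a card: pick a random salt and store only the PIN hash."""
    salt = secrets.token_bytes(16)
    return CardRecord(pan, expiry, salt, hash_pin(pin, salt), daily_limit)


def authorise(card: CardRecord, presented_mac: bytes, pin: str, amount: int,
              terminal_says_pin_ok: bool = False) -> tuple[str, str]:
    """Issuer decision for one ATM / point-of-sale request.

    Check 1: is the card legitimate? (its MAC must verify under the issuer key)
    Check 2: does the person know the PIN? (verified here, issuer-side)
    Check 3: is the request within the mandate? (daily limit)
    terminal_says_pin_ok is deliberately ignored: a terminal's or a card's own
    claim that the PIN was fine is exactly what 'any combination of numbers'
    attacks rely on, so it must never substitute for issuer verification.
    """
    del terminal_says_pin_ok  # never consulted, by design
    if card.blocked:
        return "DECLINE", "card blocked"
    if not hmac.compare_digest(card_mac(card.pan, card.expiry), presented_mac):
        return "DECLINE", "card not legitimate"
    if not hmac.compare_digest(hash_pin(pin, card.pin_salt), card.pin_hash):
        card.pin_tries_left -= 1
        if card.pin_tries_left == 0:
            card.blocked = True
            return "DECLINE", "PIN tries exhausted; card blocked"
        return "DECLINE", f"wrong PIN ({card.pin_tries_left} tries left)"
    card.pin_tries_left = MAX_PIN_TRIES   # correct PIN resets the counter
    if card.spent_today + amount > card.daily_limit:
        return "DECLINE", "outside mandate"
    card.spent_today += amount
    return "APPROVE", "card and PIN verified"


if __name__ == "__main__":
    # Constructed card and a genuine-looking request followed by a wrong PIN.
    card = enrol("4111111111111111", "12/27", "1234", daily_limit=500)
    mac = card_mac("4111111111111111", "12/27")
    print(authorise(card, mac, "1234", 100))
    print(authorise(card, mac, "0000", 100, terminal_says_pin_ok=True))
```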
The second function of a PIN
The PIN, even though it is offered to the machine before a transaction is effected, acts as a signature to verify a payment or other form of transaction. This means that the presentation of a card to an ATM, and the input of a PIN, is similar to a cheque that is written out by the account holder, signed, and then presented to the cashier at the bank. The customer completes the action necessary to request a payment in advance of the payment being made by the cashier, and then signs the cheque in the presence of the cashier – all before receiving acknowledgment that a transaction has been authorised. This means the PIN is a form of electronic signature.
It might be considered that the action of clicking the 'I accept' icon or box, or typing in a PIN, is merely a means by which the person agrees to conclude the contract, and that the act is not that of appending their electronic signature.
This analysis might be right, but we must recall that the digital world is different to the physical world. Conceptually, some of the forms of electronic signature may not strictly be considered ‘signatures’ in the physical world. Nevertheless, it is a convenient shorthand to refer to some forms of agreeing to enter a contract as an ‘electronic signature’ – at least we can all understand the meaning behind these words, even if the form is not quite what we expect.

Case Law:

Standard Bank London Ltd v. Bank of Tokyo Ltd [1995] CLC 496; [1996] 1 C.T.L.R. T-17 and Industrial & Commercial Bank Ltd v. Banco Ambrosiano Veneto SpA [2003] 1 SLR 221, where a message using an authentication code sent through the SWIFT (Society for Worldwide Interbank Financial Telecommunication) system has the legal effect of binding the sender bank according to its contents, and where a recipient bank undertakes further checks on credit standing or other aspects, it does not detract from this proposition. 

What is one's responsibility as a cardholder?
You, and all your supplementary cardholders, must take all reasonable precautions to prevent the card and the card number, the PIN, or any other security details for the card or account (the "card security details") from being misused or being used to commit fraud. These precautions include:
  • sign the card as soon as it is received and comply with any security instructions;
  • protect the card, the PIN, and any card security details;
  • do not allow anyone else to have or use the card;
  • do not write down the PIN or the card security details nor disclose them to anyone else, including the police and/or the bank's staff;
  • do not allow another person to see your PIN when you enter it or it is displayed;
  • do not tamper with the card;
  • regularly check that you still have your card;
  • keep card receipts securely and dispose of them carefully; and
  • contact the bank about any suspicious matter or problem regarding the use of the card at a terminal.
You must notify the bank immediately if:
  • your card is lost or stolen; or
  • your PIN may have been disclosed; or
  • your card is retained by an ATM; or
  • your address or contact details have changed.

Definition of Electronic Signature in various Countries


USA:
Electronic Signatures in Global and National Commerce Act, 15 U.S.C. §§ 7001-7003. 
ELECTRONIC SIGNATURE. – The term “electronic signature” means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record. 
CANADA:
The Uniform Electronic Commerce Act provides a single, media neutral, definition of an electronic signature in s1(b):
(b) “electronic signature” means information in electronic form that a person has created or adopted in order to sign a document and that is in, attached to or associated with the document.
China:
Order No. 24 of the President of the People’s Republic of China, promulgated on and effective since 4 April 2015, amending the 2004 law.  
Electronic Signatures Law of the People’s Republic of China of 2015. Article 2 provides a definition of electronic signature and data message, both of which are widely drafted:
“Electronic signature” in this law means data in electronic form in or affixed to a data message, which may be used to identify the signatory in relation to the data message and to indicate the signatory’s approval of the information contained in the data message.
“Data message” means information generated, sent, received or stored by electronic, optical, magnetic or similar means.
EU:

The Regulation provides the definition of an electronic signature in article 3(10)
‘electronic signature’ means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign;
India:
Sec 2(ta) of the Information Technology Act 2000 defines electronic signature as
"Authentication of any electronic record by a subscriber by means of the electronic technique specified in the second schedule and includes digital signature."
The definition of electronic signature includes digital signature and other electronic techniques which may be specified in the second schedule of the Act; thus an electronic signature means authentication of an electronic record by a subscriber by means of electronic techniques. The adoption of 'electronic signature' has made the Act technology neutral, as it recognizes both the digital signature method based on cryptographic technique and electronic signatures using other technologies.
