Technology Law and Data Privacy Updates


Edition II - November 2024

PREFACE 

Welcome to the latest edition of Fountainhead Legal’s Data Privacy and Technology Law newsletter. November 2024 has been a pivotal month for data privacy and technology regulations, with noteworthy developments shaping the national and international landscape.

In India, the introduction of the Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024, and the Telecommunications (Telecom Cyber Security) Rules, 2024, marks a significant step towards fortifying critical infrastructure and addressing cybersecurity threats. These rules impose stringent compliance obligations on telecommunications entities, ensuring the resilience and security of India’s digital backbone.

Additionally, the Competition Commission of India’s imposition of a hefty penalty on Meta Platforms highlights the critical importance of aligning data-sharing practices with legal standards. This case emphasizes the interplay between user autonomy, transparency, and competition law. Indian courts have also reinforced privacy protections with landmark judgments. The Delhi High Court’s directions on masking the identity post acquittal and the Bombay High Court’s intervention in a recent data breach case involving customer information of a prominent insurance player underscore the judiciary’s proactive role in upholding privacy rights.

Globally, international developments continue to shape data privacy discourse. The European Data Protection Board’s revised guidelines on the ‘Cookie Rule’ emphasize greater transparency and consent in data collection technologies, while California’s recent legislation introduces groundbreaking transparency requirements for generative AI systems.

Fountainhead Legal is dedicated to supporting organizations on this journey. With our deep expertise in data privacy compliance and a strong understanding of regulatory nuances, we provide tailored solutions for each client’s unique needs. From drafting privacy policies and building data protection frameworks to advising on cross-border data transfers and facilitating employee training programs, our team is equipped to guide clients through every step of their compliance strategy.

Meanwhile, we hope you enjoy our latest updates!

NATIONAL 

1.  India Enacts Key Telecom Rules for Critical Infrastructure and Cybersecurity

In November 2024, the Department of Telecommunications introduced the Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024[1], and the Telecommunications (Telecom Cyber Security) Rules, 2024[2], which apply to telecommunication entities.

The Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024

These Rules establish a comprehensive framework to safeguard India’s critical telecommunication infrastructure. They mandate that telecommunication entities ensure their critical infrastructure complies with specified standards, including Essential Requirements (ERs), Interface Requirements (IRs), and Indian Telecommunication Security Assurance Requirements (ITSARs). Additionally, entities must adhere to the National Security Directive on Telecommunication Sector (NSDTS) and directives on communication security certification issued by the Central Government. The Rules empower the Central Government to authorize personnel to access and inspect hardware, software, and data related to critical telecommunication infrastructure. Telecommunication entities are required to facilitate such inspections and appoint a Chief Telecommunication Security Officer (CTSO) responsible for implementing the Rules. This officer must provide detailed information to the government, including network architecture, authorized personnel access, inventory of related hardware and software, vulnerability assessments, and security audit reports. Furthermore, entities must report security incidents within specified timelines and ensure that any upgrades to critical infrastructure receive prior written certification from the Central Government, confirming compliance with established standards.

The Rules must be adhered to by all entities involved in the ownership, operation, management, or maintenance of critical telecommunication infrastructure. This includes telecommunication service providers, network operators, and entities handling hardware, software, or services associated with critical infrastructure. Critical Infrastructure refers to telecommunication infrastructure deemed essential for the security, defense, public safety, or economic resilience of the country. This includes systems, networks, and assets whose disruption or compromise could have a significant impact on national security, economic stability, or public well-being. The specific designation of such infrastructure is determined by the Central Government.

The Telecommunications (Telecom Cyber Security) Rules, 2024

These Rules are designed to ensure enhanced cybersecurity in India’s telecommunication networks by enforcing stringent compliance measures and introducing a standardized framework for identifying and addressing cyber threats. These Rules mandate that telecom service providers (TSPs) and other relevant entities adhere to comprehensive security protocols, including implementing Government-specified security assurance frameworks, conducting periodic vulnerability assessments, and maintaining incident response mechanisms. The overarching goal is to safeguard critical telecom infrastructure and services from escalating cyber risks, which could compromise national security and public trust.

These Rules are crucial as they directly address the increasing sophistication of cyber threats targeting telecommunication networks, which form the backbone of digital communication and commerce. They emphasize the creation of Security Operations Centres (SOCs), mandatory incident reporting, and a clear chain of accountability. The Rules mandate that only approved and secure hardware and software be deployed, thereby reducing the risk of vulnerabilities introduced through third-party components. The application of these Rules extends to all entities involved in the telecommunication ecosystem, including TSPs, network operators, and equipment providers.

These Rules collectively impose stricter operational and compliance obligations on telecom service providers, network operators, and equipment vendors, requiring them to enhance their security frameworks, regularly assess vulnerabilities, and promptly report security incidents. For entities, this translates to a significant overhaul of existing practices, increased accountability, and a more proactive approach to securing telecommunication networks in alignment with national security objectives.

2. CCI imposes Hefty Penalty on Meta under Anti-Trust Regulations

The Competition Commission of India (“CCI”), in the matter of In re: Updated Terms of Service and Privacy Policy for WhatsApp users [Suo Motu Case No. 01 of 2021][3] has imposed a hefty penalty of INR 213.14 crores on Meta Platforms, Inc. (“Meta”) in relation to the updated ‘Terms of Service’ and ‘Privacy Policy’ of WhatsApp released in 2021 (“Updated Policies”).

In January 2021, WhatsApp introduced its Updated Policies effective from 08 February, 2021. These Updated Policies required users to accept new terms, including mandatory data sharing with other Meta entities (e.g., with Facebook), to continue using the platform. Unlike WhatsApp’s 2016 policy, which allowed users the choice to opt out of data sharing with Facebook, the Updated Policies eliminated this option. The CCI observed that the Updated Policies undermined users’ autonomy and violated The Competition Act, 2002. Meta was also found to have leveraged its dominant position in the OTT messaging apps market to reinforce its influence in online advertising, creating barriers for competitors. On this basis, the CCI directed WhatsApp to restrict data sharing for advertising purposes for 5 years and provide users with clear explanations along with an opt-out option for other types of data sharing. The platform must also allow users to review and modify their preferences through app settings and ensure that future updates comply with these transparency and choice requirements.

Data sharing practices must comply with the law, ensuring transparency, informed consent, and user autonomy as emphasized by the DPDP Act. When data sharing is conducted unlawfully, such as by imposing mandatory terms without user choice, it can trigger repercussions under other legislation, including the Competition Act, 2002. As seen in the CCI’s penalty on Meta, anti-competitive effects like market barriers and abuse of dominance can arise from exploitative data practices, underscoring the necessity for businesses to align data policies with legal standards to avoid liabilities under various legislations.

3. Delhi HC upheld ‘Right to be Forgotten’ by masking Petitioner’s Details post Acquittal

The Court, in the matter of ABC v. State and Others [Crl. M.C. 495/2019][4], recognized that public availability of case details, despite the petitioner’s acquittal, could cause irreparable harm to his privacy, career, and dignity. It directed the masking of the petitioner’s name and respondent details in all records and search results related to the case, aligning with the ‘right to be forgotten’. Additionally, search engines and social media platforms were encouraged to adhere to these privacy principles and remove any relevant public material, reflecting a nuanced balance between individual dignity and the public’s right to information.

4. The High Court of Kerala upholds Right to Access Digital Documents while balancing Privacy of Victim in Criminal Matter

In Aji v. State of Kerala [Crl. Rev. Pet. No. 1218 of 2024][5], the Court addressed a plea by the accused in a case under the Indian Penal Code, 1860 (“IPC”) and Prevention of Children from Sexual Offences Act, 2012 seeking access to CCTV footage to defend himself. The Court identified critical issues regarding fair trial rights, noting the trial court’s denial of access to the footage. While the footage lacked certification under Section 65B of the Indian Evidence Act, 1872, the High Court emphasized that the accused’s right to defend himself included access to all prosecution evidence, barring materials that infringed on the victim’s privacy. It deemed the denial unjustifiable and directed the trial court to allow the accused to view the footage before or during trial. This decision reinforces the balance between procedural fairness and privacy considerations in criminal proceedings.

5. High Court at Karnataka refused to quash FIR in relation to Online Crime

In the case of Mr. Sourish Bose and Smt. Deepanvita Ghosh v. State of Karnataka [Criminal Petition No. 10546 OF 2024], the petitioners sought to quash an FIR registered against them for alleged cheating and fraud involving Amazon Transportation Services Private Limited (“Amazon”). The complaint, filed by Amazon, detailed a scheme where high-value products were ordered and then swapped and returned with low-cost items, resulting in a loss of approximately INR 69,91,940. The petitioners argued that the case should fall under Section 66D of the Information Technology Act, 2000, rather than Section 420 of the IPC, and that the proceedings were without jurisdiction.

The High Court of Karnataka rejected the petition and determined that the allegations, which involved a scheme of returning low-cost items in place of high-value products ordered from Amazon, constituted a clear case of cheating under Section 420 of the IPC. The Court emphasized that the case involved seriously disputed questions of fact that required a full trial and could not be resolved at this stage. Consequently, the petition was dismissed, and the case was allowed to proceed to trial.

6. Bombay High Court grants Temporary Injunction to Insurance Company on Data Breach

In a case related to a data breach of policy-holders’ information, the Bombay High Court, in HDFC Life Insurance Co. Ltd. v. Meta Platforms Inc. & Ors [Interim Application (L) No. 35886 of 2024][6], granted a temporary injunction in favour of the applicant, recognizing the significant risk posed by the unauthorized disclosure of sensitive customer data by the defendants including Meta Inc., Telegram and WhatsApp. The applicant demonstrated a prima facie case, highlighting the potential for identity theft, financial fraud, privacy violations, and misuse of confidential information, including impersonation and trademark infringement. Further, the Court ordered WhatsApp and Telegram to take immediate action to remove or block any accounts and content linked to the misuse of HDFC’s customer data. The Court also mandated Meta Inc., Telegram and WhatsApp to disclose all available information on Defendant 6 (the unknown person responsible for hacking the Applicant’s data), including personal and contact details, IP addresses, and associated accounts, to aid in the investigation.

INTERNATIONAL 

7. USA – California introduced Bills on ‘Generative AI’ focusing on Content Training and Transparency

California’s Assembly Bill 2013[7] is a new law that mandates greater transparency from developers of generative Artificial Intelligence (“AI”) systems. Starting January 1, 2026, developers must publicly share information such as the sources of their datasets, whether they contain personal data, and whether they were licensed or purchased. This law applies to all developers offering generative AI systems in California, regardless of the number of users.

Further, Senate Bill 942[8] focuses on the output of AI systems, requiring large-scale generative AI developers to offer AI detection tools and watermarking options for audiovisual content. It applies to systems with over 1 million monthly users. From January 1, 2026, developers must provide a free AI detection tool, allow users to detect AI-generated content, and include metadata showing the content’s origin. The law also mandates watermarking features and ‘latent disclosures’ that reveal details about the content’s creation.

California’s recent efforts to regulate the AI industry highlight its proactive approach to managing the rapid growth of technology. While the State has previously passed laws aimed at combating the spread of deepfakes, its new legislation takes a broader approach by targeting the transparency of generative AI systems. By implementing these measures, California is moving quickly to ensure AI technology is developed and deployed responsibly, addressing both data transparency and the integrity of AI-generated content.

8. EU – EDPB proposed ‘Cookie Rule’ through Revised Guidelines[9]

The European Data Protection Board (“EDPB”) has released an updated version of its ‘Guidelines on Technical Scope of Art. 5(3) of ePrivacy Directives’ (“Revised Guidelines”) for public consultation from stakeholders till January 18, 2025.

Through the Revised Guidelines, the EDPB has introduced the ‘Cookie Rule’ to include technologies beyond traditional cookies. This broader interpretation includes methods like URL and pixel tracking, local processing, Internet of Things devices, and IP-based tracking. These technologies now trigger the cookie rule, meaning companies must obtain prior consent to access or store data unless it is strictly necessary for service delivery. The Revised Guidelines emphasize transparency and aim to provide more control to users over their personal data.

The expanded interpretation of the ‘Cookie Rule’ highlights the growing need to regulate data collection through various technologies like cookies, URL tracking, and IoT devices. With privacy concerns escalating, these regulations ensure that companies obtain prior consent from users before accessing or storing their data unless strictly necessary. Similarly, the Indian DPDP Act reinforces this approach by mandating prior consent for data collection, aligning with global trends to provide users more control over their personal information.

Authors:

  • Rashmi Deshpande
  • Aarushi Ghai
  • Janmejay Jaiswal