Ameya Garud, Rajas Salpekar*
India witnessed the institutionalization of its data protection framework with the introduction of the Personal Data Protection Bill (hereinafter referred to as the “PDPB”) on 11th December, 2019. The need for a robust framework concerning data privacy was acknowledged by the Union Government at a time when the Aadhaar judgment[i] was sub judice. A committee was set up under the chairmanship of Justice B.N. Srikrishna to “identify key data protection issues in India and recommend methods of addressing them”.[ii] This pressing need for uniform legislation regulating personal and non-personal data arose owing to the scattered landscape of legislation governing privacy in different sectors in India and the inadequacies and ambiguities that accompanied it.
The PDPB thereafter submitted by the committee was referred for review to a Joint Parliamentary Committee (“JPC”), which was due to submit its report by 15th March, 2021.[iii] Among many others, a representation to the JPC on the PDPB was also made by the Internet Corporation for Assigned Names and Numbers (“ICANN”), expressing concerns[iv] over the implications faced by domain registrars like GoDaddy and BigRock while processing data under the ‘consent provision’ in Section 11 of the PDPB. ICANN has submitted that Section 11, which mandates obtaining the consent of a data principal (an individual) before processing any personal data, acts as a roadblock in the functioning of registrars (GoDaddy, BigRock etc.), as they need to process personal data in order to register domain names, and that process would be hampered if consent from the individual were required at every step.
This article, firstly, analyzes the submission and recommendation made by ICANN to the Joint Parliamentary Committee; secondly, it examines the possible future pros and cons of these recommendations; and thirdly, it suggests possible solutions which, if adopted, may mitigate any future implications.
ICANN and WHOIS Registry
Formed in 1998, ICANN is a not-for-profit organization which frames policies for the expansion of the internet.[v] It is responsible for the allocation of Internet Protocol addresses, domain names and country codes, and for the management of the associated servers. In other words, ICANN distributes IP addresses and country codes (‘.in’, ‘.eu’, ‘.au’, etc.), while domain names can be bought from any of the 2000 or more domain registrars (BigRock, GoDaddy etc.).
These domain registrars need to maintain a record of the information concerning the registration of a domain name, such as the name, address, email, phone number, and administrative and technical contacts of the registrant. The registrant’s personal data maintained by registrars is known as (“WHOIS”) data, as it tells ‘who is’ the registrant of a domain name.[vi] Further, under the existing consensus policies and their contracts with ICANN, registrars are obliged to keep WHOIS information accurate, up to date and publicly available, subject to the laws of different countries. Owing to the consequences of publicly available information, such as spam calls, unsolicited marketing and the risk of domain hijacking, domain registrars started offering ‘WHOIS privacy’ services to their customers for a fee, wherein the address and contact details of a registrant are replaced by those of the registrar; however, the personal information of registrants who did not subscribe to the ‘WHOIS privacy’ service remains available in the public domain.[vii]
ICANN and its representation to the Joint Parliamentary Committee.
ICANN, being a multi-stakeholder body, has made a representation to the Joint Parliamentary Committee raising a concern that ‘Section 11’ of the PDPB is an impediment to the working of registrars and their processing of personal data. Section 11 of the draft legislation mandates obtaining the consent of an individual before processing any data relating to him, and this mandate obliges registrars to obtain the consent of a registrant before taking any action concerning that registrant’s data. ICANN has charted out conditions wherein this mandate can cause an obstruction, especially in time-sensitive cases. It argues that there are cases wherein data must be transferred by registry operators and registrars, as reproduced herein:
“1. Registry operators or registrars transfer limited registration data for particular domain names to ICANN org for the purpose of investigating compliance-related inquiries and enforcing ICANN agreements and policies.
2. Registry operators transfer registration data to an Emergency Back-End Registry Operator if it is at risk of failing to sustain any of the critical registry functions.
3. Registry operators and registrars transfer certain registration data (such as a registrant’s name, e-mail address, and/or postal address), upon request, to third parties, such as law enforcement authorities and intellectual property holders, who have demonstrated that they have a legitimate interest in accessing this data.”
Better Compliance & Smooth Functioning for Registries
Ironically, there can be a situation where the WHOIS data of a cyber-criminal is demanded by law enforcement agencies or officers from a registrar, and the registrar cannot provide any information unless the cyber-criminal consents to the sharing of his personal details with the police. ICANN therefore suggests that, to avoid such a circumstance, which can jeopardize the functioning of registry operators and registrars and can also obstruct the transfer of data to law enforcement agencies or other personnel having a legitimate interest in receiving it, data processing for domain name registration should be made an exception to Section 11. ICANN also suggests that if such data processing is brought within the ambit of Section 13 or Section 14 of the PDPB, which set out exceptions to Section 11, then registrars would not be dependent on the registrant’s consent and would function smoothly.
However, making an exception for domain registration raises many questions. The following sections deal with the possible implications of widening the ambit of Section 13 and/or Section 14 and further chart out solutions which can be adopted to mitigate these implications.
Concern of Misusing Consent by deploying Click-Wrap contracts.
If the exception is made, domain registries, while selling domains to data principals, may deploy click-wrap agreements to obtain their consent and sneak in unfair Terms & Conditions (“T&C”) regarding privacy and the processing of personal data. ‘Click-wrap’ standard form contracts are e-contracts deployed by website owners to obtain a consumer’s acceptance of certain T&Cs before the consumer is allowed to access the website. Their inherent problem is that the deployer may frame unfair T&Cs in fine print or make it difficult for readers to reach the webpage setting forth the complete T&Cs, thus giving them no real opportunity to read and negotiate the T&Cs before ultimately clicking the ‘I agree’ button signifying acceptance.[viii]
Thus, it is imperative for domain registries to enlist and disclose the full terms unambiguously and to give a real opportunity to read the T&Cs, in order to pass the test of unconscionability and public policy for click-wrap contracts as laid down by the Supreme Court in LIC v. CERC.[ix] Similarly, a California court has required all click-wrap contracts to fulfill the aforementioned conditions.[x] Further, non-compliance with these conditions may mean that consent obtained through click-wrap contracts does not qualify as ‘free’, ‘well-informed’, ‘specific to the scope of consent’ and ‘clear’, as mandated by Section 11(2) of the PDPB, 2019.[xi]
As alternative ways of obtaining consent, the GDPR guidelines on consent propose methods such as electronically scanned forms, emails, oral statements and other scanned documents bearing the data principal’s signature.[xii]
Competition Law concerns arising.
In the absence of regulations governing the handling of data, domain registries will have absolute control over this data, giving them the power to process or share it as they see fit. This may result in domain registries engaging in anti-competitive practices such as discriminatory or exclusionary data sharing agreements. The threat of such data sharing practices in data-driven markets was recognized by Bruno Lasserre and Andreas Mundt in their paper titled “Franco-German Study on Competition Law & Big Data”.[xiii] This study highlights a French case of discriminatory exclusive data sharing, in which a French entity, ‘Cegedim’, shared a medical software product exclusively with one of its competitors, ‘IMS’, and refused to share data with other entities. The European Commission (“EC”) then ordered Cegedim to share data with other entities.[xiv]
Further, the Competition Commission of India (“CCI”), in the recent deal in which Google purchased a 7.73% stake in Jio Platforms, expressed concern that any such data sharing could cause an appreciable adverse effect on competition in the market.[xv] Thus, strict self-regulation by registries, along with strict monitoring of such actions by the competent regulators, is important in such cases.
Self-Regulating use of Data- The solution.
Besides the rules applicable to processing personal data without the consent of the data principal, it is also imperative for data fiduciaries to demarcate boundaries and regulations for their own processing of data, so as to stay protected from significant liabilities. ICANN has recommended the aforementioned categories as the scope of such processing. Another step registrars can take is to conduct a ‘balancing exercise’ before processing any data, so as to examine whether their ‘legitimate interest’ in such processing is overridden by that of the data principals.
Position in the EU.
The GDPR ‘Guidelines on Automated Decision-Making and Profiling’ lay down a ‘balancing exercise’ under Article 6(1),[xvi] which requires a registrar to ascertain that the legitimate interest it has in sharing the data is not overridden by the interests, fundamental rights or freedoms of the data subject, i.e. a user. Article 21 of the GDPR[xvii] is also pertinent, as it authorises a registrar to process data in spite of an objection from the data subject if the legitimate grounds for processing the data override the interests, rights and freedoms of the data subject. Further, the European Court of Justice held in the Rīgas satiksme case that registrars need to use ‘legitimate interest’ lawfully to process data and that what constitutes a ‘legitimate interest’ differs from case to case.[xviii] Therefore, registrars should conduct a balancing exercise, weighing their legitimate interest in processing the data against the rights of the registrant or data subject, and then decide whether or not the data is to be shared.
Aarogya Setu’s Knowledge Sharing Protocol.
Another example of effective self-regulation by data fiduciaries is the Aarogya Setu app’s “Data Access and Knowledge Sharing Protocol”[xix] (hereinafter referred to as the “Protocol”), which prescribes a robust policy clarifying the nature of users’ data that may be processed through the app, the circumstances in which any specified type of data may be shared with third parties, and the objective sought to be achieved by such sharing. This restrains the data fiduciary from exercising unfettered discretion in handling users’ data. Among the provisions which can act as guiding principles for data fiduciaries are Rule 5(b)[xx] of the Protocol, which mandates collecting only as much data as is necessary for the objective sought to be achieved, and Rule 5(c), which mandates processing the data so obtained from the user in a fair, transparent and non-discriminatory manner.
Thus, so long as a domain registrar’s self-regulation policy prescribes a fair balancing exercise outlining the scope of its legitimate interest, fixes the liability of the entities with whom data is shared, and puts in place a mechanism for handling data that leaves no room for arbitrary discretion, an exception for domain registrars can be made under Section 11 of the PDPB, 2019, without jeopardizing privacy while enabling smooth functioning.
This test would not only guide registries but also help them justify their ‘legitimate interest’ and the reasons behind processing certain data. It may also harmonize co-operation between registries, data principals and the competent regulators.
*Ameya Garud and Rajas Salpekar are third-year students at Maharashtra National Law University, Nagpur.
[i] Justice K.S. Puttaswamy (Retd) v. Union of India, Writ Petition (C) No. 494/2012.
[ii] Surahi Agarwal, Justice BN Srikrishna to head Committee for data protection framework, THE ECONOMIC TIMES (Aug. 01, 2017, 07:32 PM), https://economictimes.indiatimes.com/news/politics-and-nation/justice-bn-srikrishna-to-head-committee-for-data-protection-framework/articleshow/59866006.cms.
[iii] With 89 Amendments, Data Protection Bill Set to be Passed during Budget Session as JPC Draws Report, NEWS 18 (Jan. 06, 2021, 09:53 PM), https://www.news18.com/news/india/with-89-amendments-data-protection-bill-set-to-be-passed-during-budget-session-as-jpc-draws-report-3254528.html.
[iv] ICANN, Letter to the Joint Parliamentary Committee (Feb. 25, 2020), https://www.icann.org/en/system/files/correspondence/marby-to-joint-parliamentary-committee-25feb20-en.pdf.
[vii] DNSIMPLE, What is the WHOIS Privacy Protection Service ?, https://support.dnsimple.com/articles/what-is-whois-privacy/ (last visited Nov. 1, 2021).
[viii] Robert A. Hillman, Consumer Internet Standard Form Contracts in India: A Proposal, 29 NLSI. Rev. 71, 77 (2017), https://scholarship.law.cornell.edu/cgi/viewcontent.cgi?article=2731&context=facpub.
[ix] Life Insurance Corporation of India & Anr. v. Consumer Education & Research Centre & Ors., 1995 SCC (5) 482.
[x] Bruce Gatton et. al., v. T-Mobile USA Inc., 61 Cal. Rptr. 3d 344 (2007).
[xi] The Personal Data Protection Bill, 2019, §11(2), No. 373, Bills of Parliament, 2019 (India).
[xii] Guidelines on consent under Regulation 2016/679, Article 29 Working Party, §4, Pg. 18, https://ec.europa.eu/newsroom/article29/items/623051.
[xiii] Bruno Lasserre & Andreas Mundt, Competition Law and Big Data: The Enforcers’ View, 1 Ital. Antit. Rev. 87, 93 (2017), https://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Fachartikel/Competition_Law_and_Big_Data_The_enforcers_view.pdf?__blob=publicationFile&v=2.
[xiv] Case No. COMP/M.7337 – IMS Health/ Cegedim Business, Regulation (EC) No. 139/2004, https://ec.europa.eu/competition/mergers/cases/decisions/m7337_20141219_20212_4101276_EN.pdf.
[xv] Aditya Chunduru, CCI Looking Into Data Sharing Agreement In Google-Jio Platforms Deal: Report, MEDIANAMA (Oct. 12, 2020), https://www.medianama.com/2020/10/223-cci-data-sharing-google-jio-platforms-smartphone-market/.
[xvi] Guidelines on Automated individual decision-making and profiling for the purposes of Regulation 2016/679, Article 29 Data Protection Working Party, ¶B.6, Pg. 14, https://ec.europa.eu/newsroom/article29/items/612053/en.
[xvii] The General Data Protection Regulations, 2016, art. 21, No. 679, Acts of European Parliament, 2016 (EU), https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679.
[xviii] Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v. Rīgas pašvaldības SIA ‘Rīgas satiksme’, Case C- 13/16, ¶¶28-29, https://curia.europa.eu/juris/document/document.jsf;jsessionid=71045BC895355831401AC860A028A72A?text=&docid=190322&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=5188148.
[xix] The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, Notification No: 2(10)/2020-CLeS, MEITY, https://www.meity.gov.in/writereaddata/files/Aarogya_Setu_data_access_knowledge_Protocol.pdf.
[xx] Id., §5(b).