Information Technology & Business Process Outsourcing
Right to be Forgotten
The High Court of Karnataka (‘Karnataka HC’) passed an Order, on January 23, 2017 in the case of Vasunathan v. The Registrar General, High Court of Karnataka and Ors., regarding the rule of ‘Right to be forgotten’. In the instant matter, a writ petition was filed before the Karnataka HC seeking masking of the name of the petitioner’s daughter from all court records (including the cause title), which contained details of a previous marriage of the petitioner’s daughter that had been annulled, as well as court records of orders that had been passed in criminal proceedings filed by his daughter’s former husband. The masking was sought to protect her reputation in society and her relationship with her current husband.
The Court held that the Registry will endeavour to ensure that the petitioner’s daughter’s name was not reflected in any internet search in the public domain including any search within the order or in the body of the order apart from the cause title. This would be in line with the trend in many foreign jurisdictions where the principle of ‘Right to be forgotten’ is followed in sensitive cases involving women in general, and cases involving rape or affecting the modesty and reputation of the person concerned. The Court further held that where the website of the Karnataka HC is concerned, no steps need to be taken to anonymize the petitioner’s daughter’s name and accordingly, any certified true copy of the relevant order of the Karnataka HC will reflect the name of the petitioner’s daughter.
 Writ Petition 62038 of 2016 (GM-RES), order dated January 23, 2017
The Personal Data Protection Bill, 2018
In July 2017, the Government of India constituted a committee of experts under the chairmanship of former Justice B. N. Srikrishna (‘Committee’) to: (a) study various issues relating to data protection in India; (b) make suggestions on the principles for data protection in India; and (c) suggest a draft data protection bill.
The Committee invited public comments on the proposed data protection framework. Based on the feedback received, the Committee published a report on July 27, 2018 titled ‘A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’. The Committee also submitted a draft bill titled ‘Personal Data Protection Bill, 2018’ (‘Bill’) to the Government of India.
The Bill, once enacted, is intended to replace the existing data protection framework as contained under Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data of Information) Rules, 2011 (‘SPDI Rules’) framed thereunder.
Key Highlights of the Bill
1. Fiduciary Relationship: The Bill introduces a unique concept of a fiduciary relationship between data subjects (natural persons to whom the personal data relates) and data controllers (persons who determine the purpose and means of processing of personal data) and classifies them as ‘data principals’ and ‘data fiduciaries’ respectively.
2. Jurisdiction and Applicability: The Bill applies to the processing of personal data:
(a) where such data has been collected, disclosed, shared or processed within India;
(b) by the State (which has been given the meaning ascribed to this term under Article 12 of the Constitution of India), any Indian citizens, any Indian company, or any person or body or persons incorporated or created under Indian law; and
(c) by data fiduciaries located outside India in connection with:
i. any business carried out in India; or
ii. any systematic activity of offering goods or services to data principals in India; or
iii. any activity that involves profiling of data principals in India.
3. Extends to public entities: The Bill covers processing of personal data by both public as well as private entities. This is a significant departure from the SPDI Rules, which do not contemplate processing of sensitive personal data or information by the State.
4. Enlarged scope of Sensitive Personal Data: The terms “Sensitive Personal Data or Information” under the SDPI Rules include password, financial data, health data, sexual orientation, medical data and biometric data. The definition of ‘sensitive personal data’ (‘SPD’) under the Bill has been expanded to include Government issued identifiers (which includes Aadhaar number), sex life, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation, etc.
5. Differential Consent Requirements: The Bill proposes a differential approach to processing of personal data as compared to processing of SPD. For the processing of personal data, the consent of the data principal needs to be free, informed, specific, clear and capable of being withdrawn. However, for the processing of SPD, explicit consent of the data principal is required.
6. Data Protection Principles: Some of the key data protection principles envisioned under the Bill include:
(a) Fair and reasonable processing: The Bill seeks to recognize duty owed by persons processing personal data to the data principal for processing their data in a fair and reasonable manner that respects the privacy of such data principal;
(b) Purpose limitation: The Bill expressly recognizes the purpose limitation principle, i.e. personal data should be processed only for the purpose specified by the data fiduciary or for any other incidental purpose reasonably expected by the data principal to be connected to such specified purpose; and
(c) Storage limitation: The Bill requires the data fiduciary to retain personal data of the data principal only as long as may be necessary to satisfy the purpose for which it is processed. Such fiduciaries are proposed to also conduct periodic reviews to determine whether retention of personal data is necessary or not.
7. Data Principal Rights: The Bill expressly recognises certain rights of data principals, such as:
(a) Right to confirmation, which includes the right to receive from the data fiduciary a brief summary of the personal data being processed;
(b) Right to correction, completion and updation of personal data;
(c) Right to receive own personal data, which the data fiduciary has: (i) received directly from such data principal, or (ii) generated while providing goods or services, or (iii) obtained from any third party;
(d) Right of portability of personal data from one data fiduciary to another;
(e) Right to be forgotten (i.e. prevention of continued disclosure of personal data of the data principal), which right may be exercised by filing an application with the concerned officer within the DPA (as defined below); and
(f) Right to receive compensation in case of breach of obligations by the data fiduciary.
8. Cross-Border Data Transfer: The SPDI Rules allow free transferability of personal data including SPD subject to the consent of the data principal being obtained regarding such transfer and the transferee maintaining the same level of protection as maintained by the transferor. However, the Bill proposes certain incremental requirements for cross-border transfer of personal data including SPD, such as:
(a) Such transfer being made in accordance with model contract clauses or intra group schemes approved by the DPA (defined below);
(b) A copy of such personal data being stored by the data fiduciary on a server or data centre located in India; and
(c) ‘Critical personal data’ (which would be a sub-category of personal data, as may be notified by the Government of India) being processed only in a server or data centre located in India.
9. Data Protection Authority of India: The Bill contemplates the establishment of a Data Protection Authority (‘DPA’) which would be responsible for, inter alia, the enforcement and effective implementation of the data protection law, taking action in response to a data security breach, monitoring cross-border transfer of personal data, etc.
10. Privacy by Design & Security Safeguards: The Bill requires the data fiduciary to implement policies & measures to ensure that the technology used in processing personal data is in accordance with commercially accepted or certified standards. They are also required to implement managerial, organizational, business practices & technical systems to anticipate, identify & avoid harm to the data principal. Both, the data fiduciary & the data processor are also required to implement appropriate security standards having regard to the nature of the personal data being processed, including the severity of harm that may result from such processing.
11. Notification of Data Breach Incidents: The Bill also proposes to impose an obligation on data fiduciaries to notify the DPA of personal data breach, where such breach is likely to cause harm to any data principal. The DPA may then determine whether such breach should be reported to the data principal, taking into account the severity of the harm that may be caused to such data principal.
12. Significant Data Fiduciaries: The Bill empowers the DPA to categorise data fiduciaries as ‘significant data fiduciaries’, based on inter alia the volume and sensitivity of personal data processed by and turnover of such data fiduciaries. Such significant data fiduciaries would be required to register themselves with the DPA in order to process personal data. Some of the key obligations of significant data fiduciaries include:
(a) Data audits: The obligation to undergo annual data audit by independent auditors in respect of processing of personal data;
(b) Data protection officer (‘DPO’): The requirement to appoint a DPO (including in case of offshore significant data fiduciaries who would need to appoint a DPO who is based in India); and
(c) Data protection impact assessment (‘DPIA’): Significant data fiduciaries using new technologies of processing data at a large scale would be required to perform DPIA before commencement of data processing.
13. Processing of Personal Data of Children: For data principals below the age of 18 years, the Bill introduces special provisions requiring data fiduciaries to incorporate appropriate mechanisms for age verification and parental consents. Data fiduciaries who provide services directed at children or who process large volumes of personal data of children may be notified by the DPA as guardian data fiduciaries. Such fiduciaries would be, inter alia, barred from profiling, behavioural monitoring and targeted advertising directed at children.
14. Penalties & Offences: Depending upon the nature of contravention by data fiduciaries (such as violation of provisions governing processing of personal data, SPD, personal data of children, etc.), the Bill proposes penalties up to INR 150 million (approx. USD 2.1 million) or 4% of the total worldwide turnover of the preceding financial year of the data fiduciary, whichever is higher. The Bill also proposes imprisonment and/or fine on persons who intentionally, knowingly or recklessly obtain, disclose, transfer or sell personal data or SPD.
The Bill, which has been submitted by the Committee, is currently under consideration by the Ministry of Electronics and Information Technology and other relevant Government stakeholders, before it gets tabled with the Houses of the Parliament.
Further, specific sectoral laws and guidelines would need to be aligned with the data protection laws, such that the data protection law sets the baseline for processing of personal data and any sector specific law will be able to cover specific concerns over and above these requirements. In case of conflict, it is proposed that the data protection law will prevail.
Until the Bill is finally passed by the Parliament, receives Presidential assent and is notified in accordance with the provisions thereof, the present regulatory framework under the Information Technology Act, 2000 and the SDPI Rules will continue to govern the collection, storage and processing of personal data and SPD or information.
CCI Dismisses Allegations of Abuse of Dominance Against a Trading and Distribution Company of Mobile Handsets
On October 4, 2018, CCI dismissed allegations of abuse of dominance against Fangs Technology Private Limited (‘OP 1’) and Vivo Communication Technology Company (‘OP 2’) with respect to certain clauses in a VIVO Distributorship Agreement (‘Agreement’) entered into by the OP 1 with its distributors.
The distributors are members of Tamil Nadu Consumer Products Distributors Association (‘Informant’) which is registered under the Tamil Nadu Society Registration Act, 1975. The Informant pointed out several concerns with regards to the clauses of the Agreement, inter alia that the conditions imposed were unfair and unreasonable for the distributors, resulting in foreclosure of competition by creating barriers to new entrants. The Informant also alleged that the Agreement prohibited the distributors from doing business in Oppo and Honor brand of mobile phones. Thus, the Informant alleged that the conduct of the OPs was in violation of Section 3 (4) and Section 4 of the Act.
While assessing the allegations of abuse of dominance, CCI defined the relevant market as ‘market for smartphones in India’. Placing reliance on the GFK Report (‘Report’), prepared by GfK SE (Germany’s largest market research institute) for the year 2017-18, it was observed that the market for smartphones in India is highly competitive with several players. Moreover, the Report indicated that the brand share of Vivo in the Indian market declined from 14.4% to 12.1% during this period. Additionally, CCI observed that other competitors in the market such as Samsung and Xiaomi held close to 33% and 16.6% respectively. As a result, CCI opined that OP 1 is not dominant in the relevant market. In the absence of dominance, no case can be made against OP 1 in violation of Section 4 of the Act.
With regard to the allegation of resale price maintenance (‘RPM’) under provisions of Section 3(4) of the Act, CCI observed that the Informant had not submitted any evidence to prove that OP 1 has imposed RPM on the Informant. CCI also observed that there exists high inter-brand competition in the smartphone market in India. On this basis, CCI held that OP 1 does not have the significant market power required to impose anti-competitive vertical restrictions. In addition, CCI opined that the restriction imposed by the Agreement on doing business with Oppo and Honor was justified on the ground that it was to avoid leakage of intellectual property of Vivo. CCI also justified some of the other contentious clauses of the Agreement as being reasonable restrictions imposed by OP 1. Therefore, CCI ordered the matter to be closed under Section 26(2) of the Act.
 Case No. 15 of 2018 (Order dated October 4, 2018)
CCI Approves Acquisition of Intelnet BPO Holdings Private Limited by Dutch Contact Centres B.V
On August 08, 2018, CCI approved the proposed acquisition of 100% of equity shares of Intelenet BPO Holdings Private Limited and Intelenet Global Services Private Limited (collectively, ‘Targets’) by Dutch Contact Centres B.V (‘DCC’/’Acquirer’). The proposed acquisition contemplates acquisition of shares in the Targets, both directly and indirectly, i.e. through the Acquirer’s wholly owned subsidiary, Teleperformance Services India Private Limited. The Acquirer will also acquire group debentures and group loans of the Targets.
The Acquirer is engaged in the business of providing information technology and information technology enabled services, particularly, business process outsourcing (‘BPO’) services. The Targets are also engaged in the same business.
CCI identified overlaps in the market for provision of (a) information technology and information technology enabled services; and (b) BPO services. However, as the market shares of the parties were insignificant in both markets, the relevant market was left open. CCI concluded that the proposed combination will not result in an AAEC and thus, approved the transaction.
CCI Approves Acquisition of Alight HR Services India Private Limited by Wipro Limited
On August 3, 2018, CCI approved the proposed acquisition by Wipro Limited (‘Wipro’/ ‘Acquirer’) of Alight HR Services India Private Limited (‘Alight’/ ‘Target’).
Wipro operates in the Information Technology – Business Process Management (‘IT- BPM’) industry and provides: (a) Information Technology (‘IT’) products; (b) IT services; (c) Business Project Management (‘BPM’); and (d) E-commerce. Further, Wipro’s IT services include IT and IT enabled services such as digital strategy advisory, customer centric design, technology consulting. Alight, on the other hand, provides only BPM services to its overseas group entities and cloud deployment services.
CCI observed that as the market dynamics were unlikely to change further to the proposed combination, it is unlikely to result in an AAEC. The proposed combination was accordingly approved.
Information Technology (Amendment) Bill, 2018
The Ministry of Electronics and Information Technology has sought to amend the Information Technology Act, 2000 (‘IT Act’) by way of the Information Technology (Amendment) Bill, 2018 (‘IT Bill’), which is expected to be introduced in the Parliament shortly. The IT Bill has been prepared in response to certain recent online phenomena such as the Blue Whale Challenge which induced several individuals (primarily children) in India and across the world to commit self-harm. It is sought to be introduced on the grounds that there exist several online games which involve violence and therefore have an undesirable effect on players and that much of the material available online denigrates the cultural values of India. The IT Bill seeks to introduce the following new provisions in the IT Act:
(i) Publishing or transmitting any material repugnant to cultural ethos: Section 67BA is sought to be introduced which will penalise any person who publishes or transmits or causes to be published or transmitted in the electronic form, any material which ‘is repugnant to well established cultural ethos’. While the IT Bill does not define ‘cultural ethos’, it does provide that any material shall not be deemed to be against cultural ethos merely because it goes against or contradicts an established practice or custom.
(ii) Hosting of dangerous online games: Section 67BB is sought to be introduced which will penalise hosting any online gaming resource which induces users to commit: (a) dangerous acts harmful to themselves or others; (b) acts with cause injury to themselves or others; and (c) any illegal acts. Further, Section 79B is sought to be introduced which requires anyone that hosts online gaming resources or produces any storage media containing gaming resources to be sold offline, to ensure that: (i) the game resource is categorised for use by appropriate age groups on the basis of content of the game; and (ii) the game contains a mechanism that warns users against the repetition in real life of the dangerous acts depicted in the game (if any).
CCI Orders Investigation for Abuse of Dominance Allegations against Intel Corporation
On November 9, 2018, CCI dismissed the information filed by Velankani Electronics Private Limited (‘VEPL’) against Intel Corporation (‘Intel’). The information alleged contravention of the provisions of Section 4 of the Act. Intel is in the business of designing, manufacturing and distribution of a wide range of IT components, peripherals, computer systems, etc. Intel is also in the business of designing, manufacturing and distribution of electronic devices related to communications and computing such as processors, chipsets, mother-board/ server-board, integrated circuits, network interface controllers, flash memory, etc. VEPL manufactures ‘servers’, a type of computer designed to process requests and deliver data to another computer over the internet or a local network. Servers have various sub-assemblies which are not manufactured by VEPL but assembled after purchase from the market. VEPL had entered into a Manufacturing Enablement Agreement with Intel to enable itself to manufacture server-boards based on Intel’s designs, in exchange for a license fee.
VEPL submitted that Intel has a market share of more than 80% and most consumers of servers treat and accept Intel’s processors as the industry standard, preferring it over other micro-processor manufacturers. Therefore, VEPL was completely dependent on Intel for procuring processors for its servers and in its information has alleged refusal on Intel’s part in providing the reference design files required to manufacture server-boards. VEPL has also submitted that these reference design files are provided by Intel to VEPL’s competitors in the server market like Dell, HPE, etc. (‘ODMs/OEMs’). The reason given by Intel for not providing the required reference designs to VEPL is that VEPL does not have ‘sufficient technical and sales scope and expertise’.
CCI determined the relevant market to be the market for ‘processors for servers in India’. CCI concluded that Intel is in a dominant position in the relevant market having more than 90% share globally and at least 80% market share in India. CCI also relied on its previous decision in ESYS Information Technologies Private Limited v Intel Corporation where Intel was considered dominant in the market for micro-processors for servers in India. According to CCI, Intel:
(i) was unable to provide a reasonable explanation for not allowing VEPL access to reference design files in order to develop processors when it has provided them to other ODMs/OEMs (discriminatory treatment);
(ii) had denied market access to VEPL in contravention of Section 4 (2)(c) of the Act;
(iii) had limited and restricted the production of servers and the market and has also limited the technical/ scientific development relating to servers in the market, in violation of Section 4 (2)(b) of the Act.
Consequently, without going into Intel’s intent for alleged contravention of the provisions of the Act, CCI directed the Director General to ascertain whether Intel has abused its dominant position in the relevant market.
 Case No. 16 of 2018.
 Case No. 48 of 2011.