
Camel back rider of UAE

The UAE may be one of the most developed and by far the most stable states in the Middle East. Indeed, it has invested substantially in its overall stability and infrastructure, thus ensuring a relatively desirable business environment. Along with raising endless cities and amazing wonders in terms of almost everything, its oil economy has brought endless prosperity to its citizens. However, there is perhaps an undesirable and rather expensive cost associated with this development.


The leftist media bias!

https://www.prageru.com/courses/political-science/what-fake-news

This video gets into the particulars of fake news and explains the basics of a method to analyse fake news. Interestingly, it specifically targets left-inclined media and talks from a right-biased perspective. While we are least interested in the ideological inclination of multi-billion dollar US media groups, what really interests us is the method and the three-pillar test to determine fake news!

Regulating online advertising

Online advertising could easily be the biggest industry in terms of advertising volume. As per data retrieved from PwC, the internet advertising industry stands at approximately $200 billion in 2017-18 and is likely to grow at a rate of 10.8% over the coming years, with Asia-Pacific leading the growth and the United States still being the largest market in 2021. This industry is a direct outcome of the internet revolution and the numerous opportunities it has to offer. The online advertising industry in particular has moved over the years from a publisher-centric approach to a network-centric approach and ultimately to a data-centric model. This new data-centric model is also referred to as Online Behavioural Advertising (hereinafter called OBA). OBA is based on reconstructing an individual’s or a group’s behavioural profile from multiple variables such as their location, search queries, friends, online shares and past behaviour. In technological terms it involves the use of cookies, flash cookies, browser fingerprinting, mobile device variables, deep packet inspection and history sniffing. The outcome of this process is then linked to advertising, and only relevant advertisements are shown to users, thus increasing the probability of achieving the intended goal of advertising.

From the perspective of societal values and accepted norms, OBA poses a grave challenge to the privacy of users. As a matter of fact, the privacy debate is at the heart of all proposals to regulate the online advertising industry. The proponents of OBA argue that it is an efficient form of advertising, as users are served only the advertisements that serve their needs and are in accordance with their interests. This saves time and valuable money on advertising, thus freeing resources for generating free content. In addition, they argue that it is a consent game: users trade off their privacy for subsidised or free content. This, the proponents argue, is the best method for subsidising the online experience for users. On the other hand, opponents of free and unregulated OBA argue that it violates an individual’s privacy. They also believe that the mixing of content and advertising results in a bubble effect, which subsequently results in ill-informed users and thus a polarised society. Thus, at a very rudimentary level, it is a cost-benefit debate between the cost of OBA and the benefits to be reaped from it. From the perspective of regulating the industry, this seems to be the question of whether the industry has to be regulated at all. If it is to be regulated, the important question is to what extent.

In this essay I analyse the above stream of arguments and their effectiveness in terms of their adoption in the popular jurisprudence of various jurisdictions. For the purpose of this essay, I will be looking at the European Union, the United States and India. This is done with the objective of reaching a conclusion about the exact nature of the current regulatory regime.

The origin of this debate lies at different levels in different jurisdictions. The European Union has been at the forefront of imposing regulations with respect to privacy protection over the internet. It began with the Data Protection Directive adopted in 1995. This was subsequently followed by multiple amendments to the main document; however, there was no major change. It was with the General Data Protection Regulation issued in 2016 that data protection for all individuals was strengthened. This regulation broadened the definition of private data and created an integrated framework for the regulation of private data. In addition, it created the concept of the Privacy Shield for data of EU citizens that is to be transferred to other jurisdictions, particularly the United States. In terms of OBA, it prescribes that the advertiser has to take the explicit consent of the user. Earlier, the consent was only implicit, with an opt-out option. In terms of cost-benefit analysis, there is substantial research suggesting that an opt-in mechanism makes it much more difficult for advertisers to obtain consent from users. As a matter of fact, there are initial figures indicating inefficient trends in overall OBA in the EU. However, it seems that the European Parliament is much more inclined to protect the identity of its citizens than to secure the interests of OBA firms. It is also interesting to note that EU laws make no mention of the polarisation and bubble implications of content mixed with targeted advertising.

In the US, privacy-related risks were raised on multiple occasions by the Federal Trade Commission (hereinafter called FTC). In the initial days of online advertising the FTC declared that user protection was its major goal. In 1999 the FTC conducted its first workshop on online profiling and subsequently presented a report on it to Congress in 2000. Subsequent to this there were multiple attempts by the FTC to regulate the OBA industry. However, due to efforts by the advertising lobby, attempts to regulate the industry remained unsuccessful. The best that could be achieved was a self-regulating mechanism imposed upon itself by the industry. Currently there is no legal framework to regulate OBA in the United States except for some self-imposed guidelines that, as per the FTC report of 2010, are seldom followed. In addition, there is an absence of any formal enforcement mechanism. However, self-imposed regulations and FTC guidelines prescribe informing users about their private data being used by the website and giving them an opt-out option. In the context of our primary debate, it seems that the OBA industry has been able to successfully secure its interests in the US, and jurisprudence is leaning towards a consent-based privacy violation regime. In addition, in the USA too we find no reference to the polarisation of society and the bubble effect.

In the Indian context the privacy debate is still immature. Privacy and online advertising are at best covered under the Information Technology Act. Section 43A of the Information Technology (Amendment) Act, 2008 defines civil liability for the release of private information in a manner that causes harm to the user or holder of such information. In addition, personal information is defined under the Information Technology Rules, 2011. However, this does not bar personal information from being used for OBA. It merely prescribes punishment for wrongful usage of personally identifiable information. Thus, in the Indian context, the debate is premature. While jurisprudence shows signs of leaning towards a privacy-security model, there are no signs of any form of regulation of OBA firms.

Notice, choice/consent, integrity, access and redress seem to be the five fair data concepts at the forefront for privacy advocates. On the other hand, the OBA lobby still focuses on efficiency and the contractual arrangement between users and subsidised online content. The idea of the bubble effect and polarisation still seems to be at a nascent stage and has not been relevant in the larger debate. Various debates and laws indicate a general tone of acceptance of important privacy norms and regulation of OBA, but to what extent is unclear. It seems that a concrete jurisprudential outcome will only be achieved after a grandiose tussle between OBA firms and privacy rights advocates.


Report on AUA seeking entity authentication process

Contents

Executive summary

Introduction

Laws and regulations applicable

Process of compliance and other qualifications

Manner of capture of biometric information by requesting entity as per regulation 7 of the Authentication Regulations

Standard of devices, client applications, etc. used in authentication under regulation 14 of the Authentication Regulations

Compliances under regulation 14 of the Authentication Regulations

Compliance under regulation 17 of the Authentication Regulations

Audit of requesting entity or ASAs under regulation 21 of the Authentication Regulations

Data security norms to be followed by requesting entities and ASAs as per regulation 22 of the Authentication Regulations

Audit and inspection under regulation 6 of the DS Regulations

Implications of non-compliance

Cost of using authentication services

Method of implementation (technical aspects)

Conclusion and recommendations

Annexure I

Appendix II

Reference

Introduction

The Aadhaar project aims at issuing a unique number to every individual residing in India. To this end, Aadhaar is a 12-digit unique identity number issued by the Unique Identification Authority of India (hereinafter called UIDAI), a statutory authority established on July 12, 2016 by the Government of India under the Ministry of Electronics and Information Technology, as per the provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (hereinafter called the Aadhaar Act). Prior to the enactment of the Aadhaar Act, UIDAI functioned as an attached office of the Planning Commission. Post-enactment, UIDAI became a statutory authority via a money bill introduced in Parliament to give it legislative backing. In terms of the legal validity of the project, a constitutional bench of the Supreme Court of India comprising nine judges is deliberating upon the issue. This bench was created in response to the decisions in the cases of Kharak Singh and M.P. Sharma, which were decided by six-judge and eight-judge benches in 1960 and 1950 respectively and which ruled that the right to privacy is not a fundamental right. The validity of the project will largely depend on the decision of the Supreme Court of India in this case.

In terms of the objective of the project, UIDAI seems to be directing its efforts at issuing unique identification numbers along with the biometric details of the concerned individual, and simultaneously developing an ecosystem of integrated services, programmes and internet-based applications. The Authority collects data at its data centre at Industrial Model Township, Manesar, Haryana. This large data set forms the basis for the usability of the ecosystem developed around the Aadhaar number. It forms the basis of distribution, authentication and other forms of public and private services offered within the system.

In terms of legal rights and obligations, as per the notification dated December 16, 2010, the Government of India recognises the letter issued by the Unique Identification Authority of India (UIDAI) containing details of name, address and Aadhaar number as an officially valid document. The letter reads that Aadhaar neither aims to replace any existing identity cards nor is it a cognizance of citizenship. It neither confers citizenship nor guarantees rights, benefits or entitlements. Aadhaar is a random number which never starts with 0 or 1, and no profiling or intelligence is loaded into the identity number, which makes it insusceptible to fraud and theft and provides privacy in that respect.

In terms of services that require the use of Aadhaar for authentication, the above-mentioned letter was limited to providing that Aadhaar would also qualify as a valid ID while availing various government services, like an LPG connection, subsidised ration or kerosene from the PDS, benefits under NSAP or pension schemes, e-sign, digital locker, Universal Account Number (UAN) under EPFO, and some other services, like a SIM card or opening a bank account. This aspect pertaining to the nature of Aadhaar has been contentious. Various cases have been filed in the Supreme Court of India challenging the mandatory requirement of Aadhaar for availing certain government subsidies and services. On 23 September 2013, the Supreme Court issued an interim order saying that “no person should suffer for not getting Aadhaar”, as the government cannot deny a service to a resident if s/he does not possess Aadhaar, it being voluntary and not mandatory. In another interim order on August 11, 2015, the Supreme Court of India ruled that “UIDAI/Aadhaar will not be used for any other purposes except PDS, kerosene and LPG distribution system” (which order was later amended to include the Mahatma Gandhi National Rural Employment Guarantee Scheme, all types of pension schemes, the employee provident fund and the Prime Minister Jan Dhan Yojana), and made it clear that even for availing these facilities the Aadhaar card will not be mandatory. On March 27, 2017, the Supreme Court affirmed that Aadhaar cannot be mandatory for availing benefits under welfare schemes, though it can be mandatory for other purposes (such as income tax filings, bank accounts, etc.). On June 9, 2017, the Supreme Court of India partially read down a legal provision (Section 139AA of the Income Tax Act) which mandated that an individual link their Aadhaar for filing their income tax returns.

The Aadhaar Act has further increased the scope and nature of services that may be offered within the Aadhaar ecosystem. Clause 7 states that the central or state government may require a person to possess an Aadhaar number if he/she is receiving a subsidy. If they do not possess an Aadhaar number, they will be required to apply for one; in the meantime the government will provide them the subsidy using an alternate means of identification. According to Clause 8, UIDAI may perform verification of Aadhaar for other private and public agencies on request in exchange for a fee. The requesting entity must obtain the consent of the Aadhaar holder for verification and inform him/her of the nature of the information that will be shared upon verification. Clause 8(4) states that UIDAI may share identity information, but it cannot share biometric information.

It is in light of the introductions made by the Aadhaar Act that private agencies were granted a gateway for access to authentication through the Aadhaar database. It is to be noted that this does not refer to access to the information of individuals. It merely refers to access to the authentication service, without any access to the private data of the individuals enrolled under the Aadhaar scheme. This service of authentication of identity offered to private agencies in turn requires multiple compliances, the basis for which can be found under the Aadhaar Act, the rules and regulations made thereunder, the Information Technology Act, 2000 and the Information Technology (Amendment) Act, 2006. It is this requirement of compliances for private agencies, and the legal basis of the same, that forms the foundation of this report.

Subsequent sections of the report lay down the laws applicable to private agencies that seek to make use of the authentication platform provided by UIDAI. They also lay down the procedure to be followed for compliance in terms of compliance forms and other physical, human resource and cyber compliances. In addition, these sections look at the implications of non-compliance, the overall cost of availing authentication services, the method of implementation in terms of cyber infrastructure, and lastly some recommendations with respect to the overall procedure.

Laws and regulations applicable

Section 2(c) of the Aadhaar Act defines authentication to mean, “the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it.” In addition to this, section 2(u) defines requesting entity as, “an agency or person that submits the Aadhaar number, and demographic information or biometric information, of an individual to the Central Identities Data Repository for authentication.”

Chapter III of the Aadhaar act specifically deals with the issue of authentication. It reads as follows:

Section 7: The Central Government or, as the case may be, the State Government may, for the purpose of establishing identity of an individual as a condition for receipt of a subsidy, benefit or service for which the expenditure is incurred from, or the receipt therefrom forms part of, the Consolidated Fund of India, require that such individual undergo authentication, or furnish proof of possession of Aadhaar number or in the case of an individual to whom no Aadhaar number has been assigned, such individual makes an application for enrolment: Provided that if an Aadhaar number is not assigned to an individual, the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service.

Section 8: (1) The Authority shall perform authentication of the Aadhaar number of an Aadhaar number holder submitted by any requesting entity, in relation to his biometric information or demographic information, subject to such conditions and on payment of such fees and in such manner as may be specified by regulations. (2) A requesting entity shall— (a) unless otherwise provided in this Act, obtain the consent of an individual before collecting his identity information for the purposes of authentication in such manner as may be specified by regulations; and (b) ensure that the identity information of an individual is only used for submission to the Central Identities Data Repository for authentication. (3) A requesting entity shall inform, in such manner as may be specified by regulations, the individual submitting his identity information for authentication, the following details with respect to authentication, namely:— (a) the nature of information that may be shared upon authentication; (b) the uses to which the information received during authentication may be put by the requesting entity; and (c) alternatives to submission of identity information to the requesting entity. (4) The Authority shall respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information excluding any core biometric information.

Section 9: The Aadhaar number or the authentication thereof shall not, by itself, confer any right of, or be proof of, citizenship or domicile in respect of an Aadhaar number holder.

Section 10: The Authority may engage one or more entities to establish and maintain the Central Identities Data Repository and to perform any other functions as may be specified by regulations.

Section 23 of the Aadhaar Act empowers UIDAI to develop policy, procedure and systems to perform authentication as prescribed under the Act. Sub-section 2 of this section also prescribes that the powers and functions of the Authority include performing authentication of Aadhaar numbers. Sub-section 3 of the same section also empowers UIDAI to “enter into Memorandum of Understanding or agreement, as the case may be, with the Central Government or State Governments or Union territories or other agencies for the purpose of performing any of the functions in relation to collecting, storing, securing or processing of information or delivery of Aadhaar numbers to individuals or performing authentication.” In addition to that, the Authority may also “by notification, appoint such number of Registrars, engage and authorise such agencies to collect, store, secure, process information or do authentication or perform such other functions in relation thereto, as may be necessary for the purposes of this Act.”

Section 28 of the Aadhaar Act prescribes maintaining the privacy and ensuring the security of authentication records. In addition, section 29 prevents the sharing of core biometric information, collected for the purpose of authentication, for whatever reason. It also says that the use of biometric information or any other information collected for the purpose of authentication, for any purpose other than authentication, is prohibited. Further, this section states that all sharing and collection of information is to happen in the manner prescribed by regulations made by UIDAI under the provisions of the Aadhaar Act. In case these provisions are not followed, section 37 prescribes punishment and states that, “whoever, intentionally discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication to any person not authorised under this Act or regulations made thereunder or in contravention of any agreement or arrangement entered into pursuant to the provisions of this Act, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees or with both.”

Lastly, section 58 of the Aadhaar Act empowers UIDAI to make regulations by notification, consistent with the Act and the rules made thereunder, for carrying out the provisions of the Act. Clause (f) under sub-section 2 of this section empowers UIDAI to make regulations with respect to authentication of the Aadhaar number under section 8, and clause (w) under the same sub-section empowers the Authority to make regulations with respect to the manner and time for maintaining the request for authentication and the response thereon under sub-section (1), and the manner of obtaining, by the Aadhaar number holder, the authentication records under sub-section (2) of section 32.

In exercise of the powers conferred by sub-section (1), and sub-clauses (f) and (w) of sub-section (2), of section 54 of the Aadhaar Act, 2016, UIDAI, by notification No. 13012/64/2016/Legal/UIDAI (No. 3 of 2016) dated September 12, 2016, made the Aadhaar (Authentication) Regulations, 2016 (hereinafter called the Authentication Regulations). These regulations form the basis of the procedure to be adopted for allowing the use of authentication services by private entities. A comprehensive analysis of these regulations is as follows:

Section Number

Description

Comment

2

It is the definition section and defines authentication, Authentication Service Agency, Authentication user Agency etc.

Definitions are comprehensive and some of it is borrowed from the Aadhaar Act.

3

States that there are two types of authentication facilities.

  1. Yes/No authentication facility
  2. e-KYC authentication facility

4

It further elaborates on types of authentication and prescribes various types of authentication models. These include:

  1. Demographic authentication
  2. One-time pin based authentication
  3. Biometric-based authentication
  4. Multi-factor authentication

It also states that e-KYC authentication shall only be carried out using OTP and/ or biometric authentication.

A requesting entity may choose suitable mode(s) of authentication.

5

Imposes onus on requesting entity to inform the Aadhaar number holder of:

  1. Nature of information to be shared with UIDAI
  2. Use to which this information will be put
  3. alternatives

Ensures that proper consent of the Aadhaar number holder is taken.

6

Record of consent obtain has to be maintained

7

Describes process with respect to Capturing of biometric information by requesting entity. It prescribes that biometric information shall only be captured by certified biometric devices, and biometric data should be encrypted and secured at the time of capture.

Secures the process of capturing data to prevent leakage etc.

8

It states that, all devices and equipment used for authentication and the client applications i.e. software used by requesting entity for the purpose of authentication, shall conform to the standard APIs and specifications laid down by the Authority from time to time for this purpose.

Compliance provision.

9

This regulation defines Process of sending authentication requests. Process is as follows:

  1. After collecting the required information the client application shall immediately package and encrypt these input parameters into PID block before any transmission, as per the specifications laid down by the Authority, and shall send it to server of the requesting entity using secure protocols as may be laid down by the Authority for this purpose.
  2. After verification, server of a requesting entity shall pass the authentication request to the CIDR, through the server of the Authentication Service Agency as per the specifications laid down by the Authority. The authentication request shall be digitally signed by the requesting entity and/or by the Authentication Service Agency, as per the mutual agreement between them.
  3. After due process UIDAI shall return a digitally signed Yes or No authentication response, or a digitally signed e-KYC authentication response with encrypted e-KYC data.
  4. Requesting entity shall ensure that encryption of PID Block takes place at the time of capture on the authentication device.

Lays down particulars of the process of authentication and safeguards to be undertaken for the same. It is to be noted that many of these safeguards are defined in the contract between the authority and the concerned private entity. 

12

This regulation provides for Appointment of Requesting Entities and Authentication Service Agencies. Particulars of the same are as follows:

  1. Requesting entities can be the ones that fulfil the criteria laid down in Schedule A. (See appendix I)
  2. Authentication Service Agencies can be the ones that fulfil the criteria laid down in Schedule B. (See appendix II)
  3. Once the application is approved, UIDAI may enter into appropriate agreements with the entity or agency incorporating the terms and conditions for use by requesting entities of the Authority’s authentication facility, or provision of services by ASAs, including damages and disincentives for non-performance of obligations.

Prescribes qualifications and procedure in order to seek appointment as Requesting Entities and Authentication Service Agencies.

13

In case application is rejected, applicant can file for reconsideration.

14

Functions, obligations, roles and responsibilities of requesting entities are as follows:

  1. establish and maintain necessary authentication related operations, including own systems, processes, infrastructure, technology, security, etc., which may be necessary for performing authentication;
  2. establish network connectivity with the CIDR, through an ASA duly approved by the Authority, for sending authentication requests;
  3. ensure that the network connectivity between authentication devices and the CIDR, used for sending authentication requests is in compliance with the standards and specifications laid down by the Authority for this purpose;
  4. employ only those devices, equipment, or software, which are duly registered with or approved or certified by the Authority;
  5. ensure that persons employed by it for performing authentication functions, and for maintaining necessary systems, infrastructure and processes, possess requisite qualifications for undertaking such works;
  6. keep the Authority informed of the ASAs with whom it has entered into agreements;
  7. ensure that its operations and systems are audited by information systems auditor certified by a recognised body on an annual basis to ensure compliance with the Authority’s standards and specifications and the audit report should be shared with the Authority upon request;
  8. in the event the requesting entity seeks to integrate its Aadhaar authentication system with its local authentication system, such integration shall be carried out in compliance with standards and specifications issued by the Authority from time to time;
  9. shall be responsible for the authentication operations and results, even if it sub-contracts parts of its operations to third parties. The requesting entity is also responsible for ensuring that the authentication related operations of such third party entities comply with Authority standards and specifications and that they are regularly audited by approved independent audit agencies;

Lists down important compliances for a requesting entity.

15 & 16

Use of yes/no authentication facility and Use of e-KYC authentication facility respectively. AUA seeking further licensing of key shall ensure that licensed entity shall not further share the license key with any other person or entity for any purpose, and shall comply with all obligations relating to personal information of the Aadhaar number holder, data security and other relevant responsibilities that are applicable to requesting entities.

17

Defines obligations relating to use of identity information by requesting entity.

18

All requesting entities must maintain logs of transactions they have processed.

21

Audit of requesting entities and ASAs. Such audit may be undertaken by UIDAI or any other authority designated by it.

The audit is undertaken to determine whether the other regulations are being properly implemented.

22

Prescribes data security norms to be followed by requesting entities and Authentication Service Agency.

25

Where a requesting entity or an ASA appointed under the Act:

  1. fails to comply with any of the processes, procedures, standards, specifications or directions issued by the Authority, from time to time;
  2. is in breach of its obligations under the Act and these regulations;
  3. uses the Aadhaar authentication facilities for any purpose other than those specified in the application for appointment as requesting entity or ASA,
  4. fails to furnish any information required by the Authority for the purpose of these regulations; or
  5. fails to cooperate in any inspection or investigation or enquiry or audit conducted by the Authority

the UIDAI may take action against such requesting entity or ASA.

The prescribed consequence is termination of the appointment and further action under the Aadhaar act.

In addition, UIDAI has notified the Aadhaar (Data Security) Regulations, 2016 (hereinafter called DS regulations) on September 12, 2016. These regulations lay down the data security standards to be followed by the Authority and by the overall Aadhaar-based ecosystem. Regulation 3 provides for the measures to be taken to ensure information security and empowers the Authority to specify an information security policy. Regulation 5 provides that all agencies, consultants, advisors and other service providers engaged by the Authority for discharging any function relating to its processes shall ensure compliance with the information security policy specified by the UIDAI. Lastly, regulation 6 provides for audit and inspection of service providers.

Further, UIDAI has notified the Aadhaar (Sharing of Information) Regulations, 2016 (hereinafter called SoI regulations) on September 12, 2016. Regulation 4 controls the sharing of information by a requesting entity: it bars the sharing of biometric information of the Aadhaar number holder, limits the purposes for which identity information may be used, and permits further sharing of such information only with the consent of the Aadhaar number holder. In addition, any contravention of regulations 3, 4, 5 and 6 of these regulations constitutes a violation of sub-section (2) of Section 29 of the Aadhaar Act.

Process of compliance and other qualifications

There are a number of compliances to be adhered to under various legal provisions. This section of the report lists the compliance requirements and the other qualifications that a requesting entity (Authentication User Agency (AUA)) has to fulfil. Failure to fulfil them may attract the liability comprehensively laid down in the next section.

It is to be noted that a requesting entity has to fulfil the criteria mentioned under Schedule A (refer to Appendix I) to be eligible for appointment as a requesting entity.

Manner of capture of biometric information by requesting entity as per regulation 7 of the Authentication Regulations

  1. A requesting entity shall capture the biometric information of the Aadhaar number holder using certified biometric devices as per the processes and specifications laid down by the Authority. 
  2. A requesting entity shall necessarily encrypt and secure the biometric data at the time of capture as per the specifications laid down by the Authority. 
  3. For optimum results in capturing of biometric information, a requesting entity shall adopt the processes as may be specified by the Authority from time to time for this purpose.

Standard of Devices, client applications, etc. used in authentication under regulation 14 of the Authentication Regulations

  1. All devices and equipment used for authentication shall be certified as required and as per the specifications issued, by the Authority from time to time for this purpose. 
  2. The client applications i.e. software used by requesting entity for the purpose of authentication, shall conform to the standard APIs and specifications laid down by the Authority from time to time for this purpose.

Compliances under regulation 14 of the Authentication Regulations

  1. Establish and maintain necessary authentication related operations, including own systems, processes, infrastructure, technology, security, etc., which may be necessary for performing authentication;
  2. establish network connectivity with the CIDR, through an ASA duly approved by the Authority, for sending authentication requests;
  3. ensure that the network connectivity between authentication devices and the CIDR, used for sending authentication requests is in compliance with the standards and specifications laid down by the Authority for this purpose;
  4. employ only those devices, equipment, or software, which are duly registered with or approved or certified by the Authority or agency specified by the Authority for this purpose as necessary, and are in accordance with the standards and specifications laid down by the Authority for this purpose;
  5. monitor the operations of its devices and equipment, on a periodic basis, for compliance with the terms and conditions, standards, directions, and specifications, issued and communicated by the Authority, in this regard, from time to time;
  6. ensure that persons employed by it for performing authentication functions, and for maintaining necessary systems, infrastructure and processes, possess requisite qualifications for undertaking such works;
  7. keep the Authority informed of the ASAs with whom it has entered into agreements;
  8. ensure that its operations and systems are audited by information systems auditor certified by a recognised body on an annual basis to ensure compliance with the Authority’s standards and specifications and the audit report should be shared with the Authority upon request;
  9. implement exception-handling mechanisms and back-up identity authentication mechanisms to ensure seamless provision of authentication services to Aadhaar number holders;
  10. in case of any investigation involving authentication related fraud(s) or dispute(s), it shall extend full cooperation to the Authority, or any agency appointed or authorised by it or any other authorised investigation agency, including, but not limited to, providing access to their premises, records, personnel and any other relevant resources or information;
  11. in the event the requesting entity seeks to integrate its Aadhaar authentication system with its local authentication system, such integration shall be carried out in compliance with standards and specifications issued by the Authority from time to time;
  12. shall inform the Authority of any misuse of any information or systems related to the Aadhaar framework or any compromise of Aadhaar related information or systems within their network. If the requesting entity is a victim of fraud or identifies a fraud pattern through its fraud analytics system related to Aadhaar authentication, it shall share all necessary details of the fraud with the Authority;
  13. shall be responsible for the authentication operations and results, even if it sub-contracts parts of its operations to third parties. The requesting entity is also responsible for ensuring that the authentication related operations of such third party entities comply with Authority standards and specifications and that they are regularly audited by approved independent audit agencies;
  14. may agree upon the authentication charges for providing authentication services to its customer, with such customer, and the Authority shall have no say in this respect, for the time being; however, the Authority’s right to prescribe a different mechanism in this respect in the future shall be deemed to have been reserved;
  15. shall, at all times, comply with any contractual terms and all rules, regulations, policies, manuals, procedures, specifications, standards, and directions issued by the Authority, for the purposes of using the authentication facilities provided by the Authority.

Compliance under regulation 17 of the authentication regulations

Obligations relating to use of identity information by requesting entity are as follows:

  1. the core biometric information collected from the Aadhaar number holder is not stored, shared or published for any purpose whatsoever, and no copy of the core biometric information is retained with it;
  2. the core biometric information collected is not transmitted over a network without creation of an encrypted PID block, which can then be transmitted in accordance with specifications and processes laid down by the Authority;
  3. the encrypted PID block is not stored, unless it is for buffered authentication where it may be held temporarily on the authentication device for a short period of time, and that the same is deleted after transmission;
  4. identity information received during authentication is only used for the purpose specified to the Aadhaar number holder at the time of authentication, and shall not be disclosed further, except with the prior consent of the Aadhaar number holder to whom such information relates;
  5. the identity information of the Aadhaar number holders collected during authentication and any other information generated during the authentication process is kept confidential, secure and protected against access, use and disclosure not permitted under the Act and its regulations;
  6. the private key used for digitally signing the authentication request and the license keys are kept secure and access controlled; and
  7. all relevant laws and regulations in relation to data storage and data protection relating to the Aadhaar based identity information in their systems, that of their agents (if applicable) and with authentication devices, are complied with.

Audit of requesting entity or ASAs under regulation 21 of Authentication Regulations

  1. UIDAI may undertake audit of the operations, infrastructure, systems and procedures, of requesting entities, including the agencies or entities with whom they have shared a license key or the entities on whose behalf they have performed authentication, and Authentication Service Agencies, either by itself or through audit agencies appointed by it, to ensure that such entities are acting in compliance with the Act, rules, regulations, policies, procedures, guidelines issued by the Authority.
  2. The Authority may conduct audits of the operations and systems of the entities referred to in sub-regulation (1), either by itself or through an auditor appointed by the Authority. The frequency, time and manner of such audits shall be as may be notified by the Authority from time to time. 
  3. An entity subject to audit shall provide full co-operation to the Authority or any agency approved and/or appointed by the Authority in the audit process, and provide to the Authority or any agency approved and/or appointed by the Authority, complete access to its procedures, records and information pertaining to services availed from the Authority. The cost of audits shall be borne by the concerned entity.
  4. On identification of any deficiency by the Authority, the Authority may require the concerned entity to furnish necessary clarifications and/or information as to its activities and may also require such entity either to rectify the deficiencies or take action as specified in these regulations.

Data security norms to be followed by requesting entities and ASA as per regulation 22 of Authentication Regulations

  1. Requesting entities and Authentication Service Agencies shall have their servers used for Aadhaar authentication request formation and routing to CIDR to be located within data centres located in India.
  2. Authentication Service Agency shall establish dual redundant, secured leased lines or MPLS connectivity with the data centres of the Authority, in accordance with the procedure and security processes as may be specified by the Authority for this purpose.
  3. Requesting entities shall use appropriate license keys to access the authentication facility provided by the Authority only through an ASA over secure network, as may be specified by the Authority for this purpose. 
  4. Requesting Entities and Authentication Service Agencies shall adhere to all regulations, information security policies, processes, standards, specifications and guidelines issued by the Authority from time to time.

Audit and inspection under regulation 6 of DS Regulations

  1. All agencies, consultants, advisors and other service providers engaged by the Authority, and ecosystem partners such as registrars, requesting entities, Authentication User Agencies and Authentication Service Agencies shall get their operations audited by an information systems auditor certified by a recognised body under the Information Technology Act, 2000 and furnish certified audit reports to the Authority, upon request or at time periods specified by the Authority.
  2. In addition to the audits referred to in sub-regulation (1), the Authority may conduct audits of the operations and systems of such entities or persons, either by itself or through an auditor appointed by the Authority.

Limitations on sharing of information by requesting entity under regulation 4 of SoI Regulations

  1. Core biometric information collected or captured by a requesting entity from the Aadhaar number holder at the time of authentication shall not be stored except for buffered authentication as specified in the Aadhaar (Authentication) Regulations, 2016, and shall not be shared with anyone for any reason whatsoever.
  2. The identity information available with a requesting entity:  (a) shall not be used by the requesting entity for any purpose other than that specified to the Aadhaar number holder at the time of submitting identity information for authentication; and (b) shall not be disclosed further without the prior consent of the Aadhaar number holder.
  3. A requesting entity may share the authentication logs of an Aadhaar number holder with the concerned Aadhaar number holder upon his request or for grievance redressal and resolution of disputes or with the Authority for audit purposes, as specified in regulation 18 of the Aadhaar (Authentication) Regulations, 2016.

Implications of non-Compliance

The major implications of non-compliance are provided for under chapter VII of the Aadhaar act. Of the various offences defined under the sections in this chapter and the liability for them, the following are material for a private agency seeking the authentication services of UIDAI. Section 36 of the Aadhaar act punishes anyone who, by words, conduct or demeanour, pretends to be authorised to collect identity information under the provisions of the Aadhaar act. It prescribes imprisonment for a term which may extend to three years or a fine which may extend to ten thousand rupees or, in the case of a company, a fine which may extend to one lakh rupees, or both.

Section 37 imposes liability for disclosing identity information. It applies to whoever intentionally discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication to any person not authorised under the Aadhaar act or the regulations made under it. In case of violation of this section, the wrongdoer shall be punishable with imprisonment for a term which may extend to three years or a fine which may extend to ten thousand rupees or, in the case of a company, a fine which may extend to one lakh rupees, or both.

Section 38 of the Aadhaar act provides for liability in case of unauthorised access to the Central Identities Data Repository. This section makes it an offence for an unauthorised entity to access or secure access to the Central Identities Data Repository; to download, copy or extract any data from the Central Identities Data Repository or stored in any removable storage medium; to deny or cause a denial of access to any person who is authorised to access the Central Identities Data Repository; to reveal any information in contravention of sub-section (5) of section 28, or to share, use or display information in contravention of section 29; or to assist any person in any of the aforementioned acts. It prescribes imprisonment for a term which may extend to three years and a fine which shall not be less than ten lakh rupees.

Section 40 of the Aadhaar act states that, “Whoever, being a requesting entity, uses the identity information of an individual in contravention of sub-section (3) of section 8, shall be punishable with imprisonment which may extend to three years or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees or with both.” This section aims at securing the data of the individual users whose information is used for authentication, thus protecting privacy. It is in effect an extension of the provisions already present under the Information Technology Act, 2000 (hereinafter called IT act), the Information Technology (Amendment) Act, 2008 (hereinafter called ITA act), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. While the rules prescribe an exhaustive list of the personal information covered by the privacy norms under the IT act, its amendments and the rules made thereunder, the definition of a privacy violation and the liability for it are provided only under the ITA act. Section 43A of the IT act states that “where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees, to the person so affected.” (Change vide ITA act, 2008). Section 72A of the IT act prescribes imprisonment for a term which may extend to three years, or a fine which may extend to five lakh rupees, or both, where personal information obtained under a lawful contract is disclosed beyond what the contract requires.

Section 41 of the Aadhaar act prescribes the penalty for non-compliance with intimation requirements: in case a requesting entity fails to comply with the requirements of sub-section (2) of section 3 or sub-section (3) of section 8, it shall be punishable with imprisonment which may extend to one year or a fine which may extend to ten thousand rupees or, in the case of a company, a fine which may extend to one lakh rupees, or both.

Section 42 prescribes for a general penalty in case an offence is committed under Aadhaar Act or any rules or regulations made thereunder for which no specific penalty is provided elsewhere within the act or the respective regulation. This section provides for an imprisonment for a term which may extend to one year or with a fine which may extend to twenty-five thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees, or with both.

Section 43 deals separately with the principle of corporate criminal liability and holds the individuals in charge of the company liable for the offence; where the offence was committed with the consent of, or due to neglect on the part of, a director, manager, secretary or other officer of the company, that director, manager, secretary or other officer shall also be liable for the offence.

Lastly, imposition of penalty under this act shall not prevent imposition of any other penalty or punishment under any other law for the time being in force as per the provisions of section 46 of the Aadhaar act.

In addition to liability under the Aadhaar act, liability regimes have also been prescribed under the regulations made by UIDAI. Under the Aadhaar (Sharing of Information) Regulations, 2016, liability for contravention of the regulations is prescribed under regulation 7. It provides that “without prejudice to any action that may be taken under the Act, any contravention of regulations 3, 4, 5 and 6 of these regulations shall constitute a violation of sub-section (2) of Section 29 of the Act,” and shall attract liability under the provisions of section 42 of the Aadhaar act. Regulation 25 of the Aadhaar (Authentication) Regulations, 2016 provides for the liability of requesting entities and Authentication Service Agencies.

Hence, the Aadhaar act, the regulations made thereunder, and the IT act and the rules made thereunder together provide a comprehensive liability regime. This regime can be understood as one that ensures compliance, prevents unauthorised access to the central data repository, protects the privacy of enrolled individuals, secures data transfer over the internet, prevents unlawful gains from data and authentication service access, and prevents unauthorised use of personal data.

Cost of using authentication services

While cost of implementation depends on multiple factors, a fair estimate is produced hereunder:

  1. Rs. 7-10 lakhs towards development of the AUA/KUA software.
  2. Each AUA/KUA transaction has to be digitally signed. The cost of procuring a file-based digital signature is approximately Rs. 50,000 (for 2 signatures).
  3. Rs. 8-10 lakhs towards hardware (1 main server + 1 DR server + OS etc.) deployed for the AUA/KUA services.
  4. Dedicated staff for managing the end-to-end AUA/KUA services.
  5. Software development charges for any changes introduced in future by UIDAI, for which additional resources have to be deployed.
  6. Rs. 1-3 lakhs towards software AMC (Annual Maintenance Cost).
  7. Generating test conditions, obtaining successful reports and logs from UIDAI and submitting them to UIDAI, and audit of the system (a separate audit by the system auditor for AUA and KUA); the cost of this would be around Rs. 1 lakh.

The cost would also vary depending upon the nature of authentication service required and other factors such as cost of Human Resource involved etc.

Method of implementation (Technical aspects)

Aadhaar authentication is the process by which the Aadhaar number, along with the demographic information or biometric information of an Aadhaar number holder, is submitted to the Central Identities Data Repository (CIDR) for verification, and the repository verifies its correctness, or the lack thereof, on the basis of the information available with it. For the Aadhaar authentication API, the input data is sent as an XML document using Content-Type “application/xml” or “text/xml”.

This authentication API does not provide any identity data as part of the response. All it does is to match given input and respond with a “yes/no” in Response XML.

The Aadhaar e-KYC authentication API, by contrast, does provide identity data as part of the response. It offers agencies a convenient mechanism to give Aadhaar holders an electronic, paperless KYC experience, eliminating the insecure and costly paper processes that exist today. The e-KYC service provides simplicity to the resident while saving the KUA the cost of managing and processing paper documents.

Verification of the Proof of Identity (hereinafter called PoI) and Proof of Address (hereinafter called PoA) is a key requirement for access to financial products, SIM cards for mobile telephony, and access to various Central, State, and Local Government services. Today, customers provide physical PoI and PoA documents. Aadhaar is already a valid PoI and PoA document for various services in the Financial, Telecom, and Government domains. In addition, the UIDAI now also proposes to provide an e-KYC service, through which the KYC process can be performed electronically. As part of the e-KYC process, the resident authorizes UIDAI (through Aadhaar authentication) to provide their basic demographic data for PoI and PoA along with their photograph (digitally signed) to service providers.

It is to be noted that STQC-certified and UIDAI-approved biometric devices, with a complete SDK, software and services enabling businesses to implement Aadhaar authentication and e-KYC in their existing processes and applications, are the prerequisites for enrolling under the scheme. Further, this is merely one example of the methods that may be used in authentication software. There could be many other forms of authentication methods and software. The only requirement for a piece of software to be granted access to Aadhaar data is that it embodies the basic principles prescribed under the Aadhaar act and the regulations notified thereunder.
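To make the obligations of regulation 17 (an encrypted PID block created at capture, no copy of the core biometrics retained, a signed request whose private key stays access-controlled) and the yes/no response described above concrete, here is an added example in Go. It is illustrative code written for this page, not UIDAI's API or any AUA's software: the XML layout (Auth, Skey, Data, Signature), the AUA code AUA01 and the twelve-digit uid used in the test are assumed placeholders, the PID block is reduced to the raw biometric template, and a byte-exact comparison stands in for biometric matching. Real keys would live in an HSM, and the real request travels through an ASA over the connectivity that regulation 22 requires.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/xml"
	"errors"
)

const nonceLen = 12 // standard AES-GCM nonce length
var b64 = base64.StdEncoding

// AuthRequest is an ASSUMED, simplified layout, not UIDAI's real Auth schema; the "PID block" is modelled as the raw biometric template.
type AuthRequest struct {
	XMLName xml.Name `xml:"Auth"`
	UID     string   `xml:"uid,attr"`
	AC      string   `xml:"ac,attr"`   // AUA code
	Skey    string   `xml:"Skey"`      // session key wrapped with the CIDR public key (RSA-OAEP)
	Data    string   `xml:"Data"`      // nonce || AES-256-GCM(PID block) under the session key
	Sig     string   `xml:"Signature"` // RSA-PSS by the AUA private key over uid|ac|Skey|Data
}

func digest(uid, ac, skey, data string) []byte {
	h := sha256.Sum256([]byte(uid + "|" + ac + "|" + skey + "|" + data))
	return h[:]
}

func gcmFor(key []byte) cipher.AEAD { // both callers guarantee a 32-byte key
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

func zero(b []byte) { copy(b, make([]byte, len(b))) }

// NewKeyPair makes a throwaway 2048-bit RSA key for the demonstration; real AUA and CIDR keys belong in an HSM.
func NewKeyPair() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails if the system RNG is broken
	return k
}

// BuildRequest is the requesting-entity side: encrypt the PID block at capture, wrap the session key for the CIDR, sign with the AUA key, wipe the plaintext buffers.
func BuildRequest(uid, ac string, bio []byte, cidrPub *rsa.PublicKey, auaPriv *rsa.PrivateKey) ([]byte, error) {
	buf := make([]byte, 32+nonceLen) // fresh AES-256 session key followed by the GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	// The AAD binds the ciphertext to this uid and AUA code so the block cannot be replayed elsewhere.
	sealed := gcmFor(sessionKey).Seal(append([]byte{}, nonce...), nonce, bio, []byte(uid+"|"+ac))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, cidrPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	req := AuthRequest{UID: uid, AC: ac, Skey: b64.EncodeToString(wrapped), Data: b64.EncodeToString(sealed)}
	zero(bio) // regulation 17: no copy of the core biometrics or of the session key is retained once the block is sealed
	zero(buf)
	sig, err := rsa.SignPSS(rand.Reader, auaPriv, crypto.SHA256, digest(uid, ac, req.Skey, req.Data), nil)
	if err != nil {
		return nil, err
	}
	req.Sig = b64.EncodeToString(sig)
	return xml.Marshal(req)
}

// Verify is the CIDR side of the yes/no facility: check the AUA signature first, unwrap the session key, open the PID block and answer only true or false, never identity data.
func Verify(reqXML []byte, cidrPriv *rsa.PrivateKey, auaPub *rsa.PublicKey, enrolled map[string][]byte) (bool, error) {
	var req AuthRequest
	if err := xml.Unmarshal(reqXML, &req); err != nil {
		return false, err
	}
	sig, _ := b64.DecodeString(req.Sig) // a corrupt signature simply fails verification below
	if err := rsa.VerifyPSS(auaPub, crypto.SHA256, digest(req.UID, req.AC, req.Skey, req.Data), sig, nil); err != nil {
		return false, errors.New("request not signed by the licensed AUA key")
	}
	wrapped, _ := b64.DecodeString(req.Skey) // Skey and Data are covered by the verified signature
	sealed, _ := b64.DecodeString(req.Data)
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, cidrPriv, wrapped, nil)
	if err != nil || len(sessionKey) != 32 || len(sealed) < nonceLen {
		return false, errors.New("session key or Data element malformed")
	}
	defer zero(sessionKey)
	bio, err := gcmFor(sessionKey).Open(nil, sealed[:nonceLen], sealed[nonceLen:], []byte(req.UID+"|"+req.AC))
	if err != nil {
		return false, errors.New("PID block failed its integrity check")
	}
	defer zero(bio) // the decrypted biometrics live only for the comparison
	ref, ok := enrolled[req.UID]
	// A constant-time byte comparison stands in for the real biometric matcher (assumed simplification).
	return ok && subtle.ConstantTimeCompare(bio, ref) == 1, nil
}
```

BuildRequest runs on the AUA side and Verify on the CIDR side, with keys from NewKeyPair for the demonstration. A matching template answers true and a different one answers false without any error, while a request whose signed attributes were altered, or one signed by a key the CIDR does not recognise as the licensed AUA's, is refused before any biometric material is decrypted; the capture buffer handed to BuildRequest is zeroed before the function returns.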

In terms of legal compliances, one has merely to complete the required forms and enter into an agreement with the UIDAI. In addition, there are audit compliance checklists, the application and undertaking for appointment of a sub-AUA (if there is one), the AUA/KUA appointment letter and bank guarantees, the disincentives that may be imposed on an AUA, the criteria mentioned under Schedule A of the Authentication Regulations and amendments made thereto, and the documents to be submitted by the AUA.

In addition to these legal compliance documents, there are a number of technical compliance documents. They include:

  1. Aadhaar Registered Devices Specification 2.0.2
  2. Implementation of HSM by AUA/KUA/ASA
  3. UIDAI Certified Biometric Devices
  4. Aadhaar eKyc API specification – version 2.1
  5. PID encryption key Certificate
  6. Aadhaar Authentication API 2.0 Specification
  7. Aadhaar e-KYC API 2.0 Specification
  8. Aadhaar Registered Devices Specification 2.0
  9. Aadhaar Registered Devices Error Codes 2.0.1
  10. Registered Devices 2.0 PoC – Clarifications on EoI
  11. IRIS Authentication Accuracy – PoC Report
  12. Aadhaar Authentication API 1.6
  13. Aadhaar Best Finger Detection (BFD) API 1.6
  14. Aadhaar One Time Pin (OTP) API 1.6

These legal forms and technical documents can be found on the website of UIDAI:

  1. Legal documents
  2. Technical Documents


In order to be appointed as a requesting entity (AUA), the private entity has to submit the required forms and legal and technical compliances to UIDAI. After considering these filings, UIDAI communicates its decision to the private entity. Upon acceptance, the private requesting entity may enter into a standard-form agreement with UIDAI.

Conclusion and recommendations

This section seeks to address the client query. The query is reproduced hereunder for convenience:

“######################***************

“###################################

The main issues the client seeks to have addressed are:

  1. What does ownership of the SDK mean?
  2. What implications may it have in general?
  3. Specifically, what might be the implications of UIDAI having access to the code base and of the code being subjected to audit?
  4. What are the implications of the code base being in DTMF?

These issues boil down to two basic questions:

  1. Whether UIDAI, by virtue of owning the SDK, also comes to own the SDK that sits within the thinnest layers of the client’s software, and whether it is therefore mandatory to grant UIDAI access to the client’s codebase?
  2. Is the code base subjected to Audit?

The first question essentially relates to ownership of the code. Such ownership has no bearing on the authentication service for the requesting entity, but we address it nonetheless. It is to be noted that the compliances prescribed under the Aadhaar act, the regulations made thereunder and the authentication forms available on the UIDAI website do not distinguish software used anywhere in the authentication process on the basis of its ownership. Software used by an AUA is in all circumstances obligated to comply with all compliances and is also subject to audit. The question therefore boils down to licensing.

The answer to the second question is a straightforward yes. While the ability to audit has nothing to do with ownership, it is clear from the provisions of the Aadhaar act, the authentication regulations and the AUA audit compliance checklist that this code, and all other parts of the code owned by the AUA, are subject to audit by a qualified authority.

Appendix I

Schedule A

Eligibility criteria for appointment as requesting entities (see Regulation 10(1))

  1. Entities seeking to use the authentication facility provided by the Authority as requesting entities are classified under the following categories for appointment as Authentication User Agency (AUA) and/or e-KYC User Agency (KUA), as the case may be:
  2. Technical and financial criteria for entities for appointment as requesting entity are as under:

Appendix II

Schedule B

Eligibility criteria of Authentication Service Agencies (see Regulation 10(2))

  1. Entities seeking to provide secure access to the CIDR to requesting entities for enabling authentication services are classified under the following categories for appointment as Authentication Service Agency:
  2. Technical and financial criteria for entities for appointment as Authentication Service Agency are as under:


Independent Directors

With the coming of joint stock companies and an ever-increasing base of shareholders, the separation of management from ownership was inevitable. Hence the theoretical basis for the development of the principle of the independent director can be traced back to the separation between ownership and control in the company. While this separation was necessary to make the operation of joint stock companies with thousands of shareholders practical, since they could not have participated individually in the decision making of such corporations, it resulted in the problem of management fraud. This led to demands for regulating the management and managerial staff of a company in such a manner that the interests of the various shareholders and stakeholders are protected. As a consequence of these demands, various corporate governance norms evolved over time. The institution of the independent director was one such norm.

In this presentation we have looked at various aspects of the institution of the independent director, including its evolution and jurisprudential development. Along with the legal provisions in India we have also considered other jurisdictions such as the United States of America, the United Kingdom and Germany. We have undertaken an extensive analysis of the provisions under Indian law, comparing them with the provisions in other jurisdictions, examining their various jurisprudential aspects and weighing the pros and cons of their practical implementation.
In the case of the law on independent directors in India, major developments in other jurisdictions with respect to corporate governance and independent directors have specifically influenced the way corporate governance norms have developed in the country. The Companies Act, 1956 did not contain provisions relating specifically to independent directors. Provisions relating to independent directors were first introduced as an amendment to Clause 49 of the Listing Agreement, which applied only to public listed companies. Thereafter the new act, the Companies Act, 2013, came into force, containing specific provisions along with the Companies (Appointment and Qualification of Directors) Rules, 2014.
In this presentation we analyse the practical relevance of this institution in India. We have undertaken a detailed chapter-wise analysis to determine its relevance by tracing its development in various jurisdictions, examining the particulars of Indian law, and analysing the reports of various committees in this regard. In one of the chapters we have also analysed the current legal system in India with the objective of understanding the pros and cons of implementing it.
The relevance of this institution to corporate governance is immense, as it provides an effective check on arbitrary and wrongful acts of the management. In light of recent scandals such as the Satyam scam and the Enron scandal, its relevance increases manifold. This research paper therefore assesses the practicality and relevance of this institution under the current legal system and prescribes changes to make it more efficient in the Indian context.

Bar on Statutory Auditors to carry out non-audit functions


Introduction and brief background.

A CA is termed "practising" if he undertakes certain functions such as auditing, verification of financial transactions, etc., as per section 2, sub-section 2 of the CA Act, 1949. A CA can only undertake the functions prescribed under Regulation 190A of the CA Regulations, 1988. These include an entire range of management and consultancy services such as preparing a capital structuring plan, working capital management, etc.

A statutory auditor cannot provide such other non-audit services to an audit client, because doing so might impair the objectivity and independence of the auditor.

Why was it introduced? (Reasons in a nutshell)


  1. The “Statement of Objects and Reasons” for the Companies Act, 2013 reads as follows:

“Stricter and more accountable role for auditor being retained. Provisions relating to prohibiting auditor from performing non-audit services revised to ensure independence and accountability of auditor.”


The International Federation of Accountants (IFAC) identifies five types of threats to auditor independence:

  1. Self-interest threat – occurs when an auditing firm, its partner or an associate could benefit from a financial interest in an audit client.
  2. Self-review threat – occurs when the auditor reviews a judgment or conclusion reached in a previous audit or non-audit engagement, or when a member of the audit team was previously a director or senior employee of the client.
  3. Advocacy threat – occurs when the auditor promotes, or is perceived to promote, a client’s position to a point where people may believe that objectivity is being compromised, e.g. when an auditor deals in shares or securities of the audited company, or becomes the client’s advocate in litigation and third-party disputes.
  4. Familiarity threat – occurs when auditors form relationships with the client such that they end up being too sympathetic to the client’s interests.
  5. Intimidation threat – occurs when auditors are deterred from acting objectively and with an adequate degree of professional scepticism.

These provisions were included in the regulatory frameworks of various jurisdictions after the 2002 scams of Enron, WorldCom, etc., in order to ensure the independence of auditors.


History

  1. Section 224 of the Companies Act, 1956, read together with the requirements of the CA Act, 1949 – a statutory auditor could not be the internal auditor of the same company, nor undertake book-keeping work for the same client.
  2. Provisions regulating non-audit services were introduced for the first time under clause 127 of the Companies Bill, 2009 and subsequently featured in the amended Companies Bill, 2011.
  3. Section 144 of the Companies Act, 2013.


Section 144 (Reading)

There are no rules to this effect and no clarifications or circulars. The section itself only mentions the following.

Two important aspects:

  1. Approval of the board or the audit committee for rendering non-audit services.
  2. Applicability to the holding company and all its subsidiaries.
  3. Non-audit areas that have been barred.[1]
    • The construction of “management services” is not clear.
    • The same is the case with “investment advisory services” and “investment banking services”.
    • For instance, working capital management would be a violation of clause (e); however, the same might not be true of financial due diligence services.
  4. Clause (i) specifically provides for other kinds of activities to be prescribed.
  5. Meaning of “directly or indirectly” interested.
    • In the case of individuals – the individual himself, a relative, or any person connected to the individual through any entity in which the individual has significant influence or control, or whose trademark, brand, etc. is used by such individual.
    • In the case of firms – the firm itself, through its partners, through its parent firm, subsidiary or associate entity, or through any other entity in which the firm or a partner of the firm has significant influence or control, or whose name, trademark, brand, etc. is used by the firm.
    • The problem here is the construction of “significant influence or control”. There is no guidance with respect to the same, so it has to be construed in light of other aspects.

Discrepancies in the section

Construction of non-audit functions

The functions referred to in clauses (a) to (g) are not well defined. Many of them do not feature in the list provided by the CA Act and the CA Regulations.

The construction of “significant influence or control” is not clear.

The Companies Act, unlike the Income Tax Act, is not a fiscal statute and therefore should not be construed strictly but purposively. (Umakant)

Liability

Under section 147:

Of the company

147(1) – The company is punishable with a fine of between 25K and 5 lakh; every officer of the company who is in default is punishable with imprisonment for a term which may extend to 1 year, or a fine of between 10K and 1 lakh.

Of the CA

147(2) – The auditor is liable to a fine of between 25K and 5 lakh. Where the contravention is knowing, wilful, or with the intention to deceive the company, etc., the punishment is imprisonment for 1 year and a fine of between 1 lakh and 25 lakh.


[1] Thus, it follows that the scope of section 144(h) of the Companies Act, 2013 cannot go beyond section 2(2)(iv) and Regulation 190A (supra), in light of the provisions contained in the aforementioned Clause 11 of Part I of the First Schedule to the Chartered Accountants Act, 1949.

Drafting, Pleading and Conveyancing

Have you ever wondered how these things are drafted? There is a well-defined format for all of them under the respective procedure manuals. In the attached document we have given a description of drafting, pleading and conveyancing related documents. Get yourself acquainted with them. However, it is only with practice and experience that one can learn them properly.


We would like to thank Professor Shankara Reddy and Professor Praveen Tripathi for their valuable contribution!

DPC drafts– Please find file attached here!

Wikipedia edit-a-thon (May 8, 2017 to May 14, 2017)

Hey, PLR is coming up with its latest edition of the Wikipedia edit-a-thon. It starts on May 8, i.e. the coming Monday, and ends on the Sunday of that week, i.e. May 14. You are most welcome to be a part of it and to contribute to the development of the online free information directory. In the past few months we have worked extensively to develop Wikipedia using one of the biggest law libraries in India. This is not just in accordance with our objective of deliberating upon law; it runs much wider, in the sense that it includes contributing to the community. Come join us and be a part of this noble initiative.


What is this initiative about?

There have been numerous long-hour events focused on a certain task. These events have a hybrid name comprising a base name that depicts the nature of the event, followed by “-a-thon”, which describes the extent of such an event. The Wikipedia edit-a-thon is one such event. In the past there have been numerous such events. One of these was held recently on March 8, 2017 on the sidelines of Women’s Day. Feminists took over the internet and included their biased version of all they could on a generally neutral forum. However, not being political, we go forth on similar lines to modify the existing legal literature on the internet and make relevant, desirable additions to it. An edit-a-thon is:

  1. a scheduled time where people edit Wikipedia together, whether offline, online, or a mix of both;
  2. typically focused on a specific topic, such as science or women’s history;
  3. a way to give new-comers an insight into how Wikipedia works.

Edit-a-thons improve the encyclopedia and can be a great way to help new Wikipedians learn to edit. This is quite different from large conferences such as Wikimania, which often have multiple speakers or panels about a huge variety of topics. An edit-a-thon is also unlike a regular meetup, which tends to be without a single goal and/or for socializing. In other words: an edit-a-thon is like a hackathon for Wikipedians (and definitely not like a telethon).

What will we do and what preparations have we done beforehand?

We will be working over the week to write new Wikipedia articles. These articles will be in accordance with Wikipedia’s policies, and we will make an attempt at introducing new content as well. In addition, we will rely on authorities in each particular field of law. In this Wikipedia edit-a-thon our objective is to introduce as many new cases as possible. Keeping this in mind, we have made preparations of the following nature:

Define a clear set of goals

Define a clear set of goals in terms of what general group of articles you would like to work on and who you want to attend. This can be as broad as an overarching topic, like women’s history or items in the collection of a museum, or you can target a specific backlog. People who have never edited before often feel most comfortable with either: A) a topic which they have some degree of interest in and B) a very simple activity, like copyediting or wikifying.

Be prepared with a list of things that need work or attention. Even if that isn’t what gets worked on, it can help generate ideas.

Determine logistics

When determining the date, time, and venue for an edit-a-thon, keep the following in mind.

Size

Find out how many people your venue can hold and limit the number of signups to that number. Or, guess how many attendees you’ll have, and try to find a venue that will accommodate that many.

Internet access


Participants must have reliable access to the internet, preferably wifi. This is vital; otherwise your participants will not be able to connect to edit Wikipedia. Though venues can often accommodate internet connectivity, some chapters have portable wifi hotspots which make it possible to run events wherever you like.

Computers

If the venue has computers, consider the following when deciding on how to incorporate them into your event:

  • What accounts/passwords do attendees need to access the computers? Does anything need to be done in advance?
  • What browser is used, and does it play nicely with Wikipedia?
  • Can people connect cameras and memory card readers? Do the computers have image editing software?

If participants will be bringing devices, consider:

  • Does the venue have wifi? Can it cope with the expected number of users?
  • What accounts or passwords do you need to access wifi?
    • If the wifi has a single password, post a sign with the details and check that you can see the sign from the farthest point of the room.
    • If the wifi requires you to have individual accounts, then have slips of paper and hand them out to each person as they arrive.
  • Can people use power sockets? Do you need extension cables?

Refreshments

Drinks and food will encourage people to stick around for longer than they might otherwise and provide an opportunity to take a break and talk with other editors.

Access

Especially when edit-a-thons are hosted within cultural institutions, attending the event may not be as simple as coming in. Find out what the access arrangements are for the venue. Ideally you want people to turn up on time and be able to get in without disrupting your event. But there will be latecomers. If the venue has receptionists then introduce yourself and make sure they know what to tell people who ask for the Wikipedia event (if you have bling then offer the receptionist a badge, biro or beermat). If people are going to have to phone you to be let in:

  1. If the only way in is to text or call you, warn them to bring a mobile phone and put a Wikipedia sign outside with a phone number.
  2. Assign someone other than the presenter to answer the phone and let people in.
  3. Find out if your venue is wheelchair accessible or has a hearing loop and put those details on your event page.

Recruit active Wikipedia editors and research experts

Edit-a-thons go most smoothly when experienced editors are available to help new editors. One-on-one coaching is ideal, and one longtime Wikipedian per 10 attendees is probably the absolute minimum. Connecting with a local Wikimedia affiliate or chapter provides access to support, expertise and promotion of events.

It can also help to include people who aren’t experienced with Wikipedia, but are good at teaching information literacy. Librarians, for example, can teach about finding reliable sources and help build Wikipedia experience at libraries.

Determine how to create user accounts

Within a 24-hour period, only six Wikipedia accounts can be created from a single IP address. If there’s a chance you’ll have more than six new editors at your edit-a-thon, you’ll want to have a plan for how they’ll create accounts.

You can do one or more of the following:

  1. Encourage new editors to create their account before they arrive;
  2. Recruit an account creator to (remotely or in-person) help at your event; or
  3. Request an exception to the limit for your IP address a few days in advance.

Provide a way for people to find details and sign up to attend

A subpage of Wikipedia:Meetup is easiest, but there are other options depending on the location and topic of your event. If it’s at an institution such as a gallery, library, archive, or museum, a subpage of WP:GLAM may be appropriate. If you are aiming this at newbies don’t confuse them by having the sign up page on a different wiki such as a chapter wiki, especially if that requires a different account to be created.

Providing a way for people to sign up outside of Wikipedia will be more inviting to new editors. Asking people who may have never edited before to navigate a meetup wiki page presents a Catch-22 where they have to edit a page filled with wiki markup in order to learn how to edit wiki markup. Good secondary alternatives are free tools such as Eventbrite, Meetup.com, or even a Facebook event.

Have appropriate forms for data collection afterwards

If you plan to report statistics on participant activity, there are two main ways to do this:

  • Using Wikimetrics – to use this tool you need to record participants’ usernames and use appropriate forms to get their consent for you to collect data about their activity.
  • Using the Programs and Events Dashboard (currently in Beta) – contributors join events, and through joining those events, their contributions can be tracked during a window of time.


Why should you join?

Hereunder is a list of simple reasons. Decide for yourself!

  1. It helps build the encyclopedia
  2. It builds relationships in the community
  3. It is an opportunity for editors to learn from each other
  4. It can convince people to become new Wikipedians
  5. It can help new Wikipedians to contribute
  6. It is an opportunity to improve the quality of Wikipedia by accessing offline materials and experts
  7. It’s fun!


How can you join?

Just mail us. You can use the “contact us” option on our website, or simply send a mail with your statement of purpose and curriculum vitae to contact@projectlegalrenaissance.com, or ping us in our inbox on Facebook.


Event details

Welcome

  • Welcome people, find them a seat, tell them where the toilets are and what to do if there is a fire.
  • Keep in mind that whatever their experience level, editors will likely come with a set of things in which they are interested. Asking them what their interests are is the easiest way to try and direct them to work that needs doing on the project.
  • Unless everyone knows each other, it can be good to start with a round of introductions. Nametags don’t hurt either, especially if there are only a handful of experienced editors around to answer questions. At a minimum get all the trainers/helpers to stand up so people know who to ask for help.
  • If you expect more than a handful of people and, particularly, if people aren’t all going to show up at once, consider having someone volunteer to be a “greeter,” to welcome people as they arrive and help them get started.

Teach

  • Take time to help new editors create an account and learn a few editing basics. If there are several new editors at the event, they might like to be grouped together along with an experienced Wikipedian for guidance, so that they can support each other as they get set up.
  • Familiarize new editors with Wikipedia’s core content policies (neutral point of view, verifiability, no original research) and content guidelines (particularly notability and reliable sources).
  • Demonstrate the use of draft space and userspace sandboxes for incomplete articles.
  • Demonstrate using the Article Wizard and Articles for Creation to confirm that an article is appropriate before publishing.
  • Experienced editors are comfortable editing with the classic wikitext interface, but that user interface can be challenging for new editors. Consider having new editors use VisualEditor, particularly since it has Citoid (editors only need a URL to generate a full citation, at least for the most common news sources) as of mid-2015.
    • There should be consensus among the experienced editors assisting with training that VE’s benefits outweigh its disadvantages.
    • Experienced editors should (obviously) do some editing in VE, themselves, prior to the edit-a-thon, so they understand the interface. They should also know where the user guide is located.
  • Having designated spaces for doing and teaching different tasks is a good idea (such as “Creating an account and making your first edit”, “Starting a new article”, or “Improving existing articles”). Whether that is simply a table per topic or a separate room should depend on the size of the group; keeping a very small group in the same space even if they work on different things can make things more fun.

Conclude

  • Make sure new editors know where to go to ask for help before the event is over (e.g., the Help desk or Village pump). It might also be good to have materials such as the Wikipedia:Cheatsheet printed out.
  • Take some photos! Even just one group photo at the end is better than nothing.
  • If you can get it before the event, hand out some Wikipedia merchandise. If there are many people and not enough t-shirts or other materials, you can raffle them off to be fair and create some fun. Having merchandise as a prize for the most-improved article is also a great motivator.
  • If your edit-a-thon is happening purely online, try to have a real-time discussion space where people can ask questions and chat. An IRC channel, group Skype chat, or a Google Hangout are about as close to the ease of offline communication as you can get.
  • If you have another event planned for the future then make sure you announce it before people start to leave.


Methods to edit

Although everyone is usually welcome at an edit-a-thon, invitations and publicity help encourage participation. Consider who will be most interested in attending (is the event intended for mostly experienced Wikipedians? Medical professionals? Women who haven’t edited before? Some combination?), and where they’re most likely to be. Then, tailor your outreach to the audience(s) you’re trying to reach.

In rough order of effectiveness…

  • Geographically-specific software notice; this invites existing editors via their watchlist. Aim for people within two hours’ travel.
  • Ask people to help promote it to their friends and colleagues. Social connections are your friend.
  • Email relevant mailing lists (which may not always be a Wikimedia list! University departments, professional associations, and other groups can be good places to reach potential editors) (Remember that informing an email list is useful not just for potential attendees, but for letting others know of your activities which may inspire them.)
  • Contact editors who have self identified as being in the area.
  • Ask for help and participation from relevant WikiProjects, if a project exists.
  • Suggest a tidbit in the Signpost, Wikipedia’s online newsletter.
  • Talk about it on social media, if that’s your thing.
  • Write a blog post. If you don’t have one, ask someone who has an active blog in Planet Wikimedia. (Yes, that includes the Wikimedia Foundation blog! You can draft a proposed Wikimedia Foundation blog post here)

For the benefit of online participants, make clear the time zone in which the event will take place.

Tip: For a great registration URL link to use in your advertisements, go to your Wikipedia event page while signed out and click “Create account.” The URL now in your browser will automatically direct people to your event page after they create their account.

His love for Russia made him want to work for an ex-Russian negotiator

I’m ABC and I am interested in applying for the position of research assistant under you. My motivation for applying to be a part of this research opportunity is threefold. Primarily, it is because of my interest in geo-politics, the role of law and economic policy in the process of globalization, and the general implications of regional trade pacts on the economy of a country. Further, these negotiations consist of areas such as intellectual property, competition, economic and technical cooperation and dispute settlement. It would be really interesting to see these negotiations develop over time, as the negotiating nations have conflicting economic interests in these areas. I also find it extremely fascinating to analyse the different variables involved in negotiations of this nature and to understand their relative and absolute importance in determining the overall outcome. I have passionately followed geo-political and economic issues of this nature in the past and have also written about important legal issues in the South Asian and South East Asian region.[1]

Secondly, working for someone of your stature is in itself a wonderful opportunity. Sir, your extensive experience extends over more than four decades. Your work for the Soviet military service, then your work in the media sphere for over two and a half decades, the experience gained as head of the WTO Accession Office and lastly your presence in the academic field give you a plethora of know-how and perspectives. Considering this, working under a person of your standing would be an extraordinary experience. This experience would perhaps be a great learning opportunity, and your valuable guidance will be of great benefit.

Thirdly, on a personal level it is about reconnecting with Russia. I grew up in a gated community of a public sector unit (Coal India Ltd.) of the Government of India where there were numerous mining machines of Soviet and Russian origin. To assist in the upkeep of these machines there were numerous Russian engineers, and their families lived within the gated community. In fact my immediate neighbours were Russians and a few of my classmates were from the old Soviet republics. Additionally, my uncle studied medicine in Russia in the early 2000s and eventually developed a Russia-based export-import business. His stories and descriptions of the country always fascinated me. Sir, working under you will be a great opportunity for me to emotionally reconnect with a wonderful past and to experience the much appreciated Russian intellect.

____________________________________________________________________


[1] I worked on the issue of the International Court of Arbitration’s South China Sea ruling. I also wrote blog entries on the issue.

Nodal agency for implementing net neutrality framework

The Telecom Regulatory Authority of India (TRAI) provides for various mechanisms to monitor violations of the net neutrality (NN) framework in India. It also tabulates the legal and technical mechanisms used in other countries for monitoring NN framework violations and charts the possible pros and cons of each system. For ease of understanding, I have first tabulated TRAI’s understanding of the issue as put forward in the consultation paper. This is followed by a brief analysis of the merits and drawbacks of the proposed systems. Thereafter I have proposed a possible institutional mechanism, strictly discussing its legal feasibility and, in a limited sense, also discussing its feasibility in terms of other relevant aspects such as the ease of implementing the model, the impact of the implementation model on the business community, etc. In this model I have also addressed the drawbacks of the existing models of implementation and incorporated the meritorious traits of the existing models.

TRAI’s approach

TRAI recommends the following approaches for implementing the net neutrality framework.

  1. Self-regulation by the ISPs.
  2. Complaints to the agency by users etc., and a mechanism to deal with such complaints.
  3. Use of user-experience applications to understand feasibility.
  4. A survey using a questionnaire, conducted by an organization or authority, to understand the extent to which the NN framework is being followed.
  5. Third-party research contributions and contributions from consumer rights groups may be used to understand the extent to which the NN framework is being followed, and the behaviour of ISPs may be regulated accordingly.
  6. An authority or a similar specialised monitoring institution may be appointed or created. This institution may take suo motu cognizance of any NN framework violation.

TRAI’s consultation paper essentially takes into account three mechanisms for implementing the NN framework: a self-regulatory approach; regulation by way of complaints from consumers, third parties, etc. (essentially an adjudicatory approach); and lastly an implementing-institution based approach. The relative importance of these approaches in the Indian context depends on multiple aspects, such as the legal mechanism adopted to implement the NN framework, the technology used to assess violations, etc.

Pros and cons of TRAI’s approaches

Self-regulatory mechanism

Under this approach TRAI seeks to define Quality of Service (QoS) standards. These QoS standards, along with self-regulatory guidelines, could then be implemented by an internally assigned mechanism within the ISPs. This approach is followed in Norway. There it involves allowing all licensed providers of Internet services to follow a voluntary mechanism for adhering to the core principles of NN as identified through this process, with a self-regulatory monitoring mechanism that functions under the overall guidance of the Authority.

The primary concern in adopting this mechanism is that it will create conflicts of interest, in part because self-regulation may favour the interests of the industry over the interests of stakeholders and the public.[1] This is more so considering that there is a culture of rewarding such behaviour in this industry.[2] Further, this approach limits accountability and transparency, as there is no mechanism of checks: no external agency composed of individuals with interests contrary to those of the ISP can oversee actions under this approach. Additionally, the lack of any established mechanism to detect violations of the self-regulatory mechanism by ISPs is also a problem. Lastly, along with being inefficient, this mechanism also increases the overall cost of regulation and of doing business by adding another layer of oversight.[3]

In addition to the above, there are both legal and economic limitations to self-regulation. Some actions of SROs have raised anti-trust concerns in the past when their activities became anticompetitive. For example, the U.S. Department of Justice brought an anti-trust suit against the National Association of Realtors (NAR), which sets the rules for how brokers can access the Multiple Listing Service (MLS), after finding that the NAR restricted Internet brokers from displaying MLS data on their websites.[4]

One economic limitation of self-regulatory organization is the free-rider problem. To be effective, self-regulatory organization may set rules for an industry, including firms that do not participate in the self-regulatory organization. These “outsider” firms obtain all of the benefits of the regulatory regime without paying any of the costs. Bad actors, who want to avoid the rules of the SRO, will also stay outside the system. Such a system is unfair to dues-paying businesses. Some of these limitations make self-regulation an inadequate choice for certain industries without additional government oversight. Many of the limitations of self-regulation, however, can be offset by a well-designed self-regulatory program.[5]

As noted previously, all regulation inherently involves trade-offs among competing values and among costs and benefits. Self-regulation may make more sense in countries like the United States where privacy is often rightly seen as one value among many, with competing trade-offs. However, self-regulation is unlikely to satisfy proponents of government regulation intended to protect something seen as a fundamental right. Countries like France and Germany, where privacy is considered a basic human right, have been early adopters of state regulation to govern the use of data.[6] But consumers in these countries are not necessarily better off. Europe is generally seen as lagging behind the United States in e-commerce, in part because of its privacy regulations.[7] Europe’s strict privacy rules threaten to reduce the potential revenue from online advertising, which will reduce the quantity and quality of content produced for European consumers.[8] Compliance costs for these regulations can be high as well. Viviane Reding, vice president of the European Commission, has stated that the complex and fragmented nature of the data-protection policies in the twenty-seven member states cost businesses 2.3 billion euros annually.[9] Not only do businesses face higher costs, which are then passed on to consumers, but consumers may also miss out on certain online services. For example, strict privacy regulations have led Google to cease developments of its Street View map feature in Germany.[10]

The potential for overregulation also poses a risk to consumers. Unnecessary or inefficient regulation raises production costs for businesses without any corresponding benefits and these costs are ultimately borne by consumers. Government regulation by its nature addresses identified harms, and as such can inadvertently create barriers to innovation or competitive entry when it establishes norms that only address current market participants and practices. Self-regulation can be more efficient for business, and these saving are passed on to consumers. Rulemaking, monitoring, enforcement and remediation processes can also be faster using self-regulation rather than government regulation, which means that consumers are protected sooner.[11]

Regulations may be rigid or flexible, gradual or disruptive. Government regulators may focus on creating rules to protect established interests, rather than creating rules that allow market participants and new entrants to innovate. In contrast, self-regulation benefits the economy by creating a more flexible regulatory environment than is typically found with state regulation. Industry experts review current activities, identify best practices, and develop these into industry guidelines. The guidelines continue to evolve over time in response to feedback from industry leaders. This more flexible regulatory environment may allow firms to operate more efficiently and minimizes compliance costs. Flexible regulations tend to maximize economic efficiency by providing firms multiple pathways for innovation.[12]

Self-regulation may also help businesses internalize ethical behavior and principles since the rules are based on social norms and conduct of peers rather than top-down prescriptive rules. This may help instil deeper respect and acceptance of the rules and result in better firm behaviour, and avoid adversarial situations in which firms try to find exceptions to externally imposed rules.[13]

Opponents of self-regulation may incorrectly assume that self-regulation is necessarily “weaker” than state regulation, either because it has less stringent rules or because it ineffectively enforces its rules. First, self-regulatory organizations can be effective self-policing organizations, particularly when the institutions are designed to eliminate conflicts of interest. Many SROs begin enforcement actions in response to complaints. Businesses provide a high degree of oversight since they regularly monitor the activities of their competitors and have an incentive to report violations.[14]

Self-regulation benefits government and taxpayers. Regulatory processes, including rulemaking, monitoring and enforcement, can be expensive and resource intensive. Self-regulatory organisations may have more resources to deal with the regulatory process than agencies like the FTC. This means, for example, that complaints can be investigated sooner and violations can be resolved more quickly. This benefits government agencies by reducing regulatory overload and allowing them to focus their efforts on more productive activities, such as taking action against bad actors that refuse to follow the rules.[15]

Adjudicatory process

As per the recommendations of TRAI, an adjudicatory approach places the primary focus on consumers, civil society and activists. While TRAI may define the fundamentals of the NN framework, prescribe industry standards and prescribe liability in case these standards are not met, the primary onus of tracing violations of industry standards is on consumers and third-party activists.

Normatively, third parties and civil society have great potential to contribute to the process of regulation. They encourage the development of ethics and of norms of citizenship and subsequently carry them into the field that they help to regulate. They serve as a countervailing power that reduces government control over businesses. Further, they also contribute to the democratization of regulation. The co-option of third parties, consumers and civil society into the government policy-making process, and subsequently into the process of regulation, may empower citizens, give them a voice and help to build political support and legitimacy for the process of regulation. In fact, there are numerous models in the stage of ideation that recommend a tripartite arrangement giving these groups power in the regulatory process by granting them a right to information.[16]

However, there are drawbacks too. This system may create a regulatory vacuum which may be filled by particular interest groups. Further, considering that detecting violations of NN regulations requires considerable technological know-how, it is difficult for this system to determine in absolute terms whether or not the NN framework has been violated. Additionally, the absence of regulation and accountability provisions for these social actors makes ineffective or illegitimate actions by an individual or an organization much more likely. There is a high possibility that these organizations or individuals may resort to undemocratic and unethical means, as they are not democratically accountable for their activities. They are in general less open to public scrutiny than government organizations. In fact, to the extent that they represent a particular interest group, they do not necessarily represent and act in the interest of the wider public.[17]

Funding of multiple organizations might also be an issue. Depending on the interests of the funders, these organizations may strengthen or dilute their stand on a particular issue. This can particularly be seen in the case of multiple NGOs in the USA. NGOs that are supported by USAID tend not to speak out against the interests of the US government, as they fear funding cuts.[18]

Implementation by a regulator

TRAI also proposes a model wherein TRAI, or some other expert organization with regulatory powers and expertise in the concerned field, manages the implementation of the NN framework. In fact, this is the general practice in the EU, where regulators in every country check for violations of the NN framework and impose liability according to the legal provisions.

In the Indian context this will perhaps be the easiest mechanism to implement under the existing legal regime. Under the Prohibition on Discriminatory Tariffs for Data Services Regulation, 2016, the TRAI Act, 1997 and the provisions of the ISP licensing agreement, TRAI is empowered to formulate regulations for implementation of the NN framework. In addition to the legal backing for implementing the NN framework, TRAI is also the agency best equipped with the required technical know-how and resources to implement the framework.[19] Along with these advantages, TRAI, or for that matter any specific agency, also has the following advantages:[20]

  • Parliament cannot effectively pass statutes that are sufficiently detailed to regulate an entire subject matter. While laws may provide a general outline for regulation, the agency rules and regulations make the statutory law more exact.
  • Administrative agencies such as TRAI employ officials who are subject matter experts in the given area of regulation. As such they are often more efficient in developing rules and regulations to govern conduct in the specific area. Their expertise also provides thoroughness and consistency in the development and enforcement of business regulations.
  • Even while executing the quasi-judicial function of adjudicating a certain dispute, individuals unfamiliar with the subject are not relied upon.
  • Agencies often exist to regulate an area in a manner that protects the public interest. Individuals and businesses do not always act in accordance with the public interest.
  • They are accountable to the parliament or other democratic institutions.
  • The will of the people and other stakeholders may also be considered, particularly in the consultation period.

While an implementation process based on administrative agencies provides various benefits, there are numerous disadvantages to relying on these agencies in the rule-making and adjudication process. These agencies have heavy bureaucratic systems which delay efficient formulation and implementation of rules and regulations. Further, considering that this particular field is rapidly changing, an administrative lag due to heavy bureaucratic machinery is undesirable. This could have negative implications for the business of TSPs and also increase the cost of doing business. Consequently, there may be a negative impact on other stakeholders such as government, consumers and dependent businesses.[21]

Proposed system

Considering the above analysis, it is advisable to implement a hybrid system. While TRAI or an agency of a similar nature may be given the leading role in formulating the NN framework, implementing it, adjudicating disputes and imposing appropriate penalties, other stakeholders, consumers and third parties may be given a consultative role. The rules and regulations of the NN framework should be revisited time and again through a process of consultation with all the stakeholders of this industry, and necessary amendments should be made. Further, it should be the statutory duty of the authority to assess all the advice received during the consultation process and release a reasoned document stating the reasons for considering or not considering a certain piece of advice. This system, if implemented in a time-bound manner, will ensure efficient management of the NN framework and will assist in the overall development of the market.

In addition to the above-mentioned mechanism, there must be an adjudicatory authority that can entertain complaints with respect to NN framework violations and penalise ISPs accordingly. This leaves room for implementing the NN framework with the help of consumers, third parties and civil society.

Lastly, the idea of self-regulation by ISPs can be ruled out. This is because there is already a robust system in place, and having provisions for self-regulation would merely amount to adding a further layer of implementation. This would be cost-inefficient and perhaps unnecessary.

________________________________________________________________________

[1] http://hbswk.hbs.edu/item/industry-self-regulation-whats-working-and-whats-not

[2] http://pogoblog.typepad.com/pogo/2011/07/three-problems-with-self-regulation.html

[3] http://www.itif.org/files/2011-self-regulation-online-behavioral-advertising.pdf

[4] U.S. Department of Justice, “United States v. National Association of Realtors,” n.d., http://www.justice.gov/atr/cases/nar.htm (accessed July 22, 2011).

[5] Thomas A. Hemphill, “Self-regulating industry behavior: Antitrust limitations and trade association codes of conduct,” Journal of Business Ethics 11, no. 12 (1992).

[6] Francesca Bignami, “The Non-Americanization of European Regulatory Styles: Data Privacy Regulation in France, Germany, Italy, and Britain,” Center for European Studies Working Paper Series #174 (2010), 11.

[7] See for example, Robert D. Atkinson et al., “The Internet Economy 25 Years After .com,” Information Technology and Innovation Foundation (March 2010), http://www.itif.org/files/2010-25-years.pdf.

[8] Avi Goldfarb and Catherine E. Tucker, “Privacy Regulation and Online Advertising,” (2010), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1600259.

[9] Viviane Reding, “Building trust in the Digital Single Market: Reforming the EU’s data protection rules,” Conference organized by the Industry Coalition for Data Protection, Brussels, November 28, 2011, http://ec.europa.eu/commission_2010-2014/reding/pdf/speeches/data-protection_en.pdf.

[10] Erica Ho, “Alas, there Will Be No More Google Street View in Germany,” Time.com, April 11, 2011, http://techland.time.com/2011/04/11/alas-there-will-be-no-more-google-street-view-in-germany/.

[11] EPA’s Audit Policy, U.S. Environmental Protection Agency (January 31, 2011),

[12] “Code of Responsible Practices,” Distilled Spirits Council of the United States, May 26, 2011, http://www.discus.org/pdf/May_26_2011_DISCUS_Code_Word_Version.pdf.

[13] Federal Trade Commission, “Self-Regulation in the Alcohol Industry,” June 2008, http://www.ftc.gov/os/2008/06/080626alcoholreport.pdf.

[14] For example, the FTC noted in one report that “It is not clear…that the presence of company representatives on the review boards inherently biases the complaint process in industry’s favor. DISCUS’s review board, composed solely of industry members, rejected alcohol advertisements more often than did the Beer Institute’s review board.” Federal Trade Commission, “Self-Regulation in the Alcohol Industry,” June 2008, http://www.ftc.gov/os/2008/06/080626alcoholreport.pdf.

[15] Federal Trade Commission, “Self-Regulation in the Alcohol Industry,” June 2008, http://www.ftc.gov/os/2008/06/080626alcoholreport.pdf.

[16] Enderl and Peters, (1998:8).

[17] http://www.lse.ac.uk/accounting/carr/pdf/dps/disspaper26.pdf

[18] https://www.oecd.org/gov/regulatory-policy/1910833.pdf

[19] http://www.repository.law.indiana.edu/cgi/viewcontent.cgi?article=3130&context=ilj

[20] http://thebusinessprofessor.com/knowledge-base/advantages-of-administrative-agencies/

[21] http://thebusinessprofessor.com/knowledge-base/disadvantages-of-administrative-regulations/