Why large digital platforms opposing the DSA ?

• A wide range of proposals seeks to ensure that the negative social impact arising from many of the practices followed by the Internet giants is minimised or removed.
•  Online platforms and intermediaries such as Facebook, Google, YouTube, etc will have to add “new procedures for faster removal” of content deemed illegal or harmful. This can vary according to the laws of each EU Member State.
• Further, these platforms will have to clearly explain their policy on taking down content; users will be able to challenge these takedowns as well. Platforms will need to have a clear mechanism to help users flag content that is illegal. Platforms will have to cooperate with “trusted flaggers”.
• Marketplaces such as Amazon will have to “impose a duty of care” on sellers who are using their platform to sell products online.
• They will have to “collect and display information on the products and services sold in order to ensure that consumers are properly informed.”
• The DSA adds “an obligation for very large digital platforms and services to analyse systemic risks they create and to carry out risk reduction analysis”. This audit for platforms like Google and Facebook will need to take place every year.
• Companies will have to look at the risk of “dissemination of illegal content”, “adverse effects on fundamental rights”, “manipulation of services having an impact on democratic processes and public security”, “adverse effects on gender-based violence, and on minors and serious consequences for the physical or mental health of users.”
• The Act proposes to allow independent vetted researchers to have access to public data from these platforms to carry out studies to understand these risks better.
• The DSA proposes to ban ‘Dark Patterns’ or “misleading interfaces” that are designed to trick users into doing something that they would not agree to otherwise.
• This includes forcible pop-up pages, giving greater prominence to a particular choice, etc.
• The proposed law requires that customers be offered a choice of a system which does not “recommend content based on their profiling”.
• The DSA incorporates a new crisis mechanism clause — it refers to the Russia-Ukraine conflict — which will be “activated by the Commission on the recommendation of the board of national Digital Services Coordinators”. However, these special measures will only be in place for three months.
• This clause will make it “possible to analyse the impact of the activities of these platforms” on the crisis, and the Commission will decide the appropriate steps to be taken to ensure the fundamental rights of users are not violated.
• The law proposes stronger protection for minors, and aims to ban targeted advertising for them based on their personal data.
• It also proposes “transparency measures for online platforms on a variety of issues, including on the algorithms used for recommending content or products to users”.
• Finally, it says that cancelling a subscription should be as easy as subscribing.

When DSA will be adopted by the European Union?

• The DSA is likely to be adopted by the EU Parliament in the next few months. Once adopted, “it will apply from fifteen months or from January 1, 2024, whichever is later”.
• Building upon the European Pillar of Social Rights, these declarations are deeply rooted into the EU law such as the “Treaties to the Charter of Fundamental rights”.
• The EU is considered to be one of the strictest with respect to digital rights laws, it already has in place the GDPR (General Data Protection Regulation) which binds every online platform be it a website or an app to conform to certain stringent principles so as to protect the consumer.
• The European Commision of the EU (European Union) has proposed one if its kind a declaration of digital rights and principles to the European Parliament.
• The draft declaration addresses key rights and concepts for the digital transformation, including putting people and their rights at the centre, promoting solidarity and inclusion, securing online freedom of choice, cultivating involvement in the digital public space, increasing individual safety, security, and empowerment, and encouraging the digital future’s sustainability.
• These rights and concepts should complement individuals in the EU in their daily lives: affordably priced and high speed online connectivity everywhere and for everyone, well equipped schools and digitally skilled educators, smooth access to public services, a secure digital atmosphere for children, disconnecting after work time, obtaining easily understandable information about the environmental impact of our digital goods, and controlling how their personal information is used.

Where India’s data protection law differs with Europe GDPR?

• Anonymous information
• EU: Principles of data protection do not apply to anonymous information since it is impossible to tell one from another
• India: Non-personal data must come under the ambit of data protection law such as non-personal data

 Punishment

• EU: No jail terms. Fines up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year
• India: Jail term of up to 3 years, fine of Rs 2 lakh or both if de-identified data is re-identified by any person.

Similarity

Consent

EU: Users must have informed consent about the way their data is processed so that they can opt in or out.
India: Processing of data should be done in a fair and transparent manner, while also ensuring privacy

  Breach

•  EU: Supervisory authority must be notified of a breach within 72 hours of the leak so that users can take steps to protect information
•  India: Data Protection Authority must be informed within 72 hours; DPA will decide whether users need to be informed and steps to be taken

Transition period

•  EU: Two-year transition period for provisions of GDPR to be put in place
• India: 24 months overall; 9 months for registration of data fiduciaries, 6 months for DPA to start

  Data fiduciary

•  EU: Data fiduciary is any natural or legal person, public authority, agency or body that determines purpose and means of data processing
• India: Similar suggestions; additionally, NGOs which also process data to be included as fiduciaries

• It has been clarified that the platforms and other intermediaries will not be liable for the unlawful behaviour of users. So, they still have ‘safe harbour’ in some sense.
• However, if the platforms are “aware of illegal acts and fail to remove them,” they will be liable for this user behaviour. Small platforms, which remove any illegal content they detect, will not be liable.
• India’s IT Rules announced recently make the social media intermediary and its executives liable if the company fails to carry out due diligence.
• Rule 4 (a) states that significant social media intermediaries — such as Facebook or Google — must appoint a chief compliance officer (CCO), who could be booked if a tweet or post that violates local laws is not removed within the stipulated period.
• India’s Rules also introduce the need to publish a monthly compliance report. They include a clause on the need to trace the originator of a message — this provision has been challenged by WhatsApp in Delhi High Court.
• As per the IT Rules, 2021, that came into effect last year, social media companies like Facebook and Twitter are mandated to appoint India-based resident grievance officers as part of their due diligence as ‘intermediaries’ who enjoy legal immunity from third-party content on their platform. These officers are responsible for overseeing the grievance redressal mechanism of complaints from the people who use their services.
• The IT Rules, 2021 provide for a robust grievance redressal mechanism. However, there have been many instances that grievance officers of intermediaries either do not address the grievances satisfactorily and/or fairly.
• In such a scenario, the need for an appellate forum has been proposed to protect the rights and interests of users.

How GDPR will impact India?

• The GDPR has global implications as it applies to those outside the E.U. who either monitor the behaviour of EU residents or sell goods and services to them.
• The E.U. bloc is India’s largest trading partner, with bilateral trade in services alone running upwards of €28 billion (Rs.2.2 lakh crore).
• Therefore it will have a significant impact on Indian IT firms and other service providers with E.U. business.
• But only a third of Indian IT firms are making arrangements for the GDPR and a third unaware of such a law.
• This will likely mean fines, loss of business and missed opportunities, as well as diplomatic wrangling in trade talks between India and the E.U.

GDPR

• The GDPR redefines the understanding of the individual’s relationship with their personal data.
• It relates to an identifiable living individual and includes names, email IDs, ID card numbers, physical and IP addresses.
• This law grants the citizen substantial rights in his/her interaction with
• Data controllers - Those who determine why and how data is collected such as a government or private news website.
• Data processors - Those who process the data on behalf of controllers, such as an Indian IT firm to which an E.U. firm has outsourced its data analytics.

Digital rights in India

• Digital rights in India are not as clearly laid out or structured as in some other parts of the world. Instances have been witnessed when the government has tried to bring in regulations and codification of these rights.
• For example the “Data Protection Bill” is still in making and is expected to be tabled sooner in the Parliament of India.
• Various High Courts as well as the Supreme Court of India has stipulated the inherent existence of a few digital rights within the current Fundamental Rights present in the Constitution of India.
• For example the “Right to access Internet” is a fundamental right available to Indian citizens under the following articles:
• Article 19: Right to freedom of Speech, Expression, Peaceful Assembly, Form Associations/Unions, Move Freely, Reside, Profession etc.
• Article 21: Right to Life and Personal Liberty
• Article 21A: Right to Education
• Similarly, the “Right to Privacy” comes under the broader ambit of Article 21 too.