#FactCheck-Mosque fire in India? False, it's from Indonesia

Recognizing As the Ministry of Electronic and Information Technology (MeitY) continues to invite proposals from academicians, institutions, and industry experts to develop frameworks and tools for AI-related issues through the IndiaAI Mission, it has also funded two AI projects that will deal with matters related to deepfakes as per a status report submitted on 21st November 2024. The Delhi court also ordered the nomination of the members of a nine-member Committee constituted by the MeitY on 20th November 2024 (to address deepfake issues) and asked for a report within three months.‍

Funded AI projects :

The two projects funded by MeitY are:

1. Fake Speech Detection Using Deep Learning Framework- The project was initiated in December 2021 and focuses on detecting fake speech by creating a web interface for detection software this also includes investing in creating a speech verification software platform that is specifically designed for testing fake speech detection systems. It is set to end in December 2024. 
2. Design and Development of Software for Detecting Deepfake Videos and Images- This project was funded by MeitY from January 2022 to March 2024. It also involved the Centre for Development of Advanced Computing (C-DAC), Kolkata and Hyderabad as they have developed a prototype tool capable of detecting deepfakes. Named FakeCheck, it is designed as a desktop application and a web portal aiming to detect deepfakes without the use of the internet. Reports suggest that it is currently undergoing the testing phase and awaiting feedback.

‍

Apart from these projects, MeitY has released their expression of interest for proposals in four other areas which include: 

• Tools that detect AI-generated content along with traceable markers,
• Tools that develop an ethical AI framework for AI systems to be transparent and respect human values,
• An AI risk management and assessment tool that analyses threats and precarious situations of AI-specific risks in public AI use cases and;
• Tools that can assess the resilience of AI in stressful situations such as cyberattacks, national disasters, operational failures, etc. 

CyberPeace Outlook

Deepfakes pose significant challenges to critical sectors in India, such as healthcare and education, where manipulated content can lead to crimes like digital impersonation, misinformation, and fraud. The rapid advancement of AI, with developments (regarding regulation) that can’t keep pace, continues to fuel such threats. Recognising these risks, MeitY’s IndiaAI mission, promoting investments and encouraging educational institutions to undertake AI projects that strengthen the country's digital infrastructure comes in as a guiding light. A part of the mission focuses on developing indigenous solutions, including tools for assessment and regulation, to address AI-related threats effectively. While India is making strides in this direction, the global AI landscape is evolving rapidly, with many nations advancing regulations to mitigate AI-driven challenges. Consistent steps, including inviting proposals and funding projects provide the much-needed impetus for the mission to be realized.

References

1. https://economictimes.indiatimes.com/tech/technology/meity-dot-at-work-on-projects-for-fair-ai-development/articleshow/115777713.cms?from=mdr
2. https://www.hindustantimes.com/india-news/meity-seeks-tools-to-detect-deepfakes-label-ai-generated-content-101734410291642.html
3. https://www.msn.com/en-in/news/India/meity-funds-two-ai-projects-to-detect-fake-media-forms-committee-on-deepfakes/ar-AA1vMAlJ
4. https://indiaai.gov.in/

‍

Procedural History: 

‍

The case started with a 2011 Madras High Court ruling that included the appellant’s personal information. In the case discussed, the court decided in 2024, the appellant went to the Madurai Bench of the Madras High Court to request that his name and other identifying information from that previous ruling be redacted. He argued that his right to privacy under Article 21 of the Indian Constitution was violated by the ongoing release of such private information into the public arena. He claimed that the revelation had hurt him in real ways, such as having his application for an Australian visa denied. Therefore, without compromising the ideals of open justice, the current procedures aimed to have the court recognize a person’s “Right to be Forgotten” within a broader framework of privacy and data protection.

‍

Background and Factual Matrix

‍

The appellant was charged under Sections 417 and 376 of the IPC. The trial court convicted him in 201, but later, the High Court in 2014 fully, completely and unconditionally acquitted him, which was not based on the benefit of doubt. Following the acquittal, he remarried and has three children. The judgment of both the High Court and the Trial Court has personal and intimate details about him. Being available in the public domain has caused him significant repercussions, as he was denied a visa to travel to Australia by authorities, citing the criminal cases. The appellant has filed a plea seeking a mandamus directing the Registrar General, Additional Registrar General, and Registrar (IT-Statistics) as R1, R2, R3 to redact his name and other identities from the acquittal judgment. He has sought a direction from Ikanoon Software Development Private Limited (R4) to reflect the redaction in its publication. 

‍

Issue 

‍

1. Whether a writ of mandamus can lie against a High Court for redaction of personal details from its own judgment, or does such a prayer tantamount to a High Court issuing a writ against itself?
2. Whether the High Court, being a Court of Record under Article 215 of the Indian Constitution, is entitled to preserve its record for perpetuity in its original form without any modification or redaction?
3. Whether the ‘Right to be Forgotten' can be recognised and enforced in the absence of a specific statutory provision or Supreme Court direction, given that it constitutes an exception to the fundamental principle of open courts and open justice?

‍

Adjudication and Reasoning

The division bench has allowed the Writ appeal and granted the following relief:

1. R4 directed to take down the judgment in Crl.A. (MD) No.321 of 2011 dated 30.04.2014 forthwith.
2. R1 to R3 directed to redact the name and other details of the Writ Petitioner relating to his identity from the judgment dated 30.04.2014 in Crl.A.(MD) No. 321 of 2011 and ensure that only the redacted judgment is available for publication or for uploading.

‍

Rule 

‍

1. Courts have a wide discretion in deciding whether to allow redaction or not. Such discretion can either be granted at the request of the party seeking redaction or, in appropriate cases, even suo moto by the court.
2. The accused who have earned full, complete and unconditional acquittal without any benefit of doubt have a legitimate claim to move forward for redaction of personal information.
3. The open Court doesn’t require absolute disclosure of all personal information, and the courts, while deciding the concern of privacy and the right to ensure that in litigations to leave behind parts of their past which are no longer relevant, have to balance the concept of open Court on the one hand and privacy concerns of a citizen on the other.
4. As the High Court is the repository of a wide range of information and is entitled to preserve the original record in perpetuity. However, without diluting the sanctity of the original record, the public reflection of that record can be moderated to preserve the privacy of the person to whom that record pertains.

‍

Reasoning 

‍

1. Drawing on the judgment K.S. Puttaswamy v. Union of India, the court found Article 21 to protect not only informational privacy but also the "right to be forgotten," which gives individuals the right to request the deletion of any personal data when there is no longer any legitimate public interest in retaining such information. Such irreparable reputational damage is thus an infringement on constitutional privacy that demands judicial redaction. 
2. The court rejected the argument that a writ against its own order is impermissible, drawing a distinction between challenging the legal correctness of a judgment and seeking redaction of personal information. Allowing redaction will not question the validity of the judgment; rather, it will simply change its public appearance to ensure privacy.
3. Since a High Court is a Court of Record with an obligation to preserve its judgments in their unaltered form forever, the court held here that such internal maintenance of complete records was not incompatible with the issuance of a redacted public version. Institutional integrity is maintained when the original kept in the archives is supplemented with a public version that masks the privacy areas.
4. Open justice principles work to establish transparency, accountability, and public confidence, but these are not absolute. The court took a proportionality stance: personal identifiers, where they neither educate nor have precedential value and continue to inflict harm, may be expunged without affecting the established legal principles of judgment.
5. Although the DPDP Act exempts courts from several statutory obligations, the court held that it can, by virtue of its inherent discretion, protect personal data, and in so doing, exercise that power without the need for any legislative command. Traditionally the Madras High Court rules provide for the possibility of restriction of certified copies, thus establishing redaction as feasible both legally and administratively.

‍

Introduction

The Digital Personal Data Protection (DPDP) Act, of 2023, introduces a framework for the protection of personal data in India. Data fiduciaries are the entity that essentially determines the purpose and means of processing of personal data. The small-scale industries also fall within the ambit of the term. Startups/Small companies and Micro, Small, and Medium Enterprises (MSMEs) while determining the purpose of processing of personal data in the capacity of ‘data fiduciary’ are also required to comply with the DPDP Act provisions. The obligations set for the data fiduciary will apply to them unilaterally, though compliance with this Act and can be challenging due to resource constraints and limited expertise in data protection. 

DPDP Act, 2023 Section 17(3) gives power to the Central Government to exempt Startups from being obligated to comply with the Act, taking into account the volume and nature of personal data processed. It is the nation's first standalone law on data protection and privacy, which sets forth strict rules on how data fiduciaries can collect and process personal data, focusing on consent-based mechanisms and personal data protection. Small-scale industries are given more time to comply with the DPDP Act. The detailed provisions to be notified in further rulemaking called ‘DPDP rules’.

Obligations on Data Fiduciary under the DPDP Act, 2023

The DPDP Act focuses on processing digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto. Hence, small-scale industries also need to comply with provisions aimed at protecting digital personal data.

The key requirements to be considered:

• Data Processing Principles: Ensuring that data processing is done lawfully, fairly, and transparently. Further, the collection and processing of personal data is only for specific, clear, and legitimate purposes and only the data necessary for the stated purpose. Ensuring that the data is accurate and up to date is also necessary. An important part is that the data is not retained longer than necessary and appropriate security measures are taken to protect the said data.
• Consent Management: Clear and informed consent should be obtained from individuals before collecting their personal data. Further, individuals have the option to withdraw their consent easily.
• Rights of Data Principals: Data principals (individuals) whose data is being collected have the right to Information, the right to correction and erasure of data, the right to grievance redressa, Right to nominate.the right to access, correct, and delete their personal data. Data fiduciaries need to be mindful of mechanisms to handle requests from data principals regarding their concerns.
• Data Breach Notifications: Data fiduciaries are required to notify the data protection board and the affected individuals in case a data breach has occurred.
• Appropriate technical and organisational measures: A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder.Cross-border Data Transfers: Compliance with regulations in relation to the transfer of personal data outside of India should be ensured.

Challenges for Small Scale Industries for the DPDP Act Compliance 

While small-scale industries have high aims for their organisational growth and now in the digital age they also need to place reliance on online security measures and handling of personal data, with the DPDP act in the picture it becomes an obligation to consider and comply with. As small-scale industries including MSMEs, they might face certain challenges in fulfilling these obligations but digital data protection measures will also boost the competitive market and customer growth in their business. Bringing reforms in methods aimed at better data governance in today's digital era is significant. 

One of the major challenges for small-scale industries could be ensuring a skilled workforce that understands and educates internal stakeholders about the DPDP Act compliances. This could undoubtedly become an additional burden.

Further, the limited resources can make the implementation of data protection, which is oftentimes complex for a layperson in the case of a small-scale industry, difficult to implement. Limitations in resources are often financial or human resources.

Cybersecurity, cyber awareness, and protection from cyber threats need some form of expertise, which is lacking in small enterprises. The outsourcing of such expertise is a decision that is sometimes taken too late, and some form of harm can take place between the periods by which an incident can occur.

Investment in the core business or enterprise many times doesn't include technology other than the basic requirements to run the business, nor towards ensuring that the data is secure and all compliances are met. However, in the fast-moving digital world, all industries need to be mindful of their efforts to protect personal data and proper data governance.

Recommendations 

To ensure the proper and effective personal data handling practices as per the provisions of the act, the small companies/startups need to work backend and frontend and ensure that they take adequate measures to comply with the act. While such industries have been given more time to ensure compliance, there are some suggestions for them to be compliant with the new law.

Small companies can ensure compliance with the DPDP Act by implementing robust data protection policies, investing in and providing employee training on data privacy, using age-verification mechanisms, and adopting privacy-by-design principles. Conduct a gap analysis to identify areas where current practices fall short of DPDP Act requirements. Regular audits, secure data storage solutions, and transparent communication with users about data practices are also essential. Use cost-effective tools and technologies for data protection and management.

Conclusion

Small-scale industries must take proactive steps to align with the DPDP Act, 2023 provisions. By understanding the requirements, leveraging external expertise, and adopting best practices, small-scale industries can ensure compliance and protect personal data effectively. In the long run, complying with the new law would lead to greater trust and better business for the enterprises, resulting in a larger revenue share for them.

References

• https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1959161 
• https://www.financialexpress.com/business/digital-transformation-dpdp-act-managing-data-protection-compliance-in-businesses-3305293/ 
• https://economictimes.indiatimes.com/tech/technology/big-tech-coalition-seeks-12-18-month-extension-to-comply-with-indias-dpdp-act/articleshow/104726843.cms?from=mdr 

‍