- Question the government’s intent to conduct KYC and the manner of its gradation.
- How KYC will function in specific cases like accessing CBDC
- Test whether KYC passes the test of proportionality
- Allow for the right to anonymity and anonymous speech
- Highlight the need for a data protection law before such measures are taken
MediaNama organised a discussion on the draft Telecommunications Bill 2022, on October 18, 2022. The experts attending the event at the India Habitat Centre gave excellent insights and recommendations about the Bill. You can watch the video of the event here.
Among other things, participants discussed the mandatory KYC identification imposed on platforms that will compel every user to identify themselves on the internet. Speakers talked about how this call for KYC despite pre-existing provisions in other laws arguably infringe basic rights of privacy and free speech and do not withstand the argument of proportionality. Here’s the detailed account of the conversation:
FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.
Privacy issues around KYC
One speaker argued that unequivocal identification from every level of service creates more data than the government may necessarily need. Already, some amount of KYC is required for a phone connection. The speaker argued that such measures that restricts data to like one service provider are satisfactory. He said that asking every entity downstream thereafter to continue with KYC goes against some fundamental principles that data protection laws generally talk about.
Illustrating the issue, Aastha, a financial services lawyer at Ikigai Law, said, “In some cases it makes sense when we talk about crypto currency transactions and anonymity. When we talk about financial services, it makes sense. But when I talk about buying goods from Amazon or messaging, do you really need to conduct my KYC before I do that, I find that absurd.”
- Ask the government: why it needs a telecom service provider, whoever is covered under the definition, to conduct KYC and how will that KYC be graded?
- Ask whether it will be equivalent to the KYC that a financial service provider does under the KYC master durations that RBI prescribed or will it be like just collecting just OTP-based KYC?
- This gradation will likely defer based on the type of telecom services provided.
KYC allows greater government access: Participants talked about the data localization requirement and regulations for the collection of any sensitive personal data. One speaker voiced concern that WhatsApp and other organisations are made to collect KYC data then store it within India. She said the Telecom Bill allows the government the power to intercept messages, take possession of telecom infrastructure.
“Effectively, our private data is under a greater threat of privacy from the government itself. It’s easier for the government to take and intercept KYC data from the organizations because it’s being stored locally,” she said.
Earlier, Estonia had tried to ID everyone on the internet for every service. As it turned out, Russia later hacked into their data.
- As argued during the Puttaswamy case, the government has to prove proportionality in the action. As a speaker explained, it cannot treat everybody as a potential criminal.
KYC, a threat to anonymity
One speaker pointed out how the Indian government has a very one-dimensional perspective on anonymity and which contributes to cyber security and national security risks. Anonymity gives a person certain protections especially vulnerable users, representatives from minority groups.
“The idea is that they can selectively disclose parts of their identity to platforms, services, and other users when they interact with one another because of disclosure of any element of identity can bring value, but also carries a certain element of risk,” he said.
One speaker observed that the Ministry had argued for KYC to “help prevent spam and prevent scams.” However, if telecom is a space where everyone is already “KYCed” why aren’t scams and spam being prevent, he asked.
Speakers talked about earlier incidents like how Korea in 2007-08 passed a law with a real name requirement for websites and bloggers. The Korean Court later struck down this law. Similarly, Facebook also had a real name policy which failed.
“The stated objective is that of preventing cyber fraud and the ills of anonymity. If you are saying, okay let’s exclude the KYC requirement for OTTs from here, where they’re going to cram it up into is in the Digital India Act. So this is probably the first sort of move that’s being done. So we have to be careful of what we are proposing and what we are holding back on,” said one speaker.
- The Government of India must nuance the idea of anonymity over the internet from both a risk perspective and understand that there are certain individual and community based rights associated with that concept.
- Use specific examples like Central Bank Digital Currency (CBDC). Ask the government how Bills like the Telecom Bill ensure anonymity in such cases. How will conducting KYC for each and everything, solve/ interact with conflicts like ensuring anonymity when accessing CBDC?
- Be mindful that the proposal to remove KYC requirement for OTT from this Bill will likely redirect it to the Digital India Act.
“A push towards making all digital services verify people’s identity will sort of curtail that right, in a thoroughly like disproportionate manner and that needs to be evaluated in my mind,” said a speaker.
An observation in favour of KYC: One speaker pointed out that in 2008-09, telecom operators were told that they have to give any new SIM card against another, or any government identification. While there was a lot of resistance due to the added load, bomb hoax calls went from an average of 250 to 300 calls a year in pre-2008 times to single digit calls by 2011.
“So just for all the other concerns and privacy, there was a great customer convenience. The times you’ve hung out in the airport because there was a bomb hoax call because somebody from somewhere just picked up a phone and did it. There is a little bit of a counterpoint that one must keep in mind,” he said.
Focus on making KYC effective first: One speaker pointed out that fraudsters have figured out ways to beat systems such as biometric scanning etc. To deal with this, the Department of Telecommunications is using ASTR, a facial recognition system where all the photographs that go on your Customer Acquisition Form for telecom are scanned first. People who’ve got more than their authorized share of numbers are gotten rid of. Recently, such a police exercise was reported in Nuh, Haryana.
“So we get these cases that have been brought to our notice. These are actually challenges that the government is trying to fix because of late, particularly in COVID times, the amount of financial frauds actually that have gone up are significant and have made the government sit up. So what would be good is to suggest how to improve the KYC rather than make it more effective,” he said.
KYC and right to free speech
One speaker argued that KYC in this context is also grounds for challenge using Anuradha Basin principles where you can try to argue that this would become a disproportionate restriction on the right to carry out your business or even communicate. He argued that the ability to communicate itself also can be part of the right of freedom of expression as can right to be anonymous.
Do we have a right to be anonymous? Speaking about basic rights, one legal expert agreed that people do have a right to anonymous speech but it is subject to national security, public order arguments, etc. However, even in case of exceptions, the government has to prove proportionality for the action implemented.
Discussing KYC regulation without PDPB is putting cart before the horse
Speaking on regulatory overlap, one speaker pointed out that that there is scope for regulatory arbitrage which again is not good for governments, consumers or industry players. This is because India still has not “settled on the shape and format of its data protection law.”
“And in this bill, I think we will end up hard coding a lot of things that have implications on how that can be framed and whether we can frame a strongly type,” she said.
- Decide principles before we decide exceptions. In terms of framing regulation, you set a baseline and then you figure out what you carve out.
KYC and Jurisdiction
One speaker wondered whether the degree of KYC would differ based on the kind of service provided. She pointed out this would mean talking about the fragmentation of the internet, and slicing and dicing of services provided on the internet with differential regulation.
“For instance, for someone who’s shopping on an e-commerce website versus someone who’s watching content versus someone who’s quote unquote communicating interpersonally, are there differential degrees of KYC required and that question then kind of applies to across the bill itself, right? Are there differential degrees of regulation required and then if the answer to that is yes, are we principally accepting a future where there is fragmentation of the internet effectively, and that’s kind of where we’re going,” she said.
The Bill has no policy and does not explain what kind of norm should be followed for a particular sort of service that requires KYC. Even the civil liabilities have been completely given off to the government so they can, describe what a civil liability is, the definition part of it, and the compensation and penalty part of it. This needs to be addressed.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
- Draft Telecom Bill 2022: Will The Provisions Create A Regulatory Overlap? #NAMA
- Draft Telecom Bill: Can The Provision To Intercept Communications Be Legally Challenged? #NAMA
- Draft Telecom Bill 2022: Definitions Need To Be Narrowed Down And Specific #NAMA
- Draft Telecom Bill 2022: Are The Licensing Provisions Overly Broad? #NAMA