Corporate Accountability News Highlights: India’s Supreme Court issues landmark privacy verdict, Yahoo to face civil suit for data breaches, Chinese government’s crackdown on free speech online continues

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Privacy is a fundamental right, says India’s top court

Image by MohitSingh (Licensed CC BY 3.0)

In a landmark decision, India’s Supreme Court has ruled that privacy is a fundamental right, protected by the country’s constitution. The case stems from a legal challenge to the Indian government’s controversial new biometric database, Aadhaar, which is the largest of its kind in the world. Individuals must enroll in this database—which requires submitting their fingerprints, iris photographs, and facial photographs—in order to obtain a variety of government services, including paying taxes or receiving a government subsidy. According to The Atlantic, this makes it “almost impossible to live in India without enrolling.”

Privacy advocates in India petitioned the court over the program’s privacy risks to individuals enrolled in Aadhaar. In its ruling that privacy is a fundamental right, the court also overturned previous cases which said it was not. The court did not rule on the legality of Aadhaar itself, which will be considered separately. Advocates also anticipate the case will also have an impact on tech companies’ collection and use of user data. “These companies must brace for [legal action],” Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, told CNN. “Individuals who are unhappy with the treatment of their personal information can now take them to court, because it is an infringement of a fundamental right.”

The Corporate Accountability Index contains 18 indicators measuring companies’ disclosure of policies affecting users’ privacy, and whether these policies and commitments demonstrate the concrete ways companies respect and protect the privacy rights of users. Indicators in this category are based on standards established by the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights and other international human rights instruments, which guarantee privacy as a fundamental human right. However, national laws and regulations can have a significant impact on a company’s policies affecting users’ privacy. As noted in our recommendations, governments should work with the private sector and civil society to ensure that legal and regulatory frameworks make it possible for companies to respect digital rights.

Yahoo to face civil suit for data breaches

Yahoo will face a class action lawsuit over two major data breaches that affected more than one billion accounts, according to a new court ruling. The company suffered separate data breaches in 2013 and 2014, during which hackers stole user information, including passwords and personal details. A class action lawsuit was filed on behalf of those affected by the data breaches, on grounds that Yahoo did not adequately protect users’ information or provide timely notification to users about the breaches. Yahoo sought to dismiss the case, arguing that plaintiffs did not have legal standing to sue. But a U.S. district judge ruled that the lawsuit can proceed on the grounds that plaintiffs have “alleged a risk of future identity theft, in addition to loss of value of their personal identification information.”

Data breaches are on the rise, and given the vast amount of personal information that users trust internet, mobile, and telecommunications companies with, it is important that companies disclose what processes they have in place for addressing and mitigating the impact of such breaches when they occur. The 2017 Corporate Accountability Index found that only three of the 22 companies we evaluated—AT&T, and Vodafone, and Telefónica—disclosed any information about their process for responding to data breaches.

Chinese government announces ban on anonymous online comments

In its latest crackdown on online expression, the Chinese government announced a new regulation that bans internet users from posting comments online anonymously. The regulation, which comes into effect October 1, requires online platforms that allow users to comment on original content to verify users’ identities in order to leave comments. Online platforms will also be responsible for pre-screening comments related to news stories before they are published.

The measure comes as part of the government’s ongoing efforts to restrict freedom of expression online before the 19th Communist Party Congress on October 18. Over the past several months, the Chinese government has also ordered app store companies to remove unauthorized Virtual Private Networks (VPNs) from their Chinese app stores and investigated Chinese internet companies for content posted on their services deemed “disruptive to the social order.” A 26-year-old man in China was recently sentenced to nine months in prison for creating and distributing VPNs.

The ability to communicate anonymously is essential to freedom of expression. As noted in our recommendations, governments should respect the right to anonymous online activity and should refrain from requiring companies to document users’ identities when it is not essential to the provision of service. The Index methodology looks for companies to allow use of their services without requiring users to verify their identity with their government-issued identification, or other forms of identification that could be connected to their offline identity. Of the two Chinese internet companies evaluated, Baidu and Tencent, both disclosed policies requiring users to verify their identities. Baidu disclosed that it requires users to verify their identity with a government-issued ID for all services and Tencent disclosed that it may, depending on applicable laws, require users to verify their identity with a government-issued ID. Both of these companies are already required by law to do so. The new regulation imposes this legal requirement on additional online platforms and services, such as discussion forums.

Leave a Reply