
ILNU MUN 2.

Letter from the Executive Board

Respected Parliamentarians,

It gives us immense pleasure to welcome you to the ‘Lok Sabha’ Committee which is to be simulated at
MPSMUN 2022. We welcome you all and congratulate you on being a part of this committee. The committee
would focus on political intellect and analytical application and strategic application of thoughts in resolving
impending politically and socially sensitive issues and discussions on forming future policies for the nation on
the said agenda. Kindly note, we are not looking for statements that would be a copy paste of what the
leader/portfolio you are representing has already stated; instead we seek an understanding of the issue from
you, while knowing and understanding your impending political and ideological limitations as well as an
understanding of the immediate and long-term consequences of your statements, actions and solutions. Your
political identity is an integral part of the purpose of the committee and we look forward to your portfolio
representation.

This introductory guide is as abstract as possible and would just give you a basic perspective on what you can
expect from the committee and areas in which your research should be focused at this given point in time.
Given the political nature of this committee, your presence of mind and politico-analytical aptitude are
something which we as the executive board would be looking to test. That being said, kindly do not limit your
research to the areas highlighted further but ensure that you logically deduce and push your research to areas
associated with the issues mentioned.

Regards,

The Executive Board

Shreyansh Bhandawat, Speaker
Sudeep Chandra, Deputy Speaker

Introduction to the Committee


Lok Sabha is composed of representatives of the people chosen by direct election on the basis of adult
suffrage. The maximum strength of the House envisaged by the Constitution is 552, which is made up by
election of up to 530 members to represent the States, up to 20 members to represent the Union Territories and
not more than two members of the Anglo-Indian Community to be nominated by the Hon'ble President, if, in
her/his opinion, that community is not adequately represented in the House.

After coming into effect of The Constitution (One Hundred and Fourth Amendment) Act, 2019, the provision of
special representation of the Anglo-Indian community in the House of the People by nomination has not been
extended further. The total elective membership is distributed among the States in such a way that the ratio
between the number of seats allotted to each State and the population of the State is, so far as practicable, the
same for all States.

Committees Under Lok Sabha

1. The work done by the Parliament in modern times is not only varied and complex in nature, but also
considerable in volume. The time at its disposal is limited. It cannot, therefore, give close consideration to all
the legislative and other matters that come up before it. A good deal of its business is, therefore, transacted in
Committees of the House, known as Parliamentary Committees. Parliamentary Committee means a Committee
which is appointed or elected by the House or nominated by the Speaker and which works under the direction
of the Speaker and presents its report to the House or to the Speaker and the Secretariat for which is provided
by the Lok Sabha Secretariat.

2. By their nature, Parliamentary Committees are of two kinds: Standing Committees and Ad hoc Committees.
Standing Committees are permanent and regular committees which are constituted from time to time in
pursuance of the provisions of an Act of Parliament or Rules of Procedure and Conduct of Business in Lok
Sabha. The work of these Committees is of continuous nature. The Financial Committees, DRSCs and some
other Committees come under the category of Standing Committees. Ad hoc Committees are appointed for a
specific purpose and they cease to exist when they finish the task assigned to them and submit a report. The
principal Ad hoc Committees are the Select and Joint Committees on Bills. Railway Convention Committee,
Joint Committee on Food Management in Parliament House Complex etc. also come under the category of ad
hoc Committees.

“Discussion On Data Privacy And Consumer Protection With
Reference To New Aged Internet Applications”

The Constitution of India recognises a fundamental right to privacy. This constitutional right has a broad
impact on Indian law: it influences policy and legal action and acts as a check on legislative and executive
action. In addition to their public-law significance, these rights and their interpretation are reflected in
laws on user security, IT, telecom licenses, and the financial sector. The Personal Data
Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology,
Mr. Ravi Shankar Prasad, on December 11, 2019. The Bill seeks to provide for protection of personal data of
individuals, and establishes a Data Protection Authority for the same.

Regulations, Directives, Bills, Key Acts: Indian data privacy law is spread across multiple
sources, which include:
• Information Technology Act, 2000 (‘the IT Act’) and Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘the SPDI Rules’).
• Consumer Protection Act, 2019 (‘CPA’), and Consumer Protection E-commerce Rules, 2020.
• Rules made by the Reserve Bank of India (‘RBI’).
• Rules enforced by the Telecom Regulatory Authority of India (‘TRAI’).
• Rules imposed by the Insurance Regulatory and Development Authority of India.
• Rules enforced by the Securities and Exchange Board of India (‘SEBI’).
• Various decisions of Indian courts.
• Unified License Agreements issued in accordance with the National Telecom Policy, 2012 by the
Department of Telecommunications (‘DOT’).

What are the IT Act and the SPDI (Sensitive Personal Data and Information) Rules?
Organizations, regardless of sector, are most directly affected by the IT Act and the SPDI Rules.
The IT Act mandates that bodies corporate, such as companies, firms, sole proprietorships, and other
associations of persons engaged in commercial or professional activities, that handle sensitive personal
information or data are liable to pay damages for any loss caused by their negligence in implementing and
maintaining reasonable security practices and procedures.

While the IT Act does not define ‘reasonable security practices and procedures,’ the SPDI Rules, framed
under the IT Act, set out minimum standards of data security for sensitive personal information. The SPDI
Rules are not intended to be comprehensive, but in respect of sensitive personal information or data they
require consent to be obtained when gathering or transferring it and data subjects to be informed of the
recipients of the collected data. One of the most important differences between the SPDI Rules and other, more
modern data protection regimes is that consent continues to be the primary ground for processing the information.

What are Legislation and Policies?


In addition to the above, the following draft laws and policies that regulate data protection are at different
stages of discussion or implementation:

• Personal Data Protection Bill, 2019 (‘the Bill’);
• Non-Personal Data Governance Framework (‘the NPD Framework’), which is currently being
deliberated by the Committee of Experts constituted under the Ministry of Electronics and
Information Technology (‘MeitY’), whose reports on non-personal data have been published;
• Digital Information Security in Healthcare Act, 2017 (‘DISHA’); and
• National Digital Health Mission (‘NDHM’) and Health Data Management Policy issued by the
Ministry of Health and Family Welfare.

Some of these draft laws will replace or update the existing laws. In particular, the Bill is a disputed draft law
that intends to bring provisions similar to those of the General Data Protection Regulation EU 2016/679 (GDPR)
into data protection law in India. While the Bill is in the process of being finalized by the Lok Sabha.

Moreover, a draft law known as DISHA is intended to regulate health data, an area where the
constitutional recognition of a fundamental right to privacy, as mentioned above, has a large influence. In
addition, the Government of India has issued the Electronic Health Record Standards, 2016 for the
management of electronic records and has set up the NDHM, a government initiative that aims to develop
digital health infrastructure in India.

(2) Case Law: Modern Indian case law on data protection and privacy originates from the decision of the
Supreme Court of India in Justice KS Puttaswamy and Anr v. Union of India and Ors. In Puttaswamy, the
Supreme Court unanimously held that the right to privacy is an intrinsic element of the right to
life and personal liberty secured under Article 21 of the Constitution and that it consists of, at its core, a negative
obligation not to contravene the right to privacy. The decision also raised the prospect of a robust common law tort of
violation of privacy, independent of legal rules.

The Supreme Court went on to hold that any law that infringed upon the right to privacy would be subject
to constitutional scrutiny, and would have to meet the three-fold requirements of:

• Legality
• Necessity
• Proportionality

Moreover, the Supreme Court placed a positive obligation on the Government to enact legislation that
adequately protects the right to privacy. Recently, various High Courts have been dealing with data security issues
from a post-Puttaswamy perspective. While a clear judicial trend cannot yet be discerned, it is obvious that data
collection and processing efforts in India must assess and anticipate the effect of Puttaswamy on Indian data
law.

Other influential decisions of the Supreme Court include:

• R Rajagopal and Ors v. State of Tamil Nadu which recognized tortious remedies for breach of
privacy and the ability to seek damages for invasions of privacy; and
• Mr. X v. Hospital Z [Civil Appeal No. 4641 of 1998] that dealt with privacy-related implications of
disclosures of health data. The Court held that in a conflict between the right to privacy and public
interest, the public interest would override an individual’s right to privacy.

What is the Brief History of the Bill?


The discussion around data protection in India reached a peak during the hearings in the K.S. Puttaswamy
vs. Union of India (2017) “right to privacy” case. In a landmark judgment, a nine-judge bench of the Supreme
Court of India affirmed the right to privacy as a fundamental right.

While the case was being heard, the Indian government set up an expert committee to devise India’s data protection
framework. After a public consultation on a white paper, the committee submitted a draft Personal Data
Protection Bill and an accompanying report interestingly entitled “A Free and Fair Digital Economy: Protecting
Privacy, Empowering Indians.”

The Bill’s Foundation


What are the stated motivations behind the law? The bill’s preamble identifies three key focal points:
• “The right to privacy is a fundamental right and it is necessary to protect personal data as an essential
facet of informational privacy.”
• “The growth of the digital economy has expanded the use of data as a critical means of communication
between persons.”
• “It is necessary to create a collective culture that fosters a free and fair digital economy, respecting the
informational privacy of individuals, and ensuring empowerment, progress and innovation through
digital governance and inclusion.”
• Applicability: The Bill governs the processing of personal data by: (i) government, (ii) companies
incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.
Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used
to identify an individual. The Bill categorises certain personal data as sensitive personal data. This
includes financial data, biometric data, caste, religious or political beliefs, or any other category of data
specified by the government, in consultation with the Authority and the concerned sectoral regulator.

• Obligations of data fiduciary: A data fiduciary is an entity or individual who decides the means and
purpose of processing personal data. Such processing will be subject to certain purpose, collection and
storage limitations. For instance, personal data can be processed only for specific, clear and lawful
purpose. Additionally, all data fiduciaries must undertake certain transparency and accountability
measures such as: (i) implementing security safeguards (such as data encryption and preventing misuse
of data), and (ii) instituting grievance redressal mechanisms to address complaints of individuals. They
must also institute mechanisms for age verification and parental consent when processing sensitive
personal data of children.

• Rights of the individual: The Bill sets out certain rights of the individual (or data principal). These
include the right to: (i) obtain confirmation from the fiduciary on whether their personal data has been
processed, (ii) seek correction of inaccurate, incomplete, or out-of-date personal data, (iii) have personal
data transferred to any other data fiduciary in certain circumstances, and (iv) restrict continuing
disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.

• Grounds for processing personal data: The Bill allows processing of data by fiduciaries only if
consent is provided by the individual. However, in certain circumstances, personal data can be
processed without consent. These include: (i) if required by the State for providing benefits to the
individual, (ii) legal proceedings, (iii) to respond to a medical emergency.

• Social media intermediaries: The Bill defines these to include intermediaries which enable online
interaction between users and allow for sharing of information. All such intermediaries which have
users above a notified threshold, and whose actions can impact electoral democracy or public order,
have certain obligations, which include providing a voluntary user verification mechanism for users in
India.

• Data Protection Authority: The Bill sets up a Data Protection Authority which may: (i) take steps to
protect interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure compliance with the
Bill. It will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data
protection and information technology. Orders of the Authority can be appealed to an Appellate
Tribunal. Appeals from the Tribunal will go to the Supreme Court.

• Transfer of data outside India: Sensitive personal data may be transferred outside India for processing
if explicitly consented to by the individual, and subject to certain additional conditions. However, such
sensitive personal data should continue to be stored in India. Certain personal data notified as critical
personal data by the government can only be processed in India.

• Exemptions: The central government can exempt any of its agencies from the provisions of the Act: (i)
in interest of security of state, public order, sovereignty and integrity of India and friendly relations with
foreign states, and (ii) for preventing incitement to commission of any cognisable offence (i.e. arrest
without warrant) relating to the above matters. Processing of personal data is also exempted from
provisions of the Bill for certain other purposes such as: (i) prevention, investigation, or prosecution of
any offence, or (ii) personal, domestic, or (iii) journalistic purposes. However, such processing must be
for a specific, clear and lawful purpose, with certain security safeguards.

• Offences: Offences under the Bill include: (i) processing or transferring personal data in violation of the
Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is
higher, and (ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the
annual turnover of the fiduciary, whichever is higher. Re-identification and processing of de-identified
personal data without consent is punishable with imprisonment of up to three years, or fine, or both.
• Sharing of non-personal data with government: The central government may direct data fiduciaries
to provide it with any: (i) non-personal data and (ii) anonymised personal data (where it is not possible
to identify data principal) for better targeting of services.
• Amendments to other laws: The Bill amends the Information Technology Act, 2000 to delete the
provisions related to compensation payable by companies for failure to protect personal data.

What’s in the Bill?


Many of the consent-related provisions in India’s data protection bill sound quite similar to those enshrined in
the European Union’s General Data Protection Regulation (GDPR). According to the new Indian bill, to collect
personal data, those entities classified as data fiduciaries must obtain consent from the individuals whose data is
in question. Data fiduciaries are essentially any entity determining the “purpose and means of processing
personal data,” a wide definition that could encompass everything from ride-sharing apps to social media
platforms to data brokers that buy and resell customer data.

Data collectors are also subject to various new reporting requirements. For example, the bill imposes additional
requirements, such as a requirement to obtain parent or guardian consent for the collection of data belonging to
children.

That said, the legislation’s text does carve out a number of exceptions for when data fiduciaries may not have to
obtain consent in order to collect personal data on Indian citizens. For instance, there are consent exemptions
for state or other entities complying with court orders, enforcing the law, providing public benefits or services,
and treating medical emergencies. There are other “reasonable purpose” carve-outs for situations like
whistleblowing, mergers and acquisitions, credit scoring, and the operation of search engines. Europe’s GDPR,
by comparison, also contains consent exemptions in areas such as law enforcement data access and functions
related to taxation, but the exemptions in India’s draft bill are defined a bit more vaguely.

The legislation also contains provisions giving rights to “data principals,” those about whom data are being
collected, to request information from data fiduciaries about what is being collected on them. Similarly, data
principals are given rights to correct or erase data stored by the fiduciary—a “right to be forgotten,” like in the
GDPR. Data principals will also have the right to view the data itself in a clear and portable manner, with the
data presented in a “structured, commonly used and machine-readable” format.

These protections demonstrate that the Indian government is interested in both safeguarding the rights of Indian
data principals and chipping away at the gross power imbalance that currently exists between large technology
firms and individual Indian citizens around data collection. But, again, it remains to be seen how that
relationship will play out when it comes to individuals and the government, not just individuals and
corporations. For example, the numerous vaguely defined exemptions on data regulation could potentially
enable forms of surveillance, when government organs deem collection and use pertinent to state functions.

In fact, the biggest concern about the bill among academics and activists is the exemptions granted to the
government for data collection. Section 35 states that exceptions can be made to collection rules, reporting
requirements, and other requirements whenever the government feels that it is “necessary or expedient” in the
“interests of sovereignty and integrity of India, national security, friendly relations with foreign states, and
public order.” Most importantly, “necessary or expedient” has replaced the “necessary and proportionate”
standard for government processing of data. The latter was a recognized standard in Indian constitutional and
international law. Just last year, the right to privacy ruling had stated clearly that any intrusion into the right
must be authorized by law, conducted in accordance with the procedure established by law, and be necessary
and proportionate to the objective being sought. The use of the term “necessary or expedient” does not impose
an obligation to undertake the balancing act between the intrusion and the objective, thereby augmenting the
government’s surveillance powers. This leaves a gaping regulatory vacuum around surveillance law in India
and fails to adequately protect citizen privacy, as there are no clear rules that govern government use of data.

In a bid to improve social media corporations, marking a departure from both the GDPR and the 2018 draft of
the bill, the most recent bill proposes the creation of a special class of significant “data fiduciaries” known as
“social media intermediaries.” These are defined as entities whose primary purpose is enabling online
interaction among users (and does not include intermediaries that enable business transactions or access to the
internet, or that are in the nature of search engines or encyclopedias). Basically, a “data fiduciary” is a social
media company. The bill includes vague language that stipulates that social media intermediaries allow for the
voluntary verification of their accounts by any users who use their services from India or register from within
India. However, the proof users need to submit to the social media intermediary to verify their accounts is
unclear. No other country has the provision for a voluntary verification mechanism of this nature.

Despite adding layers of regulatory obligations, the revised version of the bill does provide some cheer to
foreign technology companies. After protracted lobbying and pushback from foreign companies, diplomats, and
heads of state (including President Trump), the bill narrowed the scope of a data “mirroring” requirement for all
data, which was present in the earlier draft. This data mirroring requirement would have mandated that a copy
of all data on Indian citizens be stored within India’s borders. Now, the legislation only requires that certain
types of data must be stored in India. The first, “critical personal data,” must be stored and processed only in
India. The second, “sensitive personal information,” must be stored within India but can be copied elsewhere
provided certain conditions are met. This includes a provision that mimics the GDPR’s adequacy requirement:
In order for data to be copied into a country, the destination country must apply sufficient privacy protections to
the data and not impede Indian law enforcement access to the data.

Localized data storage requirements are also not entirely new to India. Rather, they would supplement measures
that are already in place. Most important among the pre-existing protections is a Reserve Bank of India (India’s
central bank) requirement for the local storage of payment data. Major technology firms such as WhatsApp
Pay, Google Pay, Mastercard, and other payment companies have made attempts to comply with the new
Reserve Bank regulation.

Finally, the government made sure to add Section 91—a provision clarifying that it reserves the right to
interpret any policies for the benefit of India’s digital economy—as long as this does not involve the use of
personal data that can be directly used to identify an individual. Section 91(2) states further that the government
can direct data collectors to hand over anonymized personal information or other “non-personal data” for the
purpose of “evidence-based policy-making.” Little clarity has been provided on what that might entail.

Implications for India and the World


Since the bill was introduced in Parliament, the global business community has expressed disapproval over
certain aspects of the proposed legislation. For example, U.S.-India Business Council President Nisha Biswal
criticized the ostensibly privacy-focused bill for reaching into other areas, such as liability of social media
intermediaries, that she thinks should be handled in separate legislation. Despite her reservations about
legislative overreach, Biswal praised the bill for relaxing India’s data localization requirements, a move she
feels would provide access to global processing and data analytics that could benefit India’s economy. Moving
forward, it will be interesting to watch other responses from the international business community to the now-
diluted data localization elements of the bill.

There are also business costs associated with data localization compliance that many foreign companies would
prefer to avoid. There is no doubt that many companies incorporated within India, and particularly those
incorporated beyond, will continue to push back against other existing data localization requirements that raise
storage and processing costs. The revised data localization provision in the new bill addresses these costs as the
mandate is limited to “sensitive personal data” and “critical personal data.”

Data capture privacy tensions


Data capture technologies, including various sources and methods of data extraction, fuel data sharing and data
monetization practices. In this respect, instead of technologies that collect transactional data such as point-of-
sale systems, we focus on social media, geospatial, biometrics, and web tracking technologies. To facilitate
data sharing, the data gathered via these technologies can be shared readily with business partners and
networks, such as between manufacturers and suppliers or across subsidiaries (e.g., WhatsApp shares phone
numbers, device specifications, and usage data with other Facebook [recently rebranded to Meta] companies).
The data collected from social media, geospatial, biometrics, and web tracking technologies can also be
monetized in various ways. With user-generated social media content, location insights from geospatial
technologies, biometric data, and web tracking technologies such as cookies, firms can improve marketing and
business performance by developing market segmentation and (re)targeting strategies, by crafting personalized
content, products, and experiences, and by building and strengthening customer relationships. They also can
conduct data wrapping, for example, through customization and optimization practices such as facial
recognition and medical alerts (e.g., Apple watch). Firms also can apply extended data wrapping or sell data to
other entities. Facebook, as noted, sells in-depth insights and analytics based on its users’ personal data and
Twitter sells third-party subscriptions to its API that allow other firms to explore users’ behaviors.

These practices threaten information privacy because consumers lose control over who has access to their
personal information and communicative exchanges (e.g., tweet, review on a public Facebook page). Geospatial
data enable firms to identify customers’ positions; by monitoring consumers’ digital footprints, companies also
can follow them across different platforms, raising concerns about individual privacy. Soft biometric data,
about moods or emotions, raise security and ethical concerns, because they reflect personal feelings that can be
manipulated for commercial purposes, which would represent individual privacy violations. Each user’s
information might also include details about other users, due to the networked nature of social media. If a user
tags a friend on a public Facebook post, their conversations get exposed, which violates both
friends’ communication privacy if firms review and exploit these exchanges.

Data aggregation, processing, and storing privacy tensions

Firms often combine data sets from multiple novel sources, which allows them to effectively share and
monetize such data. Key technologies in data aggregation, processing, and storing are IoT, big
data, and cloud computing, with capacities to process and manage massive amounts of information. The
convergence of IoT, big data, and cloud computing is central to data sharing as it enables firms to share
applications and analytics with multiple parties in real-time and at reduced technology costs. Data can be shared
via IoT-enabled devices in machine-to-machine communications. Insights and analytics based on big data can
be exchanged with partners, whereas cloud technologies offer a cost-effective information storage
cyber-infrastructure that is broadly available across time and space and accessible by multiple users simultaneously.
Aggregation, processing, and storing technologies empower data monetization practices by establishing novel
insights about customers from IoT-enabled devices and big data, facilitated by cloud technologies, which can
inform consumer profiling, behavior prediction, and targeting efforts. In turn, these efforts can optimize
marketing and business performance, supply chain management, and (extended) data wrapping (i.e.,
development of analytical functions). Accordingly, these technologies have been widely adopted by many
businesses, such as Netflix and Woolworths, to improve their performance and profitability.

Both data sharing and monetization practices in this domain can result in significant privacy tensions. Data
collected from IoT devices such as CCTV cameras that track people using facial recognition technology and
wearable devices that gather real-time information about users’ medical conditions or physical activity are very
sensitive and highly personal. A comprehensive personal picture created through data aggregation and
algorithmic profiling using big data analytics increases information privacy concerns, because it can reveal
identifiable attributes such as sexual orientation, religious and political views, and personality. Moreover, when
their behavior can be predicted more accurately, consumers become more susceptible to marketing efforts. For
example, gambling companies might pinpoint addicts and entice them with free bets. Less purposefully, cloud
services rely on virtual storage, but such remote processing can compromise system security, especially at the
transition moment, when firms shift internal applications and data to the cloud, which risks information
exposure to fourth parties, including unethical actors that seek to steal consumers’ personal data. The sheer
volume of information, historical and real-time, that links connected consumers, especially those proximal to
one another through IoT devices, heightens security risks involving stolen identities, personal violations, and
intellectual property losses. These practices together threaten communication privacy and individual
privacy because they are intrusive, invisible, and extraordinarily difficult to control.

Data modeling and programming privacy tensions

Automation enabled by data modeling and programming technologies plays a key role in data sharing and data
monetization. Considering our focus on privacy tensions, we discuss AI/machine learning and service robots as
relevant amalgamations of engineering and computer science that produce intelligent automation, capable of
learning and adaptation). These technologies facilitate data sharing as AI generally enables automated sharing
of real-time data, and embodied AIs such as robots can exchange information in physical interactions.
Moreover, AI-based systems enable data monetization by improving marketing and operational performance
(e.g., personalized recommendations, smart content, programmatic media buys, chatbots, and predictive
modeling). Modern robots, such as the humanoid, programmable Pepper, can understand verbal instructions,
interpret human emotions, and exhibit social intelligence to improve customer experiences and optimize
performance. AI and service robots also enable data wrapping/extended wrapping by automating tasks and
services; in addition, their data analytics–based features can adapt automatically to the real-time, physical
environment.

However, optimizing machine learning requires enormous amounts of data, collected from consumer
interactions, often without their knowledge. In general, AI might extract sensitive information such as people’s
political opinions, sexual orientation, and medical conditions from less sensitive information, then manipulate
users through predictive analytics or create deception such as deep fakes, which threaten information privacy.
Robots equipped with computer vision and machine learning both see and sense the environment, implying
greater penetration into consumers’ private, physical, and emotional spaces and threats to individual and
communication privacy.

Importance of Consumer Protection and Existing studies/recommendations

Consumer protection is an important aspect of service provisioning and has invited the attention of national
governments as well as consumer associations and other stakeholders. Even within the ICT sector, consumer
protection remains an important aspect, because if customers do not feel comfortable enough, they might not
use ICT services with confidence, which will impact digital inclusion, which is critical in the digital
transformation of society, especially post COVID-19.

Several UN agencies have also provided guidelines and recommendations in this area. The ITU Study Group
report mentioned above not only highlights many of the issues faced by consumers in the
ICT sector but also provides many good examples of best practices from around the world. Furthermore, the
ITU and World Bank’s “Digital Regulation Platform” has a separate chapter on consumer affairs. The
platform highlights several important issues related to consumer protection, such as: consumer rights in the
digital context, good practices in consumer support, international organizations relevant to consumer affairs,
digital consumer rights (consumer consultation), consumer requirements from regulators, dispute resolution, and
good practices in consumer outreach and education.

Impact of new technologies on Consumer Protection

New technologies also have an impact on consumer protection. The ITU report titled “Big data,
machine learning, consumer protection and privacy” identifies, besides the two technologies mentioned in
the title, artificial intelligence as something that will have a significant impact on consumer protection. The
said report discusses this topic more in the context of financial services, but such technologies can be used in
other sectors as well. Furthermore, the UNCTAD Digital Economy Report 2021 identifies some of the technologies
that impact data-related regulation, which in turn affects consumer protection in general and economic
prosperity in particular: (big) data analytics, the Internet of Things, cloud computing, and other Internet-based
services. Other technologies, such as location-based services, can also have an impact on consumer
protection but are required, for example, for ride-sharing services. The list will continue to grow as new services
and technologies become available.

CONCLUSION

Several effective actions have emerged for companies that seek to address enhanced consumer-privacy and
data-protection requirements. These span the life cycle of enterprise data, and include steps in operations,
infrastructure, and customer-facing practices, and are enabled by data mapping.

Leading companies have created data maps or registers to categorize the types of data they collect from
customers. The solution is best designed to accommodate increases in the volume and range of such data that
will surely come. Existing data-cataloging and data-flow-mapping tools can support the process. Companies
need to know which data they actually require to serve customers. Much of the data that is collected is not used
for analytics and will not be needed in the future. Companies will mitigate risk by collecting only the data they
will probably need. Another necessary step is to write or revise data-storage and -security policies. The best
approaches account for the different categories of data, which can require different storage policies.

Of further importance is the growing appetite for applied analytics. Today, leading companies need robust
analytics policies. Given the proliferation of advanced machine-learning tools, many organizations will seek to
analyze the high volumes of data they collect, especially by experimenting with unsupervised algorithms. But
unless companies have advanced model-validation approaches and thoughtfully purposed consumer data, they
should proceed with extreme caution, probably by focusing specifically on supervised-learning algorithms to
minimize risk.

Leading organizations have developed identity- and access-management practices for individuals according to
their roles, with security-access levels determined for different data categories. About one-third of the breaches
in recent years have been attributed to insider threats. This risk can be mitigated by ensuring that data sets are
accessible only to those who need them and that no one has access to all available data. Even the most robust
practices for identity and access management can fail—some breaches can be caused by individuals with
approved access—so additional activity monitoring can be helpful.
