United States
WhatsApp Inc. v. NSO Group Technologies Limited (2024)
Decision Date: December 20, 2024
The United States District Court for the Northern District of California held that the NSO Group could not claim sovereign immunity as a private company and found that its Pegasus spyware exploited vulnerabilities in WhatsApp to monitor over 1,400 individuals. These individuals included journalists, human rights activists, dissidents, and government officials from various countries. WhatsApp accused the NSO Group of using the spyware to hack into its platform and monitor targets without their consent. The District Court reasoned that sovereign immunity did not apply to a private entity like the NSO Group, even if its actions were on behalf of a foreign government. It further determined that the NSO Group’s use of the spyware violated US laws—particularly the Computer Fraud and Abuse Act (CFAA), and the California Comprehensive Computer Data Access and Fraud Act (CDAFA)—and was a breach of contract. The Court granted summary judgment on the CFAA and CDAFA claims—finding unauthorized access to WhatsApp’s California-based servers—and on the breach of contract claim due to the NSO Group’s reverse-engineering of WhatsApp software—in violation of its terms of service. The NSO Group’s defense on personal jurisdiction and evidence sufficiency was rejected, and the Court imposed evidentiary sanctions for discovery noncompliance.

India
Apoorva Aroraa v. State (TVF Series Case)
March 19, 2024
The Supreme Court of India held that the web series College Romance, despite its use of expletives and profane language, does not violate Sections 67 and 67A of the Information Technology Act. The case arose from a complaint alleging that the series violated the IT Act and the Indecent Representation of Women (Prohibition) Act due to its explicit content. Aggrieved by the complaint and the subsequent First Information Report (FIR), the Appellants sought to quash the complaint in the Delhi High Court, which dismissed their petition. Upon appeal, the Supreme Court criticized the High Court’s reasoning, clarifying that while the series may be vulgar or distasteful, it does not meet the legal standards for obscenity or sexually explicit material. The Court clarified that obscenity under the law requires content to be lascivious, appeal to prurient interests, or tend to deprave and corrupt those likely to view it. Profanity alone, the Court emphasized, does not meet this threshold. Additionally, the Court found that the High Court’s reliance on “impressionable minds” as a standard was inappropriate, as legal obscenity must be judged by the perspective of the average viewer, not a hypersensitive or overly impressionable audience. In conclusion, the Supreme Court quashed the FIR against the Appellants, underscoring the importance of a nuanced approach to regulating content while protecting artistic freedom.

Theodore v. Registrar General
February 27, 2024
An Indian High Court ordered the redaction of an acquitted individual’s name and personal details from a judgment published online, citing his right to privacy under Article 21 of the Indian Constitution. The individual had been acquitted in a criminal case and argued that the public disclosure of his identity served no public purpose and negatively impacted his present life. The High Court referred to the Digital Personal Data Protection Act, 2023, and opined that the Act would apply to it since Courts are under no obligation to make personal data publicly available. The Court noted that although it is a “Court of Record” and believes in preserving the sanctity of records, it is upon its wide discretion to determine which personal data is made publicly available. The Court stressed that the open court system elucidated under Swapnil Tripathi v Supreme Court of India had to be balanced with the right to privacy guaranteed under the Puttaswamy v Union of India. The Court emphasized that redaction of personal details from the published judgment while retaining the name in the original records would strike such a balance.

Webinar on International Standards on Hate Speech. Join the upcoming online workshop, “Introduction to Standards on Hate Speech,” hosted by the Centre for Law and Democracy (CLD). Designed for lawyers who seek a better understanding of international law while practicing nationally, the webinar will focus on legal prohibitions of hate speech, discriminatory speech in professional media regulation, and emerging practices in tackling discriminatory speech online. CLD’s Executive Director Toby Mendel and Legal Officer Raphael Vagliano will join as speakers, as well as Andrew Puddephatt, Senior Consultant to UNESCO on Digital Policy. January 28, 2025. 8:30-10:00 AM ET / 2:30-4:00 PM CET. Register here.

● EFF’s Transition Memo on Digital Policy Priorities to New Administration and Congress. How can the Trump administration and the 119th US Congress protect Americans’ digital rights and freedoms? The Electronic Frontier Foundation (EFF) shares a 64-page transition memo with both. EFF’s recommendations cover 1) Surveillance, including the Foreign Intelligence Surveillance Act, facial recognition, and border surveillance; 2) Encryption and cybersecurity; 3) Consumer privacy; 4) AI, including transparency in AI and copyright concerns; 5) Broadband, including net neutrality; 6) Section 230, including deepfakes and content moderation; 7) Competition; 8) Copyright; 9) Computer Fraud and Abuse Act; and 10) Patents. Read the memo here.

● India: Snapshot of the Draft Digital Personal Data Protection Rules 2025. SFLC.IN reviews the Draft Digital Personal Data Protection Rules, 2025, aimed to serve as guidance to the provisions of the Digital Personal Data Protection Act, 2023. The latter, enacted in India two years ago, was a significant step forward in data protection but had several critical gaps in clarity and implementation – the 2025 Draft Rules address those gaps, seeking a balance between personal data protection and the needs of businesses and state officials. SFLC.IN notes that while the Draft Rules resolve some ambiguities, others remain, “such as thresholds for Significant Data Fiduciaries, clarity on consent management practices, and timelines for grievance redressal.” India’s Ministry of Electronics and Information Technology opened the Draft Rules for public consultation.

● Africa’s 2024 Elections: Disputed Results and Graceful Exits, Historical Shifts and New Beginnings, by Reyhana Masters. IFEX Regional Editor Reyhana Masters looks at the aftermath of the super-election year across Sub-Saharan Africa. Out of the 17 states scheduled to vote in 2024, eleven held elections, widely seen as “​​credible, competitive, free, and fair” but with problems: erosion of electoral integrity and media freedom, shrinking of civic space, internet shutdowns, imprisonment of opposition leaders, disinformation, and hate speech. In some countries, disputes over the outcome sparked unrest, like in Mozambique, where after “[p]ossibly the most contentious election of the year,” a violent crackdown followed the protests with at least 11 people dead and dozens injured.

Serbia: Surveillance and the Suppression of Civil Society. This Amnesty International report, titled “Digital Prison,” charts the deployment of surveillance technology by Serbian authorities, who use digital repression tactics to control and persecute civil society. Based on technical digital forensic research and extensive interviews with spyware victims and Serbian civil society members, the report documents Serbia’s ubiquitous use of data extraction products, including NSO’s Pegasus spyware and the new NoviSpy spyware system – revealed by Amnesty for the first time in this report – targeting journalists, activists, and protesters. “Implement a human rights regulatory framework that governs surveillance and is in line with international human rights law and standards,” one of the report’s recommendations to Serbian authorities states. “Until such a framework is implemented, a moratorium on the purchase, sale, transfer, and use of all spyware should be enforced.”

● Persuasion: Don’t Mourn the Fact-Checkers, by Jacob Mchangama. In an article for Persuasion, Jacob Mchangama, Executive Director at the Future of Free Speech (FFS), argues that the recently announced overhaul of Meta’s content policies makes a promising direction for online speech. Referring to the benefits of crowdsource fact-checking and the FFS’s 2024 report on the over-removal of legal content on social media, Mchangama welcomes the changes but warns against the possible co-optation of Meta by the Trump administration. 

In case you missed it…

● EU Parliament Debate: DSA Enforcement and the Protection of Democracy. On January 21, 2025, Members of the European Parliament discussed the need to enforce the Digital Services Act (DSA) and address disinformation, illegal content, and other threats in order to defend European democracy from foreign meddling and algorithmic manipulation. The debate’s recording is available here.