Protect Indian Companies through the proposed Indian Data Protection Act from possible GDPR Overreach

Indian Corporate world exposed to any form of data processing involving a member of the European Union including the countries which have exited recently (Like Britain) or those who may exit in due course (Say France?) are keenly watching the impact of the General Data Protection Regime (GDPR) which has come into force as a replacement of the well known “Data Protection Act” of these countries.  GDPR has been enacted as a “Regulation” and will be applicable from 25th May 2018. We are therefore in the transition period where the Companies in EU as well as those who are in India and processing the personal data of EU citizens either with a direct interaction with EU based companies or with US companies working in EU are re writing their data processing contracts to be in line with the GDPR.

25th May 2018 is not too far considering the criticality of the task and the need to check and double check whether the companies are on the right track.

Indian Companies get exposed to GDPR firstly through their data processing contracts and secondly through their own activities. The data processing contracts are expected to have performance requirements meeting the standards of GDPR and also an indemnity to compensate the vendor company for losses arising out of non compliance. If the Indian Company is directly operating in EU then it is directly exposed to the compliance requirements through its office in the EU.

Additionally, we expect that India will have its own Data Protection Act by 25th May 2018 which will impose responsibilities similar to GDPR and will also endorse the need to uphold the contractual obligations as if it is a legal obligation in India. This provision already exists in ITA 2000/8 and with or without a reiteration in the new proposed Indian Data Protection Act, the agreement with an international vendor to comply with GDPR becomes a statutory obligation under ITA 2000/8 also.

It is in this context that we need to take a serious look at two of the Articles of GDPR and understand how GDPR may apply to Indian Companies.

The first article that we need to observe closely is Article 3, which is on Territorial Scope of GDPR.

The Article states as follows.

Article 3: Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

The first clause of this article is relatively straight forward.  This states that “In the context of activities of an establishment” which involves processing of personal data, the regulations are applicable whether the processing itself takes place in the EU or not.  This means that even when the data is outsourced or the establishment itself maintains a processing center outside EU, it is still under the scope of this regulation. Such an organization is therefore exposed to the possibility of imposition penalties that the GDPR envisages which as we know extends upto 4% of global turnover of the company.

Such companies will therefore impose clauses in their outsourcing contracts which will require the sub contractors indemnify the company for any losses caused by them due to the non compliance of GDPR. The contracts will be deemed to also impose the responsibilities of a “Data Controller” as envisaged in the GDPR on the Indian Sub Contractor whether it is explicitly stated or implicitly meant.

Considering the huge liabilities envisaged in the GDPR, an open indemnity may be a proposition that will drive any Indian Company including the bigger and the biggest of them to insolvency if any major data breach occurs that results in imposition of penalties under GDPR.

Indian Companies need to therefore check what are the compliance requirements and how they should plan to implement them. They should also check if there are any exemptions and how they need to handle the conflicting aspects of Indian law under which they operate such as the existing ITA 2000/8 or the proposed Indian Data Protection Act. Additionally, they need to obtain appropriate Cyber Insurance that will add to their costs by at least 1 to 1.5% of the potential liability. Since the potential liability is indifferent to the value of the contract the cost of insurance in terms of the revenue generated by the contract can be many times more than 1.5% of the contract benefits.

Hence the Indian companies need to take the impact of GDPR seriously before taking up EU contracts. If the risk is not worth it, smaller companies need to withdraw from the contracts that impose indemnity against GDPR liabilities. Larger companies like Infosys or Wipro or TCS need to fight it out with the vendors for at least covering the Cyber Insurance costs.

Additionally, according to Article 3(2), any Indian Company which offers goods or services to a data subject in EU or monitors their behaviour is directly liable under GDPR as a “Data Controller”.

“Offering” goods and services may occur if the Company maintains a website through which online services are offered which can be availed by EU citizens. “Monitoring” of behaviour may also occur in such cases and also by companies which are engaged in data mining on a global scale. If such companies have not taken the precaution of including the “GDPR Exclusion Clause” as proposed by Naavi in their web site policies and contracts, then they are open to being held accountable under GDPR.

Assuming that such companies have no office in EU nor any representative (Required to be designated under (Article 27), still action can be brought in India either under the existing ITA 2000/8 or under the proposed Indian Data Protection Act and hence the risk of GDPR penalties may have to be addressed even by them.

In case of non compliance of an Indian Company it  would be liable for the consequences and is also answerable to its share holders.

Such Indian companies may process the data within India or outside India. If they are storing the data within India or even otherwise, they would be exposed to the possibility of an Indian law enforcement authority issuing/executing a search warrant for seizure of the data which may amount to “Disclosure”. In certain cases, Judicial authorities may order disclosure of some data which interalia involves disclosure of personal data belonging to the EU citizen.

In such cases, we need to also observe the impact of Article 48 which states as under.

Article 48: Transfers or disclosures not authorised by Union law

Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.

What this Article implies is that a company subject to Indian law will be in conflict with the jurisdiction of the Indian Courts  because of  a contract  it might have signed with its business partner who is bound by the EU regulation.

It may be noted that this Article is not simply a choice of “Jurisdiction” in a contractual agreement. On the otherhand it renders the Indian Courts impotent.

This Article also introduces a confusion since the general principle of Privacy does provide right to the law enforcement agency and Judiciary to intrude on certain circumstances.

GDPR does permit some exemptions under the “Right of a Data Subject” for reasons such as national security, criminal investigation etc. So it appears difficult to comprehend that  Judiciary has no right even after a trial having been conducted and arriving at a judgement.

We therefore need to interpret this  Article as applicable only if the data has to be released by an organization which is under the jurisdiction of the Eu Courts and not companies which are under the jurisdiction of the Indian Judiciary whether they process EU data or not.

Probably the confusion could have been avoided if the Article had specified that it is not applicable to data processors who are established outside the Union or that it was not in derogation of the rights of the Judiciary of the country in which the data controller operates.

The option now before the Indian authorities to reduce confusion is to introduce an appropriate clause in the proposed Indian Data Protection Act which is on the lines of Article 23 where the member nations are permitted to introduce laws that may impose restrictions on the rights of data subjects in cases of National Security, Defence, Public security etc.

Naavi advocates that a provision be made in the Indian Data Protection Act that

No international agency can launch any legal action against an Indian company except through the Indian Data Commissioner.

This would be a protective umbrella for Indian companies to be protected from frivolous threats from outside India.

This is not to advocate that Indian companies need not follow privacy protection. In fact GDPR does have good provisions for Privacy protection which is good to be implemented even by Indian companies. However, it is desirable that the Indian Data Protection Commissioner takes the responsibility for disciplining the Indian Companies rather than a EU Data Commissioner. Hence it is necessary to provide a statutory protection for penal action to be restricted through the Indian Data Commissioner’s office only.

I request the MeiTy to take this into account while drafting the new law.


Print Friendly

West Bengal Adjudicator imposes Rs 50000/- penalty on husband

In a first decision from the Adjudicator of West Bengal, an order has been passed against an estranged husband who spied on his wife’s phone using “Team Viewer” software.

See Report 

According to the report, the husband had installed a “Team Viewer” software on his wife’s phone and extracted certain Chats which were produced in a divorce suit to prove her disloyalty.

The Adjudicator, (IT Secretary Mr Talleen Kumar) has considered this as a violation of the wife’s privacy and ordered payment of Rs 50000/- as penalty.

Firstly, we congratulate Mr Tallen Kumar for his first decision as Adjudicator of West Bengal. I am aware that there are other cases pending before him they would also perhaps see the light of the day.

At this point of time it is difficult to say that the husband will be too unhappy with the verdict since his case in the matrimonial court may continue. Being a matrimonial Court,  the question of whether the evidence produced for proving the disloyalty of the wife remains valid may be separately debated.

If appealed, this could be the first fresh case to be referred to TDSAT in its role as the new Cyber Appellate Tribunal under ITA 2000/8 and would test TDSAT on how it handles a Cyber Case. However, this does not appear to be a fit case for appeal and hence it may not have the privilege of being referred to TDSAT.

The other point that is to be noted is that “Team Viewer” software normally requires a confirmation from the destination computer for access. However, there is a feature called “Unattended Access” which if activated would provide access to the destination computer without popping up a consent screen each time.

One of the news papers has referred to the Team Viewer software as a “Virus”, and this should set the software manufacturers (Team Viewer GmbH) thinking of how to prevent their genuine and useful software be tarred with the image of a “Virus”.

This leads to the question of how to make a software “Cyber Law Compliant” and should be a lesson to all the software manufacturers.


Copy of the Judgement

[According to the West Bengal Government website, as of 4/4/2017, Mr Tallen Kumar was indicated as Principal Secretary, Paschimanchal Unnayan affairs Deptt,  and Dr. Krishna Gupta, was the Principal Secretary of the department of IT & Electronics.  Probably Mr Kumar might have been transferred after delivering this award. The judgement seems to have surfaced in the last two days, almost 2 weeks after Mr Tallen Kumar ceased to be the Adjudicator. No date appears on the copy of the judgement except the date 26/11/2014 which obviously is the date of complaint. ]

P.S: According to one reaction to this article, Team Viewer was not used. My note above is based on Telegraph report and I am awaiting further information on this.. But the award confirms the use of Team Viewer and also a cloud storage facility Probably it was not the Unattended access of Team viewer that was used but the back up on syncdroid to get the information that is held as unauthorized access. … Naavi

Print Friendly

Nation Wants To Know Why we donot have the freedom to say “Nation Wants To Know”

It is ridiculous that Times Now Group thinks it is smart in issuing a legal notice to Mr Arnab Goswami that he should refrain from using the phrase “Nation Wants To Know” on which Times Now claims an “Intellectual Property Right”. (Refer here).

At this point of time, it is not clear that the restraining notice is only on Mr Arnab Goswami or on the whole world and if so it is for the entire phrase along with a certain intonation and voice modulation and whether it applies to written text, voice, TV etc.

Just because Mr Arnab used to use the phrase often while on the news program and made it popular, it is not automatically possible to consider that an exclusive “Intellectual Property Right” is created for the owner of the channel. The first thing to settle is whether the claim is for Trademark or Copyright  or some other IPR.  Since the program was named “News Hour” and not “Nation Wants To Know”, there cannot be a trademark right associated with the phrase. The most obvious choice of the type of IPR is therefore the Copyright.

Mr Arnab is not the only person who used the term “Nation Wants to Know” but since he was the anchor of the channel, he did speak out the phrase several times a day and made it popular. Was the creation of the value an accident? or was it a “Literary Work” created with the use of “Intellect” of Mr Arnab?… are questions to ask before applying the Copyright Act.

It is also necessary to ponder whether  the employment contract between Times Now and Arnab mention or even envisage the possibility of copyright on different phrases used by the news readers and anchors? If so, can Ravi Shastri (or on his behalf Star Sports) claim similar rights on “The Ball Goes to the fence like a Tracer Bullet”? “Can Sidhu ( or on his behalf Star Sports) claim rights on all the Sidhuisms that he introduced?..are some of the questions that pass in our mind.

I remember one of our lecturers in the College saying “OK” after every sentence and we used to enjoy counting whether he will hit a century of “OKs” in one lecture hour. If Times Now was the college authorities, they would have perhaps claimed copyright on “Saying OK” and claim royalty on others using the word.

Yes… the Court will spend its valuable time on this trivia for days on end and in the next couple of years give out its wisdom. Probably the Court will reject the claim of Times Now or the matter becomes irrelevant with the passage of time.

But it is time that the public in the meantime pull up Times Now for the arrogance they have shown in trying to gag Mr Arnab Goswami of spoken words which is actually an assault on his freedom of speech and expression. If the thought to be expressed is that the” Nation wants to know”, except to substitute the word “Nation” with say “Country” or “Wants”  with “Desires”, there cannot be an alternative. If every news anchor has to stop using all his popular phraseology once he moves from one channel to another he will have to always carry a thesaurus in his pocket.

Legally, there is a provision for “Compulsory Licensing” and the Government should come forward to issue a notification that the phrase “Nation Wants To Know” is too generic an utternace that it cannot be a subject matter of “Exclusive Copyright”. The objective behind the provision is to provide for the mechanism to prevent the abuse of monopoly by the copyright holder and to ensure that the general public is not deprived of the copyrighted work, solely because of the unreasonable demands of the copyright holder. Normally the “Compulsory Licensing” is applied where a “Copyright” is recognized and the owner is preventing the use of the copyrighted property by the community.

In the current instance, the principle to prevent abuse of law is very much relevant.  But  in the instant case, we need to reject even copyrightability of the phrase and not go into the discussion of “Licensing”. We need to declare that “Nation Wants To Know” is a generic phrase in the language which cannot be copyrighted.

While the Court has a power to come to such a conclusion in due course, and probably it will, it should be explored if the Government can bring in an explanatory notification to clarify that Copyright Act does not extend to such phrases (I am not sure if it can be called a phrase in the normal English Grammatical usage).

Alternatively, pressure should be brought upon Times Now to withdraw its stupid claim of intellectual property rights through a social media campaign against Times Now and by consumers boycotting products advertised on Times Now channel.

We have seen in the past some equally objectionable copyright claims by the music industry including that a record cannot be played aloud for multiple persons to hear at the same time . (Remember the ad where two people listen to a song sharing the ear pieces?….it is copyright violation). It is this tendency to abuse the law that makes Copyright law lose its respect.

I am certain that Mr Arnab will ignore the notice and the controversy will fizzle out. But it would be better if Times Now itself withdraws  its notice and apologize to the public for trying to misuse Copyright law pursuing its vengeance on an outgoing employee.

Probably an online petition should be started with the theme “Nation Wants to Know why Times Group should not have an exclusive right to say so”.


Related Article:

Print Friendly

Software Application is not a mere piece of coding…There is business behind it

My article on the Bank of Maharashtra(BOM)  UPI fraud where in I had expressed an opinion that NPCI and RBI also have  some responsibility elicited some off the record remarks  from NPCI and one of the senior technical members of another Bank. Their main contention was that the BOM Core Banking System (CBS) interacts with the BOM-UPI system which inturn interacts with NPCI, and in this instance the problem of mis communication was between BOM-CBS and BOM-UPI interface. Hence they argue that NPCI was not in a position to understand if the transaction was genuinely cleared by the CBS system or not. It is also stated that BOM-UPI interface belongs to BOM and hence it has to assume complete responsibility for the transaction and NPCI cannot be held liable.

I suppose that this is the structure of communication used and if so, it may be technically correct to consider that NPCI was not in a position to find out whether the transaction was cleared in the back end between BOM CBS and BOM UPI systems or not.

That apart, we should discuss some additional aspects of how the system was adopted between NPCI and BOM without an end-to-end testing so that a faulty sub system became part of the whole system that operated between a customer of the Bank and an intended payee.

It is possible that technical persons in NPCI as well as BOM were only focussing on how the UPI interface of BOM interacts with UPI interface at NPCI and only tested the technical aspects involved in this exchange of data.

The technical persons forgot that what UPI interface of BOM was communicating to NPCI was whether a certain money was debited to a certain account and the debit was passed by the Banking officials.

Here was a banking transaction bound in law. Had it been a cheques transaction,  Negotiable Instruments Act 1881 (NI Act) as amended in 2002 would require the payment should be a “Payment in Due Course”.  Even in this case of e-instructions substituting the cheque transaction,  it is essential that the payment from BOM CBS system should be a Payment in Due Course” or its equivalent. If not, the Paying Bank may be liable for the fraud.  At the same time the Collecting Bank (to which the money was credited on behalf of the payee) should also fulfill its responsibilities similar to what is contained in Section 131 of NI Act for collection of cheques, which should be taken care of by the technology team configuring the UPI app at that end.

Without satisfying the legal requirements of the NI Act, or its equivalent,  the transaction cannot be considered as legally complete.

In the digital payment transaction, between the Paying Bank and the Collecting Bank, there is NPCI as a clearing agency. It is an intermediary which instructs both the Paying Bank and the Collecting Bank on what they should do to complete the banking transaction using the UPI interface.

As an intermediary, NPCI has its own responsibilities under ITA 2000/8 besides some immunity derived under the Payment and Settlements Act.

NPCI should have supplied APIs to different Banks along with instructions on how they may be configured at the respective Banks and linking it with their own CBS systems. If the API belongs to NPCI, then it is also responsible to ensure that it is compatible with the different CBS systems that may be under use by different Banks.

It appears from this BOM incident that the UPI interface as built by BOM was not properly functioning and hence it’s instructions to NPCI were unreliable. But NPCI did not know because it had not tested  the “transactions” from the banking perspective and was satisfied only in testing the technical connectivity within a section of the transaction.

In this type of transaction, the transaction originates from one mobile using an UPI app and the digital instruction travels to NPCI, then onto the paying Bank, comes back and is communicated by NPCI to the sender. In case of successful transactions, information is also sent to the intended payee’s mobile app and his bank’s UPI interface. The authentication system used in each segment of the transaction may not conform to the legal standards necessary in Indian laws but is only riding on a technical belief that nothing will go wrong.

The way UPI system developed, it may be argued that NPCI is the owner of the system and has enrolled the Banks as members to use the platform. Therefore, the responsibility for the integrity of the platform lies more with NPCI than the Banks. Even if in the case of individual Bank’s UPIs, there is a possibility for NPCI to shift the responsibility to the Banks, at least in the case of BHIM, it is clear that NPCI is the lead institution and others are supporting organizations.

Frauds can occur right from the downloading of the App by either of the two  transaction parties, with possible malware infections at various levels.

It would not be possible for Banks and NPCI to consider that they donot have responsibility for technology related frauds and the customer should bear the cost of such frauds. Since the Government is behind forcing users to adopt digital payments, it is the responsibility of the Government and RBI to ensure that the system is safe and does not create a technology based risk to the customers.

Technology persons especially the software developers should understand that they are building software that substitutes humans at different points of decision making and unless they view the software from the perspective of the underlying transaction and not as  few bytes of data that go in between, they will not be able to build secure applications. Applications that are tested only for the functionality without any regard to the underlying business transaction, are to be considered as “Faulty ab-initio”.

Software developers who are used to releasing software with bugs and later on sending patches and holding the users responsible for not applying the patches in time cannot be called “Responsible Software Developers”.

Knowing the difficulties in technology, there are two things which software developers and their owners should do.

First is that any software released to the public should be put on extensive field test at first. During this time, there should be a “Bug Bounty” program which attracts other specialists to pool their skills in cleaning up bugs. UPI did not go through this standard process.

Secondly, in financial transactions related software, the users must be protected by “Cyber Insurance” and part of the liability of the insurance premium must be borne by the software developers.

In the present instance, none of the players such as the Banks or NPCI or the RBI or the Government is concerned about the risks that an UPI user is exposed to. Banks are interested in their profits, RBI is powerless to regulate the Banks and the Government officials and politicians donot know what is the risk they are pushing  into the system. Since public love Mr Modi, they are adopting digital payment systems faster than they should and hence exposing themselves to greater and greater financial risks by the day.

By making NPCI as a giant universal gateway for financial transactions across India, a huge amount of financial risk has converged on the organization. In the event of a war or a major terrorist attack, NPCI may be rendered dysfunctional by our enemies and the Indian financial system may take a huge hit.

I am not convinced that the technologists who donot have a holistic view of the transactions will be able to visualize all the risks in the system and take adequate action.

In the meantime, we the honest citizens of the country are left to keep praying to our favorite Gods that they should be spared from Cyber Crime risks, more so  in the coming days when payments happen with their aadhar registered biometric.

One technology person complained that I am creating a “Scare” by exaggerating the risks. I donot agree. But even if it is so, it does not matter. Because I know that software developers suffering from “Technology intoxication” are likely to over speed and cause accidents to the passer’s by while they themselves are protected behind sophisticated air bags.  Some body like us should therefore challenge them from time to time for the general good of the society.


Print Friendly

Fighting susceptibility for “Cyber Hypnotism” with Ulysses Contracts

The recent Cyber fraud in Mumbai where an elderly (72 year old)  woman was duped to the extent of Rs 42 lakhs in a Nigerian Scam (Refer here) open up a discussion on how it that  seemingly intelligent people fall for this old trick of fraudsters. We often dismiss such frauds as a result of “Greed” where the victim wanted to get rich overnight and fell to a trap. It is true that some of the Nigerian frauds are induced by the greed of the victim. But there could be other reasons as well for which some people seem to get carried away by the various promises made by their online friend and behave as if they are “hypnotized”.

It is not only this case where there is no reason for a 72 year old lady with Rs 42 lakhs in her Bank account should feel greedy and lose her life time savings. There have been similar cases where elderly persons and young kids have fallen for the sweet talk of fraudsters on the facebook or chat apps.

In all these cases, if we look beyond the motive of greed, it appears that the victim was led to behave in a particular manner which appears irrational for many of us exactly in a manner a “hypnotized” person behaves with a post hypnotic suggestion.

We need to analyse these cases scientifically to understand if there exists a phenomenon of “Cyber Hypnotism” where a person can induce hypnosis through written words, implant suggestions and make the  subject behave differently under post hypnotic state.

Hypnosis itself is a very interesting phenomenon and this age old art perhaps is still not fully understood though there  could be several theories to explain the phenomenon.

One easy to understand explanation of hypnotism is that the human brain consists of a conscious part which we interact with the surroundings on a day to day basis but beneath this conscious part seems to exist a “Sub Conscious mind” which can come to the fore during a hypnotized state of mind.

This sub-conscious mind is a store house of every one of our experiences though it is not available for recall by our sensory organs and conscious memory.  In a way it is like our computer where files are stored in a “hidden” storage space and are not accessible by our operating systems and hence are invisible. But if we can use a suitable software to  “undelete a deleted file” or “discover the hidden files”, we may suddenly realize that there are many files which we ourselves have created and saved may be as earlier versions of currently used files and later on over written with other versions.

In the case of human mind, the storage space available is very large compared to what we normally use and hence the “Sub Conscious Memory” holds a very large volume of data that has a “Photographic memory recording” of every one of our past experiences through our sensory organs.

A hypnotist finds a way to put the conscious mind to sleep and awaken the subconscious mind to make the subject remember long forgotten experiences. A therapist uses this to discover reasons for unexplained attitudes and behavioural pattern of individuals and through hypnotic suggestions during the state of hypnosis alter the attitude and behaviour in the post hypnotic state even though the subject is no longer in a “trance”.

It is however a part of theory that the post hypnotic suggestions may be resisted by the subject if it goes against fundamental beliefs of the person and hence cannot be used to make the person do “Criminal Acts”. According to this theory, there are some basic beliefs which a person has got embedded in his mind which cannot be wished away even under the hypnotic state by the hypnotist. But if the hypnotist is clever and makes a person believe that a post hypnotic state is not actually against the basic tenets but in support of it, then the post hypntic state may work. This explains the growth of ISIS type of terrorism in the world and also some of the schizophrenic personalities built through self suggestions.

The post hypnotic suggestions which are harmful are like “Trojans” implanted in the minds of persons which lie low under normal circumstances but make the person behave differently when certain circumstances converge.

This is a state of mind that is created in some persons who exhibit the propensity to fall to the “Social Engineering” of  online fraudsters. As a society, we need to fight against not only such fraudsters but also the susceptible potential victims. It is like preventing the “Addiction” to undesirable habits.

Normally, the hypnotist induces a hypnotic state of mind in a willing subject by making him relax and then speaking to him in a relaxed state of mind, through spoken words the subject is made to slip gradually from a conscious state to a sub conscious state. In some cases it is as simple as telling the subject that “You are now completely relaxed….your eyes are feeling heavy…when I count 5 you will go into deep sleep…etc”. For many this appears like magic particularly when some suggestions are also implanted during this “Inducement stage” as to the subject partially waking up and working under a trance and also waking up completely to come out of the trance. For example when the subject opens his eyes and is still in a trance, a mere statement of “Sleep” may quickly take him back to hypnotic state while a suggestion that after a count down from 5, he will be wide awake brings him out of trance.

What we understand from this phenomenon is that there is a way to take a person from his conscious state to a subconscious state by talking through intelligently. There is no reason to think that this can only be done through spoken words, or through dangling a pendulum or darkening the surroundings etc. These are all methods to ensure that there are no distractions and similar effect is automatically present in the case of most lonely individuals working in the social media  I donot rule out the use of psychedelic images to induce hypnotic state of mind in some cases. Perhaps “Voice Messages” and “Video Messages” can also be used to induce Cyber hypnotism in the same way that hypnotists do in the physical world.

If a person is staring into the Computer monitor and is chatting for a period of time, he is so involved in the conversation that he could slip into a state of pre-hypnotic inducement. If the other person is considered trustworthy and he starts making some suggestions, the subject may start getting into a trance like state of mind letting himself to be “Cyber Hypnotized”. Some games including the “” kind of situations may take the visitor into a fantasy world where there could be interactions with malicious characters who can “brainwash” the victims into a hypnotic state.  The rest follows as per the normal principle of hypnosis where the subject trusts the hypnotizer and executes his commands in the post hypnotic state later. This in the case of the Nigerian frauds could be going into the Bank and sending out payments or even sharing the Banking credentials online.

Now, how do we prevent our lonely elders and young kids from being so Cyber hypnotized?

The first step is to create a “Self Awareness” in an individual that he is susceptible to “hypnosis” through “Cyber talk”. When a person receives an SMS message ..”Are you feeling lonely? … Can we chat?, the lonely elder male or female should realize this is not a “Friendly therapist” talking to him but a potential fraudster. The best thing is not to test out of curiocity and avoid responding to such messages .

People should think of binding themselves with the “Ulysses Contracts” (Research on finding out what is Ulysses contract and how to use it to avoid irrational and impulsive decisions). The technique has been successfully used in the Finance world as well as Medical world to avoid irrational decisions by subjects. This works well for adults… in the present case the elderly people who feel lonely, who feel aggrieved that they have been neglected by the society and seek alternate remedies on the social media to find company. This is nothing different from being addicted to smoking, drinking or drugs though it is fashionable to say that I am old but I have active facebook profile with many many friends and likes.

We often think Kids are difficult to handle the same way like adults. But the same techniques that work on the adults may also work on those kids who are likely to fall prey to the online inducement of pedophiles or fraudsters since most of the time they also suffer from the psychological state of personal neglect and isolation from busy parents and feel that they are no longer kids and “Know all”. In this state of mind they behave with the confidence that they are adults mentally though they may not be so physically.

Hence, an awareness campaign on”Don’t get Cyber hypnotized” amongst the school kids can be the first step in combating this addiction.

Second precaution that people should adopt is to break away from the computer or mobile screen from time to time to ensure that they are not in a trance. This could be also good for the eyes of the Computer user.

Can this be done with an App that is an add on to social media that “Pops out” at periodical intervals to interrupt a computer user on Facebook or Twitter or other social media to talk to the user and wake him up from a half hypnotic state if he has slipped himself into?.

Yes, this could be annoying for serious Computer users but I am suggesting this only when a person is on social media.

In fact advertisers may grin and be happy with my suggestion that their annoying pop up full screen ads also have a positive purpose!

Probably the Fitness Bands of tomorrow should be programmed to throw up such ads just the way some Car manufacturers are thinking of waking up persons who tend to sleep while driving.

Beyond these three measures of….

 “Creating Awareness on Cyber hypnotism”,

“Motivating people to adopt Ulysses Contracts to avoid irrational cyber induced decisions” and

“Forced breaks with pop up ads with relevant reminder messages”,

the need to make these vulnerable sections of the society feel that they are not alone and are wanted by their family members and friends in the real society is also essential.

This is the toughest part in our society since every youngster feels that he is too busy with his work and hence has no time for socialization with his elders or kids at home.

Hopefully we start thinking in this direction and each one of us may find our own solution that helps to combat malicious use of  “Cyber Hypnotism”.


[P.S: Author has been an interested student of hypnotism since 1971 and also holds a basic level certificate in hypnotism…. just for knowledge enhancement and not for practice.]

Print Friendly

Creating a Protection for Indian Companies from European hegemony

The first question that an Indian Company needs to satisfy for itself is whether it is at all exposed to the provisions of the dreaded GDPR and if so whether there is need to respond.

It must be clarified that Indian Companies appreciate the principle of Privacy and the need to protect privacy in data form as a part of the protection of human rights of any global citizen. What is however creating a resentment is the obnoxious level of penalties that GDPR is empowering itself to impose on companies which are actually not established in EU. This is seen as an attempt to build an hegemony in the Data Processing market across the globe.  It is also perceived that the GDPR is trying to re-write the jurisdictional laws as is understood in the “Border less Cyber Society”.

There is a need for the authorities implementing GDPR to abrogate the clause of “percentage of global turnover” in article 83. The financial limits of 10 or 20 million Euros is not an issue but an open ended turnover based penalty is unreasonable and smacks of an arrogance that needs to be challenged. This should however be done by organizations such as NASSCOM which should discuss it with countries such as USA and Australia to form a global forum to protect the interest of the industry bodies.

At present, it is not however completely clear how the GDPR penalty clause will play out in the Indian market.

The GDPR recognizes two main roles for IT Companies namely

  1. Data Controller
  2. Data Processor

A “Data Controller” is one who has the power to decide on how the “personal Information” will be processed. “Data Processor” is the one who processes the information as determined by the Data Controller. The “Data Processor” is therefore a “Sub Contractor” to the “Data Controller” and does not have the contractual power to act independently.

A similar issue also exists under HIPAA-HITECH Act where the Business Associates (BA) are presently directly under the regulation of HHS in terms of the audits and imposition of penalties.

However, in the case of HIPAA-HITECH Act, the jurisdiction boundaries are well defined and a company which has no legal establishment in USA but works as a Business Associate is more appropriately recognized as a “Sub Contractor” bound only by the Business Associate Contract which may have an indemnity clause to protect the liabilities arising on the Covered Entity or another BA in USA  which has outsourced the business to the Indian Sub Contractor.

The GDPR has however tried to establish its control even over companies established outside EU through some of its provisions which needs a close watch.

Under Article 3 (1),

“GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”

Under Article 3(2),

“GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”

Under Article 3(3)

“GDPR  applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”

Article 3(3) obviously applies to countries under some kind of a Treaty or Convention which includes the protection of Privacy of EU citizens.

Article 3(1) applies to Data Controllers or processors who have an establishment in the EU including those who outsource the data processing to another entity outside the EU or use Cloud for certain part of its services.

It is Article 3(2) which tries to include extra-territorial jurisdiction to the regulations and contains two sub clauses.

The first sub clause is directed to Data Controllers or Processors which are not established in the Union but “Offer services of goods and services” to data subjects in the Union.

The second sub clause is directed to Data Controllers or Processors which are not established in the Union but “Monitor the behaviour of EU Citizens to the extent that it takes place within the EU”.

It may be noted that the definition of a “Data Controller” is that he is one “” who determines the purposes and means of the processing of personal data”.

A person who collects the data is not included as a “Data Controller” though he may come under the category of a “Data Processor”.

Indian Companies who have direct IT contracts with EU Companies like Infosys, TCS or Wipro may be “Data Controllers” but most other companies will be “Data Processors” since they may be only sub contractors.

However, most of the Indian Companies may not be  “Offering Services” to EU data subjects though they may be offering services to “EU based companies”. In such cases, it is possible interpret Article 3(2) as not being applicable to such Indian Companies.

This interpretation also goes with the ITA 2000/8 where in defining the due diligence under Section 79, the Government of India has clarified that the obligation of obtaining  “Consent” from data subjects lies with the “person collecting the information from the data subject” and not the company which receives the personal information of data subjects from another company which has collected it.

In Other Words, ITA 2008 recognizes the “Collector of Personal Information from the data subject” as the “Data Controller” (though this terminology is not used) and every body else becomes a “Sub Contractor”. GDPR has knowingly or unknowingly created a class of a “Recipient of Data” who is the first party to interact with the Data subject but may not be a “Data Controller”. The “Recipient” could be a sub contractor of a Data Controller and hence a “Data Processor”. Subsequently, under the directions of the Data Controller, the Recipient may transfer the data to another “Data Processor” who may actually have a contract with the Data Controller and not have direct relationship with the “Recipient”.

Indian Companies which are not receiving personal data from the data subjects and not having an establishment in EU are purely “Data Processors who are not established in EU and not offering services to EU data subjects”. Their liability for GDPR implementation is therefore only through the Contract with the Data Controller who may be an establishment in EU or one who may not have establishment in EU but determines how the data is to be processed.

The “Indian Sub Contractors” are therefore bound by ITA 2000/8 which of course defines reasonable security practice as what is contained in the contract with the data supplier. The Data Controller is therefore well within his rights to state in the contract that the data processor in India has to follow all the security measures indicated under GDPR. He can also put an indemnity obligation that if any loss is caused due to his action or inaction, it should be reimbursed to the extent of a stated limit.

The open ended contract which makes an Indian Company liable to pay a foreign entity may actually be a violation of the FEMA and hence is ultravires the Indian law. The “Turnover based penalty” can therefore not be applied on Indian Companies nor accepted by Indian companies.

As regards websites of Indian Companies or mobile Apps which may be used globally, it is essential for the companies to include a “GDPR Exclusion Clause” on the lines of what is proposed under the privacy policy of which states as under.


GDPR Exclusion

It is declared that follows the principles of Privacy protection under Information Technology Act 2000 as amended from time to time and where there is a conflict with any other international law or guideline, the provisions of ITA 2000 shall prevail. In particular, does not subject itself to the administrative jurisdiction of GDPR and any data subject who intends to be protected by GDPR and not ITA 2000 shall not use any of the services of this site or its networked sites. Any claims made under non-ITA 2000 statutes or regulations regarding privacy protection or otherwise are unacceptable and may be deemed as maliciously intended.


It is also possible to consider that the act of visiting a website established from the shores of India and availing any of its services is like “Virtually visiting Indian shores” and hence does not constitute an “Activity of the Data Subject in the EU”.

Hence I would like Indian Companies on the web and the App developers to review their privacy policies and include a “GDPR Exclusion Clause”  so that they are not unnecessarily becoming liable under GDPR for a stray visitor who may come from EU.


Print Friendly