You may get a heart attack when you hear about this vulnerability

The progress in technology particularly in the field of medical implants has been very impressive. Today “Techno Medical Experts” speak of , Smart Contact Lenses, Phrenic Nerve Stimulation, Glucose Biosensors, Cochlear Implants, Pace Makers and Cardioverter Defibrillators, Bladder Implants etc.

What these implants mean to an ordinary person is that many of the life critical aspects of the human body can be controlled by these implants which run on electronic signals. Such implants can also influence and control what we see and what we hear and perhaps what we touch and sense.

At the same time Cyber Security observers will also realize that if any of these implants can be hacked, then just like the Smart Cars, Smart Bodies can also crash.

These doubts are no longer the fancy imaginations of film and TV serial makers. Recently US FDA confirmed that Cardiac implants from St Jude’s are hackable. (See here).

It is also informed that St Jude has developed software patches to fix vulnerabilities for which the patients need to plug in to the transmitter and “Update” their “body”. It is scary how the patient would feel when he connects to the transmitter and decides to switch on the upload of the patch. Will he upload a patch from a reliable St Jude source? or will he upload a virus?” Is the patch “Digitally signed”? could be some of the thoughts that may be going through his mind. It would have been better if the Company had recalled the patients to their official labs and uploaded the patches in their ICU rather than let the patients sit in their homes and update the patch.

The incident highlights how “hackable” IT devices are placing our life at risk and should be an eye opener for the technologists not to neglect security in any electronic instrument whether they control the life critical human body functions or the financial transactions or any other activity.

Users need to be “Smart” about Security before they embrace the new “Smart Technologies”.

Naavi


Clarification on Section 65B… Who should sign the Certificate?

Section 65B of Indian Evidence Act (IEA)is one of the hot topics discussed in Techno Legal Circles today. Though Naavi has clarified his view on the section many times on this site and in workshops and conferences, there are continued questions that linger on because some of the legal professionals hold some different point of view in respect of some of the finer points of the discussion.

One such doubt often raised is “Who should provide the Section 65B certification?”.

The supplementary questions that arise in this context is …

“Is it that the Admin of a server in which an electronic document is present the person who has to provide the certification?”

For example,

is it not the admin of Airtel who has to provide the Sec 65B certificate for the call data records?

Is it not the admin of flipkart who has to give certificate in respect of an electronic document pertaining to a sale on its site?.. “

“Now that Section 79A acrredited Digitl Evidence Examiners are being appointed, should all future Section 65B certificates signed by one fo them?”…. and so on

I wish to clarify my point of view once again in this respect so that there is clarity in all stake holders in this regard.

I must add here that I have been in the forefront of Cyber Laws since 1998 and has been encountering  Section 65B-IEA since a long time. The very first instance (2004) when a Section 65B-IEA was successfully invoked was the historically important case of The State of Tamil Nadu Vs Suhas Katti in which conviction happened for the first time in India under ITA 2000. In this case, I had presented the critical evidence of crime which was an electronic document present on the Yahoo server based on which the trial was conducted, offence recognized and accused convicted. I was also examined as an “Expert Witness” and cross examined in the case before the Court accepted the evidence. Since then, documents certified by me have been produced in many Court proceedings and must have been used in many civil proceedings. The service www.ceac.in specializes in this aspect of rendering electronic documents as evidences in an “Admissible” form in a Court. In a few cases, I have been asked to personally be present to identify the documents and in other cases, this has not been found necessary.

In the light of all the past experiences I would like to clarify on the point of “Who has to Certify under Section 65B”.

The first point we need to understand is that Section 65B indicates the manner in which electronic documents can be converted into “Computer Outputs” such that the “Computer Outputs” will be admissible as per the special provisions under Section 65A of IEA applicable to “Statement contained in Electronic Form”  defined in Section 17 of IEA.

The “Computer Output” referred to in the Section 65B can be in two forms namely “Printed on Paper” or “Copy on a Media”. If printed on paper it is to be signed. If rendered as an electronic copy, it has to be digitally signed.

To understand  “Who has to sign”? one needs to understand that what Section 65B refers to is to the process of creating the “Computer Output” and not the process of “Creating the Electronic Document which is the subject matter of the computer output”.

The “Original”  “Electronic Document” is a “Binary” document which human beings are unable to understand and can be seen or heard or seen with the assistance of a combination of tools such as the Application and the Operating System running on a hardware of a computer. Hence the “Electronic Document” needs to be appreciated by a Court only in a form which is the end result of many of the processes such as conversion of binary document to a humanly perceivable form on a computer device. However, such a “Humanly perceivable form” sits on a computer and cannot be always brought into the Court room. Even if it is brought, the Judge has to view it and form his opinion and if he incorporates his observation on the document, he will be a witness himself.  (The hard disk in which a binary document resides is only a container and not the electronic document itself and has to be connected to a computer device to know what it contains).

The presence of Section 65B enables the Judge to avoid being a witness himself by introducing a role to the Section 65B Certifier who brings the binary electronic document to an “Admissible” form by creating a “Computer Output” as envisaged in the Section. Even after this, if there is a dispute, then it is open to the Court to call a Section 79A recognized “Digital Evidence Examiner” to assist it in resolving the disputed electronic document.

If as some professionals suggest, it is necessary for the “Admin of a Server in which the document is contained” to provide the Section 65B certificate, then a situation would arise where if there are 1 lakh transactions that pass through Flipkart each day, any dispute arising out of these 1 lakh transactions involving multiple electronic documents will all have to be certified only by the admin if required for evidence. Obviously this is neither feasible nor is the intention of Section 65B.

While the admin who can view the electronic document on the server or any other hardware or software to which he has an access may provide the certified copies, it is not always necessary.

The purpose of Section 65B is to enable “Any Contractually Capable person who knows how to view (or hear) an electronic document to present a copy (printed or on an electronic media) which can be admitted in the Court as also a “document” “without further proof or production of the original”. It is that person who prepares the Section 65 statement in which he says “I viewed this document and converted it into a computer output and I certify …..”.

Hence  a “Third Party” can provide a “Section 65B Certified Copy” for admission.

In practice, the person who provides the certificate should be a “Trusted Third Party” who may be cross examined by the defense which may state that the person is unreliable, is either not capable of understanding what he is certifying and is dishonest and produced a false certificate etc.” The Section 65B certificate incorporates a declaration as to the “Procedure adopted for producing the computer output” which should indicate the manner in which any other person following similar process should be able to reproduce the same “Computer Output” except in circumstances where the original binary document has been removed.

The credentials of the person producing the Section 65B certificate becomes critical to the acceptance of the certified copy by the Court.

In the case of “Forensic Experts”, the experts use certain tools and are able to see information which are visible only on use of such tools. Hence their certificate needs to indicate the tools used which to the extent possible be “Standard Tools” capable of being used by other “Forensic Experts”. It is when there is a propritory  technique is used that the need for the Court to call in another expert who is accredited under Section 79A arises.

We need to reiterate in this context that it is not necessary that all Section 65B certificates are to be issued only by the Section 79A certified agencies. Section 65B certificate is issued for “Admissibility” while the Section 79A certified agency is called in by the Court on special circumstances only. It is like the case of a “Handwiring expert” who is called in from time to time to examine the signatures on documents presented in the Court but not mandatorily for all handwritten/signed documents.

I hope professionals in the field appreciate this point of view and if they agree should adopt it in their practice. In case they have any counter views, I welcome the feedback so that this view can be refined as required.

Naavi

Also Read: Other articles on Naavi.org

P.S: Add on following another request for clarification: Please see comments section

 


Proposed Amendments to ITA 2000 and Privacy Protection

Does ITA 2000/8 address “Privacy Protection”  and if so, does it do it effectively is a question that is lingering in the industry. It will continue to be a point of debate for the amended ITA 2017 (p). …This is in continuation of the discussions on the proposed amendments to ITA 2000/8 presently being discussed by an expert committee headed by Mr T.K.Vishwanathan. ….. Naavi

Protecting the Right to Privacy of an individual is a fundamental right claimed by citizens living in a democratic society and is closely associated with the right to freedom of expression, right to information and security. India has recognized the need for Privacy by interpreting the Article 21 of our constitution favourably but has not yet enacted a separate law which says “Privacy is right protected under law and any violation thereof leads to civil and criminal liabilities”. It is also not likely that in the near future any specific law will be passed in this regard.

However, ITA 2000 and more specifically ITA 2008 has addressed many concerns of Privacy Protectionists without being recognized as a “Privacy Protection Legislation”.

What ITA 2000/8 has done is to provide protection to the “Data” which indirectly protects the “Privacy”. Without being too obsessive, it is better if we recognize the role of ITA 2000/8/17(p) as the principle legislation for protecting the Privacy for which it is eminently suited particularly if a few minor changes are accommodated in the proposed amendments.

“Privacy” of a person is defined as a “Right to determine what amount of personal information should be made public”. It should be a right that can be exercised only by the individual (provided he is in a state of mind where he can exercise that control as per the requirements of law). Every other person who comes into possession of Personal Information should follow the universal principles of privacy protection such as “Disclosure of Privacy Policy”, “Obtaining Consent”, “Collection under minimum and specific use principles”, “Protecting the information on hand” and “destroying” it when no longer required.

An effective law defines the rights, prescribes the punishments for violation and introduces mechanism for effective implementation.

Let us see how ITA 2000/8 address these issues and what can be done further to strengthen the Privacy Protection under ITA 2017 (P), equating “Privacy Protection” with “Data Security” for the current discussion.

The first task of law is to define the “Privacy Right”. In the context of its alter-ego of data security, Privacy Right gets defined by defining “Personal Information” that qualifies for protection.

Under ITA 2000/8 we have defined what is “Sensitive Personal Information” (SPI) without defining “Personal Information”.  (PI). SPI was defined in ITA 2008 along with Section 43A which brought an obligation on the “Body Corporates” handling SPI to protect it with “Reasonable Security Practice”.

Though PI is not defined, Section 72A accords protection to PI and makes its breach a punishable offence with 3 years imprisonment.

Additionally, Section 43 read with Section 66 imposes penalties when the “Value of information is diminished” (which can be an effect of privacy breach).

Also Section 69/69A/69B while providing powers to some officials for interception, decryption and data mining, puts a bar on the others to do the same without attracting penalties.

Section 79 imposes the responsibility of Privacy protection on the “intermediaries” in clear terms through the rules of due diligence.

Grievance redressal is defined with reference to the provisions of due diligence under Section 79 and also by instituting the Adjudication and Cyber Appellate Tribunal (CyAT).

While we can debate the adequacy of these provisions in comparison to the EU standards such as the GDRP or US Standards such as the HIPAA, we cannot but acknowledge that ITA 2000/8 has covered most of the requirements of Privacy Protection (In the context of Data protection).

Without therefore saying so, ITA 2000/8 therefore provides protection of Personal Information. It is possible that some may not realize it until a separate act is legislated but it is not necessary.

It must be noted that under ITA 2000/8, any information which is processed in a computer device or meant to be processed in a computer device also is “Information”.

Hence it is possible to extend the “Data Protection Rights” as is available in different forms under Section 43, 43A, 66, 72,72A, 69, 69A, 69B, 7A, etc to information which is in a form other than as “Electronically Written”, such as “Voice which is Electronically spoken or meant to be processed in an electronic device”. This can extend “Privacy Protection” to “Voice” in certain circumstances.

The perception in the industry however is different. Most of the IT professionals in India think India does not have an adequate Privacy protection provisions in the country and cannot defend the regime with their EU counterparts. Probably they are interpreting the failures in implementation as failure of law and hence the clamour for a separate Privacy Protection Act has continued.

It is therefore an opportunity now to address some of these concerns in the proposed amendments for which some suggestions can be discussed.

Perhaps, a chapter can be dedicated in the ITA 2017(P) with the title “Privacy and Data Protection” where some provisions of Privacy and Data Protection is specifically mentioned. This will provide the required confidence to professionals who compare Indian legislation to EU legislation.

Defining Personal Information

One of the requirements that is perhaps required is to upgrade the definition of “What is Personal Information” from what is provided in the rules to Sec 43A, which states

“Personal information” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

This definition is restrictive to data with the Body Corporates and the Section 43A also restricts itself to Body Corroborates.

 An improved definition that should be added in the Act itself to be applicable for all sections including Section 72A could be

“Personal Information” of an individual means any information related to a living person who is not a minor, or of unsound mind or an undischarged insolvent, which when in possession of a third person is capable of being used to identify the individual by such third person with reference to the individual’s Name and Physical location. 

By defining the Personal Information in the above manner, we will be letting a “Netizen” preserve his “Anonymity and Pseudonomity” subject to certain conditions. Mere assumption of a “Pseudonym” or “Anonymous identity” on the information space would not be an offence unless such alter-identity is used to commit an offence.

Whenever an “Information” is required for “Law Enforcement” which means that there is a prima facie evidence that the information is suspected to be  a “Tool of Crime”, the protective veil has to be lifted.

The focus of the regulation will be to introduce a due process under which alone the “Privacy Veil” is removed.

Also under this definition, “Right” ceases when a person loses his capacity to enter into valid contracts. This means that there is no “Privacy Right” of a person who has lost his mental capacity to take decisions. Of course how this has to be determined and by whom needs to be defined in law. Such issues are already addressed under HIPAA and should not be difficult.

Establishment of a “Privacy Board”:

In order to adjudicate on the Privacy issues, the current system of adjudication/CyAT may continue where the fact of a wrongful act is not under serious challenge. Where there are serious doubts as to whether an information should be subject to privacy or not, a “Privacy Board” may be constituted as a “Reference Advisory Body” to which the Adjudicator may refer an issue of a “Request for lifting of the Privacy Veil” or “Defence an alleged violation of Privacy Right by disputing the nature of information as not being subject to the protection”. Such a “Privacy Body” may be headed by the NHRC Chair person and may have representation of the Ministries of Home Affairs, Defense, Information Technology, Netizen/Privacy Right Activists etc.

Once the issue of proper “Definition” and the “Privacy Controller” is established, other aspects of protection can be defined in an acceptable manner.

Preventing International Abuse

The privacy laws just like IPR laws of some of the foreign countries are designed in such a manner that they can be used effectively to control business flow over riding the principles of free trade.

If India does not recognize this and take some steps within our own laws to ensure that Indians are protected against unfair foreign laws, we will be letting foreign forces build “Information Colonies” in India. We have seen how Mr Donald Trump has already protected the US interests by restricting the US privacy protection only for US citizens. India needs to also protect its interests in a similar manner against exploitation of Indian interests through unfair and excessive privacy regulation of foreign Governments.

For this purpose, it must be made mandatory that whenever a foreign entity has to invoke a Privacy Law against an Indian Company or individual (including the GDPR or HIPAA etc), prior clearance of the Privacy Board is required.

This will ensure that unfair and unreasonable business restrictions are not imposed on Indian entities in the guise of protecting “Privacy” .

An appropriate mechanism of Arbitration can be instituted by the Privacy Board to ensure that there is proper conduct on both sides and there is no scope for unfair use of privacy laws by international players.

These could be part of the new amended ITA 2017 and I urge the Committee to look into these suggestions seriously.

I wish organizations such as DSCI which celebrate the “Data Privacy Day” also do some thing more concrete in this direction.

Naavi


Redefining the scope of ITA 2008.. in the amendments..

This is the continuation of the discussions on the proposed amendments to ITA 2008 being considered by the T K Vishwanathan Committee.. Naavi

The proposed amendments to ITA 2000/8 which may come out in the form of Information Technology Amendment Act 2017 [ (ITAA2017(p)] during this year is an opportunity to make substantial changes to the present Act.

One of the main sections which needs attention in redefining the scope of the Act is to take a fresh look at Section 1(4) which keeps certain types of documents as mentioned in Schedule(1) out of the provisions of the Act. In the recent past there have been many State level enactments where legislations have been passed ultravires to the main Act because this section was not properly understood. Karnataka was one such state which passed an amendment to Registration Act 1908 which may be considered as ultravires the ITA 2000 because of Section 1(4) limitations.

Presently, Section 1(4) states as follows:

“Nothing in this Act shall apply to documents or transactions specified in the First Schedule by way of addition or deletion of entries thereto.”

The excluded documents so far notified are

1. A Negotiable Instrument (Other than a cheque) as defined in Section 13 of the Negotiable Instruments Act 1881 (26 of 1881)
2. A Power of Attorney as defined in section 1A of the Power of Attorney Act 1882 (7 of 1882)
3. A trust as defined in section 3 of the Indian Trusts Act, 1882 (2 of 1882)
4. A will as defined in clause (h) of section 2 of the Indian Succession Act, 1925 (39 of 1925) including any testamentary deposition whatever name called
5. Any contract for the sale or conveyance of immovable property or any interest in such property

The reasons for which these documents might have been kept out of the purview of the Act at that time (1998) could be either that some of these documents such as the Bill of Exchange and Promissory Notes needed to be compulsorily stamped before execution and it was difficult to do an online stamp and also establish that stamp duty was paid before the authentication and hence it was kept out of the purview.

The immovable property documents that transferred the title in the property constituted a huge part of the stamp duty income which accrued to the States and additionally there was a doubt if digital documents can be preserved for as long a time as paper documents could be preserved and hence needed to be kept out of the purview.

The other documents such as Trust Deed, Power of Attorney and Will were kept out perhaps keeping in view the “Digital Divide” and possibility of common men being duped with online frauds involving such documents.

The concerns of “Cyber Crime” involving property documents or Wills or Power of Attorney documents continue to this day and are perhaps more relevant than ever before though payment of stamp duty online is an easier problem that is no longer a concern.

Storage of electronic documents might be considered more reliable today than before. Further it would be strengthened if proper “E-Audit” under Section 7A of the Act is followed diligently.

Despite the changes that has come across in the last 18-19 years since the Schedule 1 content was drafted (first as part of Section 1 and then under Schedule 1), it is time to consider if at least some of these provisions could be addressed now.

Unfortunately the system of Authentication defined by Digital Signature and Electronic Signature itself is shaky because the system is not properly implemented. Presently the system is running because the users are unaware of the proper way of using the digital/electronic signatures and intermediaries including the licensed Certifying Authorities by pass many of the legal provisions and CCA is not enforcing its authority.

For example, today private keys are being compromised systematically by corporate directors leaving the cryptographic keys with their auditors.  Many of the Certifying authorities engage Registration Authorities (RAs) who keep copies of the private key with them, load it onto the cryptographic key and then deliver it to the customers  ignoring the fact that the private key has been compromised.

The e-sign system itself is faulty for the reason that the key pair might be generated and stored on the HSM controlled by an RA and not the subscriber and that the subscriber’s e-application for issue of digital certificate is itself not authenticated since the subscriber has not yet obtained the digital certificate at this point of time. The e-KYC of aadhaar is done with reference to the OTP relying on the KYC of the Mobile operator and the digital certificate expires before the first verification of the e-signed application is made.

In view of these fault lines in the authentication systems, it may not yet be possible to remove either the immovable property documents or the Will or Power of Attorney from the list of excluded documents.

However, if there is any conditional inclusions can be made, property lease deeds of less than one year duration which may presently be exempted from stamp duty can be included in the act.

As regards the “Will” there are two issues. A Will can be left for properties which are not digital. At the same time a Will may also include properties which are per-se digital such as the e-mail accounts, domain names, websites etc.

It can be considered if a testamentary document in electronic form could be recognized only for the digital properties such as the “Passwords”,  “e-mail accounts”, “Digi locker/Drop box accounts”, Apps on the mobile including UPI apps and Mobile wallets holding monetary value, Cryptocurrency wallets, Software purchased and running online, Mobile accounts, SIM card/Stored on the Mobile information, domain names, websites, content and web based software etc.

Additionally, I have suggested that “Contracts of Marriages” including “Contracts to nullify Marriages” can be added as an exclusion. This will address the issue of nuisance “Claimed Marriages on Twitter” or “Talaq on WhatsApp”.

A more detailed debate on this issue may throw up other suggestions if any.

Thus the scope of ITA 2017 (P) needs to be redefined with reference to the type of documents that it may cover either by modifying the First Schedule of the Act or by inserting new definitions and explanations at appropriate places.

Naavi

 

 


Domain Name Regulation in ITA 2000..to be amended

This is a continuation of our discussions on proposed amendments to ITA 2000 presently under consideration by the T.K.Vishwanathan Committee. For further discussions henceforth we shall refer to the proposed amendments as ITAA2017(p) and the new Act as ITA2017(p).

The ITA 2000 pursued the objective of E Commerce promotion by providing legal recognition to Electronic Documents and the method of authentication through Digital Signatures. It also addressed some aspects of Cyber Crimes which were expanded in 2008 along with more on compliance requirements.

However both ITA 2000 and the 2008 amendments did not in any way looked at the regulation of “Domain Name” which is the key property of any  E-Business. Additionally, today we see a number of Cyber Crimes being committed under fraudulent websites whose domain names are registered so as to cheat public, registrant’s information hidden under the false pretense of “Privacy” and ownership often determined more on the basis of “Trade Mark registration” than any other logical consideration.

Naavi has been in the forefront of the debate for the concept of “Resolving Confusing Domain Names through a system of a trusted third party disclaimer” (Refer: lookalikes.in) . The idea here is that if two persons have legitimate interests in a particular domain name and there is neither an attempt to cheat public by “passing off” a service as similar to a more popular service or to cause confusion and obtain undue advantage there of, then we should allow the two otherwise similar domain names to co-exist with disclaimers on both sites preferably corroborated by a trusted third party.

What presently happens is that a genuine person who wants to start business under a domain name will never get a name which is free of disputes because every name will be similar to some name already registered elsewhere in the world. The very system of ICANN allowing multiple TLDs means that different entities may hold the same name in different TLDs if they have a reason. Today one company cannot register all domain names in all the 200 plus extensions that are available and therefore allow others to register the names and then hound them like a prey. The UDRP process and the INDRP process is heavily skewed towards the more wealthy disputant and holder of a trademark.

In US, the Anticybersquatting Consumer Protection Act (ACPA), provides some protection to domain name owners in addition to the remedies provided under the UDRP though even this law favours the US trademark owners. In India we donot have a similar law.

In many cases, the disputes are raised after a business builds up a brand value in a domain name since when the domain name is registered, no registrar alerts the registrant about the possibility of a challenge coming up later. Both the registrars and the ICANN make money by letting people register names which are patently undefendable if challenged by the earlier registrant of a similar name.

At the same time, those who want to register phishing domain names are not concerned with either the trademark law nor the Cyber squatting law and register domain names in patently confusing names.

Thus the current system does nothing to prevent fraudsters and only hurts genuine registrants who pick up an available name because it suits them for promoting their business without any intention of taking advantage of the existing brand name owned by some body else.

ITA 2000 as proposed for amendment should therefore try to provide a solution in this regard. The suggestions I have in this regard has been discussed in detail several years back in this site (see the old articles under the link “Old Posts“). It is time for others to add their views to the debate. In short, my suggestions are

a) Given the existence of a number of options for the TLDs in the generic and CcTLD type it is not possible to prevent registration of names which may be in conflict with others.

b) The use of “Internationalized domain names” in different languages such as Hindi or Chinese and the Phonetic similarities which are also a cause of action in trademark disputes make the current system of allowing registration of any domain name without the registrant being checked at the time of registration is a completely unacceptable system.

c) The system of “Registering a Lookalike Domain Name” with a disclaimer publication was suggested so that the affected domain name owner can object if there is a real need but genuine registrants would feel safe to develop their brand in an otherwise risky domain name.

d) The practice of hiding the name of the registrant of a domain name in the disguise of “Privacy” should be discouraged and eliminated since it puts a barrier on quick investigation of frauds.

e) The registrars should be considered liable (Even now they are liable under Section 79 of ITA 2000/8 as intermediaries but this is rarely recognized) for any frauds where the registration of a fraudulent domain name was used as a tool of cyber crime.

Incorporating the above requirements we need to develop a new system of domain name registration initially within the jurisdiction of India and provide protection to the Indian registrants with the concept of the “Regulatory Gateway” discussed in the earlier article.

In our first article on the modifications ,we suggested introduction of the following section in Chapter XI..

(..) Whoever, in bad faith and with the intention to cause disrepute, harm to another person or cause disruption of any legitimate business or cause confusion in the minds of the public, who having regard to the circumstances, are likely to be influenced registers a domain name shall be liable to pay damages to the person so affected not exceeding Rs 10 lakhs and for the purpose of this section, a person not being a resident of or a citizen of India shall also be liable even if no computer or computer system located in India is used for the contravention.
Explanation:
For the purpose of this section exercising of due diligence including appropriate disclosures shall be considered as indications of good faith.

This could be a starting point to develop the appropriate penalties either in the form of civil penalties only or with a criminal punishment also.

I leave it for further discussion by the T K Vishwanathan Committee.

Naavi

P.S: 27/10/2017: A case similar to the case of cgtmse.govt.in where a fraudulent website in the name of the Government was run to cheat public has been reported again in the name of nmcsm.in (See here ).

 Highlights the need for making domain name registrars liable for the irresponsible registration of domain names. Simultaneously it also highlights the need of Government websites like UIDAI to follow certain domain name registration policies which provide confidence to the public that the sites are genuine…as pointed out in an earlier article.


Need for a Regulatory Gateway

Thinking about the proposed amendments to ITA 2008, my attention was today drawn to the “General Data Protection Regulation (GDPR)” which is the new Data Protection Regime being promoted by the European Union. Europe is known to be in the forefront of protecting the “Privacy” of individuals and has often crossed swords with even US when it comes to enforcing its Data Protection Regime in the information world.

The GDPR which is replacing the EU Data Protection regulation of 1995 has already come into existence with its adoption in 27th April 2016 and application from 25th May 2018 after a two year transition period.

The GDPR attracts attention across the globe and particularly the Indian community in view of its unrealistic penalty regime and the arrogance with which it is sought to be enforced.

For example, it is proposed that “Non Compliance” could result in penalties of upto 4% of Global Turnover of a company or €20 million (approx Rs 146 crores) whichever is greater. The regulation applies if the data controller or processor or the data subject is based in EU. If the regulation had used the term “if the data controller, the processor and the data subject” are all based in EU, it would have been a reasonable regulation. But expecting the regulation to be applicable to companies outside EU is inviting international litigation that could cause extreme disruption in global business.

Indian IT Companies should be more worried about this than the changes in immigration laws that may be brought in by the new US President.

Even if there are any doubts about the jurisdiction of EU Courts on non EU country resident companies, it is evident that contractual obligations between EU Companies and the non EU entities will hoist liabilities and indemnities for non compliance and hence if any Indian Company wants to do business with EU countries involving processing or storing or transmission of personal data from the EU residents, GDPR would be considered applicable. Hence the 4% Global turnover  penalty will loom large on such companies.

This tendency of one country trying to impose its law on another country is most relevant for the borderless Cyber Economy. We have seen how US has imposed its jurisdiction on Dmitry Sklyrov of ElcommSoft and innumerable litigations on cross border Cyber crimes. While the need for controlling Cyber Crimes and Cyber terrorism has established the need for cooperation between multiple countries with or without underlying treaties, there is a tendency in the IPR and Data Protection regulation to use the international jurisdiction to unreasonable levels.

GDPR is emerging as the next threat in this direction.

I therefore urge the ITA 2000 amendment committee to recognize that we cannot allow unrestricted international hegemony to play over the Indian regime and threaten the growth of E Business in India.

I therefore propose that in the new ITA 2000, a proposal is made to establish an ” International Cyber Law Regulator for India” who will be the sole authority to adjudicate if in any specific instance international jurisdiction should be allowed. This regulator need to work as a gateway to ensure that unreasonable international regulation does not hurt Indian interests while at the same time not preventing any reasonable compliance regulations promoted by international organizations to be complied with even in India.

The authority should register Indian players who would like to be protected under any international regime passing laws that may affect the Indian entities and manage the information flow in respect of all “Compliance related regulations”. At the same time, it should be mandated that any international organization that wants to take legal action against an Indian Citizen or Organization should have first registered their international legislation with the authority and obtained its consent to make it applicable to Indians and also route any complaints of non compliance entirely through this regulator.

This regulatory authority can be a multi member authority and not the CERT IN. It should have people who know Cyber law and International Law  besides Technology and the compliance regime.

This authority would be a protective umbrella that provides some relief to the Indian entrepreneurs to focus on their business rather than watching over their shoulders for all the international laws many of whom are only meant to be self serving for the advanced countries to build their colonies of influence using information technology as an excuse.

Naavi

Related Articles:

The Applicability Of EU Data Protection Laws To Non-EU Businesses

Does GDPR apply to organizations outside the EU?