Innovation is good. Disruptive Innovation is better. Futuristic Innovation is Best…

Today, people swear by the term “Innovation”. Whether it is the Budget Speech or a Chairman’s speech in AGM, the buzz word is “Innovation”.

However people who actually innovate often wonder why some thoughts get the tag of innovation and some fail to.

Today, I saw a report in Times of India that in Bangalore the BBMP may issue “Property ID Cards” for every property. (See Report here).

This reminded me of the exact proposal I had made to BBMP long long time back which was then not appreciated.

I was also reminded of an article titled “The National ID Card Challenge for Nandan Nilekani.. Part I : Part II : This should have been a sensational news when presented but did not attract the attention of any.

As of today, people need to appreciate the idea of property ID as presented by BBMP as “innovative” and welcome it.

But it is necessary to point out that more than 10 years back, this proposal was made by the undersigned as part of the implementation of the “DVIIS” or the “Digital Value Imprinted Instrument System” (Refer this 2003 post). The concept was subsequently put to suggested harnessing in the name of “ZeMo” cards or “Zero Memory Smart Cards”

The concept was a universal concept with use cases in “Citizen Identity”, “Digital Stamps”, “Prepaid Cards”, “Air and Bus Tickets”, “Digital Cheques”, and several other instances including “Property IDs”.  The idea was discussed with several Government agencies including the BBMP officials and Banks. Several of the IT companies some of whom are today MNCs and claiming to be “Innovators” could not appreciate the worth of the suggestions despite explaining of the entire concept in clear terms. If I check my e-mails, many of the “Who Is Who leaders” of today are people who could not see the potential of the innovative idea which today is seen in every IT project including the Aadhaar Card and Digital Payment Systems.

I still remember that Stock Holding Corporation was in the verge of implementing their Digital Stamps system at that time and when our solution was presented to them (see here the basic concept) we were told, “We would have taken up your solution but one of our executives has given a promise to another vendor”. The Karnataka Government of that time had also been approached and did not perhaps understand the benefits.

Companies like Cognizant considered the ideas in the Banking product area for some time but again was unwilling to pick it up as a product and wanted to consider it only if some Bank could give them the project. Banks of course were not capable of themselves taking a decision on a disruptive idea unless it is presented to them by a large IT company. Neither the Government agencies nor the senior IT executives of that time had the ability to understand and appreciate the thought and convert it into a commercial products though the undersigned had not placed any IPR barriers.

It is amusing that 13 years after the idea was first published, we are seeing that one by one all the use case instances of Digital Value Imprinted Instrument System and the “ZeMo Cards”.

Probably some of the suggestions I am discussing now will be considered “Innovative” 10 years down the lane.

I wonder if a 10 year old idea is “Innovative today” what was it 10 years back?.

……………Probably we should call it “Futuristic”? or “Innovation too early for the time?”

It is therefore necessary for Innovators looking for success to understand that even if an innovation is considered a “Disruptive Innovation”, it will only get recognized if the society is mature enough to understand the disruptive nature of the idea.

Otherwise it is necessary to wait until the society matures to a level when your “Too early to understand idea” is recognizable as “Disruptive and Innovative”.

But the thought lingers on….

If an innovative disruptive thought of today is a potential winner backed by venture capitalists and policy makers, should they not be mature enough to understand that a “Futuristic idea” which may become disruptive and innovative over a time is also a “Potential Winner” probably at a higher scale?

Even if they are not mature today, I hope they will mature in time when they reflect, “How Did I miss to recognize and back this innovation when this was presented  10 years back?”

With this positive thought, I urge “Futuristic innovators ”  to continue to do what they know best…

“Ignore the current appreciation or lack of it, continue to innovate even if it takes another decade for the society to understand and appreciate”

Naavi

Print Friendly

Tweaking the MDR charges …Watal Committee recommendations…3

This is a continuation of the discussions on the Watal Committee Report

Encouraging increased use of electronic modes of transactions was one of the objectives pursued by the Watal Committee. In this direction the committee considered the transaction cost structure  involved in the use of cards where the acquiring Bank collects MDR, (Merchant Discount Fee/Rate) pays interchange fee to the card issuing bank and the scheme fee to the scheme owner such as Master or Visa. In the present scheme MDR is 0.75% for transactions less than Rs 2000 and 1% for transactions above Rs 2000.

There is no MDR cap in Credit Cards where the charges made by the industry may be around 1.5% to 2.%

In high margin transactions,  it is possible for the merchants to absorb this cost though many donot. In some transactions where the margin in the business is low, say less than 5%, this MDR becomes a substantial part of the business margin and it would be unfair to expect it to be borne by the Merchant.

It was one of the recommendations of the Watal Committee that  there has to be a parity between cash and digital payments (R6-to be implemented within 3 months).

This rules out the possibility of the consumer being charged the MDR fee separately by the merchant. The consumer makes payment for the services in a legal tender which is cash or an alternate method which is digital payment using a Card or a Mobile Wallet or an UPI type system.

In the case of UPI or USSD system, the only intermediary involved is the NPCI apart from the two Banks. In such transactions the transaction cost can be fully absorbed by the system without being passed on either to the Merchant or the consumer.

In the event a Debit/Prepaid Card is involved, the card issuing Bank should waive its charges since use of cards in preference to cash is a direct benefit which they enjoy with a lowering of the footfalls in the Bank/ATM and the avoidance of the cash inventory cost.

The “Debit Card” is a part of the account opening and represents the balance in the account. The debit card issuing Banks therefore should not charge separately for transactions with the use of debit cards. RBI should strictly mandate that no such transaction charges should be levied on the acquiring Bank or the customer.

The involvement of scheme managers should also be eliminated here with the substitution of NPCI as the gateway as in the RuPay cards.

The cost of the card itself is a one time cost and most banks are charging it to the customer. As long as this is reasonable, this may continue.

The ATM withdrawal charges are a “Disincentive” for cash withdrawal and as long as the Debit/Prepaid card transactions are waived off, the present system of a reasonable charge for the number of ATM transaction exceeding a minimum number of say one per week, may be tolerated.

Banks s do incur a cost for authentication of transaction for which they may engage the services of outsource agents. However this is part of the “Cost of Banking” and just as a Bank cannot separately charge  extra fees because one ledger clerk enters the debit entry, one officer verifies your signature and a cashier makes the payment of cash, they should not be allowed to charge the authentication services such as OTP verification or VBA authentication to the customer.

The bottom line is that the “Interchange charges” should be eliminated in the case of Debit or Prepaid Cards.

Further, ensuring “Safe Transactions” is part of the Banker’s obligations and hence all transactions through the debit/prepaid cards should be insured against frauds and transaction failures at the cost of the Bank.

As regards Credit Cards, it is a separate contract where the Bank agrees to provide a credit line to the customer and once a credit line is approved, there should be no difference between a debit card/Prepaid card and the Credit Card.

Banks may therefore charge a Credit Approval Charge and Basic card cost. As regards the transaction cost, in the event the credit line is utilized, the card holder pays interest charges which are always usurious. Hence the issuing bank gets adequate reward by way of interest. Probably they could charge a “Commitment Charge” for those who use the card but does not avail the credit line. This commitment cost can replace the transaction cost so that the “Interchange charge”.

In view of the above, the “Interchange charges” can be eliminated even in the case of Credit cards so that at the merchant level, he could be neutral as to whether the consumer presents a Credit Card or a Debit Card or a Prepaid Card in lieu of currency.

The acquiring Bank and the scheme provider may be entitled to some reward for their services, depending on the services rendered.

Some acquirers provide POS machines free of charge and they are entitled to recover their cost either as one time fee or per transaction fee. However, since the cost they incur is fixed, there is no reason why they should be allowed to make unreasonable profits by endlessly collecting transaction fee.

There can therefore be a cap on the MDR charges payable to the acquiring Bank.

Today since the interchange charges are a substantial part of the MDR, elimination of this should bring down the MDR charges from the current levels of 0.75% or 1% to around 0.4 to 0.5%.  If a cap is placed on the MDR fee of the acquiring Bank, then the total MDR can be brought down further based on the turnover of the merchant in terms of number and volume of transactions to even around 0.1% at which every merchant including the petrol bunks should have no problem in accepting cards of any type.

Again there could be a transaction based insurance cost which can be a reasonable load at around o.05% .

This leaves the scheme owners like the VISA or Master who are an overhead on the system.  VISA and Master do not take any credit risk and except for providing international acceptability which is required only for those who need to use their cards on international channels (which may include online transactions), they are not of much value for other transactions except as a transaction gateway.

If NPCI can take over issue of RuPay credit cards, then the need for VISA and Master or AMEX can be further reduced and hence their cost can also be eliminated. Those who need to use their cards for foreign merchants who donot recognize NPCI as the scheme owner,  may use”Virtual/Prepaid cards” with VISA/Master branding.

There is therefore a good scope for

a) Elimination of Interchange charges of the card issuing Bank for Debit and Prepaid Cards

b) Elimination of Interchange charges for Credit Cards which may be substituted by a “Credit Approval Charge” and “Monthly/Annual Commitment charge” for those who use a credit card only for the free credit it provides within a billing cycle.

c) Elimination of the Scheme Charges by NPCI stepping in to replace VISA/Master/AMEX

d) Reduction or elimination of the acquiring Bank charges by replacing it with one time instrument cost

e) Introduction of Cyber Insurance for all transactions for which Banks should bear the major responsibility.

Following the Committee’s report, RBI has reduced the MDR for Debit Cards to 0.25% for transactions upto Rs 1000 and 0.5% between Rs 1000-2000.

There is however a lot more that RBI can do and whatever is discussed above is within the powers of RBI and NPCI. However it would be resisted by the Banks since it may hurt their revenue potential. Presently Banks are used to counting their profits without assuming responsibility even for frauds and using their clout to prevent RBI from introducing consumer safety measures. It is time to put an end to such unfair business practice in Banking by RBI asserting its regulatory role and powers.

Banks may submit a cost benefit analysis to RBI to justify the charges if they think that the suggestions for complete elimination of the interchange charges and the reduction of the acquiring bank cost is unreasonable.

The arguments presented above for elimination of charges for card transactions equally apply to the other mobile apps such as wallets and UPI and there should be no reason for any charges to be applied for such transactions whether the services are privately owned or not.

These suggestions are important since it is in the interest of the Government that Cash usage is reduced in the economy and it is in a way forcing the Citizens to adopt tot his new Digital payment ecosystem. Government cannot force their citizens to adopt to currency replacement without protecting them from additional cost and fraud risk.  Hence we believe that Government would be interested in pushing such suggestions.

In the above suggestions, it has been assumed that NPCI does not become greedy on its own and try to introduce its own charges. It should be considered as an “Infrastructure”  created by the Government for the efficient administration of the “Cash Less or less Cash” society for the larger good of the country.

NPCI should therefore be funded by the Government. At no point of time in the future also, NPCI should turn into a commercial organization like many other infrastructure organizations such as BSE.

Naavi

Print Friendly

Metrics for Digital payments, Watal Commitee Report..2.


This is the continuation of our discussion on the Watal Committee report on digital payment system in India.


It is not common for Committees set up by Government first of all to complete its work within the allocated time. Most Government committees extend their life by delaying the submission of their reports so that they can continue to enjoy the privileges attached to the committee for their functioning.

However it is heartening to note that this trend is changing in the Modi regime. We need to appreciate the Watal Committee set up last August for changing the trend and submitting its recommendations much before the time of one year that was set for it. The committee has responded to the changing needs following the demonetization and submitted its report far ahead of its tenure.

What is also noticeable is that the Committee has put in several recommendations and suggested a time line even for the implementation of these recommendations.  This is a tradition which needs to be taken note of and appreciated.

Now that the Budget proposals for the next year has been placed before the Parliament, there was a reflection of the Watal Committee recommendations even in the Budget speech of the Finance Minister when he reminded of the proposed revision of the Payment and Settlement Systems Act 2007, promotion of digital payments within the Government service, incentivisation of digital payments  etc in the Budget speech.

We can take a look at the different time lines suggested by the committee for its different suggestions.

No Recommendation Type Responsibility

Recommendations suggested to be implemented within 2 weeks

R 13

Other Measures – Develop metric  for digital payments

Regulatory RBI

Recommendations suggested to be implemented within 1 month

R3: Promote digital payments within Government  – Service tax input credit for digital
transactions -Utility bills and payments to Government through digital mode
Executive Ministry of Finance

Recommendations suggested to be implemented within 2 month

R4 Create a fund from savings generated from cashless transactions – Create and utilise Digital Payments Action Network (DIPAYAN) Executive

Ministry of Finance, Ministry, of Social Justice, Ministry of, Tribal Affairs and DONER

R 4

Create a fund from savings generated from cashless transactions – Mechanism to track cash handling and transitioning to digital payments

Executive Ministry of Finance
R9

Allow non-bank PSPs direct access to payment systems

Regulatory RBI
R 10 Improve shareholding and governance of retail payment organisations Regulatory RBI
R 11 Enable interoperability Executive and Regulatory RBI, NPCI
R 13 Other Measures –
Support POS, card based and
other digital transactions
Regulatory RBI
R 13

Other Measures – Enable faster and cheaper credit

Regulatory RBI
R 13 Other Measures – Promote cross-border payments Regulatory RBI

Recommendations suggested to be implemented within 2-3 months

R5

Create a ranking and reward framework

Executive Niti Ayog, State Governments
Recommendations suggested to be implemented within 3 months
R6

Other Measures – Promote eKYC and paperless authentication

Executive and Regulatory

Ministry of Finance, RBI, UIDAI

R 6

Other Measures – Implement disincentives for usage of cash

Executive Ministry of Finance-
R 6

Create awareness and transparency

Executive and Regulatory

Ministry of Finance, NITI,Aayog, RBI, Ministry of HRD, DoPT

R6

Other Measures – Create parity between cash and digital payments

Executive and Regulatory

Ministry of Finance, RBI, UIDAI

R 6

Other Measures – Promote USSD based payments

Executive and Regulatory

Ministry of Finance, RBI, TRAI, DoT

R8

Consider updating payment systems to operate on 24*7 basis

Regulatory RBI
Recommendations suggested to be implemented within 3-4 months
R 12

Create formal mechanism to allow innovations and new business models

Regulatory RBI, Niti Aayog
Recommendations suggested to be implemented within 6 months
R7

Consider outsourcing of payment systems

Regulatory RBI
R 13

Other Measures – Regulations on SIPS and SIFI

Regulatory RBI

One of the first tasks that was scheduled to be completed was “Development of Metric for Digital Payment”. The committee recognized that there is a need to measure the progress of digital payments and expected that within 2 weeks from the publication (December 9, 2016) of the report RBI would come up with the comprehensive metric to quantitatively measure and monitor the enhancement of digital payment services in India.

It appears that RBI has so far been able to come out with payment system indicators only upto November 2016The data is still a compilation of the different aspects such as RTGS, CCIL operated systems, Paper Clearing, Retail Electronic Clearing, Cards, Prepaid Instruments, Mobile Banking, etc. The Watal Committee suggested that we need to develop clarity on what constitutes digital payment and develop a “Comprehensive Metric”. It appears that RBI is yet to come up with a solution on this.

As we have found recently in the measurement of the deposits of demonetized currency, where duplications of deposits between Banks created a difficulty in assessing the real amount of currencies returned, even in the digital payment systems, there would be difficulty in collecting the details avoiding duplication.

Amongst the digital payments there would be some which touch the Bank accounts and some which donot. For example I may transfer money from my Bank account to my PayTm account This is a digital transaction that touches the Bank system and can be measured accurately by RBI with information from the Bank by assigning the transferee code to all RTGS/NEFT/IMPS/UPI/BHIM/USSD payments and receipts.

However when I use PaytM to pay my Uber bill, it completes the life cycle of the money which I loaded to PayTM but does not touch the Bank.

When I transfer money from one PayTM  account to another PayTM account, again the transaction does not touch the Bank.

When I make payment to Uber or transfer to another PayTm account, it extinguishes the life cycle of my PayTm load, but it starts the life cycle of the next PayTM load of the person to who I made the payment. These are different transactions that will have impact on the economic activity and needs to be tracked.

Therefore there is need to assign tracking codes for all payment types from the mobile wallets if we need to track them.

Those transactions that are cleared through the NPCI can perhaps be tracked with appropriate codes being inserted to the transaction based on the source and destination. But mobile wallet transactions are also cleared through private payment gateways. Here it becomes difficult to track the origin and destination of transactions that take place within the system of private digital systems. Only those which touch the Bank accounts at the destination comes to the notice of the RBI.

Similarly, when I transfer money from Paytm to PayU it becomes a “Inter-Wallet” transaction that does not touch the Bank.

Hence RBI will be able to monitor only transactions that start and end with the banking system.

If this system needs to be changed, it will take effort and a review of many private gateway systems where authentications and settlements take place. I am not sure if this can be accomplished quickly. Perhaps we need to build a transaction reporting system making use of the “Block Chain technology” to effectively monitor the system.

In the meantime, RBI can monitor movement of digital money “From Banking system to the Private Digital Money Network” and “From the Private Digital Money Network to the Bank”. This data will perhaps be reilable and will be an economic indicator of how the “Non Bank Digital Money Network” is expanding.

Within each “Private Digital Money Service Provider” (PDMSP) the number of transactions and value can be tracked by tracking the transaction processing data which is normally handled by a handful of IT Companies providing the back end services. The list of such Private Digital Money Service Provider is available with RBI since RBI authorizes such activities (Refer here). If each of these Service Providers submit periodical data of transactions processed and we de-duplicate the transaction between these companies and the Banks who report directly to RBI, then we will have a reliable indicator of the digital money transactions in the country.

When money is transferred from one Bank account to another Bank account of the same person or one Wallet to another wallet of the same person, the transaction should be considered as a “Transfer” transaction and should be taken out of the over all counting though it may be recorded as a “Contra” entry for statistical purpose and for fraud monitoring purpose.

In the above discussions, I have used the Bank account as the basic indicator of the money repository. In due course when every Bank account is tagged to a mobile or an Aadhaar, we may consider the possibility of using either the mobile number or Aadhar as the fundamental tracking element instead of the bank account. However even here there could the problem of multiple Bank accounts which are linked to the same mobile number or Aadhaar number.

The ultimate solution for tracking may be only in the use of “Blockchain technology” where every element of digital currency is associated with some wallet and every transfer is entered into a block chain register. In that scenario, each Bank account will also be a digital currency wallet and cash holding will be reflected as a “Personal Wallet”. The aggregate of the “Personal Wallet balances” will be the total currency in float as we now define. This may however require another major change of monetary policy bigger than the demonetization and perhaps is left for the post 2019 Modi regime.

These are some random thoughts that are put forth for consideration.

The suggestion of use of “Block Chain Technology” is a more comprehensive but complicated suggestion that needs to be developed further.

Comments are welcome.

Naavi

Print Friendly

You may get a heart attack when you hear about this vulnerability

The progress in technology particularly in the field of medical implants has been very impressive. Today “Techno Medical Experts” speak of , Smart Contact Lenses, Phrenic Nerve Stimulation, Glucose Biosensors, Cochlear Implants, Pace Makers and Cardioverter Defibrillators, Bladder Implants etc.

What these implants mean to an ordinary person is that many of the life critical aspects of the human body can be controlled by these implants which run on electronic signals. Such implants can also influence and control what we see and what we hear and perhaps what we touch and sense.

At the same time Cyber Security observers will also realize that if any of these implants can be hacked, then just like the Smart Cars, Smart Bodies can also crash.

These doubts are no longer the fancy imaginations of film and TV serial makers. Recently US FDA confirmed that Cardiac implants from St Jude’s are hackable. (See here).

It is also informed that St Jude has developed software patches to fix vulnerabilities for which the patients need to plug in to the transmitter and “Update” their “body”. It is scary how the patient would feel when he connects to the transmitter and decides to switch on the upload of the patch. Will he upload a patch from a reliable St Jude source? or will he upload a virus?” Is the patch “Digitally signed”? could be some of the thoughts that may be going through his mind. It would have been better if the Company had recalled the patients to their official labs and uploaded the patches in their ICU rather than let the patients sit in their homes and update the patch.

The incident highlights how “hackable” IT devices are placing our life at risk and should be an eye opener for the technologists not to neglect security in any electronic instrument whether they control the life critical human body functions or the financial transactions or any other activity.

Users need to be “Smart” about Security before they embrace the new “Smart Technologies”.

Naavi

Print Friendly

Clarification on Section 65B… Who should sign the Certificate?

Section 65B of Indian Evidence Act (IEA)is one of the hot topics discussed in Techno Legal Circles today. Though Naavi has clarified his view on the section many times on this site and in workshops and conferences, there are continued questions that linger on because some of the legal professionals hold some different point of view in respect of some of the finer points of the discussion.

One such doubt often raised is “Who should provide the Section 65B certification?”.

The supplementary questions that arise in this context is …

“Is it that the Admin of a server in which an electronic document is present the person who has to provide the certification?”

For example,

is it not the admin of Airtel who has to provide the Sec 65B certificate for the call data records?

Is it not the admin of flipkart who has to give certificate in respect of an electronic document pertaining to a sale on its site?.. “

“Now that Section 79A acrredited Digitl Evidence Examiners are being appointed, should all future Section 65B certificates signed by one fo them?”…. and so on

I wish to clarify my point of view once again in this respect so that there is clarity in all stake holders in this regard.

I must add here that I have been in the forefront of Cyber Laws since 1998 and has been encountering  Section 65B-IEA since a long time. The very first instance (2004) when a Section 65B-IEA was successfully invoked was the historically important case of The State of Tamil Nadu Vs Suhas Katti in which conviction happened for the first time in India under ITA 2000. In this case, I had presented the critical evidence of crime which was an electronic document present on the Yahoo server based on which the trial was conducted, offence recognized and accused convicted. I was also examined as an “Expert Witness” and cross examined in the case before the Court accepted the evidence. Since then, documents certified by me have been produced in many Court proceedings and must have been used in many civil proceedings. The service www.ceac.in specializes in this aspect of rendering electronic documents as evidences in an “Admissible” form in a Court. In a few cases, I have been asked to personally be present to identify the documents and in other cases, this has not been found necessary.

In the light of all the past experiences I would like to clarify on the point of “Who has to Certify under Section 65B”.

The first point we need to understand is that Section 65B indicates the manner in which electronic documents can be converted into “Computer Outputs” such that the “Computer Outputs” will be admissible as per the special provisions under Section 65A of IEA applicable to “Statement contained in Electronic Form”  defined in Section 17 of IEA.

The “Computer Output” referred to in the Section 65B can be in two forms namely “Printed on Paper” or “Copy on a Media”. If printed on paper it is to be signed. If rendered as an electronic copy, it has to be digitally signed.

To understand  “Who has to sign”? one needs to understand that what Section 65B refers to is to the process of creating the “Computer Output” and not the process of “Creating the Electronic Document which is the subject matter of the computer output”.

The “Original”  “Electronic Document” is a “Binary” document which human beings are unable to understand and can be seen or heard or seen with the assistance of a combination of tools such as the Application and the Operating System running on a hardware of a computer. Hence the “Electronic Document” needs to be appreciated by a Court only in a form which is the end result of many of the processes such as conversion of binary document to a humanly perceivable form on a computer device. However, such a “Humanly perceivable form” sits on a computer and cannot be always brought into the Court room. Even if it is brought, the Judge has to view it and form his opinion and if he incorporates his observation on the document, he will be a witness himself.  (The hard disk in which a binary document resides is only a container and not the electronic document itself and has to be connected to a computer device to know what it contains).

The presence of Section 65B enables the Judge to avoid being a witness himself by introducing a role to the Section 65B Certifier who brings the binary electronic document to an “Admissible” form by creating a “Computer Output” as envisaged in the Section. Even after this, if there is a dispute, then it is open to the Court to call a Section 79A recognized “Digital Evidence Examiner” to assist it in resolving the disputed electronic document.

If as some professionals suggest, it is necessary for the “Admin of a Server in which the document is contained” to provide the Section 65B certificate, then a situation would arise where if there are 1 lakh transactions that pass through Flipkart each day, any dispute arising out of these 1 lakh transactions involving multiple electronic documents will all have to be certified only by the admin if required for evidence. Obviously this is neither feasible nor is the intention of Section 65B.

While the admin who can view the electronic document on the server or any other hardware or software to which he has an access may provide the certified copies, it is not always necessary.

The purpose of Section 65B is to enable “Any Contractually Capable person who knows how to view (or hear) an electronic document to present a copy (printed or on an electronic media) which can be admitted in the Court as also a “document” “without further proof or production of the original”. It is that person who prepares the Section 65 statement in which he says “I viewed this document and converted it into a computer output and I certify …..”.

Hence  a “Third Party” can provide a “Section 65B Certified Copy” for admission.

In practice, the person who provides the certificate should be a “Trusted Third Party” who may be cross examined by the defense which may state that the person is unreliable, is either not capable of understanding what he is certifying and is dishonest and produced a false certificate etc.” The Section 65B certificate incorporates a declaration as to the “Procedure adopted for producing the computer output” which should indicate the manner in which any other person following similar process should be able to reproduce the same “Computer Output” except in circumstances where the original binary document has been removed.

The credentials of the person producing the Section 65B certificate becomes critical to the acceptance of the certified copy by the Court.

In the case of “Forensic Experts”, the experts use certain tools and are able to see information which are visible only on use of such tools. Hence their certificate needs to indicate the tools used which to the extent possible be “Standard Tools” capable of being used by other “Forensic Experts”. It is when there is a propritory  technique is used that the need for the Court to call in another expert who is accredited under Section 79A arises.

We need to reiterate in this context that it is not necessary that all Section 65B certificates are to be issued only by the Section 79A certified agencies. Section 65B certificate is issued for “Admissibility” while the Section 79A certified agency is called in by the Court on special circumstances only. It is like the case of a “Handwiring expert” who is called in from time to time to examine the signatures on documents presented in the Court but not mandatorily for all handwritten/signed documents.

I hope professionals in the field appreciate this point of view and if they agree should adopt it in their practice. In case they have any counter views, I welcome the feedback so that this view can be refined as required.

Naavi

Also Read: Other articles on Naavi.org

P.S: Add on following another request for clarification: Please see comments section

 

Print Friendly

Proposed Amendments to ITA 2000 and Privacy Protection

Does ITA 2000/8 address “Privacy Protection”  and if so, does it do it effectively is a question that is lingering in the industry. It will continue to be a point of debate for the amended ITA 2017 (p). …This is in continuation of the discussions on the proposed amendments to ITA 2000/8 presently being discussed by an expert committee headed by Mr T.K.Vishwanathan. ….. Naavi

Protecting the Right to Privacy of an individual is a fundamental right claimed by citizens living in a democratic society and is closely associated with the right to freedom of expression, right to information and security. India has recognized the need for Privacy by interpreting the Article 21 of our constitution favourably but has not yet enacted a separate law which says “Privacy is right protected under law and any violation thereof leads to civil and criminal liabilities”. It is also not likely that in the near future any specific law will be passed in this regard.

However, ITA 2000 and more specifically ITA 2008 has addressed many concerns of Privacy Protectionists without being recognized as a “Privacy Protection Legislation”.

What ITA 2000/8 has done is to provide protection to the “Data” which indirectly protects the “Privacy”. Without being too obsessive, it is better if we recognize the role of ITA 2000/8/17(p) as the principle legislation for protecting the Privacy for which it is eminently suited particularly if a few minor changes are accommodated in the proposed amendments.

“Privacy” of a person is defined as a “Right to determine what amount of personal information should be made public”. It should be a right that can be exercised only by the individual (provided he is in a state of mind where he can exercise that control as per the requirements of law). Every other person who comes into possession of Personal Information should follow the universal principles of privacy protection such as “Disclosure of Privacy Policy”, “Obtaining Consent”, “Collection under minimum and specific use principles”, “Protecting the information on hand” and “destroying” it when no longer required.

An effective law defines the rights, prescribes the punishments for violation and introduces mechanism for effective implementation.

Let us see how ITA 2000/8 address these issues and what can be done further to strengthen the Privacy Protection under ITA 2017 (P), equating “Privacy Protection” with “Data Security” for the current discussion.

The first task of law is to define the “Privacy Right”. In the context of its alter-ego of data security, Privacy Right gets defined by defining “Personal Information” that qualifies for protection.

Under ITA 2000/8 we have defined what is “Sensitive Personal Information” (SPI) without defining “Personal Information”.  (PI). SPI was defined in ITA 2008 along with Section 43A which brought an obligation on the “Body Corporates” handling SPI to protect it with “Reasonable Security Practice”.

Though PI is not defined, Section 72A accords protection to PI and makes its breach a punishable offence with 3 years imprisonment.

Additionally, Section 43 read with Section 66 imposes penalties when the “Value of information is diminished” (which can be an effect of privacy breach).

Also Section 69/69A/69B while providing powers to some officials for interception, decryption and data mining, puts a bar on the others to do the same without attracting penalties.

Section 79 imposes the responsibility of Privacy protection on the “intermediaries” in clear terms through the rules of due diligence.

Grievance redressal is defined with reference to the provisions of due diligence under Section 79 and also by instituting the Adjudication and Cyber Appellate Tribunal (CyAT).

While we can debate the adequacy of these provisions in comparison to the EU standards such as the GDRP or US Standards such as the HIPAA, we cannot but acknowledge that ITA 2000/8 has covered most of the requirements of Privacy Protection (In the context of Data protection).

Without therefore saying so, ITA 2000/8 therefore provides protection of Personal Information. It is possible that some may not realize it until a separate act is legislated but it is not necessary.

It must be noted that under ITA 2000/8, any information which is processed in a computer device or meant to be processed in a computer device also is “Information”.

Hence it is possible to extend the “Data Protection Rights” as is available in different forms under Section 43, 43A, 66, 72,72A, 69, 69A, 69B, 7A, etc to information which is in a form other than as “Electronically Written”, such as “Voice which is Electronically spoken or meant to be processed in an electronic device”. This can extend “Privacy Protection” to “Voice” in certain circumstances.

The perception in the industry however is different. Most of the IT professionals in India think India does not have an adequate Privacy protection provisions in the country and cannot defend the regime with their EU counterparts. Probably they are interpreting the failures in implementation as failure of law and hence the clamour for a separate Privacy Protection Act has continued.

It is therefore an opportunity now to address some of these concerns in the proposed amendments for which some suggestions can be discussed.

Perhaps, a chapter can be dedicated in the ITA 2017(P) with the title “Privacy and Data Protection” where some provisions of Privacy and Data Protection is specifically mentioned. This will provide the required confidence to professionals who compare Indian legislation to EU legislation.

Defining Personal Information

One of the requirements that is perhaps required is to upgrade the definition of “What is Personal Information” from what is provided in the rules to Sec 43A, which states

“Personal information” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

This definition is restrictive to data with the Body Corporates and the Section 43A also restricts itself to Body Corroborates.

 An improved definition that should be added in the Act itself to be applicable for all sections including Section 72A could be

“Personal Information” of an individual means any information related to a living person who is not a minor, or of unsound mind or an undischarged insolvent, which when in possession of a third person is capable of being used to identify the individual by such third person with reference to the individual’s Name and Physical location. 

By defining the Personal Information in the above manner, we will be letting a “Netizen” preserve his “Anonymity and Pseudonomity” subject to certain conditions. Mere assumption of a “Pseudonym” or “Anonymous identity” on the information space would not be an offence unless such alter-identity is used to commit an offence.

Whenever an “Information” is required for “Law Enforcement” which means that there is a prima facie evidence that the information is suspected to be  a “Tool of Crime”, the protective veil has to be lifted.

The focus of the regulation will be to introduce a due process under which alone the “Privacy Veil” is removed.

Also under this definition, “Right” ceases when a person loses his capacity to enter into valid contracts. This means that there is no “Privacy Right” of a person who has lost his mental capacity to take decisions. Of course how this has to be determined and by whom needs to be defined in law. Such issues are already addressed under HIPAA and should not be difficult.

Establishment of a “Privacy Board”:

In order to adjudicate on the Privacy issues, the current system of adjudication/CyAT may continue where the fact of a wrongful act is not under serious challenge. Where there are serious doubts as to whether an information should be subject to privacy or not, a “Privacy Board” may be constituted as a “Reference Advisory Body” to which the Adjudicator may refer an issue of a “Request for lifting of the Privacy Veil” or “Defence an alleged violation of Privacy Right by disputing the nature of information as not being subject to the protection”. Such a “Privacy Body” may be headed by the NHRC Chair person and may have representation of the Ministries of Home Affairs, Defense, Information Technology, Netizen/Privacy Right Activists etc.

Once the issue of proper “Definition” and the “Privacy Controller” is established, other aspects of protection can be defined in an acceptable manner.

Preventing International Abuse

The privacy laws just like IPR laws of some of the foreign countries are designed in such a manner that they can be used effectively to control business flow over riding the principles of free trade.

If India does not recognize this and take some steps within our own laws to ensure that Indians are protected against unfair foreign laws, we will be letting foreign forces build “Information Colonies” in India. We have seen how Mr Donald Trump has already protected the US interests by restricting the US privacy protection only for US citizens. India needs to also protect its interests in a similar manner against exploitation of Indian interests through unfair and excessive privacy regulation of foreign Governments.

For this purpose, it must be made mandatory that whenever a foreign entity has to invoke a Privacy Law against an Indian Company or individual (including the GDPR or HIPAA etc), prior clearance of the Privacy Board is required.

This will ensure that unfair and unreasonable business restrictions are not imposed on Indian entities in the guise of protecting “Privacy” .

An appropriate mechanism of Arbitration can be instituted by the Privacy Board to ensure that there is proper conduct on both sides and there is no scope for unfair use of privacy laws by international players.

These could be part of the new amended ITA 2017 and I urge the Committee to look into these suggestions seriously.

I wish organizations such as DSCI which celebrate the “Data Privacy Day” also do some thing more concrete in this direction.

Naavi

Print Friendly