Union Bank of India should learn to protect its Digital Assets

[In continuation of the previous Article]

Naavi has been advocating that digital assets need to be accounted for in the balance sheets of their owners. Today it is only the Personal Data Protection Standard of India (PDPSI) that recommends that companies bring their digital assets into the books of account.

Because digital assets are not accounted for in the books, we have seen the NCLT declare Net4India bankrupt without recognizing the value of around 3 lakh sticky customers. In many web business takeovers, mere "eyeballs" (the average number of visitors to a website) have been valued at over $200 each (read this old article in Fortune).

When Union Bank of India took over Corporation Bank and Andhra Bank, it inherited two websites namely www.corpbank.com and www.andhrabank.com.

Two years back, www.corpbank.com was valued at $503,200 (roughly Rs 3.5 crore). According to another estimate it was worth $52,000 (Rs 36 lakhs). The exact value is not relevant; that it had a substantial value is not in doubt. Would any prudent company throw away an asset worth Rs 36 lakhs, let alone Rs 3.5 crore, when retaining ownership would have cost only around Rs 800 per year?

Unfortunately, Union Bank of India has done just that: it has thrown away this asset without understanding its value. Similarly, www.andhrabank.com also had a value, perhaps to a lesser extent.

After the merger, Union Bank of India did not renew the domain names corpbank.com and andhrabank.com. As a result the two domain names now stand registered in the names of net4solutions and GoDaddy respectively. (An expired gTLD domain normally passes through a renewal grace period and then a redemption period before it is released; recovery is cheapest while the name is still in those windows and much harder once it has been auctioned or drop-caught.)

It is only a matter of time before these domain names are bought by phishing scammers, who will host websites confusingly similar to those of Corporation Bank and Andhra Bank and cheat the erstwhile customers of these Banks, whose accounts are now with Union Bank.
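The failure described above is a monitoring failure: nobody was watching the expiry date or the registrant of record of the inherited names. The following is an added example written for this article, not code from the original post or from any bank. It checks a domain inventory against RDAP data (the standard JSON successor to WHOIS) and flags names that are expired, inside the warning window, sitting in the registry's pending-delete or redemption cycle, or registered to someone other than the expected owner. The RDAP records, owner list and "as of" date are constructed sample data; a live monitor would fetch https://rdap.org/domain/<name> (an assumed bootstrap endpoint) and feed the parsed JSON to the same functions.

```python
"""Domain expiry and ownership check over RDAP data (illustrative example).

Added for this article; not code from the original post or from any bank.
The RDAP records below are constructed samples in the standard RDAP JSON
shape (events / status / entities). A live monitor would fetch
https://rdap.org/domain/<name> (assumed endpoint) and pass the parsed JSON
to the same functions.
"""
from datetime import datetime, timezone

# Constructed sample RDAP responses. Names, dates and registrants are made
# up for the example and are NOT real registry data.
RDAP_SAMPLES = {
    "corpbank.com": {
        "ldhName": "corpbank.com",
        "status": ["client transfer prohibited"],
        "events": [
            {"eventAction": "registration", "eventDate": "1997-06-01T00:00:00Z"},
            {"eventAction": "expiration", "eventDate": "2021-03-05T00:00:00Z"},
        ],
        "entities": [
            {"roles": ["registrant"],
             "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                      ["fn", {}, "text", "Corporation Bank"]]]},
        ],
    },
    "example-bank.test": {
        "ldhName": "example-bank.test",
        "status": ["pending delete"],
        "events": [
            {"eventAction": "expiration", "eventDate": "2021-01-10T00:00:00Z"},
        ],
        "entities": [
            {"roles": ["registrant"],
             "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                      ["fn", {}, "text", "Registrar Parking Service"]]]},
        ],
    },
    "unionbankofindia.test": {
        "ldhName": "unionbankofindia.test",
        "status": ["active"],
        "events": [
            {"eventAction": "expiration", "eventDate": "2022-05-01T00:00:00Z"},
        ],
        "entities": [
            {"roles": ["registrant"],
             "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                      ["fn", {}, "text", "Union Bank of India"]]]},
        ],
    },
}

# Who the bank's asset inventory says should own each name (assumed values).
# After a merger the acquirer is added here; the old owner is kept as valid.
EXPECTED_OWNERS = {
    "corpbank.com": {"Corporation Bank", "Union Bank of India"},
    "example-bank.test": {"Example Bank"},
    "unionbankofindia.test": {"Union Bank of India"},
}

# Fixed "now" so the example is reproducible (assumed date).
AS_OF = datetime(2021, 2, 1, tzinfo=timezone.utc)


def parse_rdap_time(value):
    """RDAP eventDate is RFC 3339; handle the common trailing-Z form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def expiry_date(record):
    """Return the 'expiration' event date, or None if the registry omits it."""
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            return parse_rdap_time(event["eventDate"])
    return None


def registrant_name(record):
    """Pull the registrant's formatted name (vCard 'fn') from the entities list."""
    for entity in record.get("entities", []):
        if "registrant" in entity.get("roles", []):
            for prop in entity.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None


def assess(record, expected_owners, now=AS_OF, warn_days=60):
    """Return the list of findings for one domain (an empty list means healthy)."""
    findings = []
    expires = expiry_date(record)
    if expires is None:
        findings.append("NO_EXPIRY_DATA")
    else:
        days_left = (expires - now).days
        if days_left < 0:
            findings.append("EXPIRED")
        elif days_left <= warn_days:
            findings.append("RENEW_SOON")
    # Registry status values from the grace/redemption cycle: once a name is
    # here the cheap recovery window is closing.
    statuses = {s.lower() for s in record.get("status", [])}
    if statuses & {"pending delete", "redemption period"}:
        findings.append("PENDING_DELETE")
    owner = registrant_name(record)
    if owner is None or owner not in expected_owners:
        findings.append("OWNER_MISMATCH")
    return findings


def run_inventory(records=RDAP_SAMPLES, expected=EXPECTED_OWNERS, now=AS_OF, warn_days=60):
    """Assess every domain in the inventory; unknown names get an empty owner set."""
    return {name: assess(rec, expected.get(name, set()), now, warn_days)
            for name, rec in records.items()}


if __name__ == "__main__":
    for name, findings in run_inventory().items():
        print(f"{name:24s} {' '.join(findings) or 'OK'}")
```

Run as a scheduled job, the OWNER_MISMATCH finding is the one that would have caught the case in this article: the expiry had already passed and the registrant of record had changed to a registrar, which no balance sheet or renewal reminder would show.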

At that time, the customers would have a valid argument that Union Bank of India, by its ignorance and negligence, failed to retain the valuable trade mark asset of the merged banks and thereby facilitated the phishing fraud.

The possibility of Union Bank of India failing to take note of the digital asset called a domain name would have been lower if the balance sheet of Corporation Bank had shown the value of this domain name, even at say Rs 1 if not Rs 36 lakhs or Rs 3.5 crore. Even if it had been shown as a contra entry on both the asset and liability sides at say Rs 36 lakhs, the value would have remained visible.

This is the point we made in the case of Net4India.com, which the NCLT declared "bankrupt" when there was a hidden customer value of around 3 lakh x 200 US dollars, equal to around 6 crore US dollars or Rs 420 crores.

This valuation would be available if the concern is valued as a "going concern" and the value is preserved during events such as a merger or a pre-insolvency evaluation. Once this is ignored, the company reverts to a "gone concern" status and the value drops to zero.

I would like the ICAI to consider this and develop a methodology for bringing the valuation of digital assets (domain names, and other assets such as personal data and non-personal data) into the balance sheets.

I hereby request the RBI to take note that Union Bank has not only wasted the value of the assets taken over but will also be exposing its customers to a high phishing risk, the resulting liabilities of which will have to be borne by Union Bank of India.

The Board of Union Bank of India should also check how it can at least re-acquire the two domain names, because there is a "trade mark" value associated with them which passed on to Union Bank by virtue of the merger.

The first thing Union Bank has to do is to serve notice on the two registrars restraining them from selling the domain names to any third party. It can then file a buy-back request and, if the registrars quote an unreasonable price, the Bank should file a domain name dispute and recover the domain names.

In the past, Canara Bank had a similar issue when Canarabank.com had been squatted by another person; the Bank, without recovering the domain name, simply adopted Canbak.com and carried on. After this was pointed out by the undersigned, the Bank got the domain name back through the domain name dispute process.

I am personally concerned with the Corpbank.com issue since I was personally responsible for the purchase of this domain name by Corporation Bank, creating the content for the Bank's first website and hosting it at the time they went public way back in 1997. I am also a continuing customer of Corporation Bank who has become a customer of Union Bank of India because of the merger. It is therefore sad if Union Bank does not manage its digital assets and the name corpbank.com (as well as andhrabank.com) is used by fraudsters to cheat the erstwhile customers of Corporation Bank who continue as customers of Union Bank of India.

Naavi

Posted in Cyber Law

Union Bank of India will be facilitating Phishing by Ignorance and Negligence

Union Bank of India is considered one of the better managed banks in India, and Corporation Bank and Andhra Bank were recently merged with Union Bank. Both the merged Banks had decades of history and brand recognition amongst their customers.

However, Union Bank seems to be completely unaware of the banking risks of the digital era, or is so poor that it cannot invest around Rs 800 on behalf of each of the merged Banks to protect the interests of their customers.

I wish the Chairman of Union Bank of India would look at why I am forced to make the statement that "Union Bank of India will be facilitating Phishing by Ignorance and Negligence".

(Continued)

Naavi


Using publicly available data under GDPR

Many organizations involved in market research collect data from publicly available sources such as Google searches, social media postings etc. This information is processed and useful market information is gathered, which may also be commercially traded as market research reports.

The recent discussion on whether WhatsApp can share some of its information internally with Facebook, and whether Facebook can use it for advertising profiling of users, has rekindled the debate on how data protection laws should address publicly available information.

The regulatory authorities can take the easy way out and stick to the exact wording of Article 14 of GDPR: where personal data have not been obtained from the data subject, the controller shall provide the data subject with certain information about the collection, the purpose etc. within a reasonable period, and at the latest within one month.

Article 14(5) provides that this obligation shall not apply where and in so far as

(a) the data subject already has the information;
(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;
(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

In this context we can revisit the decision of the Polish supervisory authority imposing a fine of about Euro 220K on a company named Bisnode.

The company held a total of 7.5 million data records (personal and proprietary business data), and the supervisory authority expected that all the data subjects be duly notified as required. The company represented that it would have had to incur a cost of around Euro 8-9 million to send proper notices, which was disproportionate to the cause. There was no issue regarding the quality of the security measures otherwise adopted by the company to secure the data.

This incident raises some specific issues which require a deeper debate.

Are the GDPR authorities interested in closing down every business that does market research on public information?

Is it not fair to consider that data protection is essentially about giving the data subject control over what information he wants to keep unshared and what he wants to share? If the data subject did not want his social media information to be shared, would it not have been possible for him to set the privacy settings on his posts to "visible only to approved contacts" rather than leaving them open for a search engine to parse?

If a data subject has decided not to enforce his privacy settings, is it not correct to consider that there is a "deemed consent" that the data can be used for purposes consistent with the disclosure, as long as no adverse impact on the privacy of the person is envisaged in the processing?

In most cases the data may be used for statistical analysis, and only some of the data subjects may need to be contacted for further use of the data, such as sending a marketing message. Whether, in such cases, a consent request only to the data subjects shortlisted for further communication would be sufficient is a question to be explored.

Also, as in the case of WhatsApp obtaining the consent of the data subject to share data with Facebook and Facebook using it on the basis of the consent obtained by WhatsApp, would it be possible for a social media platform like Twitter to obtain a general consent that includes something similar to the following?

“In case the user does not restrict the visibility of the data through privacy setting, the data may be shared with search engines and research agencies subject to no automated decision making on the data subject or direct contact with marketing messages”… etc.

It is time that experts made representations to the EDPB for a suitable relaxation in the interpretation of Article 14 to accommodate the legitimate interest of market research agencies.

Until such time, companies that are directly liable under GDPR as "data controllers" need to prepare a DPIA and, where it shows a high residual risk that cannot be mitigated, submit it to the supervisory authority for prior consultation under Article 36. If the company is a "data processor", it may depend on the data controller to take the responsibility.

If the data processing is outside the scope of GDPR, then there is no need to worry about Article 14 of GDPR; companies should follow the principles enunciated in the Personal Data Protection Standard of India (PDPSI) for this purpose.

The above is offered as a contribution to the development of jurisprudence on data protection.

Comments are welcome.

Naavi


WhatsApp relegates India to the Third World of Privacy Regulation

The revision of the WhatsApp Privacy Policy and Terms has brought to light why an organization working in a multinational environment needs to adopt the approach taken by PDPSI (Personal Data Protection Standard of India) for compliance.

The first thing we look for in a Privacy Policy or the associated Terms of Service is who the service provider is. Indian law clearly treats the privacy consent as a "contract", and the essential part of a contract is to identify who is entering into it, what commitments are being given and expected, whether it is a "dotted line contract", whether it is "unconscionable", what dispute resolution mechanism is associated with it, what the liability clause is, what the exit clause is, etc.

In terms of compliance with the data protection law, we also examine whether all the points required to be notified (e.g. under Section 7 of PDPB 2019) are covered.

As we observe, WhatsApp has published only two versions of its Terms of Service and Privacy Policy, one for the EU region and another for the rest of the world. The "rest of the world" policy is tuned to US requirements, so all other countries are relegated to a third world that must follow the WhatsApp policy written for the US.

There is Privacy Law already in India

It is to be noted that WhatsApp has not provided an India-specific policy at present. Probably WhatsApp thinks that India does not have a privacy law at present and wants to introduce the new policies before the Act is passed in India, so that it gets time to implement the new law.

We would like to point out, however, that India presently has a "privacy" protection obligation because the Supreme Court has recognized privacy as a "fundamental right", and some Courts (e.g. Kerala) have indicated that the obligation extends to private companies as well.

More importantly, Section 43A, Section 72A and other sections of ITA 2000/8 already lay down the data protection regulations in India and have been in operation for a long time. Though there is no Data Protection Authority with an independent mandate to monitor, affected persons (including a group of persons represented in the public interest) can approach any of the Adjudicators, and any Adjudicator can take up a suo motu investigation of any perceived damage to a data principal.

Since the draft PDPB represents the legislative intent for the near future, it also doubles as "due diligence" and "reasonable security practice" under Section 43A of ITA 2000/8, and hence WhatsApp cannot escape compliance with PDPB 2019 even if the Act is yet to be passed and there could be 89+ amendments to the original draft.

Lack of Transparency on the Entity signing the Consent

The parent company of the WhatsApp service is WhatsApp Inc, 1601 Willow Road, Menlo Park, California 94025, USA. WhatsApp Ireland Limited provides the WhatsApp service to persons who live in EU territory. WhatsApp LLC provides the service if the user lives in any country other than the EU region. WhatsApp business services are also provided by WhatsApp LLC (refer to the separate terms here).

WhatsApp LLC is located at the 1601 Willow Road office, while WhatsApp Ireland Limited is located at No 4, Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

It has six locations, including two in India (Hyderabad and Gurugram), one in Dublin, Ireland, one in London and two in the USA (Menlo Park and Austin).

There are also registered companies like WhatsApp Africa LLC, registered in the USA. For payment services, WhatsApp may use the services of Facebook companies, making the maze of companies more complex.

As is common with Facebook, it is not easy to find out the physical location of WhatsApp offices, and the "transparency" aspect of privacy compliance fails at this stage itself.

It is not clear whether WhatsApp's two offices in India are considered only "development" or "marketing" offices, and whether they have legal divisions, Data Protection Officers or the Grievance Officer required under ITA 2000/8. It is a reasonable presumption that there is no designated "Grievance Redressal Officer" and that the company is not presently in compliance with ITA 2000/8.

India Specific Privacy Policy/Terms are absent

It is natural that WhatsApp adopts policies that comply with US law, where its group headquarters is located. As regards the EU region, it is fine to adopt the policies from the Ireland office. But not adopting policies relevant to India is a show of arrogance.

Considering that WhatsApp wants to expand its business in India, and is fully aware of the JPC's views from its recent meeting with them, it appears that WhatsApp did not attach much value to the data sovereignty rights of India and thought it reasonable to omit any reference to India in its new policies.

Presently WhatsApp plans to expand its operations in India with health insurance and micro-pension products through tie-ups with licensed financial services players. It is set to partner SBI General to launch health insurance and HDFC Pension to make NPS products available on the App platform. The company is already live on the UPI platform with 4 Banks (SBI, HDFC Bank, ICICI Bank and Axis Bank) and 20 million users.

These partnerships give WhatsApp the benefits of the service while the legal obligations are borne by the Indian banks.

Given these expansion plans, India expected WhatsApp to recognize the existence of our sovereign rights in terms of privacy and cyber security when it revised its Privacy Policy with effect from 8th February 2021, which could be after, or a few days before, the Personal Data Protection Bill in its final form is presented to Parliament.

A question therefore arises whether these policies will be compliant with the proposed Indian law, or whether they are set to become operative just before the Act comes into effect so that WhatsApp can claim some privileges for a legacy policy that predates the Act.

A further question is whether these policies should be compliant with the proposed Indian law and, if not, whether licensing authorities like RBI and IRDAI should withdraw their provisional approvals.

Dispute Resolution

We briefly discussed the dispute resolution clause yesterday; some additional points follow.

The dispute resolution issues are covered in the Terms of Service and not directly in the Privacy Policy.

The clause mentions the following:

Forum And Venue. If you are a WhatsApp user located in the United States or Canada, the “Special Arbitration Provision For United States Or Canada Users” section below applies to you. Please also read that section carefully and completely.

If you are not subject to the “Special Arbitration Provision For United States Or Canada Users” section below, you agree that any claim or cause of action you have against WhatsApp relating to, arising out of, or in any way in connection with our Terms or our Services, and for any claim or cause of action that WhatsApp files against you, you and WhatsApp agree that any such claim or cause of action (each, a “Dispute,” and together, “Disputes”) will be resolved exclusively in the United States District Court for the Northern District of California or a state court located in San Mateo County in California, and you agree to submit to the personal jurisdiction of such courts for the purpose of litigating any such claim or cause of action, and the laws of the State of California will govern any such claim or cause of action without regard to conflict of law provisions. Without prejudice to the foregoing, you agree that, in our sole discretion, we may elect to resolve any Dispute we have with you that is not subject to arbitration in any competent court in the country in which you reside that has jurisdiction over the Dispute.

Governing Law. The laws of the State of California govern our Terms, as well as any Disputes, whether in court or arbitration, which might arise between WhatsApp and you, without regard to conflict of law provisions.

Time Limit To Bring A Claim Or Dispute. THESE TERMS ALSO LIMIT THE TIME YOU HAVE TO BRING A CLAIM OR DISPUTE, INCLUDING THE TIME TO START AN ARBITRATION OR, IF PERMISSIBLE, A COURT ACTION OR SMALL CLAIMS PROCEEDING TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW. We and you agree that for any Dispute (except for the Excluded Disputes defined below) we and you must bring Claims (including commencing an arbitration proceeding) within one year after the Dispute first arose; otherwise, such Dispute is permanently barred. This means that if we or you do not bring a Claim (including commencing an arbitration) within one year after the Dispute first arose, then the arbitration will be dismissed because it was started too late.

As regards US and Canada users, the arbitration is "binding" and, unless they opt out, they waive any right to have disputes decided by other means.

Though the consent is obtained through "click wrap" acceptance, which has no legal validity in India except as a "deemed acceptance", and the terms are part of a "standard form/dotted line" contract that can be considered voidable in respect of its unconscionable aspects, it is better that we do not leave WhatsApp any defence that would let it avoid legal scrutiny in India.

If WhatsApp launches legal proceedings in the US, either against an individual user or against the Indian Government, it is difficult to argue in such forums that the jurisdiction is not acceptable. We may therefore end up facing an arbitration notice or court notice from the US jurisdiction and spending time, money and effort filing petitions in Indian courts to counter such cross-border litigation notices.

In India, disputes with WhatsApp may arise under ITA 2000/8 or the PDPA (proposed). Both statutes provide for "adjudication" and "appellate tribunals". Hence "binding" arbitration will not be compatible with the law.

[It may be noted that DDMAC (Data Disputes Mediation and Arbitration Center of FDPPI), a specialized ODR centre for data related disputes, has adopted only mediation and non-binding arbitration and avoided binding arbitration.]

The terms indicate that WhatsApp, and not the other contracting party, can do forum shopping at its discretion. This is a typical characteristic of a dominant party imposing a one-sided term on the weaker party, and would be considered by Courts in India as a determining factor in adjudicating whether this is an "unconscionable" contract.

The other point to note in the dispute resolution clause is that it attempts to override the Limitation Act of India. This may also be considered ultra vires Indian law.

In view of the above, the WhatsApp contract is not an admissible contract, nor an admissible consent, under Indian law.

It would have been better if WhatsApp had consulted organizations like FDPPI before taking such a major step, which could result in the flight of many users to alternative messaging apps, including some which may come up from India itself.

The PDPSI Approach

Had WhatsApp adopted the PDPSI approach, it would have realized that the compliance program and the Privacy Policy have to be developed separately for each applicable law. In that case, there would have been a different Privacy Policy and an associated dispute resolution policy for India. By adopting a policy which may comply with GDPR or US law and assuming that it would automatically be accepted under Indian data protection law, WhatsApp has made a mistake.

Hopefully WhatsApp will correct this. Otherwise the call from privacy professionals in India would be to "switch from WhatsApp".

Naavi

Previous Article: WhatsApp needs to change its jurisdiction clause


WhatsApp needs to change its Jurisdiction clause in the Terms or else, exit from India.

WhatsApp has announced a new Privacy Policy and Terms of Use effective from 8th February 2021. Since then there has been a series of debates in the media about the impact of the change and how users should react. Most of these discussions are on the "Privacy Policy" and not on the "Terms of Use".

The objections have been about whether WhatsApp will have access to the user's content and share it with Facebook.

A brief review of the policies is attempted here to open up further discussion. It is not easy to decipher the privacy policies of any large MNC like WhatsApp, or even Google or Twitter, since there can be many subtle wordings which can be technically and legally interpreted in different ways.

We also have to recognize that WhatsApp has created two different sets of policies, one offered by WhatsApp Ireland Ltd to the EU region and the other by WhatsApp LLC to other countries. Except for the ownership of the service, there does not appear to be any difference between the two policies. This is either a mistake, or perhaps WhatsApp thinks that the world outside the EU has no importance and hence any policy will do.

Perhaps WhatsApp will realize that countries like India are conscious of the data sovereignty principle and will not tolerate this arrogance.

The Privacy Policy and the Terms of Service have to be read together. There appear to be more contentious issues in the Terms of Service than in the Privacy Policy, as explained below.

A: Privacy Policy

The Privacy Policy consists of the following 12 sections.

1. Information We Collect
2. How We Use Information
3. Information You and We Share
4. How We Work With Other Facebook Companies
5. Our Legal Basis for Processing Data
6. How We Process Your Information
7. How You Exercise Your Rights
8. Managing and Retaining Your Information
9. Law, Our Rights and Protection
10. Our Global Operations
11. Updates to Our Policy
12. Contact Us

The policy appears to cover most of the requirements of a law-compliant Privacy Policy, though we cannot say that it is in a "clear and precise" format.

A couple of key points of the privacy policy are discussed below.

1. Is there discrimination in refusing the service if permissions are not given?

In analyzing the Privacy Policy and commenting on whether it is acceptable, we must appreciate that WhatsApp is a private business of Facebook and its commercial interests cannot be wished away. We can only comment on whether there is transparency in the Privacy Policy as notified and whether the company deviates from what is stated in the policy. The right of the company to modify the policy also needs to be recognized, though we can expect reasonable notice whenever a major change occurs. Presently a notice of one month has been given, and this needs to be maintained in the future also.

In order to recognize the right of WhatsApp to set pre-conditions, with a right to refuse the service if certain information is not provided, we must recognize the nature of the WhatsApp service and the "legitimate interest" built into it. According to its mission statement, WhatsApp started as an alternative to SMS and now supports sending and receiving a variety of media: text, photos, videos, documents and location, as well as voice calls.

As we understand it, WhatsApp is a "platform". It enables a person to send a message to another, provided both have downloaded the App on their devices and subscribed to the service. Additionally, in a "group communication", one-to-many messages are sent to the WhatsApp server, which distributes them one by one to all the members of the closed group. In this context the WhatsApp server is an agent that holds the content until it is downloaded by all the members, within 30 days etc. The members of the group are collectively responsible as owners of the group. At present the "Admin" has only limited powers of admission or removal of members and no power to delete content posted. The member who posts content to the group is the sole owner of the message and can make it disappear or delete it within a certain time. This reiterates that WhatsApp is a messaging service from the sender of the message to the receiver; the server provides certain intermediary services, and the Admin has no role in the transmission of the message.

Hence it is the WhatsApp subscriber who has a contract with WhatsApp, both for sending individual messages and for forming and participating in group messaging. The Privacy Policy and the Terms of Service are parts of this contract formation.

If, therefore, the terms of the contract are not acceptable to either of the two parties, there is nothing wrong in the service not being made available. Whether this can be brought under the Competition Act can be debated. But since there are multiple other services of a similar nature, it is unfair to bring the service within the provisions of the Competition Act and to call WhatsApp's right not to provide the service if the Privacy Policy is not accepted "discriminatory" in terms of the data protection laws.

2. Information Collection and Storage

The information collected by WhatsApp is declared to be specific to the "options" used by the user, and is hence declared purpose-specific. The mobile number and the maintenance of log records of the use of the App are therefore directly related to the messaging service and within the rights of WhatsApp.

The "storing" of information on the servers for the interim period before it is downloaded by the receiver does not mean that the server is reading the information, though technically this is possible even when it is in encrypted form. Encryption prevents third-party access, but if WhatsApp really intended to read a message it could always simulate either the sender's phone or the receiver's phone and use the keys to decrypt it. However, this is an unreasonable suspicion and, unless there is evidence of it, should not be considered a possibility.
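The sentence above about "simulating a phone" describes, in effect, a provider that controls the distribution of users' public keys. The following is an added example written for this edit, not WhatsApp's code or protocol, showing the general mechanism in a toy Diffie-Hellman exchange (the Mersenne prime 2^127-1 with generator 3 and fixed, made-up private keys are assumptions chosen so the arithmetic is visible and reproducible; real messengers use X25519 within the Signal protocol). A key server that relays public keys faithfully gives the two users a shared secret nobody else holds; a server that answers every lookup with its own key ends up holding a secret with each of them and can decrypt and re-encrypt in the middle. What exposes the substitution is the two users comparing, out of band, the fingerprint ("safety number") of the keys each of them actually saw.

```python
"""Key-distribution model: who can read an end-to-end encrypted message?

Added example for this article; not WhatsApp's protocol or code. Toy
Diffie-Hellman group (Mersenne prime 2^127-1, generator 3) and constructed
private keys are assumptions made so the run is small and reproducible.
"""
import hashlib

P = (1 << 127) - 1   # toy prime, illustration only (real systems: X25519)
G = 3

# Constructed long-term private keys (not real keys, not from the article).
ALICE_PRIV = 0x1A2B3C4D5E6F708192A3B4C5D6E7F809
BOB_PRIV = 0x0F1E2D3C4B5A69788796A5B4C3D2E1F0
SERVER_PRIV = 0x0BADC0FFEE0DDF00D0BADC0FFEE0DDF0


def pubkey(priv):
    return pow(G, priv, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def safety_number(my_pub, peer_pub):
    """Order-independent fingerprint over both public keys: the value two
    users read to each other out of band to confirm nobody sits in the middle."""
    lo, hi = sorted((my_pub, peer_pub))
    return hashlib.sha256(f"{lo}:{hi}".encode()).hexdigest()[:16]


class HonestServer:
    """Stores each user's public key and returns it unchanged."""

    def __init__(self):
        self.keys = {}

    def publish(self, user, pub):
        self.keys[user] = pub

    def lookup(self, requester, user):
        return self.keys[user]


class SubstitutingServer(HonestServer):
    """Same interface, but answers every lookup with its own public key.
    Each user then agrees a secret with the server instead of with each
    other, and the server holds both secrets: it can decrypt, re-encrypt
    and relay without either party noticing from the ciphertext alone."""

    def __init__(self, server_priv):
        super().__init__()
        self.priv = server_priv
        self.secrets = {}

    def lookup(self, requester, user):
        # The secret the server will share with 'requester', who believes
        # it is talking to 'user'.
        self.secrets[(requester, user)] = shared_secret(self.priv, self.keys[requester])
        return pubkey(self.priv)


def run_exchange(server, alice_priv=ALICE_PRIV, bob_priv=BOB_PRIV):
    """Register both users, fetch each other's key through the server,
    derive session secrets and the safety numbers each side would display."""
    server.publish("alice", pubkey(alice_priv))
    server.publish("bob", pubkey(bob_priv))
    bob_seen_by_alice = server.lookup("alice", "bob")
    alice_seen_by_bob = server.lookup("bob", "alice")
    k_alice = shared_secret(alice_priv, bob_seen_by_alice)
    k_bob = shared_secret(bob_priv, alice_seen_by_bob)
    sn_alice = safety_number(pubkey(alice_priv), bob_seen_by_alice)
    sn_bob = safety_number(pubkey(bob_priv), alice_seen_by_bob)
    return {
        "k_alice": k_alice,
        "k_bob": k_bob,
        "keys_agree": k_alice == k_bob,
        "safety_numbers_match": sn_alice == sn_bob,
    }


if __name__ == "__main__":
    honest = run_exchange(HonestServer())
    print("honest server: keys_agree =", honest["keys_agree"],
          "safety_numbers_match =", honest["safety_numbers_match"])
    mitm = SubstitutingServer(SERVER_PRIV)
    result = run_exchange(mitm)
    print("substituting server: keys_agree =", result["keys_agree"],
          "safety_numbers_match =", result["safety_numbers_match"])
    print("server holds alice's secret:", mitm.secrets[("alice", "bob")] == result["k_alice"])
    print("server holds bob's secret:", mitm.secrets[("bob", "alice")] == result["k_bob"])
```

The practical reading of this for a user is that end-to-end encryption protects against third parties by construction, but against the operator of the key server only to the extent that users verify safety numbers (or the service publishes its keys in an auditable way); whether a given provider does this is a matter of evidence, as the paragraph above says, not of the encryption alone.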

From the policy it appears that WhatsApp has two storage policies, one for media and the other for text messages. The text part is deleted from the server after delivery, but media remains in storage in encrypted form to enable forwarding. The company has a technical justification for this storage: when a forward occurs, it avoids the entire media file travelling again from the forwarder to the server, and if the forward is to multiple persons it saves substantially on data transfer. The media is held on the WhatsApp server not permanently but for a certain time, so that forwards within this span save on data transfer.

Hence storage, both from the point of view of maintaining encryption and as temporary storage, can be considered legitimate. Criticism in this regard is not sustainable.

3. Sharing of Information

The policy states that WhatsApp may access, preserve and share certain information. This, however, refers to information collected from the account holder, such as account information, messages (in encrypted form) during the interim period when they are held for deferred delivery, and metadata associated with the use of the services.

There is nothing in the policy to suggest that the message content will be read by WhatsApp and used for profiling etc. 

Where the WhatsApp payment system or the contact upload feature is used, users may be sharing more information related to that specific service.

4. Legitimate Interests

The policy declares that the legitimate interests relied upon include the provision of accurate and reliable aggregated reporting to business and other partners, statistics on performance, the need to demonstrate the value partners realize, etc.

It also states that Facebook products may be marketed to users by direct marketing. This indicates that there could be "advertising" messages sent to users, similar to Twitter inserting advertising in between messages.

Prevention of fraud and protection against spam, abuse etc. are also stated as reasons to use information under legitimate interest.

The policy indicates that public interest could also be a legitimate basis.

B. Summary views on Privacy Policy

At first glance, therefore, the policy does not seem to raise grave concern. It is possible that the company may draw a profile and use it for advertising, but that is only to be expected as a revenue generation method unless the service becomes a paid service.

Since India is coming up with its Data Protection Law shortly, once the final version of the law is ready, we may review the Privacy policy to check if it is in tune with the requirements.

The Privacy policy appears to concede the requirements envisaged in the Indian law regarding providing tracking information when required by the law enforcement.

Perhaps remaining compliant with the Indian law could be one of the reasons for which the Privacy Policy was revised before the Indian Act comes into effect.

However, the policy is too large to be considered easily comprehensible by an ordinary user of the service. Businesses should find a way to simplify their Privacy Notice to the public while keeping a more legalistic and verbose policy for internal use. Otherwise the public will need expert interpreters to certify whether a Privacy Policy is compliant with the requirements of law and meets the principles of Privacy protection.

Terms of License

The terms of use, however, have some aspects which may cause doubts in the minds of the users.

For example, in the paragraph “Your license to WhatsApp”, it is stated as follows:

Your License To WhatsApp. In order to operate and provide our Services, you grant WhatsApp a worldwide, non-exclusive, royalty-free, sublicensable, and transferable license to use, reproduce, distribute, create derivative works of, display, and perform the information (including the content) that you upload, submit, store, send, or receive on or through our Services. The rights you grant in this license are for the limited purpose of operating and providing our Services (such as to allow us to display your profile picture and status message, transmit your messages, and store your undelivered messages on our servers for up to 30 days as we try to deliver them).

Though at first glance this appears to indicate that WhatsApp may use the content for its own purpose, the issue is more related to IPR than to Privacy. Also, if the content is encrypted before it is shared by the user with the company, it cannot be used in raw form by WhatsApp unless it is decrypted. The mention of “Limited purpose” indicates that there is no intention of creating “Derivative Works” from the user’s content and using them commercially, though an “Enabling feature” has been written in.

Probably WhatsApp will be answerable for IPR violation if the user content is used for creating a revenue-generating product.

The statement that “WhatsApp does not claim ownership of the information” further corroborates the status that the content is owned by the user. 

If WhatsApp tries to make derivative works out of the user’s content, they will also lose the status of an “Intermediary” under ITA 2000 and hence cannot claim any immunity for crimes that are committed with the service.

If WhatsApp claims absolute rights to use the content, then they will have to admit knowledge of the content which will make themselves liable for any drug related conversation or other offences using the WhatsApp messages. 

It would therefore be advantageous for WhatsApp to claim that they are not aware of the encrypted content and they don’t use them for any of their purposes. This is evident in the terms also.

The terms of use also take into account the disclaimers expected under the ITA 2000, Section 79, Intermediary rules.

As can be expected there is a disclaimer that “WhatsApp does not accept responsibility for losses” if they have exercised due diligence.

The Dispute resolution clause is not properly constructed in the policy, since both the policy applicable to the EU and the one applicable to other countries seem to state that in countries outside the EU the applicable law is that of Ireland.

This will not be acceptable in India. The amendment to the ITA 2000 intermediary rules as well as the PDPB will require WhatsApp to open a separate Indian office and be treated as a Significant Data Fiduciary. At that time, WhatsApp will need to get itself licensed by the regulator, and it may be refused a license to carry on its business unless the applicable law of India and the jurisdiction of Indian Courts, along with ODR usage, are brought into the terms.

Even the RBI needs to take a look at this, since it is responsible for permitting WhatsApp to handle payments.

This is likely to be the most contentious issue of the terms of service/Privacy policy which needs to be addressed by WhatsApp. We may recall here that the Kerala High Court did pass adverse remarks in the Sprinklr case that the Kerala Government had accepted the New York jurisdiction without proper evaluation of the terms of service.

Summary Views on the Terms of Service

The applicable law and jurisdiction clause of the Terms is not compatible with the Indian legal environment.

The RBI should take steps to withdraw the permission given to WhatsApp for running the payment services unless this clause is changed immediately.

MeitY has to issue a notice to WhatsApp under Section 79 that the jurisdiction clause which is part of this “Implied Contract” between the user and WhatsApp is not valid in India and that it shall accept the jurisdiction of the Courts of India at the residential place of the user as evidenced by the SIM card information.

Also, under the PDPB, WhatsApp needs to provide a grievance redressal system which is more data-principal-friendly by incorporating an ODR facility to resolve grievances. The DPA is yet to come into existence, and until that time Sections 43A, 43, 72A, 67C, 69, 69A, 69B, 70B and other provisions of ITA 2000 will be applicable to WhatsApp, and compliance with ITA 2000/8 needs to be demonstrated by WhatsApp.

CERT-In should issue a notice to WhatsApp for an assurance that it is ITA 2008 compliant.

It is open to any interested parties to file a PIL to force WhatsApp to change the Jurisdiction clause if it has to maintain the payment services and operate in India.

It is also a great opportunity for an indigenous messaging app developer to introduce an equally efficient app, and there will be a lot of support from India.

(Comments Welcome)

Naavi

Posted in Cyber Law | 2 Comments

NCLT has been Irresponsible in the case of Net4India

Judiciary and Quasi Judiciary authorities in the country have been accorded a special place in the structure of our democratic society. We respect them and fear them. With the increasing burden on the regular judicial institutions such as Courts, quasi judicial authorities such as Adjudications and Appellate Tribunals have been constituted under different laws so that the first trial and first appeal could be handled by these specialized institutions before the dispute passes on to the higher judiciary normally at the High Court or in some cases bypassing the High Court and going directly to the Supreme Court.

Most of these institutions are often managed by retired Judges of the High Court and Supreme Court and have powers not only to ease the procedures and make litigation convenient to the public but also to ensure that they are not inferior to any Court in enforcing their orders.

The availability of powers and the respect from the society needs to be repaid by these institutions with a sense of responsibility to the citizens of the country.

It is necessary to point out that the National Company Law Tribunal (NCLT) has, in the case of Net4India, failed to show this responsibility despite it having been pointed out that the action or inaction of NCLT has resulted in lakhs of consumers of Net4India being left in the lurch with their digital business disrupted.

Notwithstanding the respect due to an institution like NCLT, it is our duty to point out the fact that NCLT missed its duty to serve the consumers of Net4India by being ignorant and irresponsible.

In the hope that this situation would not recur in the future, we provide here some thoughts along with why we need to be critical of what NCLT has not done in the case of Net4India to protect the interest of the consumers.

Net4India is one of the oldest Internet Service Providers in India and provided services for registration of Domain Names under the license from ICANN. It provides services for hosting websites, hosting e-mail services, providing digital certificate to web servers for secure web transactions etc.

Many large and small business organizations and individuals had availed their services from Net4India and have been running their web based services. Even Naavi started his activities on the web through Net4India.

Somewhere down the line, Net4India borrowed money from SBI and defaulted. It appears that SBI was negligent in providing the facilities and probably there was corruption and fraud in SBI which resulted in the loans being granted, not properly monitored and allowed to turn into NPAs. Given the nature of activities of Net4India and the head start it had on other competitors, it was a gold mine by itself and did not require Bank finance for its normal business. If an enquiry is held on how SBI granted credit facilities running to more than 100 crores and let it rot, it would perhaps come to light that the officials of the bank had colluded with the company in financing overtrading and diversion of funds.

The bankers remained mute spectators when Net4India did some manipulations to shift its assets, use the services of Open Provider to keep up its public face while slowly shifting the assets out of the company. (See here)

Having committed a possible fraud, SBI made use of the provisions of the NCLT to shift the liabilities to Edelweiss Asset Reconstruction Co Ltd, which invoked insolvency proceedings.

Medianama.com quotes the advocate of the Resolution Professional and indicates how there was a fraud committed over a period by the company. The advocate reportedly stated

“The RP discovered that the entire business and income of the Corporate debtor has been diverted to Net 4 Network [Services Limited], thereafter 70% shareholding of the Corporate Debtor in Net4 Network was surreptitiously transferred to a related company called Track Online India Private Limited, which is another company of the same Promoter-Director and thereafter the business of the Corporate Debtor was on 20.10.2016 transferred to Net4 Network [Services Limited] (once upon a time wholly owned subsidiary of the Corporate Debtor company) through Master Reseller Agreement (MSA), which has made Net4 Network “Master Reseller”, therefore as on the date the Corporate Debtor has remained for name sake because its shareholding in Net4 Network was transferred leaving no control over Net4 Network [Services Limited] and then strategically business as well. “

This sort of fraud could not have occurred except through connivance of the Banker, the company like Openprovider.com as well as other professional firms like the statutory auditors and company secretaries. Even ICANN and NIXI should have been able to see the fraud before it became irreparable.

The Ministries of Finance or Consumer Affairs have been silently watching the happenings and not tried to resolve the issue in a manner where the consumer’s interests are protected.

For a long time MEITY also was a silent spectator until after the issue was escalated through this website, NIXI started helping out registrants of dot in domain names ensuring that they were transferred to other registrars.

The India representative of ICANN has also been doing his bit to get the ICANN supervised domain names like dot com names to other registrars through the dispute resolution process with the ICANN which is slow and painful.

However, the domain name owners are not able to recover their money stuck with the Net4India accounts. They are cumulatively “Creditors” of Net4India in its insolvency proceedings, which the NCLT has conveniently ignored.

Each of the 70000 plus customers (maybe up to 3 lakh according to one estimate) has a different amount, from Rs 1000 to Rs 25000/-, remaining as a balance in their account with Net4India, earmarked for their future renewal of services. These were in the nature of pre-assigned payments and not available for being used for repayment to SBI or Edelweiss, and NCLT should have arranged for this to be segregated and accounted for the individual customers, which it failed to do.

The NCLT also failed to recognize that Net4India, even as a shell company, was a “Going Concern” and that if its rights as domain manager for 70000 customers had been traded with another registrar, the rights would have fetched a value of their own. This “Intangible value of the domain business” went unaccounted before NCLT declared Net4India insolvent.

NCLT also failed to give notice to each of the 70000 domain name registrants who were small creditors to the company before the Insolvency proceedings were launched.

NCLT by launching the insolvency proceedings closed down the running operations of the company and the services of the consumers got disrupted.

NCLT has to be therefore squarely blamed for the disruption of the businesses of 70000 plus consumers of Net4India.

NCLT had it within its powers to ensure that, before ordering closure of the company, sale of its immovable properties etc., a search was made for auctioning the customer rights to other registrars at a premium. Some other registrar would have valued the acquisition of 70000 domain name customers as a great opportunity and acquired the entire business, which NCLT valued at “Zero”, at least under a management contract at say around Rs 10 crores, with a seamless continuation of the services to the consumers, which is priceless.

But NCLT was not aware of the damage it was creating to the digital markets in India and/or was not concerned. It had its blinkered approach of going through the motions of resolution so that SBI could recover its own fraud proceeds and Edelweiss could make some money of its own.

PS: In case NCLT feels aggrieved with this criticism, we would like to know what measures NCLT took to bring the interests of the consumers of Net4India to the resolution process, whether notices were given individually to each of these consumers, whether there was any attempt to value the “Contractual Rights” created through domain services contracts at least at a notional nominal value to the books. We are willing to apologize if there has been a reasonable effort from NCLT in this regard.

At present several of the affected persons are rallying around Naavi.org and many of them have been able to resolve a part of their problem in getting the domain names transferred, but they still have not been able to recover the money stuck with Net4India, and there are many more whose domains are still not transferred, particularly by ICANN. All of them have to view NCLT as the villain who protected the fraud partners of Net4India at the cost of innocent consumers of Net4India.

Future Actions Required

For the time being let us leave the NCLT to learn from its mistakes but focus on what we need to do in the future.

1. Bring the value of digital assets into the books of accounts.

The first and foremost action required to be undertaken by all of us who are users of domain names and other digital assets created out of contracts is to bring the value of such assets into the books of account.

For example, Naavi.org as a domain name is valued at $1328 at Godaddy. In terms of expenses it costs around Rs 942.82 to renew every year, which can be capitalized. If Ujvala Consultants Pvt Ltd, which has registered the domain names for Naavi, aggregates all the domains under its control and values them either at the market value estimated by Godaddy or at capitalized annual expenditure to be written off over a period of time instead of being considered as an expense, the balance sheet of Ujvala would reflect an asset value of several lakhs which today is not getting recognized.

If, under a similar principle, Net4India had recognized the value of its domain name business by some valuation method, say on the basis of cost of acquisition, the net present value of future business or the cost for a competitor to build 70000 plus customers, then its balance sheet would have carried an asset base of crores of rupees which the NCLT could not have ignored.

The Accounting professionals, ICAI and Ministry of Finance should therefore think of introducing a system whereby digital assets are accounted for in the books as “Intangible Assets”.

It is possible that the Ministry of Finance would immediately think if they can tax this asset. It would be cruel if they did so. But since the valuation method may not be universally agreed upon, the accountants can start by placing a “Contra entry” in the books of account so that the valuation does not affect the balance sheet in real terms.

While the ICAI may take its time to understand the value of this “Digital Asset Valuation”, considering the future advent of Non Personal Data Protection regulation where valuation of data may become a realizable value, Naavi has already recommended inclusion of the “Personal Data Valuation” as a best practice under the PDPSI (Personal Data Protection Standard of India) which is a new standard of data protection and assessment of compliance.

2. Registrars of Domain Names to be regulated by MeitY

Considering the critical nature of the business of domain name registrars, the adverse impact if registrars go out of business in future, as well as the need to reduce the incidents of domain name frauds, MeitY has to recognize that Registrars are a special category of “Intermediaries” and introduce appropriate regulatory control.

The Data Protection Authority (DPA) under Personal Data Protection Act (proposed) should also recognize domain registrars as “Significant Data Fiduciaries” and bring them under the regulatory control.

Both the above suggestions are well within the powers of MeitY at present, and hence we hope that they would be considered seriously.

Naavi

Posted in Cyber Law | 1 Comment