Getting Ready for the New Era of Personal Data Protection

Personal Data Protection Act is round the corner. Every organization handling personal information both of their employees or their customers need to get ready in understanding what we need to do for compliance.

FDPPI as the pioneering Data Protection Organization in India is organizing a free webinar on 23rd September 2020 between 10.30 am to 12.30 pm focussed on the SMEs and MSMEs.

The program is free to participate.

 

Request each one of you to spread the word so that maximum number of persons and organizations can take advantage of the webinar.

Those of you who are associated with industry organizations may kindly spread the word in your community so that your members can benefit.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Divide and Destroy Policy to delay Passing of PDPB 2019

Hindustan Times has carried an article today under the title “RBI Seeks exemption from Data Protection Law”.  At first glance it appears to be a serious opinion from the financial regulator but on deeper verification, appear to be a planted story to support views of some lobbies.

Given an opportunity, there is no doubt that even FaceBook wants to be exempted from Data Protection Law and may be even other organizations. Just as the Parliament session is about to commence on September 14th and we are expecting that the JPC would place its recommendations to get the Personal Data Protection Bill 2019 (PDPB 2019) to the next stage, HT’s article suggests that there is an attempt to plant dissidence among the regulatory agencies.

In the next few days we may expect articles suggesting that even TRAI, IRDAI, SEBI etc all would like to be exempted from the PDPA.

It appears that this article is part of the propaganda unleashed to scuttle the passage of the Bill. In all probability this could be a fake story published to stir up a controversy.

The approach of PDPB is similar to GDPR in that it is not a sectoral approach to Privacy protection but an across the board approach. It will affect Financial information, Health Information, stock market information etc. To some extent it will disrupt the existing regulators. But this is natural and inevitable. In fact PDPB is a continuation of ITA 2000/Section 43A and hence there is no reason why RBI which was comfortable all these years when 43A defined financial information is “Sensitive Personal Information”, should raise an objection now.

In all probability the views expressed in the article are not that of RBI. In fact RBI was more stringent regarding the data localization and PDPB is far more lenient.

There is a strong lobby of credit card processors lead by NASSCOM which does not want “Financial Information” to be within the PDPB. The reason is that Financial information is the most valuable personal information and several organizations are making money in processing the information in a manner in which PDPB will not allow.

PDPB does not exempt even the DPA from the provisions of being considered as a Data Fiduciary and there is no reason why RBI or any other organization should seek exemption. It is also not clear why RBI should be concerned since the personal data it handles is minimal and is restricted to that of the employees. It is the individual Banks who would be subject to PDPB and hence RBI need not worry about any serious disruption of its activities.

When RBI collects any financial information of a data subject, it may come through a Bank and hence its role may be only that of a data processor. Also most of the time the data is used for monitoring the security of the financial transactions as well as for statistical purpose and hence PDPB has in built exempts for RBI.

There are several other points mentioned in the article as if they are stated by some anonymous representative of the RBI. It is however more likely that this is a planted story of some vested interests who are worried about the loss of their commercial opportunities to exploit the financial data of individuals.

The report is also false when it mentions that “Data Retention Norms” are mentioned in PDPB. There is no such norms and RBI’s regulations will determine how long Banks keep the personal data. Similarly it is wrong to say that PDPB does not allow storage of payment data abroad at least in the current version. It only says that a copy should also be kept in India.

RBI”s role as operator of RTGS and NEFT are technology platforms which are managed through the Banks and hence the role of RBI is only as an intermediary through which the data passes through and not as a Data Fiduciary.

The report therefore needs to be ignored as yet another attempt by lobbyists to check the passage of PDPB in the current session. It would be advisable that RBI comes up with its official view whether the comments attributed under the article are official views of the RBI.

Just as the CDS has to manage the relationship with the three service chiefs, the regulators like RBI, IRDAI, TRAI, SEBI etc., need to manage the relationship with the DPA and unless there are ego issues, senior people should be able to manage the overlapping issues that may come from time to time.

It is unfortunate that the media is trying to create a divide between RBI and the Government to help some industry interests to prevail.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

The Man Who Saw Tomorrow

M.K Anand, of Seechange Consulting recently interviewed Naavi and captioned the release with an attractive title “The Man who saw tomorrow”.

The video is now available on line.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

“Defamation” as Business Strategy

Among the many abuses of the great innovation called Internet and World Wide Web is the misuse of the technology for organized defamation like what we used to refer in the physical world as “Yellow Journalism”.

While some adopt abuse through obscenity or abuse through manipulated information which are considered offences under ITA 2000, “Abuse through Defamation” and “Abuse through an Online Threat” are no longer offences under the ITA 2000 because our honourable Supreme Court took a wrong decision in the in famous Shreya Singhal case by scrapping Section 66A which has not been replaced so far.

I have recently come across a “Death Threat” on Whats App which cannot be booked under ITA 2000 and another incident of defamation through postings on some websites/blogs dedicated to defamation, which also cannot be booked under ITA 2000.

Such cases have to be booked under IPC but the evidence is in the electronic form and has to be supported by Section 65B certificate.

Unless the Government of India re introduces Section 66A or its equivalent or files for a review with the Supreme Court and the Supreme Court reviews it and allows the section to come back at least in a “read down version”(Please refer to discussions on Section 66A here), there is no relief to the victims.

Similarly, there is no relief to Cyber Crime victims if the MeitY and the MOF continues to ignore the immediate need to ban Crypto Currencies in India. These issues have also been highlighted in this website in the past.

Now I would like to bring to the notice of the public some websites such as shesahomewrecker.com, fraudsters.online and exposecheaters.online.

These are websites which encourage posting of defamatory content. We have earlier discussed in these columns about the “Glassdoor attack” and also referred to the law in NewZealand to prevent such harmful effects of Social Media misuse. In one dimension of job market we pointed out to “Glassdoor attack”  which involved posting of bad reviews about companies by disgruntled employees.

For these websites, and even for the Twitters and Face Books,  attracting visitors is the criteria. If this can be done with sensational news often created out of AI robots, they would grab it with both hands. What is lacking here clearly is “Ethics of Business”.

While Internet provides the freedom of expression which can be used effectively when incidents like suspected murders in the cases of Sushant Rajput or D K Ravi or Sunanda Pushkar, Palghar sadhus, Sridevi etc takes place and the Police under the influence of corruption fail to take appropriate steps, there are also instances when innocent persons are harassed through wrongful posts in some of the websites mentioned earlier.

Of course, these issues have to be handled on a case to case basis and we cannot impose censorship that could prevent good use of Internet freedom.

However, in most cases, it is difficult to find the owners of these websites since the Registrars promoted by ICANN have a false sense of Privacy and mask the identity of the business information called “Ownership of domains” as if they are “personal data. Hence even if our neighbor is indulging in slander, we will be running behind companies registered in Panama to request for the Who Is records. Similarly G Mail does not want to reveal the originating IP address for emails that land in my InBox for which I should have the right of information.

In a recent incident we also pointed out that Net4India a sub registrar of domain names and ISP services in India suspended many of its activities inconveniencing hundreds or thousands of web users.

The ICANN is not taking any responsibility for misuse of Internet and its approach to Cyber Crimes is the biggest challenge to Cyber Security at this point of time.

If we want not to depend on ICANN for securing the Cyber Space, it is only the individual countries who have to ensure that the Cyber Space does not become a menace.

In India therefore the responsibility falls on the MeitY to address some of these issues.

Despite our repeated nudges, MeitY has not taken action for resolving the Net4India issue or the Crypto Currency issue. It has earlier indulged in half hearted attempts to amend Section 79 intermediary rules but backed out when Urban Naxalites launched action in the Supreme court. Though it has taken steps to block Chinese Apps, it has not taken steps to block the websites who have made it a business out of defamation.

Now we need to again remind MeitY that reintroduction of “Harassment through messaging” which was present in Section 66A along with the Cyber Bullying, Cyber Stalking, Spamming, Phishing, Cyber threats which were all present in Section 66A but the Supreme Court failed to see as it was after its own desire to assert its support to freedom of expression calling Section 66A as a “Chilling” effect on the society.

We are not sure that MeitY has an ear to listen to these aspects. MeitY appears to be mortally afraid of PIL lawyers who may get a sympathetic hearing by the Supreme Court also. Our Attorney General is more concerned with letting off persons with a history of contempt of Court proceedings rather than protecting the victims of Cyber Abuse.

But it is our duty to record our observations and hope that some Court at least will take note of the vows of Internet abuse when some defamation cases are brought before them like the Baba Ramdev case which was heard by the Delhi High Court.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Atleast Now Mr Modi should know the Villain called Bitcoin

It is reported that Mr Narendra Modi’s twitter account was hacked and a request was placed for contribution to the PM’s fund through Bitcoins.

It is obvious that this is the work of fraudulent hackers who must have been able to get some benefit by way of Bit Coin contributions before the hack was detected and removed.

Naavi has been urging the Government of Mr Modi to ban Bitcoins through a number of articles here but the request has gone unheeded.

It is our firm belief that unless Bitcoin is banned the Government of India’s effort to remove black money is only to be considered as half hearted.

Unfortunately the Supreme Court paved the way for a surge in Bitcoin usage in India by scrapping the RBI notification preventing Banks from dealing with companies engaged in Crypto Coin exchange.

The Finance Ministry has quietly looked the other way and even the RBI has withdrawn to the back ground since the lobby behind the Bitcoins is so powerful that even Mr Modi is hesitant to act.

Now that Bitcoins have been demanded and received in the name of Mr Modi, we can expect the opposition to demand an enquiry on whether this was really a hack or was only stage managed.

It would not be possible for BJP to prove that no body paid in bitcoins because that is the nature of secrecy that sorrounds this “Currency of Criminals”.

We hope that at least now, Mr Modi and Mr Shah would realize the damaging potential of Bitcoins and issue an ordinance to ban Crypto Currencies forthwith.

Naavi

 

Print Friendly, PDF & Email
Posted in Cyber Law | 1 Comment

Techgentsia sets a new Trend

The announcement that a relatively unknown company from Alampuzha a small town in Kerala has won the grand challenge mounted by MeitY to find an alternative to Zoom has created a new enthusiasm in many small software development teams that they too have an opportunity to emulate this company and  achieve  instant recognition if they have a good product.

India has for long been a “IT Service hub” and many giant companies have refused to invest their time and energies in developing a product profile. They have been happy to be followers of the US companies and often develop IP for the US companies to exploit. In the bargain Indian talents are getting hired for a salary to create huge software IP for other companies. Naavi.org has often called them as “Cyber Coolies” not to derogate them but to stimulate them.

Now with a new found enthusiasm to replace the Chinese products there is a new found opportunity for all intelligent software developers in the country to try and develop their own IP and their own products.

If Techgentsia’s VConsol has come out the topper in search of a replacement for Zoom, it will catapult the company into prominence. Apart from the guaranteed Government contract, it is likely to find market among all patriotic Indians waiting to use indigenous products. The Company is targeting a 1 million client base and even assuming a monthly income of Rs 1000 per client, this is a targeted business of Rs 100 crore per month.

We congratulate the company on hitting this jackpot and hope they will not fritter away this opportunity.

Remembering Dewang Mehta

This reminds us of the Dewang Mehta Award which had been instituted by the MeitY for which even Naavi.org had submitted an application. Mr Dewang Mehta was the Nasscom Chief at that time and sadly passed away suddenly at an early age. He was a very dynamic professional who would have contributed significantly to the development of self reliant IT industry in India if fate had not snatched him away. The award instituted in his name by MeitY also carried a prize amount of Rs 1 crore (in 2000) and the first such award was won by a Bangalore company for developing low cost computer. Unfortunately the technology changes have pushed this innovation into the oblivion. Subsequently MeitY seems to have discontinued its association with the award though the family may be continuing the tradition.

Need to Continue this Trend

I hope that the Techgentsia initiative is not a one off initiative but should continue for other major technology replacements we are looking for. The Government has forgotten its commitment to replace the computer operating system and has not even thought of an indigenous mobile operating system. Even some of the replacements for WhatsApp produced even by NIC and the use of local E-Mail services have not been adopted by the Government. If a self reliant India has to be developed, Government should recognize all indigenous initiatives even without funding support to encourage voluntary efforts in this direction.

Naavi’s two Aatma Nirbhar Projects

Naavi has now placed a challenge before MeitY with two initiatives for self reliance in the domain of “Data Protection” by first launching a “Certification Program” for professionals for which individuals are paying crores of rupees to foreign organizations and a “Locally developed data protection standard which can be used both in India and outside” which again can save crores of rupees paid today to foreign organizations. This “Personal Data Protection Standard of India or PDPSI” and its global counterpart “Global Personal Data Protection Standard” will enable SMEs to achieve compliance without spending a huge amount of money to the foreign agencies.

However we need to wait and see if MeitY can recognize such efforts or continue to support the international agencies unmindful of the foreign exchange outflow.

Responsibilities of Techgentsia

On the other hand, I would like to caution Techgentsia that if they want this opportunity not to go waste, they need to recognize that the Government has onboarded them onto a sensitive Government project and they have a huge responsibility to ensure that the security of the system is fully taken care of. Now all the anti Indian forces both in China or Pakistan or in India and more so in the sensitive state of Kerala will be trying to break this system which is going to be associated indirectly with sensitive Government data.

They may come in all forms even in the guise of appreciating the company and helping them. They may try to compromise their employees. They may try to steal the codes. They may also offer huge incentives for compromising the codes. Techgentsia has to overcome all the temptations and preserve their loyalty to the nation.

I hope they will..

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment