Header image alt text

Naavi.org

Building a Responsible Cyber Society…Since 1998

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the  Justice Srikrishna report.]

“Privacy by Design” is a concept which GDPR expects from Data Controllers and Data Processors.  The concept of Privacy by design basically means that measures for Privacy protection should be initiated right from the inception of a project and during the engineering process. It is not an after thought considered over the layer of processing but should be embedded into the basic framework of processing.

The concept of Privacy by design imposes a sense of responsibility on software manufactures who have a tendency to design software solely for functional purpose and expect Privacy to be taken care of manually at the time of implementation.

This concept needs to be extended to complete compliance of all provisions of the Data Protection Act which can be controlled by technical means by making “Compliance By Design” as a mandatory provision under law so that the responsibility for compliance is shared by both the software developers and the users. This could mean that systems and outsourced services should have mandatory encryption, mandatory authentication in the form of non repudiable digital signature system, mandatory compliance of data retention, mandatory archival of log records etc.

If such “Compliance by design” is mandated, then the quality of software products from the point of view of “Data Security” would increase and in the event of any “Data Breach” caused by vulnerabilities in the software systems, some responsibility may be imposed on the software companies also. This would help SMEs in particular who donot have greater dependency on the software suppliers, who donot agree for source code audit or for source code escrowing and also donot guarantee that their software is free from bugs.

Larger companies may have better ability to take their own measures to secure the systems irrespective of the vulnerabilities they come with. They also have the power to extract maintenance contracts and source code audits better than the SMEs and hence the proposal for Compliance by design should help SMEs more than large entities provided the definition of “By design” is extended to software development.

The new data protection act can consider imposition of “Compliance By Design” as one of the responsibilities of system developers (both hardware and software). In order to incorporate this provision, a separate chapter that defines the compliance requirements of the Data Controllers, Data Processors and Data Managers (as proposed in our previous article) along with how the fact of compliance should be disclosed to the public and to the Data Protection Authority. This should obviously be controlled through Registration and penal de-registration of entities who are Data Controllers/Processors/Managers.

Hopefully Compliance requirements donot simply remain on paper but are followed up for strict implementation.

In order to ensure that Compliance is taken seriously, Cyber Insurance should also be made mandatory so that the Cost of Insurance should incentivise the business entities to invest the right resources in achieving compliance.

The SKC has asked the feed back on whether the law should be made retrospective or prospective. If “Compliance” is an honest expectation, it goes without saying that the law has to be enforced prospectively with reasonable time given for compliance.

In the meantime the regulatory authorities need to even provide guidance and assistance to the Data processors and Controllers in the SME sector so that they can achieve compliance in the specified time. The compliance schedule also need to be extended with an additional time for smaller entities taking into account the incidence of cost as well as scarcity of manpower to assist them in the compliance.

The compliance dead line could therefore be about 1 year for large units and about 2 years for smaller units, with exact definition of what is Small and what is not being decided on the basis of turnover.

Naavi

Print Friendly, PDF & Email

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the  Justice Srikrishna report.]

The EU law on Privacy under GDPR recognizes the “Right to Forget” which essentially means that the data subject can demand that his personal information should be erased from the records in the custody of the data processor/data controller once the data subject withdraws his consent.

Enabling “Erasure” of data is not as simple as it looks since data has a tendency to multiply and spread in different systems within the processing organization and it is often difficult to even recognize where all the copies of data are present. With need to back up data for reasons of disaster recovery and different versions of data getting created during the course of relationship of a customer with a data processing entity, when a demand for deletion comes up, it is difficult to ensure the complete erasure of data.

Further, since data is related to National Security and Crime control, there is a legal obligation to “Retain Data” in many circumstances. There will therefore be a conflict of interest between the need to erase data on request and the need to retain data for control of criminal activities. Even the need for Governance such as Direct benefit Transfer with the use of Aadhaar requires data to be retained and not erased at the request of only the data subject.

Even when Privacy is considered as a Fundamental Right, the law provides for exemptions for security purpose and hence the “Right to Forget” or “Right of erasure” is a concept which cannot be considered for the Data Protection Act.

Print Friendly, PDF & Email

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the  Justice Srikrishna report.]

Many of the issues connected with Privacy arise out of the complaint that “information collected by a Data Controller” is processed in such a manner that the data subject feels that his privacy has been breached. Hence “Consent” is sought and obtained before collection of information. Section 79 of ITA 2000/8 under its rules has already adopted the procedure of disclosure and consent when an “Intermediary” collects personal data from a data subject in India. The fact that “Consent” should be an “Informed consent” is also well appreciated.

However most data subjects never care to read the Privacy statements or Privacy policies when presented to them before a specific use of a service. Many service providers also take blanket permissions ignoring the principles of minimal collection and purposeful use.

In the absence of proper legal requirements, data subjects can only try to take legal action against an entity that breaches the law if they can claim damages. But in most cases, damages cannot immediately be recognized and evaluated and hence “breach” can be recognized but not its consequences. Hence there can be no legal remedy in most cases.

When a data protection law is in place, the regulator can take action for breaches even when no damage is claimed by any data subject. Though this provision is available even now under Section 46 of ITA 2000/8, it is hardly recognized as existing. When the new law comes in, since there will be a recognized regulator called the “Data Protection Officer of India”, it will be his duty to monitor the industry and initiate action when required.

Some data controllers may blame the data processors for the breach and data processors may allege that the data controller did not indicate the responsibilities properly in the SLA. Even now many of the data processors in India coming under GDPR allege that they donot have a proper Business Associate Contract from their vendors specifying the information security requirements. Hence the responsibilities cast on the data processors is vague and goes without compliance.

The new law should ensure that this “Vagueness” is removed, by making it mandatory that the Data Controller who is the person/entity to whom the data subject provides the personal data and  “Consent” to use that data in a particular manner, take full responsibility for any breach and also mandate that any sub processors are bound with specific instructions which are clear. If the sub processor is also within the Indian jurisdiction, it may suffice to make a reference to the legal provision in toto by referring to the Act. But when the Data Controller and Data Processor are in different jurisdictional areas, it is necessary for the Data Controller to specify in a contract the actual responsibilities related to the processing of any data set/s and not leave it vague.

Assuming that this provision is taken care of, we can expect that all controllers will present comprehensive “Consent Requisitions” whenever online consent is required. They may even justify in the requisition the purpose of collection and how the information will be secured etc. However, in the process the consent requisition will be a long online document which no user is likely to read at length and just proceed to click “I Accept” and start availing the service. In some cases the service provider may say that “Continued use of the service is deemed to be a consent of the privacy policy” and provide a hyper link which the user does not care to open and see.

Such online consents may not be treated as proper  “Informed Consent” because it is not digitally signed and also because the likelihood of it having been read and understood before it is consented to is low. Since India does not recognize the Click Wrap contract  the acceptance of consent by the click of the button has no legal sanctity. The consent therefore only becomes an “Implied Consent of a dotted line contract”, where the fine point details could be considered voidable at the option of the customer.

Even when such consents are treated as contractually acceptable, the data subject may not be able to decypher the intricacies of the contract and take an informed decision. When multiple parties require multiple types of consents and multiple times, there would be inevitably the “consent fatigue” that makes him simply click without a second thought.

Hence the current system of each data controller taking individual consent each time a data is required for a specific purpose is not practically efficient.

One of the ways by which we can overcome this is to treat personal data as a property of value to the data subject and every usage as “Licensed Use” with some kind of rewards to be available to the data subject which is proportionate to the benefits that the data user may enjoy. In this concept the data subject actually sells the right to use his personal data for a consideration. However to manage this system, the data subject needs professional assistance and hence there is a role for an intermediary “Who Collects consents and data, keeps it with himself and releases it on specific request to a user as a personal Data manager of the data subject”.

The “Data Manager” being a professional agency knows the value of the personal data to different service providers and maximize the returns to the data subject. It is not necessary that the reward to the data subject is in the form of direct money. It could be in the form of reward points that are exchanged for some valuable service.

Further, the “Data Manager” as an intermediary can act like the “Personal Data Locker” and offer services such as anonymization and pseudonomization as well as providing limited set data devoid of key identifiers. He can ensure that value addition in the form of data mining and Big data analytics can be conducted without compromising the privacy of the data subject.

In order to provide an opportunity for such intermediary business, Personal property should be recognized as the property of the individual and he should have the right to license it for a price. The proposed data protection act should also recognize and define the role of the “Data Manager” as a business in which the data subject transfers the right to manage his personal data exclusively to one such agency. This role is different from that of the “Data Controller” and “Data Processor” as is used in laws such as GDPR. He should deal with the Data Controllers and ensures that they adhere to the principles such as minimal collection, purposeful use, adequate security, removal on completion etc. When he approves disclosure of personal data of his clients, he can ensure that adequate value is returned to the data subject however small it is.

The Data manager will subsume the role of the Data Controller to the extent that the data subject provides his consent only to the Data manager and all that the data controller gets is a “proxy identity”. The linking between the proxy identity and the real identity is in the hands of the Data Manager and the principles enunciated in our earlier discussions on “Regulated Anonymity” can be used so that only responsible data controllers will get the real identity based premium personal data. Others can get a lower valued proxy identity data. Some others may use limited data set and others the de-identified data. Thus the Data Manager can effectively classify and package data offerings and create value where as today the data subject does not get any value for his personal data which he shares with various service providers.

This type of parallel thinking can be incorporated in the Indian Data Protection Act so that it does not become simply a rehash of the GDPR or other international data protection legislation.

Naavi

Print Friendly, PDF & Email

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the  Justice Srikrishna report.]

The Justice Srikrishna Committee (SKC) has propounded 7 key principles of the Data Protection Act and proceeded to provide several questions in its report seeking public comments.

The Seven key principles under which the proposed Data Protection law would be based are as follows.

1.Technology agnosticism– The law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance.

2.Holistic application– The law must apply to both private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims.

3.Informed consent– Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful. The law must ensure that consent meets the aforementioned criteria.

4.Data minimisation– Data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject.

5.Controller  accountability–  The  data  controller  shall  be  held  accountable  for  any processing of data, whether by itself or entities with whom it may have shared the data for processing.

6.Structured enforcement– Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralised enforcement mechanisms.

7.Deterrent  penalties–  Penalties  on  wrongful  processing  must  be  adequate  to  ensure deterrence.

The above principles may determine the broad contours under which the SKC may work out a draft of the Data Protection Act of India (DPAI). In the background  the Supreme Court’s views on Aadhaar as an instrument of Governance and a potential tool of breach of Privacy will be weighing in the minds of those who will work on the drafts.

One of the first counters to be raised therefore is “Whether these principles need to be expanded? or Modified?”

It is in this context that we raise the first supplementary principle to be added to the list.

“The proposed Data protection Act should be amenable for compliance by all stakeholders with pleasure and appreciation of the purpose. It should not attempt to enforce the law compliance by pain… except to the inevitable minimum required pain that accompanies all changes.”

The second principle which follows the first is that the proposed law should confine itself to the limitations that is inherent in such a legislation. The law is proposed as “Data Protection Act of India” but is it the right defining of the proposed law? or should it be considered differently? is a question to ponder.

When the honourable 9 member bench of the Supreme Court (Puttaswamy Judgement) declared in a hurry that “Privacy is a Fundamental Right under the Constitution of India”, there was no time to deliberate and come to a conclusion on “What is Privacy”. The order did not specify the definition but said Privacy is a fundamental right. So the task before the Data Protection Act legislators include defining what they propose to protect.

A question naturally arises therefore that if the 9 eminent jurists could not define the enigmatic concept of “Privacy”, should the Data Protection Act of India attempt to do it?

Data protection legislation may not be the right law to define Privacy. It should be through a different law under the overall domain of  “Democratic Rights of an Indian Citizen under our constitution”.

On the other hand the Data Protection law can effectively define the “Security to be accorded to Data” of a particular type. “A Data Protection Act” should confine itself to protection of “Data” which may be personal data, sensitive personal data, or even corporate data. Calling an Act as “Data Protection Act” and confining it only to being an “Individual Information Privacy Protection Act” is not warranted.

However, India already has a law called “Information Technology Act” which has several provisions that fall in the category of “Data Protection”. It also has provisions that are meant to protect “Information Privacy” because of Sections 72A and 43A. Sections 43 and 66 along with several other sections such as Section 67C, Section 79, etc define responsibilities of individual information privacy protection. Sections like 69, 69A and 69B also provide the “Reasonable Exemptions”.

Now whatever the new Data Protection Act proposes will be in partial modification of ITA 2000/8 and will introduce a conflict with ITA 2000/8 and perhaps also on the UIDAI act.

The new Data Protection law should therefore decide if it steers clear of the existing ITA 2000/8 or trample upon its provisions and replace them with a new set of the same provisions under a different legal provision.

We should not forget that there is a “Health Care Data Privacy Act” which is also on the drawing board and has already been partially rolled out in the form of EHR guidelines (though the industry has largely ignored it).

One of the other principles that the proposed law should declare for itself is therefore the following:

The Proposed Data Protection Act shall work in harmony with the current established laws in the country such as Information Technology Act 2000Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act,

The Key principles should therefore be increased from 7 to 9.

The main purpose of the suggestion is that we need a legislation that the stakeholders will absorb as a necessary legislation that is good for our society and hence all of us have a duty to comply with it.

Unlike the GDPR which tries to impose its will through  obnoxious penal provisions, Indian Data Protection Act or Information Privacy Protection Act, or Individual/Personal Information Privacy Protection Act, as it may be called should not bank upon its ability to control the market with its penal provisions. By stating that the penalty can be 4% of global turnover or 20 million Euros, GDPR is showing its muscle. India can counter this by saying that the penalty may be 5% of global turnover and INR 2 billion and make it applicable to any entity in the world. With such a provision we can also make the international community raise eyebrows and recognize our existence.

But is this the way law should be imposed? by threatening to wipe out a company in case of non compliance? and leave it to the mercy of the adjudicator to determine the final penalty and if possible use his discretion as a leverage to ask for favours from the accused?

Penalty should be a deterrent but it should not be so huge that the accused either declares bankruptcy immediately or thinks of bribing his way out. It is in this context that we say law should promote compliance not with pain but with pleasure.

Data Controller is also a stake holder

In the data protection law, the drafting people should also decide who is the stake holder/ or stake holders?. Is the stake holder solely the individual and others like the Data Controller or Data Processor only targets for imposing a penalty if they donot comply? ..when what they need to comply itself is unclear?

We must accept that a Company registered in India is as much an entity that needs Government protection as the individual who is a citizen of India. Hence the law of privacy cannot go over board and look at punishing the Data Controller severely as the EU law tries to do. Of course we donot trust the Companies as also the Government when it comes to Privacy protection and hence the need for the law. Law some times tries to provide protection to the Government separately (eg UIDAI) but imposes hefty fines on the private sector for the same offence. This may not be fair.

What follows therefore is that whatever law which is now being proposed, it should be equally applicable to a Company or the Government or an individual.

Secondly, if Individual’s data needs protection, corporate’s data also needs protection. If one is called “Privacy”, the other may be called “Data Protection”.

Hence if we call this new law as “Personal Information Privacy Protection Act”, then it can confine itself to protecting individuals against invasion of privacy that may arise because such information is not protected by a corporate or Government.

If we call this a “Data Protection Act”, then it should extend to Corporate data as well. Since ITA 2000/8 is already covering this aspect, there is no need to cover security of corporate data through this Act. On the same logic, if this law has to be a comprehensive law on Personal Data Protection, then Section 43A and 72A needs to be removed from ITA 2000/8.

If Section 43A and 72A are to be retained and the new law has to extend to privacy protection, then the law should clearly explain that the new provision is in addition to the earlier provisions in ITA 2000/8 and not in derogation of the earlier provisions present in ITA 2000/8.

If this precaution is not taken into account, we will end up with the argument which was presented by an advocate in an adjudication proceeding in Karnataka and accepted by the then adjudicator that “Introduction of Section 43A applicable for body corporate in ITA 2008 automatically changes the meaning of Section 43 and confines its jurisdiction to individuals only”. Though the undersigned did not subscribe to this view at that time and does not even now, if law is not clear, it enables such manipulation by clever advocates to the detriment of the society.

I therefore urge the SKC to declare that

what they are proposing is not in derogation of any of the existing laws and in particular the provisions contained in ITA 2000/8 on data protection in general and personal data protection in particular.

Jurisdictional Umbrella

It is more or less imperative that the law will define that it is applicable to the processing of data of an individual citizen of India by any person including a Company incorporated in India or otherwise or by Government in India or otherwise.

However, this will naturally lead to a conflict in implementation when the law is breached by a foreign company or a Government. Similarly a foreign Company or a Government may also try to impose its own law (eg GDPR) on an Indian company and claim penalties which may be significant and also involve foreign exchange outflow.

The Proposed law provides an opportunity to ensure that this conflict between different laws applicable to a single company in India is resolved without the company (registered in India and therefore expecting the Indian Government to protect it’s legitimate interests) having to face several international regulatory organizations at a given time.

Typically an organization handling data processing may have personal data from persons of different nationality. Each   now trying to impose its own laws and also extend extra territorial jurisdiction just like what GDPR has done in respect of information that belongs to its citizens. It has therefore become necessary for companies (Data Controllers or Data Processors) to tag every piece of personal information with the citizenship of the individual and try to apply appropriate laws. In one case it may involve “Right to Forget” and in another case there may be an “Obligation to retain”. In such cases, the Companies will be unable to comply with conviction if they donot have a data classification system that tags the information to the country of citizenship. (Hopefully there will be no dual citizenship problem).

This data protection law should recognize this problem of the business community and try to provide a solution.

The solution we suggest is two fold.

  1. Every consent should incorporate a specific clause which states that “This personal data shall be protected as per provisions of personal data protection applicable to ….. country. 
  2. The adjudication and imposition of penalties if any shall be determined as per the personal data protection regulations applicable to India and the Indian Data Protection Authority shall have the final authority in sanctioning any penalty in respect of any individual who is a citizen of India, any corporate or other organization registered and subject to Indian laws.

The jurisdiction clause is proposed as a mandatory part of the consent which itself should be mandatory.

This provision also means that if any EU entity imposes a penalty on an Indian Company, the Indian Data Protection Authority shall intervene to accept or reject the penalty claims.

In order to make the provisions of the new law fair, the law can offer reciprocal arrangements of similar nature to foreign jurisdictions and state

“Where penalties are imposed under the Personal Data Protection Act of India on a person who is either not a citizen of India or is a company registered outside India, then the Indian Data Protection Authority shall provide an opportunity to the Data Protection authority (if any) of the country to which the said company/individual belongs to implead on behalf of the said entity.”

Since some of these suggestions could interfere with international obligations, these may need to be properly drafted. The suggested intent is that no Indian Company will be directly made liable to any foreign authority whether by a contractual agreement or otherwise without a sanction of the Indian authorities. If this umbrella of protection is not created, GDPR will be an instrument that will create colonies in India and allow European companies control Indian Corporate entities.

Naavi

(Discussions will continue)

Print Friendly, PDF & Email

At a time when India is debating a new law on Data Protection, an interesting question has been raised  before the Supreme Court about the “Right of Privacy” and whether it extends beyond death. The recent judgement of a 9 member bench of Supreme Court referred to as “Puttaswamy Judgement” was hailed as a “Land mark” judgement because it held that “Privacy is a Fundamental Right”.

At Naavi.org, we have discussed the Privacy Judgement in detail. In conclusion, we discussed the need for a proper definition of Privacy before we worry about how to protect privacy. (Refer: “The Privacy Judgement… Conclusion.. Need for Definition of Privacy” )

According to us, it was a failure of the Puttaswamy judgement that it did not define Privacy as a Right and only went about beating around the bush on the “Protection of the unknown and undefined right called Privacy”.

How can we protect a Right without defining the Right itself?

It is not prudent to make a law for protecting a concept which itself is not properly understood and defined. If we attempt to do it, then it will provide endless scope for litigation and will not help honest citizens.

Criminals will however take full advantage of such ambiguous law and ensure that they thrive at the cost of honest citizens.

The mistake committed by the 9 member bench to declare Privacy as a Fundamental Right without a definition of Privacy has now opened the question as to whether the “Right of Privacy” extends after the death of a person.

I hope this lacuna will be corrected in the Data Protection Law that the Government is trying to develop.

Background

It must be recognized that the current issue, namely “Whether the Right of Privacy extends beyond death” has arisen because there is a need to access and verify finger print data of late J.Jayalalitha,  available with UIDAI as well as the Jail authorities in Karnataka to decide on an allegation that her finger print was affixed on a document when she was in a state of health where she was either already dead or was unconscious.

There was a reasonable ground to believe foul play since during the entire period of her hospitalization, access to her was not permitted to any body other than a small group of people. Even prominent political leaders including Mr Rahul Gandhi and Venkiah Naidu came to the hospital and returned without even looking at the patient.

The prima facie perception which the citizens carried at that time was that the hospital and the Sasikala faction of AIADMK were in collusion and did not declare the true condition of her health. Even the current dispensation of the TN Government did not know her true state of health.

During such a state of doubtful health, she was supposed to have affixed her thumb impression on one of the documents which has now been questioned.  It was a reasonable doubt in the minds of the public that the thumb impression was not willingly placed by a person in understanding of the document on which it was placed and hence it was a “Forgery” and a “Fraud”. The fraud is on the citizens of India both those who like/d or dislike/d Ms Jayalalitha.

Now the honourable Supreme Court has intervened on a petition before the High Court and stayed a request for verification of the genuineness of the thumb impression.

Unfortunately, by granting a stay, The Supreme Court has intervened in a case where Criminal Conspiracy has to be investigated and the only persons who could benefit from this stay are people who want to hide the actual events that surrounded the mysterious death.

Even the UIDAI has wrongly taken a view that it cannot submit the copy of the thumb impression to help in the judicial process and in the process supporting an attempt to protect the secrecy of the doubtful death rather than bringing out the truth.

By trying to protect this questionable request not to grant access to the finger print and proceed with the investigation whether it was genuine or not under the garbs of a discussion of Privacy the Supreme Court will be further muddying the waters to an extent that people will question the integrity of the Supreme Court. Let us not forget that some of the Judges who will sit in judgement in this case may be persons who could have acted as Jayalalitha’s advocates in her days in power.

What is Right to Privacy

It is necessary for us to first define the “Right of Privacy”. As a fundamental right, Privacy can only be a Right that a Citizen can exercise against the democratic state committed to a constitution. If one “Fundamental Right” is considered the “Right that extends beyond death”, every other Fundamental Right can also extend beyond death.

If we define Privacy as a “Right to Life and Liberty” there is no logic in extending it to a dead person who does not have life or liberty.

Privacy cannot be equated to “Right of Secrecy”.

In a situation where the person has died, “The right to privacy of the dead person” cannot be extended as “Right to secrecy of the people around not to provide truthful information” or “Right to protect the deceased from loss of reputation”.

There is no doubt that the Supreme Court has powers to give any judgement and no body can  question their wisdom if they say Privacy extends beyond death. They may even quote some international practices and justify whatever they decide.

But if they do, it cannot be seen as anything other than an attempt to protect the secrets surrounding the death of Ms Jayalalitha and to protect those who could be implicated for causing her wrongful death and compounding it with fabrication of documents with her alleged finger print. Hence whatever judgement they come to will be seen with a sense of suspicion and distrust.

The feeling that ” I have a sense of Privacy” is a “State of Mind” and not a “State of Physical location”.

Let’s think……

When a person is in the Mumbai local, does he have a sense of loss of privacy because of the proximity of the next person? When a person is all alone in a deserted street in the night, does he enjoy our right of privacy?….

If a human desires to have other people around him in certain circumstances and does not mind them being too close physically, Privacy cannot be a matter that is determined by the physical proximity of the person or Right to access his body or private physical space.

Right to “Peaceful state of mind” is a creation of the person himself and not that of the environment. Hence Privacy cannot be equated to anything physical but can only be a state of mind of a person. If a person feels that he is alone, he will have a sense of privacy even in a crowd. If not, he will not feel “Privacy” even if he is in a graveyard.

Being a “Mental State”, Privacy can only be an experience of a “Living Person” and not a dead person. The Right to protect the information about a dead person can only be a “Right to be protected against defamation after death” and not a “Right to protect Privacy”. Right to be protected against defamation is fine but in the current case, it is not the reputation of Jayalalitha at stake and it is the reputation of the people who were around her at that time which is at stake. This cannot and should not be linked to the Right to Privacy of Jayalalitha living or dead.

It would therefore be appropriate if the stay is vacated forthwith and the UIDAI also directed to assist the judicial process.

I would like to point out that if the Supreme Court makes an exception to this case because they may consider that Ms Jayalalitha dead or alive is a special person, then in every other property case where a dead person’s finger print has been affixed on a document after his death, the perpetrators of the crime will claim protection under “Privacy”. There are many past cases where forensics have proved that such property documents were fraudulent and in future there will be no scope for preventing such frauds.

I hope  Supreme Court will be intelligent and honest enough to understand the consequences of holding the Right of Privacy as subsisting after the death of a person and come to the right decision.

Naavi

Print Friendly, PDF & Email

International Commission of Jurists, Bangalore had organized a lecture on Digital Evidence and Section 65B of Indian Evidence Act at the Karnataka High Court on 8th December 2017.

Speaking on the occasion, Naavi highlighted the evolution of Section 65B as a law since 17th October 2000 when the ITA 2000 was notified till date. He also explained the nuances of Section 65B and why it is a very innovative legal provision that has added great strength to Indian Cyber Law.

In the process, Naavi recalled that the first “Section 65B certified evidence” was produced in a Court of law in the historic case of State of Tamil Nadu Vs  Suhas Katti in AMM, Egmore, Chennai in 2004. This case has been recognized as the first case of conviction in India under ITA 2000. However Naavi pointed out that this case was also historic from the point of view of Section 65B since the evidence presented in the case was a Section 65B certificate submitted by Naavi  dated  18th February 2004 in which content which was present as an electronic document on Yahoo Groups server was brought to the evidence and admitted. This was the critical evidence which evidenced the commission of the crime on which the accused was convicted under Section 67 of ITA 2000 besides Sections 469 and 509 of IPC.

Subsequently, it was only on 18th September 2014 that in the P.V.Anvar Vs P.K.Basheer case in the Supreme Court that the eminent judges led by Justice Kurien Joseph stated that Electronic Documents can be admitted as evidence only if they are accompanied by Section 65B Certificate. In the process, Supreme Court over ruled the earlier judgement in the Afsan Guru case which on 4th august 2005 had held that in certain circumstances electronic documents can be accepted without Section 65B certificate.

While it took 14 years for the larger community of Judges to highlight the importance of Section 65B, it should be recognized that Justice Arul Raj had created history by appreciating such an evidence and accepting it for the trial. At that time it required courage of conviction to accept a piece of paper submitted by a private person in Chennai as convincing evidence that a defamatory electronic document existed in the server of Yahoo in US.

The acceptance of Section 65B evidence was not the only point made out in this case. The defense raised a query if a private person like Vijayashankar could submit the Section 65B certificate and whether it was not necessary for a Government appointed person to submit it. Mr Arul Raj again came to the right conclusion that the section 65B does not restrict the submission of Section 65B certificate only to a Government authority.

The decision of Arul Raj in the Suhas Katti case was not just a flash in the pan or a decision prompted by the circumstances. Some time later in the same year, Mr Arul Raj took another decision related to Section 65B which again was a point that was touched upon by the Basheer case and requires to be highlighted now.

In this case, a case of defamation had been filed by actor Trisha on a Tamil publication which had published some photographs extracted from a video which was in circulation in the internet at that time. A series of screen shots had been printed in the magazine. Police had raided the office of the publication, seized a CD containing the video and filed the charge sheet stating that the content of the CD was printed in the magazine and hence the CD was a prime evidence for the case.

Justice Arul Raj at that time invited the undersigned to the Court and asked me to view the contents of the CD on the computer in the chamber and provide a Section 65B certified print out so that he could proceed with the trial on the basis of Section 65B certified copy.

The logic behind this decision to invite an external consultant to convert the contents of CD which was already on hand with the Court and which many could say was the “Primary” evidence, into a Section 65B certified print out, which many would say is the “Secondary” evidence was a master stroke of understanding of the principle of Section 65B.

I personally feel that Mr Arul Raj should be honoured specially for displaying a vision that though the “Primary” evidence is with the court, it cannot be appreciated by the Court without the assistance of a “Section 65B certified document”.

In the Basheer case a reference has been made that if the original CD in which the recording which formed the evidence for the case had been seized by the Police and presented, it could have perhaps constituted a  “Primary” evidence and non availability of Section 65B could have been condoned.

In many other cases also, we some times see that Courts ask the “Mobiles” containing the evidence to be presented as “Primary Evidence”. Hard disks are often presented as “Primary Evidence” for documents in a Computer.

Even assuming that the original binary impressions which first generated the electronic document which is the evidence in question is in the possession of the Court embedded within the container called the hard disk or a mobile, the Court cannot simply view the content itself and admit the evidence in to the proceedings. If any Judge proceeds to admit the evidence because he himself saw or heard the electronic document, then he is himself taking the responsibility to confirm that the electronic document which he saw or heard based on the computer, the operating system,the application and its configurations etc which all combined to render the binary data of the electronic document into a human intelligible experience was working properly etc., as envisaged in Section 65B.

It is therefore essential for the Court to involve an external person to produce a Section 65B Certificate before accepting the evidence into the proceedings.

Mr Arul Raj had realized this way back in 2004 and that is what I call as a visionary understanding of the challenges involved in appreciating digital evidence presented to a Court in its “Primary” form.

During the last several years, the undersigned has assumed credit for having been the person who first presented a Section 65B certificate in a Court. The Police officer who was involved in the case as an IO, namely Mr Balu Swaminathan (who was the ACP in charge of the Cyber Crime cell in Chennai at that time) has also been commended and recognized for being the first IO to get a conviction under ITA 2000.

But I feel that the magistrate Justice D Arul Raj has not perhaps been properly recognized for displaying his vision beyond the normal call of duty which brought in the conviction as well as the appreciation of electronic evidence in proper form.

Today, we are not aware where is Justice Arul Raj. But Naavi as a person and Naavi.org/ceac.in considers it our duty to record the contribution of D Arul Raj in the development of Cyber Jurisprudence in India and honour him with this article.

We wish that appropriate persons in Tamil Nadu, locate Mr Arul Raj and provide him the due honour that he deserves.

We urge my friends in Cyber Society of India and Prime Point Foundation in Chennai to take the lead in this regard.

Naavi

Print Friendly, PDF & Email