Data Privacy Day of India is today

We the Indians often forget our own history but remember the colonial history. This is true as much of the story of Indian independence as the story of India’ journey to the era of Privacy Protection and Data Protection.

Today most of us recognize as the “Republic Day” when the Constitution was adopted in 1950 and we remember January 28 as the International Privacy Day.

We must recognize that the “Right to Privacy” which was upheld as the fundamental right by the Supreme Court of India on 24th August 2021 is extracted out of the Right to Life and Liberty under Article 21 of the Constitution. The Supreme Court did not pass a new law recognizing the right to privacy. It just re-iterated that the right is already there and we did not know it. (Remember the Advertisement of Amazon Pay!).

Hence January 26 should be rightfully recognized as the Indian Privacy Day though the International Privacy Day is celebrated on January 28. This will at least establish that India did not wake up to Privacy only after GDPR but had recognized the concept at the beginning of our democratic life itself.

If however we want to celebrate the concept of “Data Protection” or “Information Privacy”, perhaps October 17, 2000 (Date when ITA 2000 was notified) is the right day . On this day Electronic documents got legal recognition and the recognition that Privacy protection extends to protection of personal information came with the passage of the Information Technology Act 2000.

On this day, we started recognising that  personal information in electronic form needs to be secured for protecting the privacy of an individual. The law stated that failure could result in penalties under Section 43, imposed by the Adjudicating officer who is the regulatory authority.

Again since the focus of ITA 2000 was more on Cyber Crimes, we did not recognize it as a Data Protection Law.

Even when the amendments were passed in 2008 and made effective on 27th October 2009 with the introduction of Section 43A and 72A,  we failed to recognize that the Data Protection Act had become operative in India.

We even missed the 11th April 2011 when more detailed “Reasonable Security Practice” under Section 43A was released containing a summary of what we recognize today as DPA 2021 did we realize that India’s Data Protection day had arrived.

But it is never late to realize the truth. Just as it took us 75 years to realize that Netaji Subhash Chandra Bose has a legitimate claim to be called  the first Prime Minister of India, January 26 has the claim to be called the Indian Privacy Day and 17th October has the claim to be called the first Data Protection Day of India.

Hopefully this truth will start sinking in with the professionals now.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Is EDPS endangering the global community including India?

Recently when the JPC submitted its report on PDPB 2019 dissent notes were  presented by a few members of the committee belonging to opposition parties . Some of these were related to “Excessive powers” to the law enforcement and “Lack of parliamentary oversight”.

Two recent incidents in EU directly reflect the views of the EU community on these issues and are interesting for us to take note since they may come in for discussion during the Parliamentary debate on DPA.

While it is difficult to accept the views of the EU society on both these counts, it is nevertheless interesting to take note of these issues.

First is the decision of the EDPS passing an order on the Europol to delete vast amount of data held for criminal investigation purpose. Second is the reprimand issued on the EU Parliament itself for violations of GDPR.

No doubt the EDPS appears to be a hero in his own right but whether these actions are good for the society in the long run is difficult to say.

The EDPS involved is Mr Wojciech Wiewiórowski who was appointed on 5th December 2019 for a term of 5 years. Earlier he has serverd as Assistant European Data Protection Supervisor from 2014 to 2019.

He is certainly a highly learned person with vast experience in the field of Data Protection and served as the Polish Data Protection Commissioner since 2010 till he moved to the EDPS.

In the first instance the EDPS accused Europol of becoming a counterpart of the NSA in USA and clandestinely spy on the citizens in a mass surveillance effort.

It is said that Europol has accumulated quadrillions of bytes of sensitive data (about 4 petabytes equivalent to 3 million CDROMs).

The data has been collected from various sources including criminal records, extracted from encrypted phones and other sources. The EDPS has ordered that the data shall not be held for more than 6 months and Europol shall take steps to delete the rest of the data within one year.

Technology has been used for everything from Artificial Intelligence, Robots, 3D printing, Crypto currencies, Web 3.0 and so on. But when law enforcement wants to use technology there is objection from many quarters. This discrimination on use of technology for national security is not good for the society.

In another decision, the EDPS has issued an order reprimanding the EU Parliament for allowing transfer of data to Google and Stripe against the Schemed II principle.

Though no fine was imposed, a reprimand has been issued and an order to make changes to the notice and address other issues pointed out.

For some this may seem as a heroic commitment to privacy where the EDPS has taken on its own appointee (like the Bhasmasura syndrome referred to in another context). But if we consider the long term implications of both these decisions, it appears that the EDPS is indirectly endangering the global security by assuming itself power over and above the European Parliament and Law Enforcement and is diluting the counter terrorism efforts of the Europol.

Naavi.org had raised the red flag in June 2018 on “Whether GDPR will convert the entire Internet into Deep web” by carrying Privacy beyond its natural limitations. It appears that this prophesy is now coming to haunt us. On the one hand the “Meta Verse” mafia  has joined hands with the Crypto Currency mafia in an attempt at creating a Web 3.0 which is an attempt to create a nation beyond all nations. At the same time, people on the right side of the law like the EDPS are showing holier than thou attitude on privacy to dilute security to the extent that criminals and terrorists  will thrive.

This fight between the Privacy activists and National Security agencies in EU is not an internal issue of Europe. If the Europol is not able to gather enough intelligence required to identify terror activities, then terrorists operating from within Europe may not only attack EU but also other global citizens. We in India are therefore concerned about the stance taken by EDPS on the Law Enforcement issue in particular and wish that the Europol is not weakened by the over enthusiasm of the EDPS.

A serious global debate is required to be undertaken in this regard by all the security agencies. Perhaps NIA should take the lead to discuss with the NSA, Europol and other similar agencies to ensure that Europol is not rendered impotent.

A time has come for the Indian Government that while passing the Indian act, it should be ensured that the security concerns are not ignored. After all Right to security is as much a fundamental right as Right to privacy whether the Supreme Court agrees or not.

Naavi

 

Print Friendly, PDF & Email
Posted in Cyber Law | 1 Comment

We Need Accountability from HDFC Life

We are all aware that insurance companies are aggressive in marketing their policies and are in the forefront of misusing the provisions of law regarding infringing the privacy of individuals. Bigger the company, bigger are the violations.

I recently had an occasion to observe that HDFC life issued a life policy for me though I was not eligible and to make it possible for them to issue the policy they included the name of my son on whose life I had no intention of insuring. But HDFC life created the policy in such a manner that the proposal was from my son though the payment was made out of my account.

Assuming that this is an error that can be ignored though it has caused my investible resources to get stuck for some time now, immediately on receipt of the policy document, I returned it to the Mumbai office of HDFC Life asking for immediate cancellation and followed up several times through email. But HDFC life maintained a stoic silence until a representative of mine physically visited their branch in Bangalore to find out. He was informed that my email address was not registered and hence they were not responding. If I had made the payment, sent a courier and followed up with the email, it was improper for them not to try contacting me. Only when the other joint holder sent the same request they responded only with a request not to cancel.

They are also insisting that the joint holder of the policy has to visit their branch to finalize the cancellation. While issuing the policy there was no need to visit but now they are insisting on this formality, though both the holders

I have now reported the issue to the CEO of HDFC Life as well as IRDAI and waiting for the response.

I have now requested HDFC Life to let me know what process they follow when they receive a courier package containing a policy followed up with a request for cancellation. How can this request remain responded for the technical reason that the email address is not registered though the name and other details are visible in the returned policy.

This would be a classic contravention of the Data Protection Act 2021 which could result in penalty of upto Rs 10 lakhs. If on receipt of such complaint the audit or inspection shows that there is no proper process, then the penalty can be upto 4% of the total worldwide turnover of HDFC life.

The persons handling support@hdfclife.com or service@hdfclife.com need to realize that a request of the type I made is indicating a risk of a penalty that could run into crores of rupees and should log it as an “Incident”. Such incidents are auditable by the Data Protection Authority.

It is clear that HDFC life may not have a DPO at this point of time, but whoever takes up the mantle will have a huge task of repairing the lax attitude of the support/service handlers.

 

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | 1 Comment

State Bank of India Dombivli harassing a Senior Citizen on Pension account

It is well known that pensioners are dependent on Banks for disbursal of their pensions. Once the pension is approved by the relevant Government department, the instructions are passed on to the Bank and periodical payments are initiated by the Bank. The pensioner is entirely dependent on the Bank for crediting what is due.

An instance has come to the light where the Dombivli branch of State bank of India has suddenly sent a message to a lady pensioner of advanced age that since 1st February 2011 there was an excess payment of payment in the account (average about 15%) and a total amount of around Rs 502000/- has become recoverable. The Bank has gone ahead to block the SB account of the account holder and left the pensioner in the lurch.

A question has to be raised here about whether the payment made by the Bank and credited in excess to the account holder is recoverable?.

According to Banking law applicable for wrong advice of credit, if the customer has altered his position genuinely on the basis of the advise of the Bank, the amount even if excess cannot be arbitrarily recovered. In the case of payment of pension, it is a full and final settlement by the paying authority and it is legally unfair to recover. If there was an error then the excess has to be recovered from who ever was responsible for the excess payment and the Bank has the right to absorb the loss if it deems fit.

I am bringing this incident to public knowledge here so that the authorities responsible for payment of pension in the Central Government may take suitable steps to advise State Bank of India, Dombivli branch to take appropriate corrective action in respect of the complaint which is with them.

In case the authorities want more details, Naavi.org would be providing the same.

We wish SBI and the Central Government responds to this issue immediately.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Git Hub is a Social Media Intermediary and Platform

The recent issue of Sulli deal and Bulli Bai apps being hosted on GitHub has exposed GitHub to liabilities under ITA 2000 as a Significant Social Media Intermediary (It is estimated that there are 5.8 million users from India).

According to Git hub it is primarily a “Repository” of code. At the same time it also provides services for hosting the code on a website which becomes a publishing service.

In the copyright law, software code is considered as “Literature” and an “Expression”. Hence hosting of codes to directly render services from Github servers like the Sulli deal and Bulli Bai can be classified as publishing activity.

Hence Git Hub is liable both under IAT 2000 and the new Intermediary Guidelines of February 25 as well as the new law coming under DPA 2021 applicable for Significant Social Media Platform.

As an Intermediary and a Paltform, GitHub has to provide for identification of the users, appoint a local compliance officer and be accountable. It cannot take excuse that it is not an Indian Company or it’s servers are in India etc even if it is owned by Microsoft.

Microsoft may claim that it is only the owner of the basic platform and each hosted app is a separate service provided by the users. This would mean that Microsoft itself is a cloud service intermediary and would escape direct liability as long as it can identify the wrong doers.

In the Sulli Deal and Bulli Bai cases therefore, the law enforcement has a strong case against  Microsoft to enforce the law and expect them to co-operate beyond just removing the applications, which is the first step. Now Git hub should be able to preserve the evidence under section 65 and 79 about the transactions in the account including IP address information for a minimum period of last 6 months.

I hope the Government and CERT-IN should take steps to ensure that Git Hub does not make it difficult for law enforcement to get necessary information to continue their investigations.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Avoid Norton 360 : CERT IN should send an advisory

It appears that the power of corruption and the criminals have now invaded the security guardians. As per the news report, Norton a well known company in the Anti Virus software business is added to the download of Norton 360. This is a crypto miner that would mine Ethereum which is fungible with Bitcoin and other crypto currencies.

Though Norton claims that it is an opt in feature and can be turned off, in reality it is stated that it is difficult to remove. We all know that all users are not alert enough to filter such unwanted software at the time of downloading.

It is unfortunate that anti virus companies which were identifying Crypto Miners as “Potentially Unwanted Program” have now yielded to the power of the corrupt.  Norton would be collecting 15% mining fee and use the resources of the users in terms of computing power and electricity to generate this revenue.

This is a completely unacceptable behaviour for a security company. For long time, common man as been alleging that anti virus companies themselves spread the virus and then sell removal tools. Norton has gone one step further to join hands with the “Computer Contaminant” manufacturers to promote Computer contaminants.

India is in the verge of declaring Crypto Currencies illegal and ITA 2000 already has a provision under Section 43 read with Section 66 to consider installation of any program without proper consent as a criminal offence. Even the DPA 2021 has introduced a provision for certification of software to ensure any malicious codes to be present in any software.

Hence the Norton Service is a challenge to the “Opt-in” provision and the sanctity of the consents obtained, whether they are truly well informed consent as per the standards of contract under Section 14 of Indian Contract Act (Refer section 11 of DPA 2021).

I urge CERT-IN to send an advisory to the public about the danger of installing Norton 360 and also advise all Government Agencies to refrain from using Norton Services.

By associating with the Currency of the Criminals, Norton has lost the credibility as a trusted security company and it has to be red-flagged for security purposes.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment