A step beyond BS 10012 and GDPR-Personal Data Protection Standard of India-PDPSI

Personal Data Protection regulation is presently a global phenomenon. While legislation like ITA 2000 tries to protect “Data” in general (Section 43/66) with specific provisions for protecting “Personal Data” (Sec 72A) and “Sensitive Personal Data” (Section 43A), legislations like GDPR have focussed on Personal Data Protection only. India is set to follow the trend with its own Personal Data Protection Act in due course.

Indian companies today are eager to get themselves certified under various standards such as BS 10012, though these so-called standards are nothing but a reiteration of GDPR articles in a slightly modified language.

It must be remembered that “Certification” under a certain standard is only an internal milestone for an organization to inform its stakeholders that it has indeed taken some formal steps towards compliance, and is not an end in itself in the organization’s journey towards full compliance with data protection regulations.

BS 10012 is yet to formally align with the UK’s new Data Protection Act 2018, but for corporate managements the tag “BS 10012 compliant” is still a desirable asset for which they are willing to spare their budget. For Indian companies, however, BS 10012 may not be sufficient to be compliant with data protection regulation, since Indian laws may also have to be understood and complied with.

Cyber Law College, which is the academic organ of Naavi.org, considers that there is a need to develop a Personal Data Protection Standard for Indian companies which goes beyond BS 10012 and is compliant not only with GDPR but also with ITA 2000/8 and the proposed PDPA.

Currently Naavi uses the Indian Information Security Framework with the following top line implementation charter which is identified as IISF309.

As one can observe, it captures most of the control requirements expected in an information security standard though the details may not be clear in the framework as presented above.

After the advent of PDPA 2018 in draft form, Naavi floated the idea of a “Data Trust Score” as a measure of a “Data Audit” conducted under PDPA 2018. This was a measure of how good the implementation of PDPA compliance in an organization is.

The criteria suggested was a 5X5 matrix with 5 parameters, namely:

  1. Management Commitment
  2. Knowledge in the organization
  3. Controls
  4. Review mechanism
  5. Grievance Redressal mechanism

The evaluation was suggested on a scale of 0-100 in 5 steps of 20 each and hence it was called the 5X5 grid.

In order to further fine-tune the approach and make it repeatable, Naavi is now working on developing a “Standard” which covers different requirements of compliance.

This “Standard” is presently the internal Audit Standard for Ujvala Consultants Pvt Ltd, the corporate entity of Naavi that addresses the audit requirements.

The standard is called “Personal Data Protection Standard of India” (PDPSI) and will be developed by Naavi.org as a part of its educational initiative of Cyber Law College.

The future idea is to make it an open standard which any intending corporate can adopt on their own.

Auditors are free to adopt it into their own audit framework if they feel like it, ignore it if they do not feel it has any value, or adopt thoughts from this standard into their own audits.

The objective is to make an “Audit under PDPSI” incorporate principles of personal data protection imbibed in other standards including BS 10012 so that an organization which is PDPSI compliant is essentially also compliant with BS10012. It is understood that a Certification of compliance under PDPSI is not a certificate of compliance under BS 10012. However, an organization which is compliant under PDPSI should easily sail through any evaluation under BS10012.

However, we believe that “Compliance to a standard is required for a faithful protection of personal data as required under law and not just to sport a tag on which a blind faith can be placed”. Such blind faith often leads to complacency and needs to be avoided.

Conceptually therefore, PDPSI has been launched as the future of Naavi’s approach to Personal Data Protection and will be integrated with the DTS system which is already suggested.

The details of the standard under each of the above five parameters will be developed module by module and the standard will be published through this site.

Some may feel that by making such standards public, we will be losing an opportunity to commercialize it or we will be hurting other standards providers.

But we firmly believe that a “Suggested Standard” should be made available freely while commercial exploitation can be made through the implementation consultancy.

I trust at least a few of the data protection practitioners would accept this approach as what is required to make compliance to data protection laws affordable to most of the SMEs.

Any suggestions, comments etc are welcome.

This is also an open invitation to interested persons to join me in the development of PDPSI as a standard with wider acceptance in the community.

PDPSI first version will be referred to as PDPSI-0219, and hopefully it would get updated from time to time.

Await the publication of the different elements of PDPSI-0219 in due course.

Naavi


Demystifying BS 10012 for Indian Companies

Naavi has time and again emphasized that “Security” is for the good of the community and if regulatory agencies want to prescribe security guidelines it has to be easily amenable for compliance.

When a regulation like GDPR or PDPA 2018 or even ITA 2000/8 is issued as a legal instrument, then every entity coming under the jurisdiction of the law needs to comply with it. Normally most entities are law-abiding and will try to be compliant. But if the regulation is unclear or too complicated, compliance will be low.

It is the duty of experts to come to the assistance of the subject entities to be compliant with the necessary guidelines and the law.

Whenever such a need exists on making people aware of a law and how it has to be implemented in practice, there arises a commercial opportunity in “Training”, “Implementation Consultancy” and “Certification”.

Ideally the law has to be made by the Government and it should be left to the private sector to equip itself with the necessary knowledge and skill. If some experts are good enough to package a service to spread the knowledge and skill, it is their ingenuity.

If Government can invest on its own on outreach programs, it would be good.

However, a law-maker cannot tell a citizen that he has to make a payment to know what the law is. If the Government does so, it becomes a “Tax”. Hence Government programs have to be essentially free for the participants. If a private sector partner is used in such training, then the cost has to be subsidized by the Government to some extent through sponsorship partly or fully.

This principle that “Law should be made known to citizen free of cost” was discussed extensively in Naavi.org when the then UPA Government came up with Section 43A (ITA 2008) guidelines in April 2011, in which they made a mention that “Adherence to ISO 27001 standard will be deemed to be compliance of Section 43A”.

Naavi took a serious objection to this rule stating that it would make the lakhs of prospective compliance organizations to first of all buy the standard at around US$160 and then spend about Rs 3 lakhs to get certified. We said then that this was a scam bigger than 2G. The MEITY of Mr Kapil Sibal at that time was very angry about this comparison with 2G Scam and many of the executives are still harboring a grudge against Naavi for this purpose.

However, in reply to an RTI, the ministry confirmed that it is not “Mandatory” to have ISO 27001 certification to be compliant with Section 43A and though the ISO organization was allowed to make commercial gain out of the inappropriate mention in the guideline, the matter rested there.

(Details are available in earlier articles of around 2011 in this site available through the link on Old Posts)

Section 43A is now being Replaced

Presently we are in the new era of Data Protection and expecting the PDPA 2018 to be passed whenever the political will manifests. Once this is enacted, Section 43A will be replaced with a whole set of regulations in the Act itself.

As a result, the compliance managers need to understand the law and interpret it in a manner it would be acceptable in a subsequent judicial scrutiny.

Naavi has through Cyber Law College already offered to provide training on PDPA 2018 in the same manner in which he has been instrumental in spreading the awareness of ITA 2008 or HIPAA or GDPR, in India. (for all the three of which, recorded Course content is available at www.apnacourse.com.)

On PDPA 2018, Naavi has adopted a slightly different mode of online coaching since the law is yet to crystallize. These courses are of course priced and are expected to generate revenue to the provider of the course. Naavi has also been discussing with some partner organizations for sponsorship of such programs.

During these courses, Naavi often presents a Framework of his own under the banner “Indian Information Security Framework-IISF-309” which tries to incorporate the requirements of compliance to the extent necessary.

This framework is actually a substitution for the “Standards” though it may not be as detailed as a standards document and is explained more during the implementation training.

Being Certified Vs Being Compliant

Many Companies however are more interested in getting themselves “certified to be compliant” rather than actually “being compliant”. For this purpose they look for an agency whose “Certificate” has some blind recognition and is available even at an expensive price.

The GDPR regime as a whole is heavily biased towards making money and hence apart from imposing insane penalties for non compliance, it enables creation of a Certification system whereby people make money for just reprinting GDPR articles as “Implementation Guidelines” or “Standards” and creating “Certification of Certifying professionals” as well as the “Certification of compliance” itself.

Naavi believes that this entire eco-system is dishonest since its purpose is making money through licensed distribution of what should be free knowledge, and it is not oriented towards creating an eco-system of faithful compliance.

No doubt some level of compliance does come out of such activities but the value proposition is mostly inadequate and often exploitative.

New Mission to Demystify Data Protection Regulations in India

Having declared the intentions of Naavi to work towards making “Security Knowledge” as affordable as possible to the market place, Naavi’s Cyber Law College is interested in undertaking a missionary approach towards spreading the knowledge about Data Protection Regulations in India at prices that are if possible lesser than the competition.

Towards this objective, Naavi is embarking on empowering organizations for BS 10012-2017 compliance while the Certifications can be obtained by organizations that partner Naavi in this program if required.

Just as in 2004-06 Cyber Law College embarked upon a “Cyber Law Awareness Movement”, it is now proposed that Cyber Law College and Naavi will embark on a “Demystifying Data Protection Laws” movement which will include compliance of GDPR to BS 10012 standard, PDPA 2018 (as proposed) and ITA 2018 in general as applicable to data protection.

This program will consist of in-house corporate awareness programs, extended training programs and educational courses.

I look forward to other professionals and organizations to provide their guidance on how this objective can be achieved and how the mission of Cyber Law College can be made a success.

One of the objectives of this proposed movement is that by the time the PDPA 2018 comes into effect, the codes and practices etc which the DPA needs to provide do not become a commodity that can be used for exploitation of the user industries, and the possibility of exploitation in selling the standards and providing certifications etc is very much reduced.

I wish that DPA never allows “Standards” organizations to create copies of the legislation and call it as proprietary standards protected by Copyright. All such standards should be declared as open source or otherwise certifications based on them should not be recognized by the DPA. Commercial exploitation should be limited to the implementation of such standards and not by selling the standards specification itself.

Naavi.org is interested in creating a knowledge distribution system in such a manner and at such a price that the possibility of such exploitation is substantially reduced if not eliminated. 

Watch out for more details in this site from time to time.

Your comments are welcome.

Naavi


Adherence to a Dispute Resolution Policy could be “Due Diligence”

This is in continuation of our discussions on the Intermediary Guidelines which are proposed to be amended by the MeitY. The Government wants to urgently address the “Fake News” phenomenon which has exploded into a real mess with leaders like Rahul Gandhi taking it to ridiculous lengths and earlier respected media like Hindu falling into the gutter of lies with such political parties.

In this context we reiterate our strategy to address the concerns expressed by many companies and activists while providing their comments, by a completely different approach which nobody other than one Commentator (FDPPI… Page 21-28 of the first batch of comments) has made.

The suggestion is to introduce a system of voluntary adoption of an “Intermediary Dispute Resolution Policy” (IDRP)  administered by “Intermediary Dispute Management Centers” (IDMC) which are accredited by the Ministry.

The big idea in this suggestion draws from the “Uniform Domain Name Dispute Resolution Policy” (UDRP) and the INDRP which resolves domain name disputes. It also goes along with the need to be compliant with the Data Protection Laws (PDPA 2018) which has introduced the concept of “Data Fiduciaries”, when it becomes applicable. It also takes into account the system of “Digi Lockers” which the Government has already introduced.

It uses the system similar to declaration of a company through “Prospectus” as used in IPO scenario and “Certification Practice Statement” as used in Digital Signature regulation.

When an organization commits itself to a declared policy and the consequences thereof, it also subjects itself to the requirements of avoiding a “Breach of Trust” charge.

Additionally the “Due Diligence” becomes the self-accepted level, and if the organization fails to meet it, it should also accept the liabilities that may come upon it under Section 79.

Further, since the administration of the policy and its adjudication on a complaint will be through an expert non-government organization, there is no need for political opponents of Mr Modi to muddy the discussion.

Before people start evaluating any suggestion, I request them to fully appreciate what Section 79 really means and what these guidelines actually indicate.

Section 79 says that if there is any contravention of ITA 2000/8 and such contravention has been done through a message which has passed through an intermediary, then the intermediary who follows the due diligence will not be held liable. If the concerned intermediary fails to meet the definition as defined in ITA 2000/8 or is found to have abetted in the contravention or has failed in the due diligence as determined by a Court, it will be held liable along with the person/s who actually committed the contravention and caused damage to a complainant.

Section 79 is not itself a penal section which states that there will be some punishment if it is not followed. Similarly the guidelines which we are discussing do not prescribe mandatory punishments to say that if these guidelines are not followed, the intermediary will be punished with imprisonment, fine or liability to compensate.

For these guidelines to hurt, some complainant should have a cause of action under ITA 2000/8 or other law and hold out the information handled by an “Intermediary” as the cause for his hurt. Then it is the responsibility of the Courts to consider that the Intermediary had some responsibility which it has overlooked and then hold it liable along with the original perpetrator of the crime.

Hence most of the objections that have been raised in the comments in the 608+84 page document are untenable.

I request the interested persons to kindly peruse the suggestions and provide their feedback.

Naavi


Intermediary Dispute Resolution Policy … A Solution for most concerns

In providing comments on the proposed Intermediary guidelines, the undersigned suggested a new system of Governance of Intermediaries through the comments submitted by FDPPI. The suggestion was made that a new system of dispute resolution on the lines of the domain name dispute resolution policy (IDRP) could be used for detailed due diligence guidelines for the intermediaries.

The IDRP (or whatever other name by which it may be called) is essentially a “Self Commitment” by the Intermediary to a set of due diligence guidelines.

The IDRP will be developed by voluntary agencies who will be the Intermediary Disputes Management centers (IDMC) and such agencies will accredit themselves with the MeiTy/CERT-IN.

The Intermediary in its Privacy Policy and Terms declares that it will subject itself to the IDRP of the specific IDMC.

The IDMC will be responsible for resolving disputes that arise in the course of the activities of the Intermediary.

The IDMC can introduce three levels of dispute resolution namely

a) Ombudsman who will assess a complaint and provide his award which if accepted will close the dispute.

b) Mediation (preferably online) as per the general principles of the Indian Arbitration and Conciliation Act as amended, which if successful results in the resolution documented as a conciliation agreement.

c) Arbitration (preferably online) as per the general principles of the Indian Arbitration and Conciliation Act as amended, which if accepted will be the final arbitration of the dispute, except for any permitted legal challenges under the said Arbitration Act.

It is envisaged that the CERT-In will take the lead in ensuring that the Intermediaries follow specified guidelines as are relevant for National Security and in conformity with the principles of the Constitution. Hence at the time of accreditation of an IDMC, the CERT-In will scrutinize the registered policy of an IDMC and approve it after discussion.

This approved policy of an IDMC will be similar to the “Certification Policy Statement” or CPS of a Certifying Authority for issue of digital certificates.

This policy will be called IDRP of …….. (Name of IDMC) and will be tagged with a “Version Number”. It can be modified from time to time by the IDMC as it may deem fit but each such modified version needs to be approved by the registering authority (CERT-IN).

The IDMC will be bound to faithfully resolve disputes in accordance with the declared policy and any disputes thereof failing which it would be disenfranchised by the CERT-In based on a complaint.

It is envisaged that a suitable customer friendly procedure would be developed by each IDMC for the purpose of dispute resolution. It is recommended that an ODR process would be used. A recommended ODR process is available at www.odrglobal.in for consideration.

The IDRP will take into account all the legal issues that will be considered as an obligation of the Intermediary and the Privacy Policy and Terms that the Intermediary otherwise adopts would be “Subject to the IDRP Version xx of ….. ” and will only contain the functional aspects as are relevant to the services rendered by the Intermediary.

The scope of IDRP would be to settle disputes as regards “Due Diligence” and record the findings. If after a settlement under IDRP, the aggrieved party goes to Court on any contravention and seeks to arraign the Intermediary as a respondent for any liability, civil or criminal, the Intermediary can hold out the defense in the form of a faithful following of due diligence as per IDRP. It will be left to the Courts to take a final call if the Intermediary should still be considered liable or not. Hopefully Courts will in most cases respect the due diligence process if it has been properly implemented.  Hence unless the Intermediary is found to have “abetted” in the crime, it should get the protection it envisages under Section 79.

The MEITY as in the case of accreditation of agencies under the Digital Locker System, Certifying agencies etc., may issue general directions on the qualifications for accreditation (which should be predominantly Techno Legal) along with other conditions that are reasonable and necessary. The detailed procedure for dispute resolution would be developed by each IDMC for itself. It may function like a specialized Arbitration Center for Intermediary disputes.

This system will ensure

a) Different IDRPs can be constructed to suit different types of Intermediaries and hence the charge that “One notification fits all will not be correct” is addressed.

b) IDRP will offload all the legal obligations on to a Non Government organization so that the suspicion of Government interference is addressed.

c) Since IDRP will be subject to the Indian Arbitration Act, it is within the domain of the judicial system as accepted and will be further within the writ jurisdiction of the Courts so that any charge of “arbitrariness” or “Vagueness”, “Constitutional Impropriety” etc would be addressed.

I request all the agencies that have submitted their comments to now take a deep look at this suggestion and check if all their concerns can be addressed through this system. If so, there can be a consensus on the system and the Government may be suggested to adopt it.

Towards this objective, the suggestion as filed by FDPPI (Page 21-28 of the first compendium of 609 pages) is reproduced as under:

Rule 14: to be introduced

Notwithstanding what is contained above, an intermediary at his sole option may opt to adopt the “Intermediary Dispute Resolution Policy” (IDRP) as defined here under.

a) The Intermediary Dispute Resolution Policy may be created and defined by a “Intermediary Dispute Management Center” (IDMC) that intends to specialize in resolving consumer disputes related to the use of Intermediary services and registered with the IN-CERT.

b) Any Intermediary can voluntarily associate itself to an “Intermediary Dispute Management Center” and adopt the Intermediary Dispute resolution Policy of that Center.

c) The IDRP shall represent the basic commitment provided by the Intermediary for compliance of the Act and other legal obligations and may include intermediary specific policies as may be required.

d) After adoption of IDRP the Intermediary may disclose the same in its terms and conditions and the Privacy Policy that it shall bind itself to the IDRP of the designated IDMC and that such IDRP shall also be binding on the users. It shall also inform the users that all disputes relating to the service shall be subject to the resolution through an Ombudsman/Mediator/Adjudicator as determined by the policy of the IDMC without any prejudice to the supervisory authority of any Court in India.

e) Adoption of the IDRP as a means of defining the Terms and Privacy Policy and it may restrict its policy declarations to only the functional aspects of its service which will supplement the IDRP.

f) Use of IDRP shall be purely voluntary on the part of the Intermediary.

g) The IN-CERT will receive the necessary applications from intending IDMC s along with their self developed “Dispute Resolution Policy Disclosure Document” and upon satisfaction, shall list such an agency as an accredited IDMC. Such approvals will be provided by a committee headed by the Secretary MEITY and consisting of the Director General of CERT-IN with three co-opted members from the industry with adequate experience and reputation.

We may however add an additional para to accommodate the dis-accreditation requirement in case of necessity.

This could be stated as follows.

h) In the case of any IDMC not adhering to the declared policy, or if the policy is considered inappropriate, any person may raise an objection thereof with the CERT-In and seek dis-accreditation of the IDMC. The request shall be reviewed by the designated committee and, after providing a reasonable opportunity to the Intermediary, a decision in writing would be issued by the committee either rejecting the request or approving the request. This request itself could be subject to further judicial scrutiny in the appropriate Courts.

I look forward to the reactions on this suggestion. Such comments can be sent to the undersigned or FDPPI or directly to the Government as part of the Counter comments that may be submitted.

Naavi


More Comments on the Intermediary Guidelines

MeitY has released an addendum to the earlier 609 page consolidation of comments received on the proposed amendments to the intermediary guidelines under Section 79 of ITA 2000.

This document is available here

This is an 85 page document (including the cover page) and contains the comments as listed below. (Page numbers as in the downloaded document).

Addendum

| Sl No | Name | Category | Page nos |
|---|---|---|---|
| 1 | Pawan Kaul | Individual | 2-5 |
| 2 | J Sagar Associates | Law Firm | 6-9 |
| 3 | ? | ? | 10-18 |
| 4 | ? | ? | 19-37 |
| 5 | ASSOCHAM | Industry | 38-53 |
| 6 | US-India Strategic Partnership Forum | ? | 54-65 |
| 7 | Global Network Initiative | ? | 66-69 |
| 8 | Microsoft | IT | 70-78 |
| 9 | MEDIANAMA | NGO | 79-83 |
| 10 | ? | Individual | 84 |
| 11 | ? | Individual | 85 |

It is interesting to observe that Microsoft has added its views to the kitty along with several NGOs active in such deliberations namely MEDIANAMA.

ASSOCHAM has provided its detailed views which is unfortunately concluding that “the interests of the Indian Internet users would not be met by enhancing the obligations of the intermediaries”. We would like ASSOCHAM to reflect on the issue of Cyber Crimes which are aided and abetted by the negligence of the Intermediaries and whether ASSOCHAM would be able to guarantee the Internet users their security against risks caused by lack of due diligence by the Intermediaries.

Some of the international fora such as US-India strategic partnership forum and Global Network Initiative have expressed their strong criticism, stating that the proposed amendments are “Ultra vires” the scope of Section 79 and lack procedural safeguards.

Role of Negligent Intermediaries in Proliferation of Cyber Crimes

The concerns of these organizations may be appreciated. However, we need to find a solution to the problem of increasing Cyber Crimes, the role of negligent intermediaries in furthering the Cyber Crimes and the compelling need for the Government to safeguard the interests of the common citizen. This requires a proper regulation of the intermediaries.

All those who have commented on the notification should realize that these guidelines represent the “Due Diligence” requirement under Section 79. They are free to ignore the suggestions provided they are able to absorb the risk of being held liable for contravention of any of the provisions of ITA 2000/8 which may arise out of a “Message/Information” handled by them as an “Intermediary”.

It is to be also recognized that these guidelines do not create a penal provision in the law by themselves. They only define the conditions under which the consequences of violation of law will not result in liability against the Intermediary.

It is therefore incorrect to interpret the guidelines themselves as a “Proposed Law” and invoke the bogey of infringement of constitutional rights and international conventions.

It is hypocritical for organizations in countries who specialize in introducing Stuxnet type of viruses into the system and buy viruses from underworld to carry out Information warfare to advise India on what it should do to protect its citizens from the impact of the Cyber Crimes.

We rather invite these organizations to suggest measures to regulate intermediaries from the perspective of Cyber Crime control. The domain name registrars who register phishing domains, the Tor services which support the dark web etc are part of the “Intermediary”. We would like to ask whether these organizations have done anything to stop the “DarkWeb” rather than crying out that it is “Impossible” to prevent the dark web which is larger than the over the ground internet activities.

Cyber Security is a Fundamental Right of “We the People of India”

The Government has an obligation to the Citizens of India for ensuring their “Security” and “Cyber Security is a fundamental Right of the Citizens” as much as “Privacy” and “Freedom of Expression”.

We strongly object to the tendency to undermine the “Cyber Security” aspect of the Fundamental Rights in preference to the protection of “Right of Exploitation of the masses by the Intermediaries” for financial gains.

The citizens of India who are concerned about Cyber Security are very much the key stake holders in this exercise and the Government cannot listen only to the business interests and take its decisions.

We strongly oppose any move of the Government to succumb to these pressures. We are aware that these vested interests are capable of moving the Supreme Court and the Supreme Court has the power and the inclination to take over day to day administration of the Executive by interfering in every administrative order of the Government.

We are also aware that this strategy to create policy paralysis by drawing the Supreme Court into every action of the Government suits the politicians who want to shut down the Government function and harm its agenda of progress.

Yet, we trust that the Government will not yield and face the challenge of the objections that will be raised in the Supreme Court.

We also trust that the Supreme Court which is headed by the CJI who not so long ago held a press conference and declared that it is accountable to the people of India, does not ignore the need for “Cyber Security” as fundamental to the exercising of “Other Fundamental Rights” including “unfettered right of abuse of law under the guise of Freedom of Expression”.

In this context, Intermediaries need to contribute to the protection of Citizens and “Due Diligence” is a legitimate expectation of the society. These guidelines are meant to ensure that Intermediaries are responsible and remain responsible.

Let us once for all decide if “Cyber Security” is a fundamental right or not and in a situation of conflict with other fundamental rights, whether it is desirable to subordinate the security to other rights.

FDPPI suggestions balance out the conflicts

The suggestions made by FDPPI (Foundation of Data Protection Professionals in India: www.fdppi.in ) have several features that balance out the requirements of the industry and the need for cyber security. It addresses most of the concerns expressed by others. I invite readers to examine it in depth.

The time available before 14th February for submission of counter comments may not be sufficient to analyze all the comments individually within this time frame, though I would like to do so. However, I will try to provide some additional comments in the coming days why the suggestions made in the FDPPI note (pages 21-28 of the first document of 609 pages) address most of the concerns expressed by others.

Naavi

 


Intermediary Guidelines: Most tech firms uncomfortable with the changes

[Discussion continued from previous articles]

What comes out of the 609-page collection of public comments is that the “Status Quo” is most comfortable for some of the tech companies as regards the Intermediary guidelines.

There are a total of 141 comments, which are listed in the index given below.

Index of Suggestions received as Public Comments

Sl No Entity Category Pages
1 IIIT-B Academic 2-3
2 All India Professional Congress Political 4-6
3 Wipro IT Company-Indian 7-14
4 Shrutanjaya Bharadway Individual-Lawyer 15-19
5 Freedom Publishers Union NGO-Foreign 20
6 FDPPI NGO-India 21-28
7 JUUL-LABS Vaping Product Company-Foreign 29-33
8 Asia Internet Coalition NGO-Foreign 34-42
9 ITU-APT Foundation of India NGO-India 43-47
10 Rajeev Chandrashekar Individual-MP 48-53
11 Change.org India NGO-India 54-59
12 Banana IP Legal Firm 60-75
13 The Indian Music Industry Industry-Music 76-81
14 ? ? 84-85
15 Digital Empowerment Foundation NGO-India 86-90
16 Information Technology Industry Council Industry-IT-Global 91-94
17 Amnesty International NGO-Foreign 95-104
18 Election Commission of India Government 105-106
19 Computer & Communications Industry Association Industry-Foreign 107-112
20 CCAOI NGO 113-116
21 Internet Service Providers Association of India Industry Association-IT-India 117-120
22 ESYA Center NGO-India 121-141
23 Asia Cloud Computing Association Industry-IT-Global 142-148
24 Broad Band India Forum Industry-IT-India 149-154
25 ? ? 155-168
26 ? ? 169-181
27 Internet Society NGO-India 182-186
28 IAMAI-Internet and Mobile Association of India Industry-IT-India 187-192
29 CII-Confederation of Indian Industry Industry-India 193-203
30 BSA-The Software Alliance Industry-Global 204-206
31 Harsheet Yogesh Shaah Individual-Cyber Expert 207-210
32 Internet Freedom Foundation NGO-India 211-224
33 The Bachchao Project NGO-India 225-228
34 Access Now NGO-Global 229-238
35 ? ? 239-244
36 Sankalp Srivatsava Individual 245
37 Center for Internet Society (CIS) NGO-India 246-271
38 National Institute of Public Finance & Policy NGO-India 272-299
39 ? ? 300
40 Global Network Initiative NGO-Global 301-304
41 India Internet Foundation NGO-India 305-306
42 SFLC NGO-India 307-328
43 DSCI/NASSCOM Industry-India 329-345
44 Heart Care Foundation of India NGO-Health Care 346-349
45 ? ? 350-367
46 Free Software Movement of India NGO-India 368-380
47 Dr Joan Barata Mir-CIS (USA) Individual- Professor-Law 381-383
48 Mozilla Industry-IT-Global 384-390
49 IndiaTech Industry-IT-India 391-395
50 AWS (Amazon Web Services) Industry-IT-Global 396-405
51 Samvad Partners Advocates 406-411
52 US India Business Council Industry-Global 412-413
53 CPF NGO-Global 414-415
54 COAI NGO-IT-India 416-425
55 XIAOMI IT-China 426-429
56 AMCHAM-India Industry-India 430-432
57 SFLC-2 NGO-India 433-456
58 ? ? 457-
59 IRA Law Law Firm 458-471
60 Reliance Jio IT-India 472-478
61 Center for Communication Governance NGO-India 479-497
62 ? ? 498-502
63 Association of Vapers India Industry-India 503-515
64 Sharechat Industry-IT 516-522
65 ? Individual 523
66 Bingi Vivek Varun Individual 523-524
67 Divya Individual 525-526
68 ? Individual 527
69 ? Individual 528
70 Bhavin Chandarana Individual 529
71 ? Individual 530
72 ? Individual 533
73 Bombay Chamber of Commerce and Industry Industry-India 534-539
74 IBM Industry-India 540-545
75 ? Individual 546-548
76 FICCI Industry-India 549-555
77 Shubhi Trivedi Individual-CA 556-
78 ? Individual 557-
79 ? Individual 558
80 Piyush Individual 559
81 ? Individual 560
82 ? Individual 561
83 ? Individual 562
84 Aryan Individual 563
85 ? Individual 564
86 ? Individual 565
87 A Voter Individual 566
88 ? Individual 567
89 ? Individual 568
90 ? Individual 569
91 ? Individual 570
92 ? Individual 571
93 ? Individual 572
94 ? Individual 573
95 ? Individual 574
96 ? Individual 575
97 ? Individual 576
98 ? Individual 577
99 Yaogesh Tavre Individual 578
100 ? Individual 579
101 ? Individual 580
102 ? Individual 581
103 ? Individual 582
104 ? Individual 583
105 ? Individual 583
106 ? Individual 584
107-109 ? Individual 585
110-111 ? Individual 586
112 ? Individual 587
113 ? Individual 588
114 ? Individual 589
115 ? Individual 590
116 ? Individual 591
117 ? Individual 592
118 ? Individual 593
119 ? Individual 594
120-121 ? Individual 595
122-123 ? Individual 596
124 ? Individual 597
125-126 ? Individual 598
127-128 ? Individual 599
129 ? Individual 600
130 ? Individual 601
131-132 ? Individual 602
133 ? Individual 603
134 ? Individual 604
135 ? Individual 605
136-137 ? Individual 606
138-139 ? Individual 607
140 ? Individual 608
141 ? Individual 609
(Please note that the page numbers are from a downloaded document. On the website there will be a difference of one page in the page numbers, since numbering starts from the second page. Also, since in some cases the identity of the persons was not visible, they have been left blank. If anybody can claim a particular comment, they can keep Naavi informed so that this index can be updated.)

Who all have provided comments

It may be noted that there are a number of foreign companies, NGOs and even individuals who have provided their comments.

As could be expected, several NGOs who are active in promoting human rights on the Internet have provided their views.

Since Naavi’s views were already contained in FDPPI’s views, no separate submission was made by either Naavi individually or from Cyber Law College or Naavi.org.

What is surprising is that most of the premier law colleges, including NLSIU, NALSAR etc., have not contributed their thoughts. IIIT Bangalore is, however, one of the academic institutions that has submitted its views.

The FINTECH industry as well as the E-Commerce industry are conspicuous by their absence in the list of contributors.

There are some thoughts contributed from the health care sector, particularly regarding the part referring to the promotion of smoking, alcohol and narcotics on the Internet.

Bombay Chamber of Commerce and Industry, FICCI, AMCHAM and CII are industry associations which have contributed their thoughts. US India Business Council has also provided its views.

The Election Commission of India is the Government body which has submitted its views.

The number of law firms which have submitted their views is small. Banana IP, IRA Law and Samvad Partners are a few who can be identified. There are a few individual lawyers who have submitted their views. Most of the persons who promote themselves as “Cyber Lawyers” have not taken the trouble of providing their considered views. The habitual PIL lawyers who raise the Constitutional rights at the drop of a hat have also failed to record their views at this stage.

Rajeev Chandrashekar as an MP has submitted his views, while comments have also been made from the Congress Party in the name of “All India Professional Congress”.

IBM, Wipro, Jio, XIAOMI, AWS and Mozilla are the noticeable names from the tech industry.

ISPs and MSPs are represented through their associations. Few Policy research organizations have provided their views.

NASSCOM’s views are provided through DSCI.

Overall, it is heartening to note that so many people have taken an interest in submitting their views, though several more should have also contributed. At least this indicates the wide interest being shown in the Indian law-making process across the world.

Negative Comments predominant

It is unfortunate to note that the majority of comments are “Negative” comments and include those which keep saying that more consultation is required, etc. These indicate that people are happy with policy paralysis and no action being taken rather than some action.

Many of the suggestions made also indicate lack of understanding of the context in which this notification has to be placed as an administrative notification under the statute which became effective in 2009 itself.

Shreya Singhal Judgement which was a faulty judgement with a wrong interpretation of “Messaging” as “Publication” and Puttaswamy Judgement which was related to “Information Privacy” without defining what is “Privacy” have been extensively quoted by many.

Further Comments to Follow

It is easy to say “Don’t Do this or that”. But it is difficult to say “What should be done”. We therefore need to ignore most of the negative comments and focus on a few which contain some suggestions. It is only from those comments that the Government would be able to bring some changes that would try to tackle the issue of “Fake News” and “Frauds through Intermediaries”.

We shall try to focus on such positive comments in our subsequent articles, though it may be necessary to comment on a few others in passing.

Naavi

 
