The 18 year Journey Since the Digital Society was born in India

Information Technology Act 2000 (ITA 2000) was notified on 17th October 2000 and today is the 18th year after India legally recognized the Electronic Document as equivalent to Paper Document and Digital Signature as equivalent to physical signature leading to the possibility of a legally valid contracts being formed entirely with electronic documents. For all legal purpose, the Digital Society of India took formal birth on that day and therefore we have been recognizing this day therefore as the “Digital Society Day”.

Naavi has been tracing the developments in this field first through the domain name naavi.com and then through naavi.org.

The year that has gone by has been eventful with “Privacy” hogging the limelight. The year started in the background of the Privacy Judgement from Supreme Court holding “Privacy as a Fundamental Right”. The Justice Srikrishna Committee came up with its white paper, sought public comments and towards the end of the year came up with its report and the draft Personal Data Protection Act 2018. This is one of the biggest changes in the Cyber Law environment in India since ITA 2000 was born since PDPA 2018 is entirely about “Informational Privacy” and “Data Protection”.

The year 2019 promises to be a continuation of the Privacy and Data Protection issues and we will see many developments including the establishment of the Data Protection Authority of India. Section 43A of ITA 2000/8 would be deleted and PDPA 2018 would take over the concept of “Reasonable Security”.

The Cyber Crime scenario was dotted with two big Banking frauds namely the PNB fraud and the Cosmos Bank fraud which indicated how the digital banking system could be easily defrauded if Bankers donot manage security as is expected of them. Hopefully they would learn their lessons and fortify their defences.

The Supreme Court through its Aadhaar Judgement has given a small jolt to the industry and hopefully the situation would ease out with the use of Virtual ID as a means of e-KYC and e-Sign, once necessary formalities are completed.

During the year, the Government notified some agencies under Section 79A and activated the concept of the Digital Evidence Examiner.  However, a two member bench of the Supreme Court muddied the waters under Section 65B by trying to over turn an earlier 3 member bench decision in the Basheer case.

Technology continued to pose new challenges with Artificial Intelligence and Quantum Computing making further strides. This raises the concern that if the Indian Supreme Court cannot properly appreciate the Section 65 B concept of electronic evidence after 18 years, will it be able to tackle disputes such as the Uber Self driven car accident, or the activities of the humanoid robots like Sophia. The concepts of Super Positioning and Entanglement in Quantum Computing could be a real challenge for the Indian judiciary in the days to come.

On the home front, Naavi.org continued its fight against Bitcoin to an extent that it appears that the Government has reined in the growth of this black money instrument. We are awaiting a proper burial of the system in due course as the trend has reversed across the world in this regard disfavouring the Bitcoin recognition as an proxy for currency.

Additionally Cyber Law College conducted two offline Cyber Law Courses in Bengaluru, first in BMS Law College and then in St Joseph Law College (presently in progress). Naavi also continues to engage himself with NLSUI and NALSAR in the Cyber Law courses conducted under their banner as guest faculty.  Cyber Law College has also extended its use of the Apnacourse online platform with the introduction of a course on GDPR.

Now the biggest step of the year taken by Cyber Law College is the launch of a course on Personal Data Protection Act 2018 (PDPA 2018) to support the movement of PDPA 2018 awareness in India. The launch has just now been announced and hopefully, some professionals and students would take advantage of the opportunity to be the early learners of the emerging Privacy law in India. This course not only covers PDPA 2018 but also another emerging law called DISHA 2018 (proposed) besides discussing the impact of GDPR on Indian companies. These courses are intended to develop a truly knowledgeable Privacy professional in India who is equipped with the knowledge of laws as applicable in India.

Yet another step which is significant for Naavi personally is the promotion of a Section 8 Company namely the “Foundation of Data Protection Professionals in India” to bring together a larger section of stake holders in ensuring that Data Protection Industry in India would be represented by and managed with an Indian perspective rather than importing the perspective from the foreign markets.

The current activities of Naavi and Cyber Law College are much relevant for an organization like FDPPI and could also help  FDPPI to blossom faster than it otherwise would.  Some of the current activities of Cyber Law College could therefore be pledged and used for the benefit of  FDPPI in the coming days.

Naavi

 

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Online Course on Personal Data Protection Act 2018

Cyber Law College, which is a pioneering institution in India dedicated to Cyber Law Education is starting an online course on Personal Data Protection Act 2018.

The Course will cover the draft Act as is being discussed in the Parliament and will include the accompanying draft proposed law for Health care namely the DISHA 2018.

Details are available at Cyber Law College website.

The Course fee would be Rs 6000/- and registration would commence from 19th October 2018.

Classes would be conducted by Naavi online as per schedule to be fixed.

I look forward to the support of the community in this regard.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Bengaluru as the Data Protection Capital of India

Naavi has been in the forefront of creating awareness of Cyber Laws in India. In 2005, Naavi had taken up a program called “Karnataka Cyber Laws Awareness Movement” under which several programs were undertaken in Karnataka.

Now time has come to start a similar activity for the Personal Data Protection Act 2018 which is presently in draft stage but is likely to become an important legislation in India.

While Cyber Law College will be focussing on some structured courses in this regard, we are glad to note that the Foundation of Data Protection Professionals in India (FDPPI) would be undertaking a “PDPA Awareness Movement” by conducting Awareness lectures in Bengaluru to begin with, in different organizations on the basis of invitations.

The program is being conducted by a team of professional members of FDPPI.

It is expected that the program would spread to other parts of India also in due course.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Let Data Protection Law of India define the Instrument creating a Data Fiduciary

The Draft of Personal Data Protection Act 2018 (PDPA 2018) which is being discussed in the Parliament has one extremely important hurdle to be crossed. The hurdle is how to establish a relationship between the Data Principal and the Data Fiduciary in such a manner that the Consent is provided “Explicitly” in certain cases incorporating the several requirements of Informational Privacy  such as how the personal data may be processed by the Data Fiduciary.

The GDPR called the person whose personal data is being discussed as the “Data Subject” and the entity which determines how the data would be processed as the “Data Controller”. Though the Data Controller was to take consent from the Data subject, it is clear that it is the “Data Controller” who takes over the control over Personal data and the Data Subject lives with the hope that the Data Controller will fulfill the obligations that he has contractually agreed in the letter of consent.

Some legislations prefer to consider “Data” as a “Property” and “Personal Data” as the property who is identifiable in the set of the subject data. By considering data as “property”, the property owner’s right can be recognized as owning a property which can be sold or assigned to the Data Controller (Data Buyer?).

But the Srikrishna Panel preferred to steer clear of both the approaches namely  “Data as a Right that can be transferred by a consent contract” and “Data” as “Property” . It preferred to call the Data Subject as “Data Principal” and the Data Controller as a “Data Fiduciary”. The reason that Justice Srikrishna provided for this departure was very innovative. He felt that by recognizing the role of the Data Controller as a “Data Fiduciary”, we are imputing a certain set of expectations on the Fiduciary which is beyond what can be expressed in a Consent contract. Hence, with or without  a “Contractual Binding” created by a “Consent Form”, the Fiduciary is bound to protect the “Privacy Right” of the individual.

“Privacy” being a “State of Mind”, it is difficult to be defined. Protecting the Privacy Right by writing down a few lines in a Consent form would therefor not suffice. The Data undergoes a metamorphosis after it is delivered to the Fiduciary and the Consent is signed when neither the Data Subject or the Data Controller is aware what is the potential of the data as it undergoes processing.

This dynamic nature of data and possible discovery of value after the hand over of data by the data subject, makes the Consent meaning less as a contract, since at the time of signing of the Consent, there would be  lack of acceptance of the “Facts” surrounding the object called “Personal Data” which is being handed over.

Hence the Consent fails the definition of “Contract” as defined in the Indian Contract Act. At the same time, the Supreme Court in its Aadhaar judgement has held that at least a private company cannot contractually obtain a consent to collect sensitive personal data using a consent contract.

Hence accepting  “Consent” as a “Contract”  appears untenable both under the Contract Act and because of the the Supreme Court verdict on Aadhaar.

Had PDPA 2018 adopted the GDPR definition of Data transfer from the Data Subject to the Data Controller as a contractual agreement called “Consent”, then we would have  reached a legal dead end in passing the PDPA 2018.

It was a blessing in disguise that the Srikrishna Committee decided to adopt a “Fiduciary” concept for the Data Subject-Data Controller relationship.

While this has resolved the problem of “Consent Contract” being considered void, it has however created another problem.

The “Fiduciary” relationship pre-supposes the existence of a “Trustee-beneficiary Relationship” between the Data Fiduciary and the Data Principal.

If we consider that “Consent” is a written representation of what the “Fiduciary Relationship” implies, then the “Consent” has to pass the test of being a “Trust deed”.

In the electronic world, a trust deed suffers from two deficiencies namely lack of “Stamp duty payment” and lack of recognition under Information Technology Act by virtue of Section 1(4).

Thus the “Consent” in electronic writing which is what a “Privacy Policy” accepted by a “Click Wrap” contract means, is not legally acceptable under Indian law.

We therefore end up with a situation where the Consent Contract is neither recognized under the Contract Act nor the Trust Act.

Solution is to create a new Instrument

There is no need to get disheartened by the failure of the Contract Act and the trust Act to solve our problem of getting a legally recognized instrument that can validate an electronic consent. There are at least two ways by which this problem can be resolved.

First is to amend the Section 1(4) by providing an exemption for the Data Fiduciary Creation instrument under PDPA 2018 and also provide exemption for the instrument from the Stamp Duty.

Second is to define the “Data Fiduciary Creation Instrument” as a new type of electronic document that is neither a Contract under the Contract Act or a Trust deed under the Trust Act. If this definition is included in PDPA 2018, there will be no need to amend the ITA 2000 nor the Stamp Duty Act.

Consent in a Privacy context requires to be an “Informed Consent” where the data principal is informed of his rights and also the details of processing etc., as per law. But in practice, it is difficult to make the Consent really fulfill all the details that may be required under law to be included and even if included, the “Consent fatigue” will ensure that the data principal does not take the trouble of understanding the details.

Hence the “Fiduciary creation instrument” will  superimposes the duties imposed by the PDPA 2018 on the data fiduciary in addition to the written provisions of the Consent.

Let’s hope that this innovative approach is taken to ensure that “Consent” in electronic form would be considered as an instrument of creation of the fiduciary relationship.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Tagged , , | Leave a comment

FDPPI submits its Comments on PDPA 2018

FDPPI, an organization of Data protection Professionals in India has presented its comments on the draft PDPA 2018 (Personal Data Protection Act 2018) as presented by the Ministry of Electronics Information Technology (MeitY) under the recommendation of the Justice Srikrishna Committee.

The extended last date for submission was October 10, 2018. Considering the recent Judgement of the Supreme Court, the Government is under an obligation to pass the legislation at the earliest so that a Data Protection Law will be in place in the country as envisaged by the Supreme Court.

A Copy of the recommendations submitted by FDPPI is available here

The comments/recommendations of FDPPI contain several new thoughts which have not been under discussion since the draft was available. They will be elaborated in greater detail in a series of articles here.

Naavi


Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Last Day for Comments on PDPA 2018 is 10th October

The draft of the Personal Data Protection Act 2018 has been submitted by the Justice Srikrishna Committee along with its report. Copies of both are available at  www.pdpa2018.in.

The Government of India has requested for public comments to be submitted on the draft Bill which is in the Parliament before October 10, 2018.

The comments can be submitted at http://meity.gov.in/content/data-protection-bill-feedback

Naavi.org has discussed this subject extensively ever since the Srikrishna Committee has come into existence. Some  suggestions were submitted by Naavi.org during the time the Committee held its discussions. Some were submitted after the Committee submitted its reports. After the recent Aadhaar Judgement, another list of comments on the impact of this judgement on Privacy has also been separately recorded so that there is a large number of thoughts before the public to debate about.

I wish public go through all these comments and suggestions and whether they agree or disagree, use them to stir up their own thoughts on the subject so that they can formulate their own comments and present it to the Government.

I hope that the following list of articles provide the information that one may look for as background material for forming their individual opinion.

  1. Calling attention of Justice Srikrishna Committee on Data Protection; Don’t let GDPR be the new Vasco Da Gama
  2. Srikrishna Panel Report and Aadhaar
  3. PDPA 2018 and Aadhaar-2
  4. Public Consultation on Data Protection Law…. Some points of discussion-1: Part II : Part III
  5. Personal Data protection and Data Localization-1
  6. Personal Data Protection and Data Localization-2
  7. Uphold the “Right to Know” against “Right to Privacy” in the new Data Protection Law
  8. Are Privacy Laws Getting bigger than Cyber Crime Laws?.. Is Profiteering replacing deterrence principle in law making?
  9. Privacy law cannot be only a tool for hiding oneself
  10. Look beyond GDPR and Create Personal Data Trusts to manage Privacy of data subjects
  11. Data Protection Act.. We should aim at Compliance with Pleasure not Compliance with Pain.
  12. PDPA 2018: Is Data Localization related to Privacy?
  13. PDPA 2018: Privacy Activists and RTI Activists fight with each other
  14. Aadhaar Judgement : 10 articles : The 10th Article

There could be more articles if one searches through naavi.org. Using the information available here, public may send their comments.

Additionally, FDPPI (Foundation of Data Protection Professionals in India) will be collating the comments from its members and sending it to the Ministry. Those of you who want your comments to be included in the Naavi.org comments or in FDPPI comments, can send them to Naavi or to FDPPI by e-mail, by the end of today.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment