Seek Answers to Your Queries here
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- December 2018
- November 2018
- October 2018
- September 2018
- August 2018
- July 2018
- June 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- July 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
GDPR is a regulation meant to protect the privacy rights of an individual. Principally it is meant to protect the right of a citizen of EU and tries to exercise control over the personal data collection activities in the jurisdictional boundaries of EU. UK as a faithful servant of the EU and reeling under the repentance of Brexit wants to be more loyal than the King and has pursued the UP Data Protection Act 2018 to extend GDPR to its jurisdiction.
The objectives of GDPR are laudable and extends the concern the EU legislators always had on the protection of human rights.
Having dealt with dictators like Hitler, Mussolini and Napoleon and lived a life of pirates and conquerors for generations, (of which we the Indians have centuries of experience), the population of EU has developed a culture which appear to have made them suspicious with every body else and over sensitive to some issues related to Privacy.
This is indicative in an interesting case reported below, details of which are available here.
This article “My GDPR Complaint Against Tinder (MTCH Technology Services)” is an interesting case study of how one person has painstakingly pursued his complaint with the company over a long period using the good intentions of GDPR to his advantage and in the process consuming days of effort and money of the company.
This is a typical indication of how the law can be misused by some persons for their own reasons.
To briefly explain the incident, immediately after the GDPR came into operation on 25th May 2018, on 2nd June 2018, a website PersonalData.IO submitted a request on behalf of a customer requesting the company MTCH Technology Services Ltd, to provide “all of the information collected on me”. Since then, the complainant is pursuing the complaint expressing his dis-satisfaction about the information that has been provided. The complaint has been originated with ICO in UK and later transferred to the supervisory authority in Ireland. The matter appears to be resting with the detailed reply given by the company on 29th May 2019 but the complainant is still not satisfied and is following up.
During this entire exercise, the company has patiently been replying to the complainant and it is evident that it has spent enormous corporate time with its technical team, compliance team, the legal advisors etc to draft a satisfactory reply.
We must pause at this stage and reflect whether the cost forced by the complainant on the company has been productive and whether the complainant has been inflicting unjustified losses on the shareholders of the company who are also individuals like the complainant himself.
GDPR has provided a “Right” to the data subject to request for information from a company whether personal data of himself is being processed and if so how is it being processed. The purpose of Articles 13 and related Articles of GDPR is to enable a data subject to ensure that the company adheres to the principle of collecting an informed consent and using the data only as agreed upon and not make a fraudulent or unethical and dishonest use of the personal data.
The complainant in this case on the other hand appears to have pursued his complaint dishonestly with the sole purpose of harassing the company through a series of e-mails and making a “Disproportionate request”. There is no “Data Breach” reported in this instance and the request is a fishing exercise of the complainant to find out a cause for further harassment of the company.
This complaint reflects a sadistic tendency on the part of the complaint who seem to have lot of time at his disposal to keep sending request after request and not be satisfied with any reply received.
There is a need to put an end to the development of such trend which will be detrimental to the industry. If this goes unchecked, any body and everybody may keep sending out e-mails just to make the life of the companies difficult. It may provide a sense of satisfaction to the complainant that he has achieved something great in his life by dragging the company into an endless conversation.
The responsibility to put an end to such an attempt lies with the supervisory authority which has to exercise a judicial discretion to separate a real complaint from a complaint designed as a fishing exercise where the complainant has no prima facie case of having been adversely affected.
The supervisory authorities in such cases should politely refuse the complaint and close the case so that the company can go ahead and attend it its other activities. This requires a sense of maturity for the officers who have the responsibility to uphold the real values reflected by GDPR.
Unfortunately the drafting of GDPR and more so the UK Data Protection Act 2018 is not good enough to avoid dishonest complaints being made against companies without valid and prima facie reasons. It is also not possible to avoid all inconsistencies when a law is drafted and it is the duty of the judiciary and other authorities implementing the law to read down the different provisions and ensure that the real spirit of the law is upheld.
If the supervisory authorities fail to respond properly to prevent such harassment, the Companies will also start disrespecting the authorities and we will end up with litigations all round. This will impose an unreasonable cost on the society and render the regulation an unproductive burden.
I therefore advise the complainant to be satisfied with whatever information has been provided. She has made not only this company but many others realize how GDPR can be make the life of the DPO miserable and tighten up their compliance. I suppose her genuine purpose of making Companies more responsible has been served.
She deserves a pat on the back.
But if the complainant pursues the complaint further, her intentions would be suspect and it would be proper for the Company to demand payment of costs for providing the information. Let this incident not be a lesson on how people can harass a company using the provisions of GDPR.
According to Article 12(5),
...Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
It appears that this is a fit case to test the provisions of this Article and how the supervisory authority of Ireland interprets this complaint.
The Arbitration and Amendment Act 2019 was received the Presidential assent on 9th August 2019.
The major part of the amendment is to introduce part IA related to the Arbitration Council of India. Consequential amendments have been made in the rest of the Act.
The Eighth schedule inserted in the Act deals with the qualifications and experience of the Arbitrator.
ICICI bank which has been a leading Bank in India adopting to innovative Cyber Banking in India is also in the forefront of incidents in which customers have lost money because of the negligent manner in which security of the systems is maintained as well as the fraudulent involvement of its employees.
Recently in two cases the TDSAT passed adverse orders against ICICI Bank. In the S.Umashankar Vs ICICI Bank case, ICICI Bank was held to have assisted the fraudster in commission of the crime. Though clinching evidence of criminal complicity of ICICI Bank had been adduced in the Adjudication and Tribunal in this case, since these forums were not criminal Courts, they stopped at passing adverse remarks in the orders. Had they been criminal Courts, we could have considered that ICICI Bank had been indicted of criminal offences under Sections 66 and 65 of ITA 2000/8.
In another case of Rajendra Yadav Vs ICICI Bank, an earlier order dismissing the complaint by the Adjudicator of Karnataka (in 2011) on the ground that “Section 43 was applicable only to individuals and not to Companies” has also been dismissed with costs on ICICI Bank.
ICICI Bank enjoying the power of public money however is not accepting the decisions and is challenging the decisions in higher Courts in the belief that the victims of Cyber crimes who have brought these litigation on the Bank will not have resources to continue their legal battle in higher courts for both the expenses and time involved.
Both these cases are cases which have been in litigation since 2008 and 2010.
In the latest attempt, ICICI Bank wants to get itself exempted from being liable under Section 43 by raising a bogey that the word “Person” used in the section applies only to an individual and no action can be brought against the Bank. The exemption claimed under Section 43 is also an exemption claimed under Section 66 since the two are interlinked.
This means that ICICI Bank is claiming that if it commits any offence under Section 66 which includes unauthorized access, denial of access, diminishing the value of information residing inside a computer etc., it has to be protected because it is a “Company”.
It would be interesting to see if the Courts admit such petitions or dismiss it at the first place.
Naavi has already pointed out in the judicial forums why this claim is ridiculous and cause different anomalies in law. We shall elaborate this some time later.
Refer: TDSAT order
Here is a copy of the report by the Inter ministerial committee on Crypto currencies.
The report contains the copy of the bill proposed to be introduced for banning Crypto currencies in India.
According to the Bill,
1.No person shall directly or indirectly use Crypto currency in any manner including as medium of exchange, and/or a store of value and/or a unit of account, nor as a legal tender or currency in any place in India.
P.S: Cryptocurrency, by whatever name called, means any information or code or number or token not being part of any Official Digital Currency, generated through cryptographic means or otherwise, providing a digital representation of value which is exchanged with or without consideration, with the promise or representation of having inherent value in any business activity which may involve risk of loss or an expectation of profits or income, or functions as a store of value or a unit of account and includes its use in any financial transaction or investment, but not limited to, investment schemes;
2. Mining, holding, trading etc will be offences punishable with one to 10 years of imprisonment and fine.
3. Advertising and promotion of crypto currencies is punishable with fine and/or imprisonment upto 7 years.
4. Even an attempt to commit any offences under the Act shall be punishable with half the term meant for the offence.
5. A separate investigating authority will investigate and prosecute offences under the act and actions in Courts can be initiated only by the Government.
6. Offences will be non cognizable and bailable.
7. Companies will have liability on the Officer in charge for offences attributable to them subject to usual defenses of due diligence.
8.Fines under the Act can range from Rs 1 lakh to R 50 crores under different sections
According to Zebpay which has shifted its business out of India, it still has more than 2 million Bitcoin holders in India and have more than 40000 bitcoins in their possession. According to their estimate there are about another 15000 bitcoins in the hands of Indians in other exchanges and may be a further 20,000 in dark pools which Zebpay itself calls as “Black Market”. The other Crypto currencies could add up to a further 50% of the Bitcoin holding.
The total estimated value of the Crypto currencies in the hands of Indians which we term as “Digital Black Money” could therefore be around 100,000 bit coins. At around Rs 8.5 lakhs per Bitcoin, the total value is around Rs 8500 crores. It must be recognized that this is only an estimate of the holding by Indians and the rest of the market capitalization (nearly 300 billion US dollars) is held by non Indians.
According to the industry’s own estimate, only 21% of Bitcoin transactions are deemed ” Lawful” as revealed by the research of MIT and IBM. The research said that billions of dollars are laundered through Crypto currencies every year.
The honourable Supreme Court cannot ignore these facts when it hears the arguments of the industry on legitimization of Cryptos in India.