
Naavi.org

Building a Responsible Cyber Society…Since 1998

(This is a continuation of the previous article)

2. One of the questions that arose during the discussions was on the “Data Breach Notification requirements” under the proposed act.

One concern of the industry was that “data breach” reporting to the data subjects should not be mandated and that, even if it is required, it should not be as immediate as notification to an industry authority or a regulator.

This is a standard response from industry whenever data breach notification is suggested in any data protection act. Industry wants to protect its reputation by sweeping data breaches under the carpet. While most industry players would jump at an Aadhaar leakage when it is reported, they would not like a breach in a bank coming out in the open. Hence the demand that they should be exempted from notifying their customers of a data breach.

Some industry players also raised the need for time to determine whether a “suspected data breach” is actually a “data breach”, or whether what looks like a data breach is only a “denial of service attack”, and argued that industry should not be forced to report a data breach before it is confirmed.

However, industry itself agrees that most data breaches need to be confirmed with an audit; many times the recognition of a data breach itself takes months, and after recognition the completion of the internal audit takes several more months. If the industry demand in this respect were accepted, a data breach would therefore not become public for more than a year.

Industry is, however, not averse to sharing some potential breach information with an industry organisation, because it knows that the industry organisation can be manipulated and the information about the data breach kept hidden. For example, many WannaCry infections of bank ATMs were never reported by the banks and the public never came to know of them. Even a major cyber attack on a bank after the SWIFT system hacking in Bangladesh was pushed under the carpet. Given the option, even the UIDAI would prefer not to publicise data breach reports concerning UIDAI, because they hurt the reputation of the system.

The strong opposition to data breach notification to the data subjects itself indicates that it is a very effective deterrent that industry cannot ignore. Hence it is absolutely essential that this data breach notification is incorporated in the law as a mandate. The time limit in other international regulations is around 30 to 60 days, and it would be necessary to make a provision for “Public Notification” within 30 days.

Where there is difficulty in confirming the data breach because an audit etc. is still needed, the notice can state that the investigation is in progress and that the notice is a “Provisional Notice”.

Some persons also raised the issue of the “cost of data breach notification” to the data subjects. The notification can be made

a) Through advertisement

b) Through a notice on the website of the Data Controller

c) Through a notification on the Data Protection Authority website

d) Through e-mail

In order to further reduce the cost of “advertisement”, a suggestion was made to the effect that the Data Protection Authority can create a broadcast platform. A mention can however be made that such a service is already available at www.cyber-notice.com, along with Section 65B (Indian Evidence Act) certification. Industry is yet to recognize the potential of the service, and perhaps a mandatory data breach notification requirement would make the industry realize the need for such services.

(Will be continued)

Naavi

Links to all the three parts of this report of the consultation are available here

Part I

Part II

Part III

During the discussion on the Data Protection white paper in Bangalore on the 13th instant by three members of the Expert Committee led by the Chairman, Justice B.N. Srikrishna, several interesting issues came up. While it is difficult to recall all the points discussed, I am trying to capture some of the interesting points raised, along with my comments, here.

The comments made here are not those of the expert committee members and should not be construed as views either accepted or rejected by the committee at this point in time. Justice Srikrishna was, however, a great listener and tried to probe the persons raising questions to understand the issue as much as possible. The ministry representatives made suitable notes, and these are likely to be discussed by the committee later and taken into account before a bill is recommended.

1. One of the suggestions made was that the law should be people oriented and principle based.

Comment: In India, we still do not have a law on Privacy protection. Except for the fact that we know the Supreme Court considers Privacy a fundamental right of a person under Article 21 of our Constitution, under “Right to life and personal liberty”, we do not have a definition of what “Privacy” is.

The first question that the Indian Data Protection Act (IDPA) has to address, therefore, is whether it should have one section defining Privacy, i.e. whether a clause stating “Privacy means…..” is to be incorporated in the definitions.

The problem, however, is that the nine-member bench of the Supreme Court itself did not take up the responsibility of defining what “Privacy” is, and some of the judges, in their respective individual orders (not forming part of the final signed collective operative order under the judgement of 24th August 2017, which we refer to today as the Puttaswamy Privacy judgement), made different comments identifying different aspects of our life as elements of “Privacy”.

This law therefore cannot take upon itself the responsibility of defining what is “Privacy”.

Currently, the Information Technology Act 2000 (ITA 2000) has a definition of “Personal Information” and “Sensitive Personal Information” and prescribes how it has to be protected by body corporates (Section 43A), how it has to be collected and protected by intermediaries (Section 79), what compensation may be available for wrongful loss arising therefrom (Sections 43, 66, 72A), how long the data has to be preserved (Section 67C), and how the data can be intercepted and collected by Government agencies for national security reasons (Sections 69, 79A, 70B), etc. All these are essential ingredients of a Data Protection Act in respect of “data in electronic form”.

Will the IDPA also address these issues? If so, will it overlap with the ITA 2000/8 provisions? This is one of the decisions the committee needs to arrive at.

The IDPA as envisaged addresses what is referred to in the Puttaswamy judgement as “Information Privacy”. This depends on the definition of “Privacy” and on a judgement call on which information relates to Privacy. For example, will an IMEI number be considered “Personal Information”? If so, is it simply “Personal Information” (PI) or is it “Sensitive Personal Information” (SPI)? Is an IP address PI? Is an e-mail address PI? Except for “Biometric” data or a “Password”, there may not be a consensus on what is to be included in or excluded from the definition of PI, where the line of demarcation between PI and SPI has to be drawn, and whether the classification has to be refined even further into PI-Level I, PI-Level II, SPI-Level I, SPI-Level II, etc.

In such an uncertain environment, the law cannot be “prescriptive” at all. It has to be necessarily “principle based”.

Now, if ITA 2000/8 already has the principle-based concepts of “Due diligence” and “Reasonable Security Practice” defined, what does the new IDPA achieve by repeating the same things in a different statute?

In this context, a question arises whether it is a good idea to simply make amendments to ITA 2008 to meet the objectives of the proposed IDPA.

If required, a new chapter called “Chapter on Data Protection” can be added to ITA 2008 to incorporate the requirements of registration of data controllers etc., which are not adequately covered in ITA 2000/8.

(Will be continued)

Naavi


The four judges of the Supreme Court who recently held a press conference appealed to the public through the media with the request “please take care of the institution and take care of the nation”. The judges, namely Justices Chelameswar, Ranjan Gogoi, Madan B. Lokur and Kurian Joseph, were complaining that the Chief Justice, as “Master of the Roster”, is actually behaving as a “Master” and that he should not do so. They said that their efforts to make him allocate sensitive cases only amongst the top five judges were not being heeded and that some cases are being allocated to the junior judges.

The revolting judges agreed that this was an unprecedented situation and they wanted to go through this exercise as otherwise history would accuse them of having sold their souls.

The conference itself was held very clumsily. The judges had neither a press release nor a proper statement to hand out to the press. There were favoured lawyers in the crowd of journalists, and Mr Shekhar Gupta, a veteran journalist, was even invited to sit on the dais. Immediately after the press meeting, the CPI leader D. Raja, a known opposition party leader, was seen shaking hands with Justice Chelameswar, giving a political colour to the entire episode.

The judges came out as completely inexperienced in not only the manner in which they conducted the press conference but also the manner in which they were fumbling for words during the interaction.

Justice Chelameswar said that what they wanted to share was a letter they had written to the CJI, a copy of which would be shared, and that was all they wanted to say. Gogoi confirmed that there was nothing more to say beyond the letter, but inadvertently admitted that the admission of the case on Justice Loya’s death was a reason for this press meet.

Mr Dushyant Dave has been the advocate strongly advocating that the Justice Loya case should not be heard by a specific judge and should be heard only by one of these four judges, as if only they would give a decision in his favour.

Another advocate, Mrs Kamini Jaiswal, who is bitterly against Mr Amit Shah, indicated in her subsequent statements that the possibility of Mr Amit Shah not being convicted was the reason behind this revolt. It was as if Teesta Setalvad was speaking through Kamini Jaiswal.

Yet another advocate Indira Jaising has also been vocal with similar views indicating that the politics of “Anti Amit Shah” forces were truly pushing the judges into a corner with the press conference.

It appears that these three advocates are either directly or indirectly responsible for the current mess in the Judicial system and are unmindful of the damage that they have done to the Indian judiciary for their own personal gains.

It was not surprising that the Congress followed up with its own press conference, though it was as indecisive as the judges’ press conference. It appeared as if Mr K.T.S. Tulsi had strongly opposed the Congress getting into this controversy, but Kapil Sibal and P. Chidambaram pushed through the conference. Rahul Gandhi, in his usual style, spoke a rehearsed sentence and ran away without taking questions.

With the meeting of D. Raja with Chelameswar and the Congress press conference, it was clear that the four revolting judges were playing the tune of the political parties. However much they may try to whitewash their intentions, the perception of the public is clear that this was a political agenda playing out through the four judges.

It appeared that these four judges wanted to say more but were restraining themselves. In the end, the charges made by the four judges appeared hollow and self-defeating. Had they been more forthright, they would at least have sounded more convincing.

Since then, several legal luminaries have been expressing their views on the points raised. A large number of advocates are on the side of the four revolting judges, while a large number of past judges hold the view that conducting the press conference was wrong.

If we ignore the perceptions and focus more on the problem they have highlighted, then solution is not difficult to find.

The accusation is that while the CJI is considered to have the discretion to constitute benches and allocate cases to any of them, he should do so only in consultation with the five senior-most judges who form the collegium.

While the Judges 2-5 in seniority who held the Press Conference hold that CJI is only the “First amongst equals ” and not more important than any of them, they consider that other judges of the supreme court who are 6-25 in seniority are lesser mortals who are not equal to the first five.

This does not seem to be a logical argument and has to be rejected.

Either all the judges have the privileges attached to their seniority, in which case the CJI as the senior-most has higher privileges that include the management of the roster, or they should agree that all judges of the Supreme Court are equally competent to handle any legal matter before them without fear or favour and with the legal expertise required.

Expecting that the rule of “First amongst Equals” applies only to the first five and not to all the 25 judges of the Court indicates a self serving argument.

If we admit that the roster allocation had some “motive” behind it, as implied by these four judges, we can also imply a “motive” behind the accusation of the four revolting judges. If the CJI wanting to avoid handing over some sensitive cases to any of these four, and giving them to some other judge down the line as a departure from the procedure, indicates a “bad motive”, then the demand that such cases should be handed over only to them and not to anybody else also indicates a “bad motive” on the part of the four judges.

If we leave aside these perceptions, since these judges are not transparent about their motives and want to hide behind the respect they enjoy as judges of the highest court of the land, let us accept that the only grievance is that the allocations are not being done in accordance with the established procedures of the past, where all the five senior-most judges worked together as a collegium and distributed sensitive cases only amongst themselves so that none was unhappy, and that the current CJI is trying to break this tradition.

Perhaps this is making these judges insecure and their friend lawyers also more insecure because they were perhaps existing in the system more by the strength of their relationship with the judges rather than their ability to fight a case on the merits.

The solution for this does not lie in asking the media and the public to adjudicate, since what “We the people” may say will not be palatable either to these judges or to their favoured lawyers. Nevertheless, since they have sought our advice, let us provide them the advice.

The problem is about allocating cases to the 25 judges of the Supreme Court in an equitable manner so that justice is done to the petitioners. The criterion of seniority is only relevant as a demonstration of the expertise of a judge and not otherwise. Each judge may, however, carry a badge of domain expertise based on the type of cases in the past in which he examined a particular domain in depth and thereby gained expertise. There cannot be any expertise based on qualifications, since the college qualifications of all the judges are at least three decades old and have no relevance today. For example, Mr Chelameswar having been a student of Physics in college does not make him a domain expert in a case involving noise pollution or an electricity outage.

Either the judges have to declare their top three areas of interest/specialization based on their own introspection, or they have to be tagged with the domains of expertise that were required to resolve the cases they have handled in their career.

Assigning a “Domain Expertise Tag” to every judgement released by a judge in all the Courts is a process that has to be introduced now, so that after a decade or so it becomes a reliable barometer for tagging a judge with his area of domain expertise. Criteria for this need to be developed and adopted.

In the meantime, an ad hoc measure can be adopted where each judge of the Supreme Court is asked to declare three areas of interest to be used as his “Specialization Tag”.

Every judge will automatically have a seniority tag as well. Using these two tags along with a “Random Allocation Tag”, it is possible for the Chief Justice to select a judge or a bench of multiple judges for any case.

For this purpose, the CJI may categorize a case as “requiring a specific domain expertise”. He can use his “first amongst equals” privilege to do so. Similarly, he can decide whether the case requires a single judge or more judges on the bench. Having decided these two parameters under his privilege as CJI, he can proceed to allocate cases in the following manner. The CJI can also take the workload of a judge into account and decide whether he should be part of the selection for a given case or not.

a) In the case of single-member allocations, the choice can be completely randomized, such as picking a judge out of the 25 (or fewer, if some are over-burdened with cases at present). It is possible to do this by computerized allocation, with the priority criteria for domain expertise and seniority set to zero.

b) Where two judges are on a bench, one selection can be made on the domain expertise criterion and the other on a random basis.

c) Where there are three or more members on the bench, one member may be selected on the basis of seniority, the second on domain expertise and the third randomly.

In larger benches the criteria can be repeated for the balance vacancies to be filled up.

This process leaves enough scope for the CJI to exercise his privilege and also provides opportunities for the senior members to be part of the important cases where there are at least three members. The single-member benches, which are prone to manipulation by friendly advocates, would be randomized so that no advocate would gain an unfair advantage by telling a petitioner “I know this judge, come to me”.

If the Supreme Court wants software to be developed for the purpose, I am sure there would be many software professionals willing to develop it for free as their contribution to protecting the institution, which is the stated concern of these four revolting judges.
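As an added illustration (not code from the original post, and not anything the Supreme Court uses), here is one way the allocation rules (a), (b) and (c) above could be implemented. The roster, the specialization tags, the workload figures and the workload threshold are all constructed for the example. Two design choices go beyond the text and are assumptions: the random seats draw from the operating system's CSPRNG rather than a seedable generator, so that nobody who knows the roster can predict or steer which judge a case lands with, and every seat is returned together with the criterion that filled it, so the allocation can be audited afterwards.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Judge:
    name: str
    seniority: int              # 1 = Chief Justice, 2 = next most senior, ...
    specializations: frozenset  # the judge's declared "Specialization Tags"
    workload: int = 0           # pending cases; over-burdened judges are left out


def criteria_for(bench_size):
    """Selection criteria per seat, following (a), (b) and (c) in the post.
    Benches larger than three repeat the three-step cycle for the remaining seats."""
    if bench_size == 1:
        return ["random"]
    if bench_size == 2:
        return ["domain", "random"]
    return ["seniority", "domain", "random"]


def allocate_bench(judges, bench_size, domain=None, max_workload=50, rng=None):
    """Return one (criterion, Judge) pair per seat.

    The criterion is recorded with each seat so the allocation can be audited.
    rng defaults to the OS CSPRNG, which cannot be seeded or predicted from
    knowledge of the roster; pass random.Random(seed) only in tests."""
    rng = rng if rng is not None else random.SystemRandom()
    pool = [j for j in judges if j.workload <= max_workload]
    if bench_size < 1 or bench_size > len(pool):
        raise ValueError("bench size must be between 1 and the number of available judges")
    cycle = criteria_for(bench_size)
    seated, record = [], []
    for seat in range(bench_size):
        criterion = cycle[seat % len(cycle)]
        remaining = [j for j in pool if j not in seated]
        if criterion == "domain":
            experts = [j for j in remaining if domain in j.specializations]
            if domain is None or not experts:
                # Assumption: if the CJI asked for no specific expertise, or all
                # tagged experts are already seated, the seat is filled at random.
                criterion = "random"
        if criterion == "seniority":
            chosen = min(remaining, key=lambda j: j.seniority)
        elif criterion == "domain":
            chosen = rng.choice(experts)
        else:
            chosen = rng.choice(remaining)
        seated.append(chosen)
        record.append((criterion, chosen))
    return record


def seeded_rng(seed):
    """Deterministic generator for tests only; never use it for a real allocation."""
    return random.Random(seed)


# Constructed roster for the example; names, tags and workloads are invented.
ROSTER = [
    Judge("J1", 1, frozenset({"constitutional", "tax"}), workload=80),  # over-burdened
    Judge("J2", 2, frozenset({"criminal", "constitutional"})),
    Judge("J3", 3, frozenset({"cyber law", "tax"})),
    Judge("J4", 4, frozenset({"cyber law", "environment"})),
    Judge("J5", 5, frozenset({"criminal", "service"})),
    Judge("J6", 6, frozenset({"cyber law", "criminal"})),
    Judge("J7", 7, frozenset({"environment", "service"})),
    Judge("J8", 8, frozenset({"tax", "service"})),
]

if __name__ == "__main__":
    for criterion, judge in allocate_bench(ROSTER, 3, domain="cyber law"):
        print(f"{criterion:10s} {judge.name} (seniority {judge.seniority})")
```

Run as a script it prints a three-judge bench for a constructed "cyber law" case: the most senior available judge (J1 is skipped because of workload), one tagged expert, and one judge drawn at random. Because the random seats come from `SystemRandom`, re-running it gives a different bench each time, which is the property that stops an advocate from knowing in advance which judge a petition will reach.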

Naavi

Public Consultation on Data Protection Legislation

Posted by Vijayashankar Na on January 14, 2018

Yesterday (13th January 2018), three members of the Justice Srikrishna Committee on Data Protection Law participated in a public consultation program in Bangalore at the IISc auditorium.

Honourable Justice (Retd) B.N. Srikrishna, the Chairman of the committee, was present along with two other members of the committee, namely Mr Gopalakrishna and Rama Vedashree. A healthy discussion was held all through the day with around 100 participants, consisting of the elite Privacy practitioners in Bengaluru, including IT professionals, lawyers, activists and some representatives from academia. This was one of four such meetings being held across the country, while the option to submit feedback on the website continues till January 31, 2018. The earlier meetings were held in Delhi and Hyderabad, and the last meeting is being held in Mumbai.

Though this consultation was not directly related to a discussion on Aadhaar, there were many agitated Aadhaar critics in the meeting who raised their concerns. The Supreme Court, which is resuming its hearing on Aadhaar on 17th January 2018, will take into account the efforts of the Government in improving the Privacy protection regime in the country, both through the introduction of the Virtual Aadhaar ID system and through the introduction of a robust data protection law in India. In that context, the effort being taken by the committee to consult widely across the country with experts from the field was important, since one of the objections of the anti-Aadhaar lobby has been that the Justice Srikrishna Committee itself did not have proper representation of all stakeholders. This consultation process addresses this issue and takes the sting out of the criticism that the committee does not represent all the stakeholders.

Justice Srikrishna came across as a well-informed person, even in the field of technology, and gave the community confidence that the Data Protection recommendations to be given by the committee would be fair and would address most of the concerns. He was keen to listen to the views of everyone and responded where required with his own wit and humour, keeping the discussions lively throughout the day.

At the end of the day, the gathering was convinced that the job of framing the data protection law, which has been pending for many years and has passed through many versions, would get another serious and fair try.

We urge professionals to take the time left to go through the white paper and submit their valuable views to the committee, so that the opportunity to contribute to law making in this important area is not missed.

Naavi.org has been providing its views and will continue to do so in the few days left. So far, some of the views have been expressed in the following articles.

1. Data Protection Law in India… Three Big Ideas …. Data Trust, Jurisdictional Umbrella and Reciprocal Enforcement Rights
2. Look beyond GDPR and Create Personal Data Trusts to manage Privacy of data subjects
3. “Compliance by Design” should be the motto of the Data Protection Act of India
4. We should forget the “Right to Forget” in Indian Data Protection Act
5. Personal Data should be considered a personal Property
6. Data Protection Act.. We should aim at Compliance with Pleasure not Compliance with Pain.
7. Right to Privacy should cease at death
8. Proposed Data Protection Legislation in India- White Paper released
9. All articles

Naavi