
Naavi.org

Building a Responsible Cyber Society…Since 1998

Data Portability is one of the contentious issues of the GDPR from the compliance angle. We had discussed the “Theory of Dynamic Personal Data” in one of our previous articles. That concept is relevant to addressing the issue of Data Portability as envisaged in GDPR.

Article 20 of GDPR states as follows:

Article 20: Right to data portability

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
(b) the processing is carried out by automated means.

2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. (Ed: Right to Erasure). That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

The industry is struggling to understand how it can tune its processing systems so as to keep the “Personal Data of the Data Subject” in one compact, identifiable package that can be “Ported” or “Erased” when necessary.

If a Data Processor is setting up a new system for processing the data, it would perhaps be easier to design the system to meet this objective. But if it is already processing data and is now trying to implement GDPR over an existing set up, which includes past stored data and the processing system, complying with the provision is a challenge. (Article 20 places the obligation on the controller; “Data Processor” is used in this article in the generic sense of whoever processes the data, not in the narrower sense of Article 4(8).)

One of the key aspects of implementing Data Portability and Data Erasure is to ensure that a data subject’s personal data is always identifiable in a package and can be dealt with together when required.

In practice, however, the complete set of personal data about a data subject is acquired over a period of time and in bits and pieces. In this kind of “Data Aggregation”, one part of the personal data is what the data subject has handed over after informed consent. This is the “Property” of the data subject and he has every right to deal with it as he likes.

But once this raw data is received by the data processor, it may be mixed with other data, analyzed, filtered and processed using data mining and analytical algorithms, and another set of data, which has a link to the raw data supplied by the data subject, emerges. In the course of time the data subject also adds further data about himself, which is another set of raw data that gets added.

At this point, the data with the data processor has two components: the raw data supplied by the data subject from time to time, and the value added secondary data in which the raw data is embedded but which is worth much more because of the processing applied to it. It is as if the data subject has given the data processor water, fruit juice concentrate and sugar in separate packets and the data processor has created a bottle full of juice with them.

Now the data subject comes and says, please “Port” my data to another “Data Processor”. The problem for the data processor is to separate the water, juice concentrate and sugar from the bottle of juice and return the “Data of the Data Subject”. Anything else is different data, and if that has to be transferred to another data processor, it goes along with the technical know-how the first data processor used to add value to it. Obviously this is not acceptable to the data processor since it would dilute his IPR.

The key to GDPR data portability management is to develop a data processing model which keeps a tag on the “Raw data supplied by the data subject” even while it is being churned into value added data by the data processor, so that when required we can pull out the raw data and return it to the data subject. The Article 29 Working Party’s guidelines on the right to data portability (WP 242 rev.01) take the same line: data “provided by” the data subject covers what he actively supplied and what was observed from his use of the service, while data inferred or derived by the controller from it is outside the scope of Article 20.

If the system is designed intelligently, the data processor may keep the value added data with himself and return only the raw data components to the data subject. It will be like having the cake and eating it too.
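The tagging model described above, as an added example in Python that is not code from Naavi.org or from any product the article refers to. Each record is stored with a provenance tag (“My Data” supplied by the data subject versus “Your Data” derived by the controller) and the lawful basis it is held under; the Article 20 export then pulls out only the subject-provided records held under consent or contract, in a machine-readable JSON package, while the derived records stay behind with their links to the raw inputs intact. Erasure, by contrast, removes everything that identifies the subject, raw or derived. The subject identifiers, field names, values and lawful-basis labels are constructed sample data and assumptions of the example.

```python
"""Provenance-tagged personal data store.

Illustrative example added to this article (not code from Naavi.org).
Every record carries a `provenance` tag saying whether the data subject
supplied it ("subject_provided", the article's "My Data") or the
controller derived it ("derived", "Your Data"), plus the lawful basis it
is held under. An Article 20 export selects only subject-provided records
held under consent or contract; an Article 17 erasure removes every record
that identifies the subject, raw or derived.
All subject ids, field names, values and basis labels are assumptions.
"""
import json
import uuid
from dataclasses import dataclass, field

SUBJECT_PROVIDED = "subject_provided"
DERIVED = "derived"
# Art. 20(1)(a): portability applies only to processing based on consent
# (Art. 6(1)(a) / 9(2)(a)) or on a contract (Art. 6(1)(b)).
PORTABLE_BASES = {"consent", "contract"}


@dataclass
class Record:
    record_id: str
    subject_id: str
    provenance: str
    field_name: str
    value: object
    lawful_basis: str
    derived_from: list = field(default_factory=list)  # ids of the raw inputs


class PersonalDataStore:
    def __init__(self):
        self._records = {}

    def _add(self, rec):
        self._records[rec.record_id] = rec
        return rec.record_id

    def ingest(self, subject_id, field_name, value, lawful_basis):
        """Store raw data handed over by the data subject, tagged as such."""
        return self._add(Record(uuid.uuid4().hex, subject_id, SUBJECT_PROVIDED,
                                field_name, value, lawful_basis))

    def derive(self, subject_id, field_name, value, derived_from,
               lawful_basis="legitimate_interest"):
        """Store a value the controller computed from raw inputs.

        The link back to the raw records is kept, so the raw data stays
        identifiable inside the "bottle of juice"; the inputs must belong
        to the same subject so one person's data never lands in another's
        package.
        """
        for rid in derived_from:
            if self._records[rid].subject_id != subject_id:
                raise ValueError("derived record must not mix data subjects")
        return self._add(Record(uuid.uuid4().hex, subject_id, DERIVED,
                                field_name, value, lawful_basis, list(derived_from)))

    def records_for(self, subject_id):
        return [r for r in self._records.values() if r.subject_id == subject_id]

    def export_portable(self, subject_id):
        """Article 20 package as JSON: subject-provided data under consent or
        contract only. Derived data and data held on another basis (e.g. a
        legal obligation) stay with the controller."""
        portable = sorted(
            (r for r in self.records_for(subject_id)
             if r.provenance == SUBJECT_PROVIDED and r.lawful_basis in PORTABLE_BASES),
            key=lambda r: r.field_name)
        package = {"subject_id": subject_id,
                   "records": [{"field": r.field_name, "value": r.value,
                                "lawful_basis": r.lawful_basis} for r in portable]}
        return json.dumps(package, sort_keys=True)

    def erase(self, subject_id):
        """Article 17: drop every record identifying the subject, raw and
        derived, and report how many were removed."""
        doomed = [r.record_id for r in self.records_for(subject_id)]
        for rid in doomed:
            del self._records[rid]
        return len(doomed)


def demo():
    """Walk through ingest, derive, port and erase on constructed sample data."""
    store = PersonalDataStore()
    email = store.ingest("alice", "email", "alice@example.invalid", "consent")
    orders = store.ingest("alice", "orders", [12.5, 40.0], "contract")
    store.ingest("alice", "tax_id", "TAX-0001", "legal_obligation")  # not portable
    store.derive("alice", "spend_score", 0.73, [orders])            # controller's analysis
    store.ingest("bob", "email", "bob@example.invalid", "consent")
    try:
        store.derive("bob", "leak", 1, [email])                       # cross-subject link refused
        mixed_refused = False
    except ValueError:
        mixed_refused = True
    ported = {r["field"] for r in json.loads(store.export_portable("alice"))["records"]}
    erased = store.erase("alice")
    return {"ported": ported, "mixed_refused": mixed_refused, "erased": erased,
            "alice_left": len(store.records_for("alice")),
            "bob_left": len(store.records_for("bob"))}
```

Running `demo()` ports only `email` and `orders` for alice (the tax identifier is subject-provided but held under a legal obligation, and the spend score is derived, so neither is in the package), refuses a derived record that would link bob to alice’s raw data, and erasure removes all four of alice’s records while leaving bob’s untouched. The provenance tag is what makes both operations cheap; retrofitting it onto an existing store is the hard part the article describes.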

Such a system may have to be developed on a case to case basis. But as indicated earlier, it is easier to introduce it prospectively than retrospectively.

Hence it would be better if GDPR liability were accepted only for future personal data inflow, with the existing system retained for Data Protection in respect of past data.

GDPR does not appear to have been conceived with this distinction between “Prospective” and “Retrospective” implementation in mind: Recital 171 simply expects processing already under way on the date of application to have been brought into conformity with the Regulation by then, and the authorities seem oblivious to the practical issues involved in implementing some of the provisions which read well but are impossible to comply with.

In this discussion we have assumed that the Data Subject does not lay claim to the value added part of the processed data and would be satisfied if his own raw data is returned to him. Hence in future we may have to differentiate data as “My Data” and “Your Data” and apply different privacy and security rules to each.

The technical implementation of this concept needs the development of a middleware data processing strategy, which is out of scope of this article and also involves IPR in the design.

Naavi

Definition of Undertaking under GDPR and its impact

Posted by Vijayashankar Na on April 3, 2018
Posted in Cyber Law

GDPR is liked by some as a good law to protect the privacy of individuals and is often looked upon as an “Emerging Standard”. Many companies are working towards calling themselves “GDPR Compliant” since it makes good marketing sense, even though GDPR does not apply to them. Even the White Paper on a Data Protection Law released by the Justice Srikrishna Committee makes frequent references to GDPR, giving the perception that the Indian Data Protection law will be a reflection of GDPR in some way.

At the same time GDPR is hated by the IT Companies because it increases their cost of Privacy compliance and also holds the Damocles sword on their head with the obnoxious penalty clause of Administrative Fines.

In most privacy laws, the emphasis is on providing direct protection to the data subject by giving him compensation for the adverse consequences of a data breach. In order to reduce the possibility of a privacy breach, the law also prescribes certain standards of compliance and, to goad companies into taking compliance seriously, imposes fines and penalties for non compliance. The fine is meant to act as a deterrent against neglect of “Due Diligence” requirements.

GDPR has used Administrative fines as a means of causing a “Chilling Effect” on the industry, which is now at the mercy of the “Supervisory Authorities” who have been given powers to impose unreasonably large penalties.

Article 83 (4) and 83 (5) prescribe the penalties.

Under Article 83(4), certain infringements are subject to administrative fines of up to 10 million Euros (1 Euro=Rs 80) or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Under Article 83(5), certain infringements are subject to administrative fines of up to 20 million Euros (approx Rs 160 crores) or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The lower fine applies to infringements of the following articles:

Article 8: Child’s Consent

Article 11: Processing which does not require identification

Articles 25 to 39: Various obligations of controllers and processors, such as privacy by design and by default, impact assessment, data breach notification etc.

Article 42 and 43 : Certification related

The higher fine applies to infringements of the following articles:

Articles 5,6,7 and 9: violation of basic principles for processing including consent

Articles 12 to 22: Infringement of Data Subject’s Rights

Articles 44 to 49: Transfer of personal data to third countries

and to non compliance with obligations under member state laws adopted under Chapter IX, or with an order of a supervisory authority.

What strikes the eye in the penalty clause is that in the case of an “Undertaking” the penalty may be 2% or 4% of the total worldwide turnover.

To understand the impact of this clause, we need to understand what constitutes an “Undertaking” under the law applicable in this context.

GDPR does not itself define “Undertaking”; Recital 150 says that, for the purpose of fines, it is to be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU), that is, in its competition law sense.

One established way of determining the scope of this word is that where one company exercises “Control” over another company, they form a single economic entity and hence are part of the same undertaking.

This means that if a company is a holding company and the subsidiary company is the one subject to penalty, the holding company may become part of the global undertaking. If the holding company is in EU and the subsidiary companies are in one or more other countries, then all of them will become part of the “Undertaking”.  Beyond this, it would be the specific ruling that any Court may give or which the supervisory authority may imply.

If therefore Infosys (an example only) is an Indian company and has subsidiaries in the EU where it is a Data Controller and is subject to some fine, then the turnover of Infosys becomes part of the turnover of the undertaking. Now if Infosys subsidiaries in other countries also hold cross holdings in the EU entity, then an EU court may add the global turnover of Infosys to the turnover of the undertaking to determine the fine.

This may mean that revenue generated by the Company’s employees in India from operations that have no relevance to EU operations is counted against the Company in the EU.

The legality of such a measure is considered debatable.

Also, when Infosys-EU signs a Data Controller contract and thereby creates a charge on the earnings in India which is enforceable against the EU subsidiary, the shareholders of the Indian Company may have reason to ask whether their wealth is being eroded.

At first glance, the addition of “Global Turnover” in the computation of the penalty appears to be an over reach in law and may not sustain proper scrutiny. But this is something which NASSCOM has to address, consulting international law experts such as Harish Salve, and clarify.

In the meantime, Indian companies having some operations through EU subsidiaries need to ensure that the “Holding Company Turnover” does not become a factor that increases the potential liability of the EU subsidiary. This can be done by shedding the “Holding Company Status” and ensuring that the EU subsidiary and the (hitherto) Indian parent company maintain an arm’s length relationship without any director level or shareholder level control.

When companies to which GDPR does not apply want to adopt GDPR as a “Standard”, they should ensure through proper disclosures that “The adoption of GDPR compliance as a business strategy across all the global units of the undertaking” is not treated as a prima facie admission that a global networking relationship exists across all such companies, which would expose the aggregate turnover of all of them to the risk of being considered for fine computation.

I look forward to a response from NASSCOM on this matter.

Naavi

Ever since Law entered Cyber space and the term “Cyber Law” was coined, the field of law has been shaken up.

When ITA 2000 (Information Technology Act 2000) was notified and conventional lawyers started reading it, they soon encountered, right under Section 3, terms such as “Asymmetric Crypto system” and “Hash function”. It was immediately clear that their years of study for the LLB and experience at the Bar were of little relevance in the newly emerging world of “Cyber Law”.

At this point a breed of “Cyber Law Specialists” was born who studied ITA 2000 from its birth and had no prior in depth knowledge of Civil or Criminal law. Gradually, many of the “Computer Savvy Lawyers” who could understand some computer terms such as hard disk, memory, hacking, denial of service etc. graduated into “Cyber Law Specialists” with different degrees of specialization in civil or criminal law along with an awareness of computer technology.

Simultaneously, pure technology specialists working in the area of “Cyber Forensics” also graduated into a multi discipline specialization by acquiring awareness of ITA 2000 or Cyber Laws.

From this convergence of technology knowledge/specialization with law specialization/awareness was born a new breed of specialists who could describe themselves as “Techno Legal Specialists”.

In the Information Security domain, these specialists became “Techno Legal (TL)  Information Security Specialists”.

Some of these specialists, like the undersigned, recognized the importance of “Behaviour Science” in the Information Security area, just as in “Criminology”, and added a “Behaviour Science Specialization” to their forte to create a “Techno Legal Behavioural Science Specialization” to be used both for Cyber Criminology and for Information Security.

We may recognize these developments as different generations of Cyber Law specializations that are developing not only in India but also elsewhere.

When we look at some of the emerging problems such as Section 65B of Indian Evidence Act and the struggle of the community to handle the Cyber Crimes emanating from the deep web, it is clear that we are still a long way off from mastering the art of “Techno Legal Behavioural Science (TLBS) Specialization” either in the Information Security area or in the Cyber Law area.

Failure to acquire this TLBS specialization in the Information Security domain results in increasing Cyber Crimes, data thefts etc., including issues of the Cyber Analytica kind.

Failure to acquire this TLBS specialization in the Cyber Law domain results in increasing cases of bad Judgements such as the Section 66A and Shafhi Mohammad judgement by the Supreme Court of India or the Shapoorji Pallonji case judgement by Mumbai High Court.

Emerging Cyber Law Scenario

There is a need to continue our work on creating better awareness and understanding of the TL and TLBS concepts through our education system, both in Law education and in Engineering education, and to let it percolate through the practicing lawyers to the Judiciary. But the environment has moved further: the advent of Artificial Intelligence and Quantum Computing is making further changes to the interpretation of Cyber Law principles.

Just as Digital Signature concepts brought Asymmetric Crypto Systems and Hashing, which are mathematical concepts, into the domain of Cyber Law, the development of Quantum Computing has now brought “Physics” directly into the domain of Cyber Law.

Now a full rounded Cyber Lawyer needs to not only know law, computer technology and behavioural science, but also Physics.

We must remember that what we have so far been calling “Computer Technology” already incorporated “Physics”, because every “Bit” holding data in a computer device is realised by a miniature “Transistor” and every processing step on a computer happens in “Electronics” at the back end.

But just as “Classical Physics” was disrupted by “Quantum Physics”, so that the laws of Classical physics, including the famous laws of Newton, had to be re-written for the Quantum world and even geniuses like Albert Einstein were proved wrong in parts in the Quantum Physics domain, all the current laws which we codify as “Cyber Laws” may need a complete re-look in the Quantum computing environment.

We must therefore recognize that the next generation of Cyber Law specialization is now here. I will call this the “Quantum Cyber Law Specialization”.

The Quantum Cyber Law (QuCL/QCL) specialists need to understand not only the depths of Law along with “Transistor based Classical Computers” but also the emerging “Qubit based Quantum Computers”, where the “Qubit” is not a transistor but, in spin based implementations, the spin of a Nucleus or an Electron.

Just as the Classical Computer works on a transistor representing a “Bit” that is either charged or not charged, representing the binary states one and zero, a spin Qubit uses an electron or a nucleus whose spin is “up” or “down” (pictured as spinning clockwise or anti clockwise) to represent the two states Zero and One.

The enigma of Quantum Computing, however, is “Superposition”: the spin state of an electron can be one and zero at the same time, but collapses into one of the two states at the time of measurement.

The readers of this blog consist mainly of Classical Cyber Law followers. Some of them may find the concept of Quantum Computing a bundle of science fiction. They may choose to ignore some of the articles on these “Emerging Technology” concepts that may appear here and focus on improving their understanding of the “Transistor based classical technology” and how it affects Section 65B etc.

But for those crazy technology buffs who would like to explore the computer world of the future, it is necessary to slowly start grasping some of the new concepts in order to stay relevant in the post 2030 Cyber Law world.

The undersigned is also in the process of exploring the Quantum Computing principles and is experimenting with some thoughts not all of which may be considered “Definitive”. Errors and mis-interpretation could be expected since this is considered as a learning process.

Readers may therefore treat some of these articles more as hypotheses to be tested and tuned. The presented hypotheses may be debunked and improved by Quantum Cyber Law (QuCL) watchers.

Understanding QuCL requires even more depth of technical knowledge than what is required for understanding Cyber Law as we know today.

Further, the technical knowledge required for understanding QuCL would include knowledge of Quantum Physics and its application to the construction of logic gates and data storage techniques, which is more than what most computer science specialists possess in the natural course of their development.

I am yet to find a term to describe this “Multiple Domain Experts who know Computer Technology, Law and Physics”.

Probably they should be called “Techno Legal Physicists” or “Quantum Physics Technology Law Specialists” (QPTLS), and this specialization should be termed Quantum Physics Technology Law (QPTL) specialization.

Like many things in the life of Naavi, perhaps Naavi will be the first to describe himself as a Techno Legal Physicist or Quantum Physics Technology Law Specialist  (now in the process of graduation).

Even today, many lawyers ask me in cross examination in a Court, “Where did you get your Cyber Law Degree” to make you an “Expert”? I normally reply that “In 1998 when I started studying Cyber Law and in 2000 when I started Cyber Law College, there was no other university or college which was qualified to give Cyber Law degrees (at least in India) and hence my Cyber Law specialization had to be and is self acquired”.

Similarly, now I have to say that the new specialization of “Techno Legal Physicist” or “Quantum Physics Technology Law Expert”  will have to be a self acquired skill which I will endeavour to acquire through self study.

With this, I have a message to the cross examining lawyers who try to embarrass me in the witness box with questions that I do not have a law degree or a computer science degree and cannot call myself eligible to give evidence on computer aspects. They must remember that I have a Master’s degree in Physics with a specialization in nuclear physics, which itself makes me eligible to talk as an expert on law that depends on transistors and quantum mechanics.

However, I humbly submit that “Expertise” is a “Relative expression”. Knowledge is so huge that no person can call himself an “Expert”. One can be more an expert than the other in a given niche area and may be a novice at the same time in another aspect.

The description of an “Expert” under Section 45/45A of the Indian Evidence Act has to absorb the “Quantum Principle” that a witness may be an “Expert” and a “Novice” at the same time, and it is only when his knowledge is measured against a specific question that his “State” collapses into either “Expert” or “Not an Expert”.

Next time a cross examining lawyer asks me, “Are you an Expert?” “Do you know technology?” etc., I may answer, “I am an expert and a novice at the same time, like a Qubit being in the state of one and zero at the same time. You try to pose a question and I may collapse into either being an expert or not”.

The problem, however, is that the Judge may immediately say: Please do not argue with the counsel and put counter questions… answer Yes or No, not both…

Practicing lawyers specialized in court procedure may kindly advise me what the correct answer would be, given that witnesses cannot be in a quantum state and say “Yes and No” but have to be always in either the “Yes” or the “No” state.

In the wonderland of Quantum Cyber Law , a new specialization of Techno Legal Physics needs to be recognized to answer such questions.

Naavi