Mumbai Police have rattled the Data Protection Law in India

The way Mumbai Police has handled the Republic TV case with

-the reopening of a closed case

-of what possibly was a murder and treating as a suicide

– bringing in the abetment link for a business contract dispute,

-deliberately misreporting the TRP report submitted by a market research agency to substitute one Channel to another

– arm twisting witnesses by visiting them in the night,

-bringing pressure on the research company to change its report,

-arresting the editor of a TV channel,

-moving him into a jail with criminals,

-assaulting, intimidating etc.,

is a Bollywood script which would have been a block buster movie and could have been titled ” Singham the new Don”.

This could perhaps qualify as a  human rights and freedom of press issue. However, since Human rights are normally available only for terrorists  and the freedom of press is only available to a privileged class of journalists only, this case is not perhaps eligible for the activists who are normally interested in taking up such issues and they remain in a self imposed silence.

We also presume that the hands of the Central Government are tied and the High Court and Supreme Courts which open their offices in the middle of the night to hear the Yakub Memoms, now want to enjoy their well earned week-end holidays and take their own sweet time to hear a case of this nature.

Since even Mr Subramanya Swamy or Mr Modi or Amit Shah have found themselves helpless in the matter, it is unnecessary for us to express any view on the matter.

We can only say ‘Jai Ho’ to our democracy which enables a party like Shivasena to win an election on the strength of their association with BJP and later associate with Congress, form the Government and do what it wants.

Our concern is only what does all this mean to the  Data Protection industry which we need to discuss.

Impact on Data Protection Industry

As we all know, there is a provision in laws such as GDPR that if the regulatory agency of a country finds that another country has acceptable data protection measures, then under the “Adequacy” clause, personal data can be transferred from the host country to the destination country without the restrictions otherwise imposed in this regard. As a result, in order to preserve the data processing business coming from the EU region, most countries strive towards meeting the requirements of GDPR to gain the adequacy status.

The reason why nearly 130 countries are passing personal data protection laws is that it is the first step towards gaining the attention of EU authorities to even make a claim to the “Adequacy” status.

But as we recently found out, the EU demands a heavy pound of flesh to provide the “Adequacy” status. Nothing less than an abject surrender and will satisfy the EU Courts as was indicated in the Schrems II judgement of the EU Court of Justice. In this case, the US privacy shield which was considered acceptable even by the EDPB was rejected by the Court. The reason was because it felt that the guaranteed assurances were unsatisfactory since the Ombudsman was appointed by the President of United States and the Intelligence agencies like FBI continue to have right of surveillance over the personal data transferred from EU for processing in US.

The EDPB suggested that Data Exporters in EU may get an assurance from the Data Importers through the Standard Contract clauses (SCC) in the agreement. But it must be recognized that a Data Importer of a country like India or US cannot sign a contract which is in conflict with the local laws made either by the Parliament of the country or enforced by the national security agencies.  Even if such terms are signed off in a contract, it will not prevent the local law enforcement authorities to invoke them ignoring the contractual obligations.

Hence there is no way any country can satisfy the EUCJ regulations on Data Importer’s obligations without picking up a fight with the law enforcement agencies in the local area, which has become an existential risk for the company.

It is here that the Mumbai Police has established a precedence that it is the supreme law making body in the country and not answerable to any body other than the party in power in the state. This will definitely be taken up as an argument against India in any international forum when required that in India, the local Police (not even the CBI) have the ultimate call on what data they want to ask from a company and for what reason.

Any outgoing employee of an organization or a contactor for whom the company refuses to settle dues because of any reason may commit  suicide and it is enough for that company to be in the radar of the Police for “Abetment to Suicide”.

It is time for all companies to scan their employee/contractor suicides and ensure that it does not point to any possible abetment charge.  This will be a new “Threat vector” that security professionals need to consider.

As a result of this Mumbai development, the “Adequacy” and “SCC” are unlikely to be of any use for Indian Companies to establish a case for transfer of personal data.

The only credible option is to ensure that there is an explicit consent from every data subject for transfer of personal data for processing into India for which the Data Controller has to take necessary measures.

Thus the developments have rattled the Indian position on data protection in the global environment and will set us back by a few notches in the “Ease of Doing Business”.

What JPC on PDPB can do

In order to safeguard the Indian data protection industry, one precaution that the Joint Parliamentary Committee on PDPB 2019 need to take is to prescribe in PDPA of India that

“any offence either under PDPA or under ITA 2000 or other laws against data processing organizations shall be investigated only by a central investigating authority like the CBI and NIA with the concurrence of the Data Protection Authority”

In other words,

“Data” should be declared as a new class of  “Asset” whose management and security does not fall under the jurisdiction of the state police.

The logic for this is that Data is an asset like “Spectrum” and is neither movable, immovable nor it is an intellectual property nor an actionable right.

Therefore, Data should be declared as a new and exclusive class of asset.

Just as there is a separate law for intellectual property, the Personal Data Protection Act should be regarded as the exclusive law for Data which which should be governed only under the directions of the Data Protection Authority.

This would mean that many provisions of ITA 2000 in respect of data related crimes should require permission of the DPA for the local police to investigate. This should be similar to the restriction that the local state Governments can impose on CBI investigation in the State which many of the states including Maharashtra, West Bengal etc have imposed.

Alternatively, ITA 2000 may be amended and Section 80 should be amended to make a “Central Cyber Crime Force” the sole police authority to investigate and prosecute Cyber Crimes.

Probably this will increase the efficiency of Cyber Crime management since all Cyber Crimes are inter state crimes if not international crimes.

This new definition of an asset class will be an innovative amendment that can be brought to PDPB 2019.

I hope JPC will take note.

What other State Governments like Karnataka can do

In the meantime, Naavi.org suggests that a progressive State Governments such as Karnataka, should undertake some special measures to provide assurance to the international data market that what happened or is happening in Maharashtra is an aberration and does not represent the way law is implemented elsewhere in the country.

We have to assure the international community that India is not a banana republic though Maharashtra has the right to be. We are a true federal democracy and tolerate states like Maharashtra as part of our democracy. We can assure that Karnataka is a “Data Angel” with special assurances for the data processing industry.

The least that can be done is for the state Government to give a press statement that what happened to the media companies like Republic and Hansa in Mumbai will never happen in Karnataka.

Along with such an assurance, the Government has to invite all those IT Companies like Infosys which were at one point of time unhappy with the Karnataka Government  and shifted their expansion operations to Pune to come back to Bangalore.

It is time to reassure the IT industry that Karnataka shall be a safe haven where data processing companies  that there will be no interference from the State in the day to day affairs of a commercial organization whether it is a media company or a data processing company.

This is therefore an opportunity for Karnataka Government and it should appropriately strategize to harness the opportunity.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.