Naavi.org

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.

If we look  back at the history of Privacy and Data Protection law in India, one of the stumbling blocks is that there are unreconciled controversies about the exemptions that the Government agencies are provided either for Governance or for Law Enforcement.

Even in PDPB 2019, the most contentious section was  Section 35 which was an enabling provision which empowered the Central Government to exempt any agency of the Government from the application of the Act. Though the power was within the “Reasonable Exceptions” under Article 19(2) of the constitution, the section was interpreted as providing disproportionate powers to the Government.

Additionally, another empowering section viz Section 92 was seriously opposed as if it provided extraordinary powers of oppression on the private sector by the Government.

In comparison, Section 36 (a) which addressed exemptions for law enforcement nor Section 36(e) which addressed exemption for journalistic purpose did not evoke opposition.

Though these discussions are now redundant, it is likely that similar objections would surface once again when the new draft is issued by the Government and they will also be subject to individual judicial scrutiny if it becomes a law.

In the new Data Protection law which is being proposed for discussion by us, we therefore suggest a simplification of the provisions related to the coverage of the law on Government bodies.

Since Right to Privacy is a fundamental Right under the constitution, there is a duty to the Government to protect the right subject to reasonable exceptions. This follows the judgement of the Puttaswamy case and is yet to be incorporated in any statutory law. This new law is an opportunity to convert the Supreme Court observations to a statutory provision.

However the more micro level specification of the obligation of the Government the law attempts to cover, the more controversies may emerge. Hence it is suggested that instead of a section like Section 35 or 36(a) or 92, the provisions related to the coverage of or exemption from the provisions of the Data Protection law for Government agencies may be summarized as a part of defining the scope and applicability of the Act.

A suggestion in this regard which can be improved by others is to introduce the following set of sections to cover the obligations of the Government in steps.

Step 1: In the first  section which specifies the Title of the Act and its date of applicability, the following can also be added

This Act shall be applicable to whole of India and shall also apply outside India to the extent necessary to protect the Rights of the Citizens of India and the interest of the Country as envisaged in the constitution of India.

With this, we are providing for the extra territorial application and deriving powers of legislation from the “Right to Privacy” as a fundamental right in the constitution and recording  at the same time that there could be other Rights of Citizens and Duties of the Government as per the Constitution. It will also keep the statutory obligations to the citizens of India and in national interests and any other extension of the provisions to non-citizens will be subject to the specific rights granted under this statute. The details will be covered under the provisions on “Rights”

Step 2: The fundamental objective of the Act is recorded by defining the purpose of the Act with the following section.

Protected Right

The right to privacy of an Indian Citizen  shall pe protected through due process set by this Act as an intrinsic part of the right to life and personal liberty as envisaged under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution of India subject to reasonable exceptions under article 19(2) of the Constitution of India.

With this section we are bringing the protection of Right to privacy into the statute in the words of the Puttaswamy judgement and providing the cover of “Due Process” for any exemptions claimed for right to privacy under the reasonable exception clause.

Step 3: We specify the obligations of the Government through the following words

Obligations of the Government

(a) All the Government bodies including the Government of India the Governments in States and Union Territories and every organization which is part of such Government or Union Territory shall have the duty to protect the Right to privacy of Indian Citizens in harmony with the Right to protect the life and liberty  as envisaged in the Constitution of India

(b) All such Government bodies shall institute reasonable and proportionate measures to meet the obligations of protecting such Rights.

(c) All such Government bodies shall designate a senior official to be responsible for compliance of the protection of the Right to Privacy and Right to life, property and liberty

(d) In the event of non compliance of the above, the designated person or in his absence the person responsible for the activities  in the subject Government body shall be liable for disciplinary action

(e) If the non compliance is associated with malicious intention, the person responsible may be liable for punishment under appropriate criminal law.

The sub section (a) defines the obligation of the Government as a “Duty” under the constitution and hence does not need any further elaboration in the law as to whether Consent is required in certain circumstances and not in others etc. This should cover even the law enforcement requirements of the Police, ED, CBI etc.

Any action of the Government which is in dispute will be a subject matter of a writ petition and hence in any case of dispute the Court can also decide about whether the action of the Government was within the powers of the constitution.

Even if a section like Section 35 of PDPB 2019 is written down, it will be challenged even before the adoption of the law itself. The suggested section protects the law being questioned in the Court until there is some specific action initiated by the Government.

Perhaps it can still be questioned for “Vagueness” but this vagueness is directly linked to the Constitution and nothing different from the vagueness prevailing now where there is no statutory provision on Right to Privacy and we need to depend only on the interpretation of the Supreme Court judgement.

Under sub section (b) all compliance measures are suggested without going into details such as whether DPIA is required, whether Privacy by Policy document is required etc. The Ministries will have flexibility to define their own “Reasonable Measures”. In PDPB 2019 this discretion was available under section 50 (Code of Practice) and the same is provided here in another manner.

Under sub section (c) a provision to bring accountability to an officer is indicated so that the head of the department may be freed from the liabilities unless no such designated person is appointed as Compliance officer.

Sub sections (d) and (e) prescribe the sanctions that can be imposed on the officials for negligence and where there could be malicious intentions.

This provision means that the Data Protection Authority need not impose any penalty upto Rs 5 crores etc. If there is a compensation payable to a data principal it can be provided by the adjudicator and the Government may be asked to pay. But one Government officer (Data Protection Authority) imposing an administrative penalty on another Government officer (Secretary of a Government department) need not arise. Under the provisions of PDPB 2019, such penalties are collected from the Government and again credited back to the Government which has no meaning and therefore can be avoided.

Having thus defined the obligations of the Government, the rest of the Act may focus on “Obligations of Non Government Organizations” where the compliance measures such as Privacy by Design Policy, Notice and Consent, DPIA, DPO, and Data Breach Notification etc can be specified.

The Grievance redressal for the data principal through Adjudication and Appellate Tribunal may still consider the Government body as a party and claims of compensation under Section 65 of the present PDPB 2019 may continue to be protected even against the Government body as the Data Guardian/Fiduciary.

The above is a suggestion for consideration by other experts. It has been made to simplify the applicability of the law to Government organizations and ensure that the problems that may arise  from them donot become a stumbling block to the passage of the law.

Naavi

P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi.  Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with. 

Ministry of Communications had announced that a new Telecommunication regulation would be introduced in the country along with a revised ITA 2000 and revised PDPB 2019.

Accordingly, the Government has released a draft and public can send comments before October 20, 2022.

Copy of the Bill is available here:

An Explanatory note is available here:

Comments can be sent by e-mail to : naveen.kumar71@gov.in

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.

Applicability of any law is generally limited to the jurisdiction in which the law making body has the power to legislate. Hence every sovereign Government has the power to make laws within a given jurisdiction.

In some countries there is a federal governance system and there could be multiple sub geographical areas where law can be made independently while the federal law may apply to all such sub units.

For example the Union of India or USA or EU can make federal law applicable to the entire country of India, United States of America or all the EU member countries etc.  At the same time individual States of India may have certain powers to make laws for Governance activities listed in the state list or concurrent lists. Similarly the States of USA such as California or New York or Colorado or Connecticut can make laws applicable within the state. So also the individual members of the EU which are countries in their own right can also make laws for their countries.

Some times the Federal laws and State laws may over lap and create compliance confusions. It is for the law makers to avoid such confusions by incorporating suitable explanations in the law.

One distinct take of this law making principle is that India cannot make a law applicable in EU and EU cannot make a law applicable in India. However in certain circumstances, if the activities of a resident of a foreign country could lead to an adverse impact on a local resident, the local Government can add “Extra Territorial Jurisdiction” in its law and say that the law is also applicable for activities outside the jurisdiction of the law making body.

This extension of the jurisdiction has been used in laws like GDPR where it is provided that if the personal data of a EU citizen is processed outside EU for profiling a EU citizen/resident or for carrying on targeted business with the local resident, then GDPR is applicable to such processing.

Some times organizations which are constituted subject to laws in a particular country represent the country and its activities outside the country, need to be monitored by the Government of the resident country of the organization in order to ensure that its citizens (individual or corporate) do not become an embarrassment to the country.

In view of the above, while defining the applicability of law such as the data protection laws, we normally consider

a) What is the type of data and what activity related to such data  to which the law is applicable.

b) What type of organizations and their place of constitution to which the law is applicable

c) Whether the law is applicable to organizations constituted and operating outside the law making country and if so under what conditions

While PDPB 2019 followed the GDPR and stated that the law is applicable for “personal data” when collected, or processed in India, it also extended the law on the basis of companies constituted in India for their global operations and for foreign entities who could remotely process the data of Indians for profiling and for targeted business.

In these circumstances, it is necessary for us to remember that all laws are basically applicable within the country of origin of the law and every extension to this basic principle is an exception and should be read with the conditions attached.

Also when we speak of a duty to pass a law as part of Governance responsibilities, the duty is to the citizens of the dominion. Any extension of this to the “Non Citizens” is also an “Extra-territorial application” considering the category of people to whom the law is applicable as a “Territory”. Hence when the law says that data protection law is applicable to “Residents”, it can be made conditional and the remedies available to a resident who is not a citizen could be different from a citizen though such differences could lead to charges of “Discriminations” based on racism.

However, as long as the differences are logical and  have a purpose, they can be justified. One example is the Indian law of CAA which gave some different treatment to immigrants based on whether they are Hindus/Sikhs/Jains or not.

Laws may some times overlap not only because of the territorial reasons, or citizenship or residential status but also on the material scope such as ITA 2000 being applicable to both personal data and non personal data while PDPB 2019 is applicable only to personal data.

One of the challenges in designing the New Data Protection Law in India is to consider if we can reduce the potential overlapping of the laws by being clear about the “Applicability of law”.

Most data protection laws often state that the “Notice given to a data subject/Data Principal should be clear and precise”. Similarly the citizens have the right to expect that the law itself is as much clear as possible at least regarding its applicability though on other aspects, interpretation may be inevitable.

The argument made by one of the justices (Justice Chelmeshwar) in the Puttaswamy judgement that ” ..there is no need to define Privacy to create liability on organizations to protect privacy” is not an ideal way to handle law making. It is with such approach that today every day to day operational notification of a company (eg UIDAI tender to appoint an agency for social media monitoring and IRCTC tender to study the monetization prospect) is referred to the Supreme Court besides the notifications issued by ministries, converting the Supreme Court into a sub executive body rather than a separate judicial body.

We therefore try to define applicability of the New law by defining Privacy, Data, Roles of different stake holders properly. Once an organization or an individual understands clearly that the law is applicable to them, it becomes easy for them to consult experts on how to be compliant. If the stake holders are in doubt about the applicability then they tend to remain non compliant by ignorance or mis-interpretation.

In the new Data Protection Act, one option is just to adopt the current PDPB 2019 provision of Section 2 according to which the law will apply to “Personal Data” of “Natural persons” processed by any type of juridical entities constituted in India (Companies, Government, Partnership firms, associations of persons and also individuals collecting data for business purpose) with exceptions of foreigner’s data processed in India (Erstwhile Section 37).

While this would be a straightforward approach and would suffice with the addition of “Exemption for processing of personal data of foreigners in foreign locations also” on the lines of Section 37, we would like to explore if it is possible to adopt a different approach to define applicability.

In all laws, we define the applicability and then define rights  and obligations  of the stake holders to whom the law is applicable. What we are trying to explore is whether it is possible to define the rights and obligations first and then all those who have those rights or obligations will automatically be considered as coming under the applicability of the law. This may also re-define  the chapter on “Cross Border Restrictions or Data Localization” which becomes exercising of the rights of the data principals rather than a compliance imposition by the law enforcement agency.

This approach is radical and needs deep thinking. We shall debate this both here and also in the IDPS 2022. In the meantime, please do share your thoughts.

Naavi

P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi.  Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with. 

A report in businessleague.in (To be confirmed independently) suggests  that SBI plans to introduce a mandatory customer ID card which will be required for deposit and withdrawal of money from accounts. This will be perhaps in addition to the Debit Card and Credit Card issued by SBI and will function as a “Unique Customer ID Card”. Soon we need not be surprised that every Bank may issue their own Unique Customer ID Card since this move is expected to raise Rs 900 crores to SBI from no where. Other Banks are unlikely to give up such windfall gain if possible.

These “Green Cards” are expected to be priced at Rs 20/- and will be in addition to the  annual ledger maintenance charges and specific charges on Cheque book issue, ATM withdrawal etc.

I am not sure if there will be a “Bank Entrance Fee” shortly to be introduced by some innovative Banker since no Bank wants its customers to come into the Bank premises if possible.

SBI has about 45 crores and in one master stroke, SBI plans to raise Rs 900 crores revenue through the issue of “Customer ID Cards”. Compared to the PAT of Rs 30,000 crores the revenue generated by these new cards is about 3%. If this adds to the bottom line, the EPS will go up and correspondingly the share price has to go up by at least Rs 20/- solely on this decision.

There is also another angle to this customer loot. At least 5% of the cards may get lost and renewed each year and hence along with issue of cards to new customers the scheme promises a perennial income to the Bank.

In the process just like the Aadhaar Card, PAN card, Kisan Card, Health Card, etc, customers need to carry one more card namely the SBI Green Card. (may be one such card for each of the Banks where they maintain accounts). Since all Bank accounts are already linked to both PAN cards and Aadhaar cards the new card is a redundant ID card with limited use. At the same time it will pose the risk of identity theft, loss of identity and frauds related to the mis-use.

However this is an innovative “Data Monetization” scheme by SBI which should be appreciated for its ingenuity.

It would be better if RBI clarifies the logic for charging money for this card even if it was required to improve the digital administration in the Bank. This cost should be absorbed by the Bank as part of its administration cost. Hope RBI will look into this.

Naavi

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.

The honourable Minister of IT, Sri Ashwini Vaishnaw in an interview yesterday has indicated that

a) a new Telecom Bill will be introduced in the next 8-10 days to replace the archaic 1885 laws

b) Drafting of the bill to replace PDPB 2019 is practically complete and will be very soon uploaded for consultation and re-introduced in the Parliament in the budget session (February 2023)

c) Protection of online users will be covered in a new draft of the Information Technology Act with greater accountability among social media platforms for content that is being published.

It appears that both the revised Telecom Bill and Revised PDPB 2019 may be presented in draft from for public comments soon. Revised ITA 2000 is a more complicated exercise and the Government may immediately focus on getting a proper revised version of the Intermediary Guidelines that covers Digital Media.

In our attempt to design a New Data Protection Act (NDPAI) for discussion during the IDPS 2022 (Indian Data Protection Summit 2022) due in November 2022 based on the earlier statements of the MeitY, we had considered the possibility of a new law which combines the Governance and Security of Personal and Non Personal Data.

We had identified eight chapters in the law where chapters on Preliminary, Data Valuation Framework and Miscellaneous issues were common to both Personal and non personal data.

Chapter II was envisaged for creating the statutory law for recognizing the Right to Privacy in non digital environment so that the rest of the law could focus on “Information Privacy”

Chapters on Governance and Protection of Non Personal Data were meant to replace the ITA 2000.

We now await the new draft for Personal Data Protection which the minister has promised to produce soon. If the Government has to collect public comments and introduce it in February 2023, the  draft has to be released in October 2022.

We may continue our discussion and suggestions awaiting the draft and synch it with the draft when it is presented.

In this article we shall discuss the definition of the scope of the Act.

The scope of PDPB 2019 was defined under Section 2 and included 4 provisions. As per this section the Act would apply to

(a) the processing of personal data where such data has been collected, stored, disclosed, shared or otherwise processed within the territory of India;
(b) the processing of personal data by  any person  under Indian law;
(c) the processing of personal data by data fiduciaries or data processors not present within the territory of India, if such processing is—

(i) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
(ii) in connection with any activity which involves profiling of data principals within the territory of India; and

(d) the processing of non-personal data including anonymised personal data.

The act was indicated as applicable to non personal data but only the following provisions could be attributed as applicable to processing of Non personal Data

i) Reporting of  data breach of non personal data to the data protection authority under this Act,

ii) Empowerment to direct any data fiduciary to share non personal anonymised data,

ITA 2000 on the other hand applied to all kinds of data and addressed issues of “Cyber Crimes” both with personal data and non personal data. Hence the scope of ITA 2000 was comprehensive and PDPB 2019 could only carve out some specific aspects of ITA 2000 (eg: Section 43A) and frame a separate law. The overlapping of ITA 2000 on PDPB 2019 and therefore the powers of the CERT IN over the DPAI became a difficult legal problem to sort out.

We may presume that the Government realized this conflict between ITA 2000 and PDPB 2019 and took the bold decision to withdraw the PDPB 2019 despite the embarrassment that the withdrawal caused to the country in the international circles.

Now it remains to be seen if the  Government vindicates its objective of withdrawal by framing a law which segregates the “Governance of Personal Data and Non personal Data” effectively between the new personal data protection act and new information technology act or under a combined act.

The “Protection  of Data” from unauthorized access, modification or access (CIA principle) applies both to personal data and non personal data and hence can be considered as a common requirement for both  personal data protection and non personal data protection. Additionally the data principals (owners of personal data) were recognized to have some “Rights” such as Right to Access, Right to Correction, Right to Portability, Right to Forget, Right not to be subjected to personal data processing without a legal basis, Right to withdraw consent, Right to Grievance redressal, Right to minimal collection, Right to minimal retention, Right to information about  processing before collection, (Notice).

Personal Data Protection recognized these “Rights” as an interpretation of the “Right to Privacy” extended in the form of “Information Privacy” where the “Ability to chose how the personal data of an individual could be collected and used is regulated. But ITA 2000 did not mention the “Right to Security of a Citizen” except through definition of “Cyber Crimes and Contraventions” and prescribing penalties. Each of the punishable offences or contraventions could be considered as a “Right of a Citizen against misuse of Non personal data” though the clarity was absent. Prevention of Cyber Crimes were looked at more as an obligation of the law enforcement duty of the Government rather than “Protection of the Right of Security of a Citizen of the Country”.

I feel that we now have an opportunity to define the “Duty of the Government” to provide Cyber Security by guaranteeing the “Right to Security” along with “Right of Privacy” in a single legislation.

In the NDPAI-Shape of Things to Come, we are therefore suggesting that “Rights” be defined of the Citizens of the Country in such a manner that any mis-use of personal or non personal data shall be protected. This obligation is only to the citizens of the country. Rights of “Other Residents of the country” including foreigners on transit for travel or employment must be defined separately and exclusions temporary or permanent must be added to illegal migrants, terrorists, convicted criminals and accused criminals subject to checks and balances as permitted in the constitution.

The current definition of “Scope” of the PDPB 2019 revolves around “Data” whether it is personal or non personal whether it is processed by an Indian organization or foreign organization and whether it is processed in India or outside India.

Even the GDPR defines the scope in terms of a mix of Material scope, Territorial scope and subject matter scope. In this mix, people forget the subject matter scope which says that the regulation is “relating to the protection of natural persons” . Everything else including the regulation of what is called “Personal Data” is incidental to the protection of the natural person.

In view of the lack of focus, we normally consider that the basic purpose of GDPR is to “Protect Personal Data” and derive many of our compliance requirements ignoring that the core objective of GDPR is to protect “Natural Persons” and the scope is limited by international jurisdiction to “Protection of Natural Persons who are the citizens of EU”. Extra territorial jurisdiction is only in “Hot pursuit” of the protection of the rights of the citizens.

GDPR does make reference to “Residents of EU” and try to protect them under GDPR. This is more an obligation in recognition of human rights on a global scale and not necessarily as a duty under the EU Constitution.

India can chose to also protect certain rights to legal residents of the country as a part of its global obligations. But instead of mixing up these rights with the rights of citizens, it is better to define it exclusively.

Hence we need the NDPAI to recognize

a) Rights of living natural persons who are recognized citizens of India 

b) Rights of living natural persons who are recognized citizens of a sovereign country recognized by India under authorized residence in the territory of India 

c) Rights of deceased natural persons who were recognized citizens of India

d) Rights of deceased natural persons who were recognized citizens of a sovereign country recognized by India under authorized residence in the territory of India

We therefore suggest consideration of defining the scope of the NDPAI with reference to protection of rights of natural persons on the basis of their citizenship and define the territorial scope, material scope etc with the core objective of protecting the rights of the Citizens. This would meet the constitutional obligation which the Supreme Court also highlighted in the Puttaswamy judgement. Definition of Rights in this context will automatically fix the scope of the law.

We may recognize that the term “Data Principal” in a personal data protection context may refer to persons with a right on a personal data set which includes “Guardians” of minors or Data Fiduciaries/Consent managers with contractual right to manage and monetize.

In the context of non personal data, data is owned by an organization or an individual and any mis-use affects another individual or an organization indirectly as a victim of cyber crime. The individual victim of a cyber crime always has an involvement of his personal identity being in some way compromised. Hence Cyber Crimes against individuals can always be considered as crimes under Personal Data Protection Act.

Since “Corporate entities” are not protected with a “Right of Privacy”, their right to protection is in the form of right to carry on business without disruption etc. The Non personal data protection act needs to protect such entities who are not “Natural Persons”.

Similarly deceased persons may not have all the rights of a Citizen and hence must be covered separately. So also are “Residents who are not Citizens” whose rights  are to be considered separately.

In the  case of Non personal data, we can define a term “Data Guardians” who are custodians of data and are the “Data Fiduciaries” in that context. In our earlier article on the roles, we discussed the role of a data fiduciary as “Data Manager” taking into account the possibility of profiling and monetization. May be the term “Data Guardian” is a better proposition which covers the Data Controller, Data Fiduciary, the Consent Manager and Data Processors.

Within this category of Data Guardian, different classes as “Personal Data Guardian” and “Non personal data guardian” can be identified.

In this approach we can define the applicability of the Data Protection regulation in terms of the end stake holder who is either a Data Principal or a Data Guardian and what rights of these stake holders are protected.

Data Principal is given protection of his Right to Privacy and the subordinate rights such as Right to access etc. Data Guardian has the obligation to meet the compliance requirements. Right to Security is applicable both to the Data Principal and the Data Guardian if they are citizens of India or established under the Indian law or otherwise carrying on activity in India as a resident.

We may therefore re-write the Section 2 of the PDPB 2019 appropriately.  The exact drafting of this “Scope Section” will be attempted in a follow up article.

Open for debate… Send your views. Those who are willing may contribute a video recording (not exceeding 5 minutes) on how do we define the scope of the New Data Protection Act of India, for being carried in IDPS 2022 (Expert View Section)

Naavi

P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi.  Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with. 

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.

We have been discussing the need for Protection of Privacy Rights to be augmented to protection of Neuro Rights (The series of articles published in this site are also collated at www.neurorights.in).

So far the discussions have been related to the “Brain Computer interface” through electro magnetic radiation that would bring chemical changes in the brain cells leading to specified neuron activity.

The human brain is said to function with “Brain Waves” which are electro magnetic waves which function in a certain frequency range (or wave length range which is in inverse proportion to frequency) as below.

Externally there are radio waves, Cellular mobile waves and other frequency waves that we come across in the atmosphere. These waves are at a higher wavelength.

5G spectrum which we often hear are in the frequency range of 1GH to 6 GH. (One megahertz (MHz) equals 1,000,000 Hz. One gigahertz is equal to 1,000 megahertz (MHz) or 1,000,000,000 Hz or 10⁹ hertz. In wavelength terms, 1GH is approximately 0.299 metres).

We have heard that radiation from mobiles, mobile towers as well as microwave ovens do affect human brains.  Though human body system is tuned to receive certain signals and ignore certain signals the fact that “electro magnetic” is the nature of human brain activity and also the activity of other devices including computers.

The “Brain-Computer interfaces” involving electrodes fixed on top of human skull or chips inside the human skull have gone past animal experimental state and are in advanced state of adoption in our common life. Binaural beats used in music technology is an example on hand.

Current demand for Neuro Rights protection is based on the possibility of manipulation of human brain with implants and other external stimuli which are perceivable by human sensory organs.

Now a new requirement seems to be emerging with scientific developments which indicate the possibility of manipulation of human brain activity without implants and outside the human sensory organs. In other words certain waves which are not heard by our ears or seen by our eyes can be used to manipulate brain activity.

The Privacy concepts such as “Right of Free Choice”, “Expression through a written consent” etc loses meaning when some body can make a human think as per his wish. This is not in the realm of hypnotism or other known forms of psychology through external stimulation. This is a completely new method of intervention of human brain that escapes regulation in any of our known laws.

A serious thought is therefore required to discuss whether our proposed new data protection law should incorporate “Neuro Right Protection” . This will be a point of discussion that  may come up during the IDPS 2022.

In our suggestions we added “Neuro Privacy” as a category to be addressed by  this new law along with other three forms of privacy namely the Physical privacy (non interference in physical terms), Mental Privacy (Right to be mentally left alone) and Information privacy (Right to manage the use of personal information).

We defined neuro privacy as

(c) “Neuro Privacy” means the choice of an individual to determine to what extent the individual may share his neuro space with others

Perhaps for the purpose of the Act this would suffice. But when it comes to “Reasonable Security to Protect the Neuro Privacy” or “Neuro Privacy by default”, the rules need to address how the neuro intervention devices are regulated.

In one of the recent researches it is contended that “Micro waves” are being sent from drones in an US experimental site and the target population are experiencing mental harassment due to the experiment since they seem to be hearing things.  Patents are being claimed for “Microwave Voice to skull technology”.

This patent describes it as an

“invention relates to a hearing system for human beings in which high frequency electromagnetic energy is projected through the air to the head of a human being and the electromagnetic energy is modulated to create signals that can be discerned by the human being regardless of the hearing ability of the person.”

The patent applicant claims

” I have discovered that a pulsed signal on a radio frequency carrier of about 1,000 megahertz (1000 MHz) is effective in creating intelligible signals inside the head of a person if this electromagnetic (EM) energy is projected through the air to the head of the person”

Just as inputs to computer can be given in the form of key strokes or voice commands, in future, Brain-Computer interfaces may operate with sound waves instead of through  a remote computing device.

It is this sort of developments that need “Neuro Rights” to be defined now though we may need time on making rules to regulate the protection of Neuro Rights.

Psychiatrists seem to be ignoring the possibility of human brain activity manipulation through sound waves and dismissing the claims of some people in the alleged experimental area as a kind of neurosis.

Watch out for IDPS 2022 where we may take this discussion further… Provided there are speakers who can share their thoughts.

Naavi

Reference

Patents : Google Patent on Prevention of abuse which inter-alia provides information on other patents on the remote monitoring of human brains in China and elsewhere

News Report..Video below

Introduction	2. Preamble	3.Regulators
4. Chapterization	5. Privacy Definition	6. Clarifications-Binary
7. Clarifications-Privacy	8. Definitions-Data	9. Definitions-Roles
10. Exemptions-Privacy	11. Advertising	12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data	14. Automated means ..	15.Prevention of Data Laundering-Policybazaar data breach
16. Should neurorights be recognized?	17. Types of Consents	18.Cross Border REstrictions on Transfer