Naavi.org

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect. 

Naavi.org had been advising the the Privacy Activists who were opposing the PDPB 2019 that  it would be wise to accept the version of the Bill that the Government is ready to accept and later on work for improvements through amendments. We know that CCPA went through such immediate amendment and a similar approach could have been taken in India also with the experience of a simple legislation for an year or two. Unfortunately, the Privacy Activists conspired with the Tech companies and mounted an unreasonably harsh and false propaganda against the Bill which was not feasible for the Government to accept. It must be remembered that Government would have been the worst affected if the law had been passed as it was designed earlier since there would have been many cases that would have been mounted on the Government for personal data breach under various schemes just as the Arogya Setu app was once targeted. The attention of the Government would have been drawn to defending the cases including the charge that the law was ultra-vires the constitution and should be scrapped. The Supreme Court would have looked at the complaint seriously and would have made the life of the Government miserable.

Now, by withdrawing the Bill the Privacy Activists have lost and the Government has cleverly gained an edge. The Government now has some understanding of the agenda of the Privacy activists cum Andolan Jeevies and can plan the next version better.

I am reminded of a cricket scene where the intelligent bowler stops before delivering the ball to know what is the mindset of the batsmen, whether he would come forward, move to the off side, or move to the leg side, try a reverse sweep etc., and plans his next delivery. Similarly, the Government now has some idea of the vulnerable areas of the legislation where it will be attacked by the Privacy Activists Cum Andolan Jeevies and plan the next version accordingly.

The discussion on the Shape of things to come will factor in such possibilities since we need to facilitate a legislation in a balanced approach rather than hoping that we will find a “Perfect Legislation” that will be acceptable to all. Even if the Government presents a diamond, the andolan jeevies in India are in such a mindset that they will call it only “Compressed Carbon” and will not accept its value.

We can refer to the article in Indian Express titled ” Govt withdraws data protection bill to bring revamped, refreshed regualtion” dated August 4, 2022 to respond to some of the objections raised in support of the withdrawal and how they can be addressed in the next version.

The first concern to be addressed is for the Bill to be in line with the Supreme COurt judgement of 2017 particularly since Justice D N Chandrachud would be the CJI in the next term when the new version may be challenged in the Supreme Court.

The second concern is the “Certification of hardware” against malware recommended by the JPC.

Third concern is the Local Data Storage requirements which has been the main objection of the Tech industry.

In a similar article on August 6th  the data export restrictions were again cited as the main objection of the tech companies. In this article the possibilities of “Trusted Geographies” being identified was indicated. This is nothing different from the “Adequacy” status of the GDPR unless the Government comes up with some innovative way of establishing a “Data Union”, a concept which  we shall explore in greater detail. This was part of our recommendations to the JPC and will be elaborated later.

Another point of discussion is to drop the criteria of sensitivity for cross border data transfer and retain it only for penalties.

We need to discuss each of these points in greater detail and let us start with the first aspect which  is how to ensure that the legislation is in tune with the Supreme Court judgement.

One of the comments of the Aadhaar judgement that we should take note of is as follows:

“…it is held that all matters pertaining to an individual do not qualify as being an inherent part of right to privacy. Only those matters over which there would be a reasonable expectation of privacy are protected by Article 21”

This is relevant for the definition of the Right to Privacy that needs to be protected and also for the definition of “Personal Information”. In particular, whether “Meta Data” is data about a “Person” is a point of debate.

The first point to be addressed is

“Whether this law should also be the basic “Right to Privacy Protection Act” or restrict itself to “Protection of Personal Data in Electronic form Act”.

Right to Privacy as is understood is “Right to be let alone”. In the Kharak Singh case, it was discussed in the context of “Home as a castle” where “Physical Privacy” is recognized as a “Right”.

In the context of digitization of personal data, the “right to be left alone” can be disturbed by an SMS message or a WhatsApp message or an e-mail from the Internet space. Just as a person sitting at home may feel his privacy disturbed by the loud speaker in the neighbourhood blaring Aazaan, a person sitting quietly at home may feel his privacy disturbed by the messages on the mobile. Unlike the “Aazaan” issue, the “Message issue” is completely in the electronic domain and hence can be addressed through a “Data Protection Law” without the need to protect privacy in the non-electronic space.

“Non Electronic Space” is not limited to the paper world but also extends to the “Oral speech” as explained in the Aazaan example.

Infringement of Privacy through speech or paper documents is different from the infringement through electronic means.

It would be preferable that the Data Protection Law restricts itself to the Data Space and does not attempt to become a “Privacy Act” by itself. In other words it can be a  “Information Privacy Protection Act” only and not a “Privacy Protection Act”.

Also, “Privacy” as a mental state of an individual cannot be captured by a Data Fiduciary except as expressed by the individual himself. Hence the dependency on “Consent” for processing of “Personal Data” is critical and cannot be over ridden by an in-determinable responsibility of the data fiduciary to understand what is in the mind of the data principal and design his data protection measures accordingly. This could be an unreasonable expectation that may be beyond the prescription of law.

This thought makes a significant change to the approach of the law as it means that the concept of “Data Fiduciary” should be pushed back to that of a “Personal Data Manager” which is closer to the concept of “Data Controller” in GDPR. Dropping the “Fiduciary” duty of the Data Controller will weaken the “Protection of Privacy” but it would be more transparent to drop what cannot be legislated just to appear the law to be like an election manifesto of promises that cannot be kept.

Hence the scope of the Act should be limited to “Protection of Personal Information in Electronic Form” and nothing else. It should leave out the personal data in paper form or personal data infringement in oral form both of which should be in the domain of the IPC or a different “Right to Privacy Protection Act”.

Alternatively, the envisaged law could be divided into “Chapters” and one chapter may apply to “Protection of Right to Privacy in Non-Digital Space” and the other on “Protection of Right to Privacy in Digital Space”.  Other chapters (if one comprehensive law is to be framed) will include the “Security of personal and non personal data”, “Governance of personal data” and “Governance of Non personal data”.

The chapter on “Governance of Non Personal data” will include the recommendations of the Kris Gopalakrishna committee. Chapter on “Governance of Personal Data” will include the “Personal data collection, processing and disposal requirements as well as the special rights of data principals, the minor’s data etc”. It will also include the cross border restrictions.

Essentially the part of current data protection law with respect to “Security”, “Code of Practice” and  “Compliance” can be added in the chapter on “Security of Personal and Non Personal Data”. This chapter will also include information security aspects included in ITA 2000 such as the digital signatures, the CERT IN powers, the ITA 2000 compliance requirements etc. (These have been included in our Data Protection Compliance Standard of India already as a compliance requirement).

The telegraph act to the extent of “Digitized communication” automatically falls under the “information security” area and if parts of the Telecom Governance is to be bundled then it should appear in the “Governance of Non Personal data Chapter”.

The Crypto currency regulations are regulations related to Electronic document and can be covered under the Chapter on “Data Valuation and Monetization” which could be a separate chapter that can be referenced both by the Governance of Personal Data and Governance of Non Personal Data.

Along with these Chapters, a “Chapter on Preliminary” issues would be required where the definitions, scope etc could be added. This is also an  opportunity to extend this “Information Privacy Protection Law” to cover the “Neuro Rights” so that India leaps ahead of other countries in recognizing the need for “Neuro Rights Protection” as an extended concept of “Privacy Protection through protection of the individual choice including protection of manipulation of the individual choice”.

With these discussions, we are arriving at a “Chapterisation” of the New Data Protection Act at the top level leaving sub chapters for further focussed provisions.

The mapping of the chapters therefore looks as under.

Chapter I:

Preliminary (includes basic definitions, applicability related definitions, the Chapter structure, repealing of other laws, segregation of personal data, non personal data, Sovereign  Data, Corporate data, community data, Joint data, Transaction data, Neuro data etc,  limitations of application to non digital data   etc)

Chapter II:

Privacy Protection in Non Digital Data Environment

Chapter III:

Governance Framework for Personal Data

Chapter IV:

Governance framework for Non Personal Data

Chapter V:

Protection Framework for Personal Data

Chapter VI:

Protection Framework for Non Personal Data

Chapter VII:

Data Valuation Framework

Chapter VIII:

Residual Miscellaneous aspects if any

P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi.  Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.

Next article

Naavi

PayU is a significant player in the online payment settlement system in India. It was one of the earliest payment gateways and took over significant market share from CCAVENUE. However, of late some thing has happened to this Company.  It is not responding to customer queries the way a payment gateway should do.

Last time when I observed a similar development in an online web service company, it was NEt4India and eventually it went  bankrupt sinking the money of lakhs of its customers.

The regulators of India namely CERT IN and RBI could not identify the problem of Net4India and the National Company Law Tribunal did not understand the business of Net4India and allowed it to be liquidated without valuing its digital assets of over Rs 100 crores. (check for articles on this topic on naavi.org)

Now I am afraid that similar  problem may be in the making  in PayU.

I am giving below a series of twitter messages exchanged with PayUCare regarding a complaint of payments withheld by the company. It could be for renewal of KYC in the beginning but if it was only that simple, it should have been resolved by now.

Unfortunately the correspondence indicates that there is no follow up on the complaint and the internal systems must have failed and one department is not able to communicate to other.

There is also no other communication channel between the customer and the company where responses may be expected.

It is clear that the Twitter complaints are being responded to by a bot which is supposed to be driven by AI but it is an AI with no intelligence.

In this context it is only Twitter PayUCare which is atleast returning some acknowledgements. Otherwise there is no e-mail or phone on which the company can be contacted.  There is a so called “relationship manager” on e-mail who simply forwards the mail to his “team”.

A typical response from the relationship manager is captured below.

I leave it to the technology specialists to defend these types of Bots which are more an irritant and instruments of diversion of customer complaints than instruments of resolution of grievances. I am not sure if  even the e-mail is bot generated.

But, I want to highlight the failure of CERT-IN and RBI in maintaining a trustworthy regulatory framework for payments.

Under ITA 2000/8 it is mandatory for PayU to have a grievance redressal system and publish the name of the  grievance redressal officer along with his contact details.

This is a requirement under section 79 of ITA 2000. We expect CERT IN to raise this issue with Pay U. (My complaint  with CERT IN has already been made).

Further Reserve Bank of India also has a responsibility to ensure that all these Fintech Intermediaries follow certain basic principles of customer care including providing a proper contact point.

Normally these disputes are supposed to be resolved privately but I am placing this for open debate  because the company has not left any option to contact them, escalate the grievance to a higher level. Even the regulators are not alert to their responsibilities and I am sure that RBI is considering more licenses to PayU for expanding its footprint in the Indian FINTECH industry.

Let me see if this post opens the eyes of the company and the regulators. I hope my speculation that like Net4India, PayU is on a path to withdraw from Indian business does not turn out to be true.

Naavi

At last, on16th August 2022, the pending payment was received.

Naavi

Naavi.org has published scores of articles since 2013, explaining every negative aspect of Bitcoin and Crypto currencies and why it has to be banned. We have requested, urged, nudged and criticised every body in the Government including late Arun Jaitely, Nirmala Sitharaman, Amit Shah, Narendra Modi etc, besides the bureaucrats and even the Supreme Court for having not taken steps to ban Crypto currencies in the country. We have even chided and teased media including Arnab Goswami for ignoring this issue.

The lowest point in this battle was when the Supreme Court came up with what was termed as a “Strange” or “Fraudulent” judgement supporting Crypto  and striking down an RBI circular.

Finally we had resigned to the fate that “Corruption” has won over even Narendra Modi. It even appeared that the Ministry of Finance and Ministry of IT are coming together to promote Bitcoin when the JPC on Personal Data Protection Bill came up with a recommendation from no where that SWIFT should be replaced by Ripple .

Check out for different articles on Bitcoin in this site in this link

https://www.naavi.org/wp/?s=bitcoin

https://www.naavi.org/wp/?s=crypto

Just when everything appeared lost, Enforcement Directorate has come to the rescue of the country and suddenly there appears to be a realization in the Government of Modi and Nirmala Sitharaman that Crypto Currency is the “Currency of Criminals” and an instrument of money laundering.

Even Mr Arnab Goswami has taken note of the “Money laundering” in WazirX and has taken interest in speaking about the “Crypto Scam”.

Thanks to Enforcement Directorate which is investigating the Rs 1000 crore money laundering in the Chinese loan app fraud, now the media (at least Republic) has started saying “Crypto is a Scam”.

Now it will be increasingly difficult for Nirmala Sitharaman to continue her support to Crypto and find excuses.

Crypto Currencies are an epitome of all that is evil in the Digital World. It is the sustaining force for the “Dark Web”, the Cyber Crime funding and terror funding. It is the currency which all corrupt politicians have thrived on to accumulate their black wealth.

The FaceBook (Meta) with its crypto currency “Libra” and the emerging NFTs pose further challenges to the financial markets and we cannot still be confident that the Government will come up with a complete ban on Crypto currencies which is the need of the hour.

It appears that Arnab Goswami has become the last frontier to cross for Crypto Currencies which has even tamed Narendra Modi.

We need to keep our fingers crossed whether ED and Arnab together will succeed where Modi has failed and be able to defeat the Crypto Currencies or will be over powered by the power of global corruption and crime.

Naavi

In a significant move that has indirect relation to a discussion on “Privacy”, Government of India (Central Board of Indirect Taxes and Customs-CBIC), on 8th August 2022, Ministry of Finance notification no: GSR 621(E), has notified “Passenger’s Name Record Information Regulations 2022”

The salient points of the Regulations are as under:

• The Regulations require the operator of Aircrafts (i.e airlines) to transmit specified information electronically to the designated Customs System. Passengers are not required to individually submit any information to Customs, neither do they need to furnish any additional information to the Airlines on account of these regulations. Airlines are already collecting this information under the aegis of the Chicago Convention on International Civil Aviation.
• The data exchange between the Airlines and the Customs Systems is through the PNRGOV EDIFACT message format. This is a standard electronic message format endorsed jointly by the World Customs Organisation (WCO), International Civil Aviation Organisation (ICAO) and the International Air Transport Association (IATA) and is widely used internationally.
• Although some data elements included in the Regulations are available from other sources, the objective of these regulations is to obtain this data in advance of departure or arrival of the passengers for analytics by the Customs Risk Management System.
• The information collected is subject to strict information privacy and data protection and there are adequate legal and administrative safeguards built in. Processing of the information to reveal ethnicity, race, religious or philosophical beliefs, health etc. is strictly prohibited. Hardware and software necessary for data protection has already been envisaged. The information received is used for further processing only by a senior officer of the rank of Principal Additional Director General/Additional Director General.
• In normal course, the data collected is stored only for five years after which it is disposed of by depersonalisation or anonymisation. The Regulations provide for an extensive and independent system audit and security audit to prevent misuse of the information.

These regulations are meant to enhance detection, interdiction and investigative capabilities of Customs Authorities using non-intrusive techniques for combating offences related to smuggling of contraband such as narcotics, psychotropic substances, gold, arms & ammunition etc. that directly impact national security. This mechanism is being widely used by border management agencies of approximately 60 different countries.

This should help prevent the flight of criminals both of financial crimes and terror acts and hence is part of the National Security obligations.

In the context of the NPDAI the New Data Protection Act, this reflects an exception to be recognized under the National Security obligations. In our draft being built in the series of articles under the series “Shape of Things to Come-NPDAI x” we have provided the “National Security” as a duty of the Government under the Preamble and this notification goes with it.

Naavi

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect. 

In our previous article we discussed the desired scope of the proposed act in the form of the Preamble. The Preamble recognized the need for the law to recognize all the stake holders including the commercial business, Government, besides the individuals whose “Right to Privacy” need to be protected.

Let us now continue the discussions on fixing the ” Regulatory Structure” of the Act.

The JPC on PDPB 2019 effectively muddied the process of creation of the law by trying to merge “Protection of Non Personal Data” into the data protection law. This reflected the failure of the JPC to understand the technology of “Anonymisation” which was meant to segregate “Personal Data” from “Non Personal Data” so that different laws could address the two segments of data.

Going forward, the Government could complicate matters further by merging the exercise of updating of Information Technology Act 2000 (ITA 2000)  with the passage of the NDPAI. Further there are statements that Telecom Regulation and Non Personal Data Governance may also be combined into this same legislation.

While it is the prerogative of the Government to create a complex mesh of law that could actually render it in-effective , we shall try to identify different components of these laws as different Chapters so that some effort can be made to look at each law differently.

Currently ITA 2000 addresses both personal and non personal data in the following aspects:

a) “Legal Recognition” of electronic documents and authentication,

b) A support system for Digital Signature management

c) Legal System for addressing Contraventions leading to Civil Liabilities

d) Defining Cyber Crimes

e) Defining Cyber Security framework along with the role of CERT-IN and MeitY as the de-facto regulators

The Non Personal Data Governance regulation suggested by Kris Gopalakrishna Committee addressed the following aspects.

a) Adopting the definition of Non Personal Data as “Data” which is not personal under the PDPB 2019

b) Defining Data Business related to the processing of Non Personal Data and roles of different types of types of Non Personal Data generators and processors

b) Creating a structure for monetization of Non Personal Data and their trading

c) Creating a regulatory mechanism for governing the Act

In the process, the PDPB 2019 focussed on the following aspects.

a) Defining Personal Data

b) Prescribing norms for processing of Personal Data

c) Recognizing sub rights related to personal data processing for protection of the constitutional Right to Privacy.

d) Defining compliance measures required by the industry

e) Prescribing deterrent penalties

f) Creating a regulatory mechanism for governing the Act

Now if all these are to be combined into the same Act, we need to ensure that there is clarity for avoiding overlapping of regulations.

One of the main reasons for JPC to think of combining Non Personal Data and Personal Data into one regulation was that they did not want two centres of power in the form of two regulators. However, the role of PDPB was “Protection” while role of “Non Personal Data Governance Act” was “Commercialization of Data Business”. The two regulations required regulators with different mind sets and it was logical to have two different persons responsible for the same.

Just as in a company, the Chief Financial Officer, the Chief Marketing Officer, Chief Technology Officer has different mental attitudes and they contribute towards a balanced development of the company one with a cautious attitude, another with an aggressive attitude and yet another with an innovative outlook, the regulators of ITA 2000, PDPB 2019 and the Non Personal Data Governance need to combine together but maintain different outlooks.

If we try to bring these three different mindsets together into one regulator, then he is likely to skew towards one or the other responsibilities depending on his background and bringing harmony will be tough.

One alternative approach would be to create three sub regulators and a super regulator which if handled professionally could work.

We therefore suggest the Regulatory Framework as follows:

1. Regulator for Personal Data Governance (R-PDG)
2. Regulator for Non Personal Data Governance (R-NPDG)
3. Protection of Personal and Non Personal Data  (R-Protection)

In this model, the regulator for Personal and Non Personal data (R-Protection) would be a “Security Expert” and would not only address setting standards of Cyber Security for Non Personal Data but also the requirements of Security of Personal Data (as envisaged under Section 24 of PDPB 2019). CERT-IN can be provided this role and he can work under the Super Regulator.

The Regulator for Non Personal Data Governance is a marketing function and he would be responsible for the monetization of data which inter-alia will include the responsibility for defining the standard of anonymisation that segregates personal and Non personal data. He will be like the SEBI and regulate the “Data Exchange” and will work under the overall supervision of the Super Regulator.

This leaves the Regulator of the Personal Data which is the current function of the Data Protection Authority of India under PDPB 2019. In the new model, the primary role of this regulator would be ensuring that the “Principles of Processing of Personal Data and the Rights of Data Principles” are monitored in such a way that the “Right to Privacy” is protected in the information world. He will also work under the Super Regulator.

Currently there are some quasi judicial responsibilities which are entrusted to the “Adjudicators” both under ITA 2000 and PDPB 2019 as well as CERT IN outside the more formal judicial system of “Tribunals” which integrate with the High Court/Supreme Court system.

In the new model, it is recommended that a fourth regulatory position is created under the Super Regulator to focus on the “Adjudication ” alone. The adjudicator would adjudicate both on contraventions presently under the PDPB 2019 as well as under ITA 2000 and the emerging conflicts under the Non personal data governance. These will be set up in multiple cities and appeals go to a Tribunal with benches in different parts of the country and finally appeals landing with the High Court and thereafter the Supreme Court. The criminal justice system is left untouched and hence the  regulatory authority for criminal offences would continue to be the “Police”, the legacy judicial system.

The Super Regulator would be like the CEO in a commercial organization and would be assisted by a group of experts like a Board of Directors. This structure would replace the current system of Data Protection Authority of India with a Chairman and Six Members.

The Super Regulator would be multi member body like the CVC or CEC and supported by a Super Governance Board with appropriate checks and balances. The Super Governance Board may have even broader representation than the current Six member Data Protection Authority of India.

The structure may appear as follows.

Though the regulatory structure looks too elaborate, it would be essential for the type of complex legislation presently planned.

Next article

Naavi

[This is a continuation of the previous article in the series]

P.S: We are aware that the suggestions made in this series of articles could be completely ignored by the Government which says that it already has a draft in an advanced stage. Nevertheless, let us go through suggesting a version from our side so that Government can save time in completing its exercise. It could at least be helpful in finetuning the version of the Government.

We are also aware that Privacy law is a very complex law and it is not possible to satisfy all stake holders fully. It is for this reason that the framing of this law has remained pending for over a decade. 

The suggestions made here in are work in progress and may be modified and corrected with inputs from others. 

The stakeholders for this law are

1. Individuals whose Right to Privacy has to be protected 
2. Business Entities who process data for commercial purpose
3. Government agencies
4. Non Commercial organizations

The preamble of the Act has to capture the identity of the stake holders and the objectives of the law.

PDPB 2019 recognized the need to protect Privacy and fostering growth of digital economy. It also recorded the objectives as “Protection of digital Privacy” of individuals, facilitation of the “flow and usage of data”, protecting rights of individuals, laying down norms for social media platforms, cross border transfer, accountability of entities, remedies for unauthorised and harmful processing as well as to ensure the interest and security of the State, establish a data protection authority etc.

The Preamble needs to be reworded to properly capture the objectives of the Act without limiting the scope of the Act.

One suggested draft is as follows:

Where As, the Right to Privacy of an individual is a fundamental right of an Individual in the society, and it is the duty of the Government to protect the Right to Privacy in accordance with established international norms of countries respecting human rights,

Where As it is also the duty of the Government to effectively Govern the society  and  ensure Security of State, Security of individuals in the country, Maintain law and order as well as  harmony in the society, 

Where As for protecting the Right to Privacy  of an individual, it is necessary to protect personal data from unauthorized use causing harm to individuals,

Where As for protecting personal data of Individuals, an appropriate Data Governance mechanism is required to be established for ensuring that data is processed  in accordance with the need to protect the right to privacy of an individual without adversely affecting the the legitimate needs of Business and the Government or any other members of the society.

Be it enacted by Parliament ……

Next article

Naavi