Binaural beats and Neuro Rights

For a long time, many have argued that there is power behind the chanting of Mantras. Though the mention of “Mantras” immediately invokes a religious feeling and triggers a “Flight Response” in some individuals, everybody will agree if we say “Music” has an impact on the human brain.

The principle these thoughts represent is that “Auditory Impulses” of a certain kind can interact with the human neural system. This could be a positive effect that calms the brain in a stressed situation, or it could even excite the brain. The “War Drums” and “War Trumpet” were perhaps designed to trigger an excited response from the soldiers, while “Om” chanting or Gayatri Mantra chanting could de-stress and create positive brain energies.

Neuroscience is discussing “Binaural Beats” and their effect on sleep, therapy, meditation etc.

The concept of “Binaural Beats” is that when two tones of slightly different frequencies are played in separate ears simultaneously (say through headphones), the human brain perceives a new third tone whose frequency is equivalent to the difference between the two tones played.

For example, if a person hears tones of 410 Hz and 420 Hz in different ears, he would hear a binaural beat with a frequency of 10 Hz.

Such an effect is also seen in visual perception when an “Optical Illusion” is created in an image consisting of a series of bright and dark spaces.

Binaural beats are said to provide many benefits in meditation, lowering of stress etc. It is said that in order to produce a binaural beat, the two tones sounded in the ears must both have frequencies below 1,500 Hz with a difference of no greater than 40 Hz between them.

The effects of the binaural beat will depend on its frequency and the corresponding brain wave. For example, a natural beat with a frequency between 4 and 7 Hz is more likely to align with theta brain waves, promoting sleep and relaxation.

Probably this alignment of the beat with the brain waves is behind the addiction of our youngsters to headphones.

There is however a need to research if the binaural beats have any harmful effect also.

In the context of “Neuro Rights”, we can infer that if there is a phenomenon of “Binaural Beats” and certain music can create modification of brain waves as a result, it is a subject matter of Neuro Rights regulation.

Naavi

Posted in Cyber Law | Leave a comment

Should “Profiling-per-se” and “Misuse of Profile” be distinguished in Privacy law?

All privacy laws from GDPR to DPA 2021 define “Personal Information” (PI) and a need to “Protect Personal Information”.

In defining PI, the popular definition is that any information “about” a living human constitutes PI and should be subject to some regulation such as valid consent for processing etc.

Additionally, most laws also provide that “Creating a Profile” constitutes a “Data Processing activity” that needs consent, and that the generated “Profile” is also part of the “Personal Information” which the data principal has a right to control. The right of data portability extends not only to information provided by the data principal to the data fiduciary during the collection process but also to the profile created by the data fiduciary.

The Cambridge Analytica dispute was centred around the use of personal information to create a political profile for the purpose of targeted advertising. Recently, I came across an article arguing that “We should stop automatic profiling of people”. Though this was in the context of an organized data processing activity, the article triggered some thoughts to indicate that this principle that “Profile” is part of personal information and is protected under privacy laws as an asset of the data principal requires a larger debate.

I am aware that this is a contrarian thought and is presented for the purpose of academic debate. It is not to be construed as an interpretation of the data protection law, which by popular interpretation considers “Profile” to be part of the personal data that needs to be protected by consent or legitimate interest. It is also subject to the right of portability and right to forget irrespective of the intellectual property rights associated with the creation of the profile, though the principles of anonymisation may be used for profiling of a group of people without violating the principles of privacy.

“Imaging a profile” is a fundamental and natural reaction of the human brain to the stimulus of any observation. This is part of the “Fight or Flight” response triggered in the human system. The first step in this fight or flight response is to understand the behaviour of people in a particular situation, which includes “Profiling”, whether it is correct or incorrect. If the inference creates a danger perception above the threshold, it triggers an action potential for fight or flight. Otherwise it is recorded for further processing. When the behaviour is repeated the next time, the brain may interpret that this person is habitually of a particular behavioural trait, and if that trait is not considered desirable, the brain triggers a “Mild fight or flight response”.

Thus “Drawing Inference” from any observation is a natural human trait and if it is absent we call a person un-intelligent or even an idiot.

The same tendency, when carried out by software, is considered “Profiling”. In this case the inference may lead to targeted advertising, the same way human inference of a person as friendly leads to opening up a conversation.

Considering that this “Inference” is a natural human trait, banning it through the privacy law is an unnatural inhibition on the human tendency and is unlikely to be effective.

On the other hand, any misuse of information causing harm to the individual, whether through profiling or not, can be considered a “Civic Wrong” and be subjected to punishment.

We therefore need to debate whether “Profiling per-se” is bad in law or “Misuse of Profile alone is bad in law”.

It is therefore sufficient if privacy laws distinguish “Profiling per-se” and “Use of Profile” and do not consider “Profiling per-se” as a “Violation of Privacy Right per-se”, while the misuse of a profile can continue to be considered a punishable act.

Comments are welcome.

Naavi


TRAI thinks ahead of RBI and DPAI

In a highly laudable move, the TRAI has mooted the idea that Caller IDs linked to KYC information should be displayed when a person receives a call on a phone device.

In effect this would substitute the True Caller service, where True Caller displays the popular ID of the caller as it gathers from different members over time.

The True Caller system was useful to avoid spam calls but was not accurate. It could lead to caller ID not being available for new SIM registrations. A number could also be wrongly tagged, either positively or negatively, if a few persons acted in tandem. The True Caller system was also a Privacy Nightmare since it collected third party information for which there was no privacy consent.

On the other hand, MSPs already have KYC data for all Indian subscribers, and if this database is linked to the incoming number display system, the receiver of the call could see both the incoming number and the registered name.

Some refinements may however be required, whereby the disabling of caller ID display should be prevented and a secondary user name should be available to the user so that the owner of multiple numbers could designate the secondary user’s name to be displayed. For example, if the head of the family wants the Phone/SIM to be used by his wife, children or other family members, the caller ID may be allowed to be displayed with the primary name fed from the MSP database while the secondary name may be a variable at the discretion of the user.

The verifiability of the caller ID will go a long way in preventing Vishing frauds, particularly when OTP is collected by fraudsters through impersonated calls. Hence the measure would substantially help the Bankers in avoiding the Phishing Risk, particularly after the introduction of the limited liability system.

It was surprising that RBI never thought of such a provision from its own concerns since this is likely to make even the OTP system more robust and avoid the SIM cloning frauds.

The Data Protection Law as envisaged today and the provisions under the Intermediary guidelines under ITA 2000 have suggested that the option of “Verifiability” has to be provided to all Indian subscribers of messaging services and, once verified, the verified name has to be displayed along with the message.

The TRAI has pre-empted the move for MSPs and we hope this does not remain a suggestion only on paper but is introduced shortly. We should expect that the Telecom giants will oppose the move and cite Privacy Concerns. However, there is no privacy issue here since it is the duty of the caller to identify himself with the called. It is the right of the called to know who is calling before he picks up the call since “Call” is a “Transaction between two parties and both have to consent to talking”.

As a logical step, TRAI has to extend this provision to Gmail and other email service providers so that phishing over e-mail is also prevented.

Further, MeitY should extend this to all domain name registrars and ensure that the identity of domain name owners is made available on demand since fraudulent websites hide the identity of the registrants and escape the reach of law.

Once again, Congratulations to TRAI for the initiative. Kindly carry it through to implementation.

The move should be welcomed by all genuine business houses since they would like to interact with their customers on an identified basis. Today Banks are unable to have telephonic conversations with their customers since the moment a person says “I am calling from ……Bank”, we disconnect. Genuine business calls are therefore missed. Even when we need to call a friend, we have to take care to send him a message first that “I will call you shortly” and call only thereafter. These inconveniences are prevented by this measure.

Naavi


Calling the attention of Neuro Rights and Neuro Tech Professionals in India

FDPPI would like to form a group of professionals interested in NeuroTech and Neuro Rights to take the study further.

This will be an exploratory group to identify the requirements of developing Neuro Rights legislation in India and the application of Privacy laws in the Neuro tech context.

Interested persons may contact Naavi

Naavi


CERT-IN issues FAQ on its Notification of 28th April 2022

Following the several representations fired at CERT-In by industry organisations opposing the directive of CERT-In dated 28th April 2022, which prescribed

a) Mandatory reporting of Data breach within 6 hours

b) Synchronisation of system clocks

c) Maintenance of logs for 180 days

d) Registration of users and maintenance of KYC records for 5 years

e) Designation of a Point of Contact

CERT-In has today issued a FAQ explaining the different aspects of the regulation.

The copy of the FAQ is available here: 

Naavi


No Benefit in opposing DPA 2021

Some companies and their paid media friends seem to believe that it is better if India does not pass the PDPB 2019/DPA 2021. Various strategies are being used to create doubts in the minds of people that India does not need this law for the time being.

The latest Economic Times campaign is to suggest that ITA 2000 requires amendment since it is 22 years old and hence DPA 2021 can be re-drafted from scratch. I presume that these are only the wishes of some companies who are comfortable with the lawlessness that prevails in Privacy and Data Security in India and want to push the Indian Government into a situation where it can be blamed for not following the directive of the Supreme Court on introducing a robust Privacy protection law.

Though there must be sympathizers of the industry in the MeitY, their sympathy may not be able to stop the passage of the DPA 2021 though delays can be expected further on the implementation of different provisions.

It is necessary for the industry to recognize that India is not really dependent only on the PDPB2019/DPA 2021 to have a data protection law in India. In fact India already has a reasonable data protection law in place in the form of ITA 2000/8 and even if the Government intends to re-draft the ITA 2000, it cannot abandon the existing provisions of ITA 2000/8.

In recent days, we have seen the Intermediary Guidelines and the CERT-In guidelines on Data Breach Notification issued under ITA 2000, which show flashes of intention on the part of the Government to use the existing provisions of law even if the new provisions are obstructed.

ITA 2000 has the CERT-In, which through its powers under Section 70B can issue directives and enforce Data Breach related provisions. Through the Data Breach prevention mechanism, it can exercise regulation on how data needs to be handled by organisations.

Though at present CERT-In is not talking about personal data, nothing prevents it from stating that “Data Protection Responsibilities” under Section 70B includes both personal data and non-personal data and that the protection of personal data is in the interest of all citizens and the protection of the Indian constitution.

Secondly, while CERT-In has the powers to impose its own penalty for non-compliance with its directive, nothing prevents CERT-In from filing a complaint with the Adjudicator or informing the Police about any contravention of ITA 2000, whether it is of Section 43A or 43 or any of the sections of Chapter XI.

The Adjudicator of ITA 2000 has the powers to start an inquiry suo motu and need not wait for a complainant. Penalties up to Rs 5 crores can be imposed by the adjudicator of a State and the money kept for the benefit of meeting the claims from prospective claimants.

These are the powers now available in ITA 2000/8 but not implemented so far because the CERT-In or the Adjudicators are not keen. But if the Government of India wants, it can make them active.

If so, companies who are opposing the DPA 2021 now would feel that it is better to have the act in place rather than being tried under ITA 2000, which has far stricter provisions than DPA 2021.

When I look at these persons opposing DPA 2021 and feeling happy that their wishes are receiving some traction, I am reminded of the idiom “From the frying pan to Fire”.

Naavi
