Naavi.org

At a time there are discussions about ITA 2000 being revamped and replaced with a new version of a Digital India Act, a major amendment has been made to the ITA 2000 through a Gazette Notification

Though this appears to be a small notification, it significantly expands the applicability of the ITA 2000.

Presently Schedule I of ITA 2000 lists the following 5 types of documents to which the act does not apply:

1. A Negotiable Instrument (Other than a cheque) as defined in Section 13 of the Negotiable Instruments Act 1881 (26 of 1881
2.   A Power of Attorney as defined in section 1A of the Power of Attorney Act 1882 (7 of 1882)
3. A trust as defined in section 3 of the Indian Trusts Act, 1882 (2 of 1882)
4.  A will as defined in clause (h) of section 2 of the Indian Succession Act, 1925 (39 of 1925) including any testamentary deposition whatever name called
5. Any contract for the sale or conveyance of immovable property or any interest in such property

The Modified Schedule I states as follows:

1. A negotiable instrument (other than a cheque, a Demand Promissory Note or a Bill of Exchange issued in favour of or endorsed by an entity regulated by the Reserve Bank of India, National Housing Bank, Securities and Exchange Board of India, Insurance Regulatory and Development Authority of India and Pension Fund Regulatory and Development Authority) as defined in section 13 of the Negotiable Instrument Act, 1881 (26 of 1881).”
2. A Power of Attorney as defined in section 1A of the Power of Attorney Act 1882 (7 of 1882), “but excluding those power of attorney that empower an entity regulated by the Reserve Bank of India, National Housing Bank, Securities and Exchange Board of India, Insurance Regulatory and Development Authority of India and Pension Fund Regulatory and Development Authority to act for, on behalf of, and in the name of the person executing them.”
3. A trust as defined in section 3 of the Indian Trusts Act, 1882 (2 of 1882)
4.  A will as defined in clause (h) of section 2 of the Indian Succession Act, 1925 (39 of 1925) including any testamentary deposition whatever name called
5. (Omitted)

Implications

The type of documents mentioned in this schedule are excluded from the applicability of the Act. Since the Act includes section 4 on  “Recognition ” of documents as equivalent to paper documents, those documents omitted from the Act through this schedule have no legal recognition in electronic form.

The documents which are “Excluded” from Schedule I are within the provisions of the Act and will carry legal recognition.

Hence when Schedule I stated “Negotiable Instrument” as an excluded item in the original ITA 2000, it meant that Cheque, Bill of Exchange and Promissory Note in electronic form were not recognised in law. In February 2003, Negotiable Instruments Act 1881 was amended to introduce Truncated Cheques and Cheques in Electronic form. Simultaneously the Schedule I of ITA 2000 had been amended to include the words (Other than the cheque) in item 1. Hence Cheques in electronic form and Truncated cheques (scanned form of written cheques) were considered legally equivalent to  the corresponding physical instruments.

With this amendment, a class of one class of Demand Promissory Notes and Bill of Exchange namely those

” Issued in favour  of ” or  “Endorsed by”

“an entity regulated by” RBI, NHB, SEBI, IRDAI, Pension Fund Regulatory and Development Authority (PFRDA)

have been brought into the category of legally valid electronic documents.

However, Demand Promissory Notes and Bills of Exchange issued or endorsed by other entities still remain outside the Act. Similarly a Promissory Note which is not a “Demand Promissory Note” (Payable after a date of maturity) could be considered as not a “Demand Promissory Note under this schedule” (Subject to interpretation).

If an instrument (Bill of Exchange or Promissory Note has been issued by an entity other than the privileged entities mentioned in the schedule, if “Endorsed” by a privileged entity (RBI, SEBI, NHB, IRDAI, PFRDA etc) becomes legally recognized.

This part of the impact of this amendment (A Midas touch !) appears to be legally debatable and provides an authority to these agencies to give a “recognition as a negotiable instrument” to an instrument which was earlier not a negotiable instrument (A document which by wording was a promissory note or bill of exchange but expressed as an electronic document).

This notification requires an amendment of NI Act to introduce a new category of instruments as Negotiable Instruments under Section 13 of NI Act.

We must remember that the Negotiable Instruments Act does not end with the definition of Promissory Note, Bill of Exchange and Cheque under Sections 4, 5 and 6 read with Section 13.

A Negotiable Instrument is characterised by the property of being able to create a “Holder in Due Course” which incorporates the principles of “Indorsement” and “Delivery”. It involves “Possession” of the instrument,  and transfer of possession with an intention to make the transferee, owner there of. The definition of an “Indorsement” under Section 15 of NI act itself is dependent on “Signing on the back of the cheque or on a piece attached thereto (allonge)”.

Concept of “Endorsement” of an Electronic Promissory Note or Bill of Exchange (as per the schedule I) is therefore  inconsistent with NI Act.

Further Bills of Exchange  are documents which are compulsorily required to be stamped and an instrument in electronic form but considered as Bill of Exchange needs further changes in other laws.

A Bill of exchange is also associated with concepts of  “Presentment” and “Acceptance” to determine the due date and “Presentment” involves “Delivery” and hence in an electronic  form, there are several other issues which need to be taken together to interpret an electronic negotiable instrument and how it can be used.

“Holder’s Right to a duplicate Bill” also may create a conflict when electronic copies may be available of the Bill.

The Government appears to have not considered the impact of this notification on Negotiable Instruments Act and whether a new class of negotiable instruments can be created through a notification under ITA 2000 instead of an amendment to NI Act.

In other words, it can be argued that this notification is ultra vires the NI Act

Again, the amendment to the notification regarding Power of Attorney creates a category of Powers of Attorney that empower the privileged entities namely the RBI, NHB, SEBI ,IRDAI and PFRDA.

This could have been better addressed through an amendment of the Power of Attorney Act.

It is also surprising that TRAI (which may be replaced by a new Telecom Regulator) is missing from the list of privileged institutions.

The removal of serial item number 5 opens up the use of electronic documents in transactions involving immovable properties and transfer of interest there-in. This introduces a serious element of Fraud risks in registration of property documents since many of the practices used by the Registration department donot meet the security and legal requirements of authentication and evidentiary recording of the transactions.

In summary it appears that the Notification has not taken into consideration the legal validity of the notification and the new risks that will introduce on the community.

Criminals will now focus on how to get properties transferred in the Registrar’s office without a genuine authentication from the erstwhile owners and there will be a chaos in the real estate market bigger than the Telgi Scam.

I wish the Government re-thinks on this notification to avoid the complications.

Naavi

FDPPI and Naavi.org successfully celebrated the virtual event to celebrate the Digital Society Day 2022, on October 17, 2022. A Brief report of the event is presented below.

The event started with a brief welcome from T C Manju, Consultant Operations, FDPPI. This was followed by Naavi introducing the importance of the day and also introducing the FDPPI and its activities briefly.

This was followed by a talk from Mr Rakesh Maheshwari, Senior Director, MeitY on his experiences regarding ITA 2000 particularly in the implementation of the Intermediary guidelines.

This was followed by Dr (Advocate) Pavan Duggal who shared his reminiscences on ITA 2000. Dr  (Advocate) Prashant Mali followed with his views and suggestions on ITA 2000.

This was followed by a brief presentation by Naavi on the concept of Compliance Management Rating (CMR) for CERT-IN and ITA 2000 compliance.

There after a panel consisting of Commander Mukesh Saini, Dr A Nagarathana, Dr Mahendra Limaye and Advocate M G Kodandaram discussed the relevance of ITA 2000 in the current regulatory scenario.

In the valedictory session, Commander Rajeev Seoni, presented a summary and his views on the proceedings. A Lucky draw was held for the participants who attended the program and three persons were chosen by a spinning wheel draw and they will be sent FDPPI T-Shirts.

Vote of Thanks was provided by Ashok Kini, Co-Founder Klickstart.

Some of the pictures captured during the event are provided below.

We thank all those who made the event a success.

A link to the recording is available here.

Naavi

We in India remember August 15 as our Independence day. We also remember January 26 as our Republic Day.  Similarly October 17 is a day to remember as the day when a legally recognized Digital Society was born in India.

On October 17, 2000, the Information Technology Act 2000 (ITA 2000)  was notified and legal recognition was provided to electronic document, digital signature, electronic contracts.  With this and other provisions of ITA 2000, a new society which uses electronic documents for communication  became legally acceptable to the judicial system in India.

Without ITA 2000, an e-mail or a website or an SMS or a WhatsApp message would not be considered as a document equivalent to a document. An offer and an acceptance in electronic document would not constitute a valid contract. We were virtually living in a “Digital Jungle Raj” before October 17, 2000.

Today, we have our Supreme Court  and Parliament streaming its proceedings in Court, Parliament , Companies conducting Board Meetings and AGM on line, Digital Contracts being matters of routine, Virtual surgeries tackling matters of life and death all with an assurance of legal recognition. WhatsApp have been accepted as valid method of sending Court notices and digital money has become the order of the day. We could now move to another world of Meta Verse and humanoid robots in the coming days. Internet has become more a serious world of business and Governance and not remained only a world of fun.

Today’s Digital India therefore owes its existence to the fundamental legal changes that ITA 2000 brought to our society. Irrespective of the amendments made or to be made October 17 will for ever remain as the day to remember because of the tectonic shift that occurred this day in the year 2000.

Naavi has been therefore conducting events on October 17 trying to focus on the importance of the day. This year India is getting ready for an overhaul of Digital India regulations. The new Telecom Bill has already been up for discussion. The new Personal Data Protection Bill could be open for public comments soon and discussions on substantial amendment of ITA 2000 could follow.

To remember the day, Naavi.org and FDPPI have organized a webinar and brought together Veterans of ITA 2000 to share their thoughts on how ITA 2000 has evolved over the last 22 years and how it is likely to move further.

The webinar would start  at 4.00 pm today (October 17, 2022) on the virtual place, here

Join here

You can all participate in this celebration courtesy FDPPI and its supporting members Klickstart Business Solutions & Services LLP and Maruti Quality Management Services.

Look forward to meeting you to celebrate the Digital Society Day of India 2022.

Naavi

JOIN HERE

In the Privacy domain, the “Employee Privacy” is one aspect of Privacy Management that often has a direct conflict with the Data Protection Compliance regime.

Under GDPR we have seen that Courts and Supervisory authorities have  ruled that even an employee who uses “Customercare@company.com” email for personal communication is entitled to privacy rights.

Recently a case has also been reported from Illinois, the freight comapny BNSF Railway Co has been ordered to pay a compensation of $228 million in a class suit on behalf of its employees.

The  decision  handed Wednesday evening in Chicago federal court, came after the first trial under the Illinois Biometric Information Privacy Act (BIPA), a state law which restricts collection of biometric data like fingerprints or retinal scans.

The plaintiff, on behalf of himself and a class of other truck drivers, claimed he was fingerprinted when he entered BNSF’s railyards to make pickups and deliveries and that BNSF violated Section 15(b) of the BIPA by collecting his biometric data without first giving him written notice and obtaining his informed consent.

This decision could mean that the employees of an organization may enforce Privacy rights on par with the public.

A majority of Data Protection Professionals are themselves employees of an organization and hence they would welcome this development. So would be the Privacy Activists.

However, to be fair to all stake holders we need to question this decision of the Illinois Court (as reported in the media).

Employees are privileged persons within an organization. Law recognizes that any errors  and omissions of an employee may create a vicarious liability on the organization.  Employees work under a long term contract built on trust. They create the security systems within an organization and can collaborate with criminals to harm the organization and its third party customers.

Hence there is a need to enforce from security perspective of the company and its customers a strict regime of surveillance on the activities of the employees.

Hence having CCTVs inside an organization, monitoring the computer activity as well as collecting and using biometrics should be considered as “Legitimate Interest of an Organization” and should not be considered as “Privacy Violation”.

What may be required is an assurance based on a higher level of information security so that the employee information collected for a specific purpose of employment is not misused. Using the information to monitor employee behaviour from the perspective of security is however an exception.

Some Data Protection laws like the PDPB 2019 did provide “Exemptions” from Consent for employee monitoring activities required for performance assessment and fraud prevention.

The Illinois case could be one coming under such a requirement where the company wanted only authorized persons to enter the goods yard. Similarly the GDPR case in which an employee misusing the corporate email account for personal use had specifically violated the terms of contract. In such cases there should be no enforceable right to privacy.

It is for this reason that we advocate that “Employee Privacy” should not be equated to “Privacy of Non Employees”. Employees should be informed enough to provide their consent and understand the need for security to give up the  special privileges that comes with the Privacy.

If this right of the employer is not recognized, then employees may tomorrow claim that they will work under pseudonymous ID or even anonymous ID and receive their salaries through Bitcoins and in principle they will have a case to justify.

We must therefore consider that “Employees of an organization are privileged persons and in respect of the personal data shared by them with the company in their capacity as employees should be exempt from provisions of prior Consent (except at the time of onboarding), Rights of Portability, Right to forget. They may continue to enjoy Right to access and  Right to Correction.

Comments and views are welcome.

Naavi

Economic Times carries an interesting article on the “Shape of Things to Come” as the MeitY continues to work on the modified PDPB 2019, stating that “Reworked Personal Data Bill may relax rules on data localization”

The article quotes the MoS, IT, Mr Rajeev Chandrashekar as saying

“Cross-border flow of data will, … be permitted as long as the government is able to access the data legally and such data of citizens is safe even if it is stored in cloud architecture“

The interpretation of ET is that the Government may  change the provision regarding the “Critical Information” being necessarily stored in India.

The PDPB 2019 had already diluted the PDPB 2018 provision of cross border data transfer and removed the need for keeping even a copy of the personal data transferred out of India as long as it is not  “Sensitive”. Sensitive personal data was also freely transferable subject to a copy being retained in India and necessary consent from the data principal. No data has so far been declared as “Critical Data”.

Hence there is nothing to dilute the PDPB 2019 version in this regard as it is already diluted to the core.

As against this GDPR has been strengthening its Data Localization policy and recently even the US bent down to EU and agreed to change its Judicial System to accommodate the interest of EU GDPR. It has agreed to set up a Judicial authority that can be approached by the EU Citizens whose data is processed in USA. It can be expected that this special court will even recognize the supremacy of the EU jurisdiction over such data processed in USA.

Rajeev Chandrashekar has at present not made a statement that indicates such abject surrender of the country’s interest to foreign powers and allow a “Data Colonisation” by EU through GDPR.

If we restrict our interpretation to the words that have been quoted, it only means that the Cloud Operators need to satisfy that Indian Law Enforcement will not be denied access to data when required with the pretext that they are not subject to Indian Privacy laws.  This point is also coming up directly for discussion in the Supreme Court in the Whats App Privacy Policy case and Government cannot take different stands in the draft law and the Court.

EDPB wants Indian Data importers to commit through their contractual agreement that they will not let Indian law enforcement to enforce their rights whether they are the Police or ED or CBI. Most Indian Companies have been quietly signing off contracts with their business vendors to ensure that their businesses are preserved.

In other words, most of the Indian companies are being forced to be more loyal to EU than India. Neither Press nor the Government is aware of this development.

I challenge the MeitY to conduct a survey of data processing contracts entered into by the Indian data processors in the last 3 months and check if they have agreed to revise their SLA s to meet the EDPB guidelines. This will reveal how Indian Companies are quietly ceding data territory to foreign powers for the business they are signing. Most companies are also signing off on indemnities for data breach liabilities far in excess of their own financial capabilities pushing India to “Potential Insolvency”.

If hackers target foreign companies having data processing contracts with India and huge data breaches happen, it would be many Indian companies who will have to foot the bill.

Has information security auditors factored in this incidence of “Foreign Data breach Risk” on Indian Companies?

In my opinion these are questions which every body is afraid to ask.

We therefore conclude that

“Given the security situation in the Country, there is no way India can give into the desires of the EU GDPR to convert India into a Data Colony of EU. This is a national security issue and MeitY has to work within this framework of National Security”.

In the last two months, we have written the following 23 articles indicating what should be the “Shape of Things to Come”.

In these articles we have tried to comment on what “right” has to be protected? how we should define “data”? how we should classify “critical personal data” and how we should approach the “Data Localization” issue.

One of the suggestions made is that Data Protection by law should protect the Right to Security of a citizen of India, retain the need for consent and maintenance of copy of all personal data, processing and storing of Critical Personal data only in India etc.

We have also suggested defining of Critical personal data as

Critical Personal Data means such personal data, deprivation, incapacitation or destruction of which would cause significant harm to an individual and includes biometric data or genetic data or unique official identifiers and personal data under the control of such entities or computer resources whose activities if incapacitated or impaired may have debilitating impact on national security, economy, public health or safety.

I wish MeitY tries  to take into account the views expressed in the series of articles presented at Naavi.org before finalizing its recommendations.

We are waiting for the draft to be released by the Government to make a section by section comment and take on record the areas where there could be need for changes.

Naavi