Naavi.org

When ITA 2000 was enacted in the year 2000, Cyber Law College started virtual course on “Certificate in Cyber Laws”. It took several years more for traditional academic institutions to introduce formal courses on Cyber Laws. Initially Cyber Law College conducted certification courses in association with KLE Law College, Bangalore, Hubli and later the SDM law college in Mangalore and JSS law college in Mysore.

Several years later NLSUI and NALSAR followed with their own courses. I was privileged to be associated with both the courses in development of curriculum and handling some sessions.

Now we have entered the era of Data Protection Laws. Again it was Cyber Law College which pioneered Certificate courses both on the Indian law based on ITA 2000 and PDPB 2019 as well as the global laws. These courses are part of the DPO training program of FDPPI and the first course was started by the end of 2019.

Now within a gap of 2 years, NALSAR has decided to launch a course on “International Data Protection Law” as part of its courses. The undersigned is privileged to be associated with this program which will discuss GDPR, US and Canadian laws as well as DIFC and Singapore laws.

The Indian laws are presently not a subject of study yet but may soon be introduced.

The first batch of this ” ONE-YEAR ADVANCED DIPLOMA IN CYBER SECURITY ; DATA PROTECTION LAWS-2021-2022″ will commence from tomorrow.

We wish the program all the success.

Naavi

(This is in continuation of our previous article)

While discussing the PDPA 2021 and inclusion of  Section 3(23)(xi) we observe the following:

The whole concept of “Data Protection Laws” is built on the premise that an individual has a “Choice” on sharing of his personal data which can be captured and given effect to by a third party until such time the person does not “Withdraw” or “Modify” his consent.

This is in itself like skating on thin ice and to top it with a responsibility to recognize the “Psychological Manipulation which impairs the autonomy of the individual” is a cruel imposition on the DPO and the organization.

What is “Autonomy” of an individual and how it gets “Impaired” are going to pose significant challenge to the industry.

We can recall the Cambridge Analytica case where there was an allegation that the personal information was used to develop an algorithm that could predict the political leaning of a subject and that  was considered as an infringement of the privacy rights. The Cambridge Analytica reflected the global hatred for FaceBook and created a precedent that has clouded the judgement of many regulators.

It is for this reason that “Profiling” and “Automated Decision Making” has become a critical issue of data protection regulations.

While “Profiling” stops at making an educated guess to predict the behaviour of a person based on some transactional information available to a data fiduciary, the consideration of “Psychological manipulation” as a “harm” takes the regulation to a higher level since “Harm assessment” is part of Data Protection Impact Assessment and Data Trust Score Assessment.

While expert organizations like FDPPI will device some acceptable standard under PDPSI to handle such issue, academically, there is a need to debate whether the inclusion of Section 3(23)(xi) in PDPA 2021 was required and whether it could be a provision which is not amenable to regulation.

In this context, we need to understand how the “Advertising” industry works. The Advertising as well as Marketing works under the principal of AIDAS  works under the premise that the buying behaviour of a target market has to be changed from “No awareness and No desire to buy” into an action to place an order.

In this process, we follow the steps of AIDAS or creating an Awareness/Attention and Interest which should be converted into a Desire for a product before pushing the individual into the Action of buying and then follow the Satisfaction of the buyer.

What PDPA 2021 is to declare this age old principle of marketing as “Unlawful”.

If therefore an Advertising agency has to work on PDPA 2021 compliance, there is an issue  that the advertising tries to psychologically manipulate a large section of the population though the agency does not know which data principal is being targeted when it releases an advertisement in a mass media.

But it will not be long before the idea catches up where e-mail marketing, SMS marketing or advertisements in specialized media or advertising through subscription model TV broadcasting will all be red flagged as “Creating Harm”.

So far only advertisements on smoking, drinking etc were considered harmful. The Bitcoin industry is fighting against the advertisement ban envisaged for Crypto Currencies. Now PDPA 2021 is likely to place the entire advertising industry and along with it the marketing functions under a question mark.

It would be interesting to know if the industry understands this issue and reacts.

If the Government wants to make a change, it is better to delete this 3(23)(xi) and let the earlier definition of harm be considered sufficient.

Now we shall get back to the question I had placed in the previous article to highlight how legislating what goes on in the mind of a person is not wise.

The question was

What is your response to an information stimuli represented by the following binary stream.

01001101 01101111 01100100 01101001

There can be three responses which we can discuss.

1. This is a number : 1,299,145,833 or One billion 299 million 145 thousand and eight hundred thirty three.

2. Another person says it is the name of a well respected global leader, Modi

3. Another person says it is the name of a most hated Indian leader, Modi

Whether this binary stream is a number or a set of English characters ‘Modi’ depends on the choice of the binary converter which the observer uses.

This means that 01001101 01101111 01100100 01101001 is either a number or a name  based on the technology you use to convert it into a human understandable data. Hence it is neither non personal data nor personal data per-se. It is the observer who  choses to convert it into either a number or a name and hence he determines whether it is personal data or non personal data.

Once it is converted into the four letters Modi, whether it is considered as an “Objectional” word or a “Biased” expression will be decided by Twitter based on who is tagging the content.  If the binary is used in a sentence ” ….. is good”, then if you use an ASCII to to text converter it should be treated as an attempt for “Psychological Manipulation”. If you use the ASCII to number converter, it may not mean “Psychological manipulation”.

If we are assessing the harm caused by the information therefore, we need to take into account the context, the observer and the device used for observation before considering if there is any attempt for “Psychological Manipulation”.

Under these complexities of human behaviour it is a moot question if the introduction of Section 3(23)(xi) was actually required.

let us have the comments  from others…

Naavi

Other articles on DPA 2021

14. PDPA 2021: Concept of Discovery Consent

13. JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System

12. JPC recommendation on Children Data

11. JPC recommends DPA to watch on Incident Register

10. JPC comments beyond the Amendments-2: Implementation Schedule

9. JPC comments beyond the Amendments-1-Priority of law

8. Clarifications from the JPC Chairman on DPA 2021

7. Anonymisation is like Encryption with a destroyed decryption key 

6. PDPA 2021: The data breach notification regarding Non Personal Data

5. PDPA 2021: The Data Protection Officer is now in an elevated professional status

4. PDPA 2021: The nature of Data as an Asset and nomination facility

3. PDPA 2021: Regulating the human perceptions

2. PDPA 2021: Definition of Harm to include psychological manipulation

1. PDPA 2021: Should Big Data and Data Analytics industry be worried?

PDPA is a legislation that is meant to uphold the human right concept of “Privacy”. Privacy is a concept which reflects the “State of Mind” of an individual and a feeling of “being left alone”.

According to human psychologists, Hypnotists and also the spiritual gurus, human mind is like a computer which based on the inputs received from the sensory organs creates experiences to which humans respond. If the input is wrongly perceived, the reaction would be inappropriate.

It is easy to understand that if the mind perceives the red traffic signal as green, then the human will proceed and perhaps crash against another person who sees red as red, green as green.

The human perception is based mostly on  past learning like it happens when an AI algorithm is trained with specific inputs. The theories of Thomas Anthony Harris on the life positions individuals may take as “I am OK, You are OK” etc., is based on such principles of how the individual has experienced his childhood.

The theory of Transactional Analysis the PAC model also suggests that our responses to human interactions are conditioned by the way our ego states have been developed.

The ability to “Observe”, “Perceive”, “Interpret” and “learn” is an inherent characteristic of any human being.

Some might have developed the instinct to such  an extent that they develop the skills of “Face Reading”. Some try to develop the expertise as an ability to read the “Body Language”.

Given this inherent human character of taking a mental position based on any of the sensory perceptions fed to their mind, any information is also likely to have an automatic impact on the human being. This cannot be prevented.

Those who can keep themselves immune to the external stimuli and react independently are the Sadguru’s of this world.

Law cannot be made for such Sadgurus since they are too few in number and donot represent the majority.

However the data protection laws across the world appear to take up this task of regulating not only the “State of Mind of an individual” but also what one human perceives when he receives some personal information.

Let me give an example.

Here is a binary stream and I want you to let me know what is the first reaction you have on the same:

01001101 01101111 01100100 01101001

Think over…. We shall continue our discussion in the continued article and the amendment in PDPA 2021 which has added Section 3(23)(xi) which adds a new type of “Harm” namely “psychological manipulation which impairs the autonomy of the individual”  to the list of harms that the regulation tries to protect an individual against.

(Second Part of this article)

Naavi

Other articles on DPA 2021

14. PDPA 2021: Concept of Discovery Consent

13. JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System

12. JPC recommendation on Children Data

11. JPC recommends DPA to watch on Incident Register

10. JPC comments beyond the Amendments-2: Implementation Schedule

9. JPC comments beyond the Amendments-1-Priority of law

8. Clarifications from the JPC Chairman on DPA 2021

7. Anonymisation is like Encryption with a destroyed decryption key 

6. PDPA 2021: The data breach notification regarding Non Personal Data

5. PDPA 2021: The Data Protection Officer is now in an elevated professional status

4. PDPA 2021: The nature of Data as an Asset and nomination facility

3. PDPA 2021: Regulating the human perceptions

2. PDPA 2021: Definition of Harm to include psychological manipulation

1. PDPA 2021: Should Big Data and Data Analytics industry be worried?

Black Money in India is more powerful than even Mr Modi. Hence banning of Crypto Currencies which means banning of Digital Black Money cannot be done easily by the Government even of Mr Modi or Mr Amit Shah would swear by National Interests.

Even Mr Mohan Bhagwat of  RSS or Dr Subramanya Swamy are silent on the banning of Crypto Currency.

No body seems to have the guts to take Crypto Currencies by the scruff of its neck and banish it from India.

This week the Crypto Currency Bill in some revised form is expected to be presented in the Parliament. The Ministry of Finance would be feverishly working with all the Crypto Currency exchanges and the Corrupt media elements to draft it in such a manner that Crypto Currencies will continue to be an asset class which SEBI will regulate and IT  department will tax.

I am reminded of the story of Bhasmasura in our mythology who was given a boon by Lord Shiva that he can destroy anybody by placing his hand over his head and Bhasmasura wanted to test it on Lord Shiva himself. Likewise, if Bitcoin and Crypto Currencies get the sanction from the Government in any form, it will be a boon with which the country’s economy would be destroyed. The current drop in the stock markets is not because of the Omicron but in anticipation of the approval to be given to Crypto Currencies in the Bill and consequent shift of investment from shares and other investments in the stock market to the Bitcoin and other crypto currencies.

We respect Mr Modi and Mr Amit Shah and their intentions to do good to India but we cannot underestimate the power of black money and just as Mr Modi retreated in the Farm laws issue, it would not be surprising if Mr Modi develops a cold feet in the Crypto currency regulation and yield to the power of digital black money.

One possibility is that the Bill will be referred to a Standing Committee and the issue would be shelved for the time being.

We are therefore looking out for a black day for India when Crypto Currencies are given a license to devour the legit currency and along with it the economy built by the tax payer’s money.

Hope I am proved wrong.

We sincerely urge Mr Modi not to be the Lord Shiva who gave the boon to Bhasmasura but Lord Vishnu who saved the world by destroying Bhasmasura in the form of Mohini.

Naavi

PDPB 2019 (Personal Data Protection Bill 2019) was in its current draft stage since December 2019. In the last two years, the JPC held an incredible 78 meetings of which the first 66 were chaired by Mrs Meenakshi Lekhi who was subsequently promoted as a Minister and  the rest by Shri PP Choudhary who took over as the next chairman later on.

At the end of this exercise, a new version of PDPB now titled Data Protection Bill 2021 (DPB 2021) emerged and is now before the Parliament.

When the legislative history of PDPB 2021 is written, it is necessary to understand how the exercise which started with the suggestion of the Supreme Court judgement in the Justice Puttaswamy case resulted in the Government forming the Justice Srikrishna Committee which came up with PDPB 2018, which later became PDPB 2019 with the incorporation of public comments and which has now taken the new avatar of DPB 2021.

It is the privilege of the Parliamentarians to draft the law in whatever manner they think fit and we in the industry have to be accept it and move forward. In the professional circles, we can continue to debate what improvements could have been done and what mistakes could have been avoided, but for a Bill which has taken so long to see the light of the day, it would be cruel if we start delaying its adoption further raising demands for more correction.

The exercise for an exclusive  Personal Data Protection Bill first started with the Personal Data Protection Bill 2006 (See a copy of the Bill here)

This means that after the ITA 2000 was introduced on 17th October 2000 containing Section 43 which imposed penalties for failure of an organization to protect data (both personal and non personal), the first attempt at an exclusive personal data protection law was initiated with the PDPB 2006. It has now taken 15 years for PDPB 2006 to evolve into DPB 2021. During this long period of gestation, it was evident that the Business did not want the shackles of the law and any provision on “Surveillance” which the Government wanted to be included in the Bill came to be criticised as an undemocratic move and faced the opposition of the Habitual Nay Sayers and genuine privacy activists acting together.

As a result the Personal Data Legislation remained in the background.

Since the nudge from the Supreme Court in 2017, it has taken 4 more years to reach the current state and during this time there have been a consistent attempt to suggest changes one after the other to the extent that no consensus could be arrived at and the adoption of the bill is delayed at each stage.

Even the current version which will be before the Parliament will have 7 members out of 30 in the JPC submitting dissent notes and the Tech industry already announcing that they will challenge the law in the Supreme Court once it becomes the law.

Even if 2 years time would be given by the act for implementation, it is likely that most of the industry will use the time to wait for the Supreme Court to come up with its decision on the challenge and continue to drift in implementation of the law. The Government would have it’s own trademark “Respect” for the “Pending Supreme Court Verdict” and perhaps  focus more on the other  pressing matters  rather than getting the law cleared in the Supreme Court.

It is therefore a time of uncertainty ahead of us on the implementation schedule of the law. It is unfortunate that even Pakistan and China can now boast of “Personal Data Protection Laws” similar to GDPR or CCPA or Singapore PDPA 2012 while India is still unable to get the legislation through.

The undersigned however has been clearly advocating that the personal data protection is embedded in Information Technology Act 2000 particularly after the amendments of 2008 which introduced Section 43A and 72A.

Industries may ignore but the law is clear that penalties can be imposed for not protecting sensitive personal data under Section 43A or 72A by the Adjudicators under ITA 2000. ITA 2000/8 compliance is therefore the current “GDPR of India”.

When PDPB 2018/2019 was drafted, the legislative intent was clear that the new Bill will replace Section 43A of the ITA 2000/8 and therefore the current Personal Data Protection under ITA 2000/8 would transform into 98 sections of PDPB.

ITA 2000/8 was a single law which protected both personal and non personal data misuse and it was expected to continue its role as “Non Personal Data Protection Law” even after PDPB was enacted. However, the intervention of the Kris Gopalakrishnan Committee in between suggesting a “Non Personal Data Governance Act” (NPDGA) has confused the legislators to an extent that an idea to merge the proposed PDPB 2019 with the future NPDGA into one law and re name PDPB 2019 as Data Protection Bill 2021 (DPB 2021) has gained acceptance.

Whether this was a wise move or not only time will tell. But the Supreme Court may feel that…”we wanted you to bring in Personal Data Protection law to protect Privacy but you are ending up with designing a Cyber Security law by combining Personal Data Protection and Non Personal Data Protection into one law and also perhaps introducing Non Personal Data Governance through administrative guidelines from the Data Protection Authority in the coming days.”

As a result, the focus expected of a law to protect Privacy may get diluted when DPA tries to take over the work of Director General of CERT IN and start taking up Cyber Security issues instead of focussing entirely on Personal Data protection issues.

Consequent to this change in the legislative intent behind PDPA 2021, Section 1 (Name Clause) has been modified. More importantly, Section 2 on “Applicability” has also been modified.

In section 2 the following amendments have been made

Anonymised data by definition means data in such form that the Data Principal cannot be identified as per the standards of anonymization prescribed by the authority. Unless therefore the Authority falters in fixing the Anonymization standard, “Anonymised personal data” has no relevance to the “Privacy Protection” required under the Constitution and the Supreme Court Judgement.

The JPC has however bought the idea that “Anonymization” can be broken by use of certain techniques and therefore added it in the legislation for personal data.

However, it is necessary for us to remember that even “Encryption” and “”Digital Signature” which have special status in law can be broken by hackers and if the “Anonymisation Standard” is defective, the problem is like having a low level of encryption and finding fault with the concessions given to the breach of encrypted data or digital signature.

Calling “Anonymised Data” as requiring regulations under Personal Data protection is like treating all “Encrypted Data” as “Unencrypted”  data and all “Digitally signed document” as “Undigitally signed”.

Hence the inclusion of the words “including anonymised personal data” in Section 2(d) is unimaginative.

We can argue that even if Section 2(d) says DPA 2021 is applicable for Anonymised Personal Data, only if there are other provisions in the law about “Anonymised Personal Data”, we should consider it important and otherwise we can forget it.

However, this has opened the possibility that an imaginative DPA can place regulations on “Anonymised Personal Data” which may create issues for the Big Data Industry or the Data Science field.

In case the regulation is only that “Consent” should be obtained for “Anonymisation”, it is not difficult to implement it.

But blocking “Anonymisation” as a right of the Data Fiduciary  would seriously hurt the “Monetization Prospect” of “Anonymised Personal Data” which is actually a “Non Personal Data”.  This could be considered as an infringement of the fundamental right to carry on a business which does not affect the Right to Privacy of any person whose personal data is anonymised.

In a way the law has given into the perceived power of the hackers and considered that “Anonymisation” is not possible and hence anonymised personal data should not be available for monetization.

Instead of caving into the power of hackers, the Government should have considered increasing the penalty for “Reidentification of the De-Identified Information” from an imprisonment of 3 years to some thing around 10 years.  This would have increased the deterrence and mitigated the risk of de-anonymisation of anonymised personal information.

In the long run, this will be a point to regret. Coupled with the  section that requires the algorithm of processing to be made transparent and hardware and software used in personal data processing to be “Certified”, the Data Analytics industry and Big Data Industry would find it suffocating to carry on their activities. On the other hand these provisions donot add anything additional to the protection of Privacy.

The Government therefore appears to have opened a breach to let the Judiciary find fault with the drafting of the legislation.

At this point of time it appears that this cannot be remedied except by reverting  Section 2 to the previous version and deleting the provision on hardware software certification as well as the algorithmic transparency. All these responsibilities to the extent it adversely affects the Privacy of an individual can be implemented under the concept of “Data Fiduciary” and does not require the amendments as proposed.

As regards “Reporting of Data Breach of Non Personal Information”, it was a responsibility already assigned to the CERT IN. There was perhaps no justification to take over the responsibility of the CERT IN in this respect.

If there was a concern that some data fiduciaries could report a personal data breach as non personal data breach to the CERT IN and avoid scrutiny by the DPA, a provision culd have been inserted for sharing of all data breach reports made to CERT IN with DPA along with a comment/assurance from the CERT IN director that no personal data breach is suspected in the reported data breach.

If these issues had been addressed, there was no need to change  the perspective of the law from “Personal Data Protection” to “Non Personal Data Protection”.

However, from the compliance perspective, we must accept the changes as it would be finally passed by the Parliament and include the “Non Personal Data Protection and Governance” as part of Personal Data Protection compliance.

Naavi

(The above are the personal views of Naavi and does not represent the views of any organization.)

Other articles on DPA 2021

14. PDPA 2021: Concept of Discovery Consent

13. JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System

12. JPC recommendation on Children Data

11. JPC recommends DPA to watch on Incident Register

10. JPC comments beyond the Amendments-2: Implementation Schedule

9. JPC comments beyond the Amendments-1-Priority of law

8. Clarifications from the JPC Chairman on DPA 2021

7. Anonymisation is like Encryption with a destroyed decryption key 

6. PDPA 2021: The data breach notification regarding Non Personal Data

5. PDPA 2021: The Data Protection Officer is now in an elevated professional status

4. PDPA 2021: The nature of Data as an Asset and nomination facility

3. PDPA 2021: Regulating the human perceptions

2. PDPA 2021: Definition of Harm to include psychological manipulation

1. PDPA 2021: Should Big Data and Data Analytics industry be worried?

The presentation of the Crypto regulation bill in the Parliament has put the industry promotion on an over drive. Zee Business recently ran a series of panel discussions to promote crypto currency, in a well crafted advertorial exercise. People who donot know that Cryptos are the currencies of criminals would have been very much impressed with the discussions which steered clear of the illegal use of Cryptos and spoke as if it is only a technology marvel.

There is no doubt that Bitcoins and other Cryptos as a system are attractive as a “Virtual Game” but when we discuss them as a “Currency” or an “Asset” we are laying down a trap for gullible investors to start investing and bring pressure on the Government to let it survive.

A new threat is getting added to the dangers of Bitcoins in the form of “Meta verse”, the “Virtual Real Estate” and Non Fungible Tokens (NFT) all of which are meant to  promote the Cryptos as the currency of the Virtual Space.

When “Domain Names” were new, there was a medical practitioner in Salem who had bought two “Web Sites” thinking that he had bought “Sites” similar to the physical property. When after one year the web pages under the URL disappeared, he filed a police complaint that his “Site” was stolen. Salem police at that time came to Chennai to take the assistance of the undersigned in understanding what was stolen.

There have been earlier legal cases in secondlife.com where a fraudster had bought virtual plots before an official auction and another case when furniture in a virtual cafe had disappeared.

FaceBook has been running several games such as “Farmville” in which virtual properties can be acquired either through gaming or by paying upfront cash.

As long as such games remained games there was fun and everybody enjoyed the game though the problem of “Addiction” was still there.

Secondlife.com first started the trend of linking the game experience to the real world by creating the “Virtual Currency” in the name of Linden and created an exchange market for converting US dollars to Linden and Viceversa. This was not “Crypto” but they served the purpose of a digital currency outside the regulatory system for fiat currencies.

The Cryptos like Bitcoin took the concept further and created a currency without even the benefit of providing a fun through games which secondlife.com or Farmville games provided.

Now a combination of the games and cryptos are emerging with the creation of “Tokenized Virtual Property” (Non Fungible Tokens or NFTs) which can be bought and sold with the use of Cryptos. These websites which donot provide any assurance of even short term survival are offering “Virtual Property” to be bought with a payment through Cryptos. The properties may be linked to Virtual Reality apps so that one can get an immersive experience of visiting, living in or otherwise using the virtual property.

See article in NYTimes

The Metaverse allows a user to take an “Avatar” which may be our identified face or other identities and perhaps pseudo identities. One can buy and deliver tokenized digital assets including music or art etc in the Meta Verse environment…all with Crypto currencies.

The Meta verse is therefore being created to provide a use for Cryptos and increase the market for Cryptos. Hence Meta Verse and Cryptos are to be considered as associated services.

There was one report that virtual land within Metaverse was recently sold for $2.43 million and was used to host virtual fashion shows for avatars.

The currency used in sandbox.com is “SAND” and is itself available to be brought in many Crypto exchanges.

Superworldapp.com allows you to buy and sell property anywhere in the world with the use of ETH.

In one perspective, all these developments are nothing but Video games in which some betting is being placed in terms of hard currency.

Some may argue that this is entertainment and has a value. If some body thinks that it is worth the money, it is their choice.

But as independent observers in the society, one needs to look at the long term impact of such games.

Apart from these games being constructed to support the digital black money of Crypto Currencies, the games are likely to make many individuals go crazy. The experience is immersive and enjoyable as long as it is for a few minutes. But it will soon become an addiction and start driving people crazy.

If Blue Whale could drive people to commit suicides, these games will drive them to be lunatics. The unfortunate part of it is that people will spend a fortune to become lunatics.

Policy makers need to be aware of the ill effects of this developments on the society and recognize a need to ensure that our younger generation is not destroyed by such so called “Innovations”.

Technology is losing all self control and the future looks very threatening. Just as we discuss the threats from Global warming etc., it is time to start discussing the “Global Gaming Threats” arising particularly out of the MetaVerse-Crypto Currency links.

(Comments welcome)

Naavi

Also check: Decentraland