Digital Forensics in the Privacy Dominated world

Digital Forensics is the art and science of discovering information. We often use this term in relation to a situation where we need to find information which is not clearly visible in the ordinary course of a transaction. The key aspect of “Forensics” is that the information discovered through the process has to be acceptable to an independent third party leading the investigation or judicial process. Hence the information discovered through a forensic process needs to be capable of being “Evidence” in a judicial process.

A Discovery that does not lead to an “Acceptable Evidence” is of limited use. In an investigation of a crime, Police often extract statements from the accused which are used for further investigation but are not admissible as evidence at the time of trial. However, a statement made before a magistrate may be acceptable as “Admissible Evidence” at the time of trial. Similarly, a technical extraction of information could be loosely called “Forensic Discovery” but for it to be respected as “Forensic Discovery”, it needs to be acceptable as “Evidence”.

How a piece of information becomes acceptable as “Evidence” is a matter determined by the “Law of the Land”. What is accepted as evidence in Courts in the USA may not be acceptable as Evidence in a Court in India. Similarly, what is accepted in a Civil Court may not be accepted in a Criminal Court. What is accepted in a departmental enquiry, a Family Court or an Arbitration may not be acceptable in another forum.

Thus, a Forensic investigator needs to always keep in mind the objective of his forensic activity and ensure that the end result of his effort becomes useful as a “Forensic Evidence”.

Sometimes an investigator may acquire information through means which are not straightforward or may involve deception or even illegal methodology. In such cases, the Courts may hold different views about the admissibility of the evidence in the first place and on the liability of the investigator who has used unethical or illegal methods of acquiring evidence.

In the case of Digital Forensics in India there are two specific laws that the Forensic investigator needs to take note of, to ensure that his work is admissible as evidence in a Court without dispute and does not create a reverse charge of illegality.

First is the more familiar requirement of a Certificate under Section 65B of the Indian Evidence Act 1872 as amended by the Information Technology Act 2000, effective from 17th October 2000. According to this 20-year-old law, the forensic investigator presenting a report about information in electronic form has to provide an appropriate description of the process through which the evidence was obtained and the tools or devices used for observation, along with his signature and certain warranties that the presented material (say, a printout) is a faithful copy of what he observed, that the computer used was working in a proper condition, etc. As regards the legality of the forensic investigation, the investigator is required to hold an authorization from the person who is the owner of the device on which the observation was made. In this context it is immaterial who owns the data residing inside the computer resource, as long as the permission is obtained from the person in charge of the device.

In case the owner of the data is different from the owner of the device and suffers damage on account of the activity of the forensic investigator, he may make a claim for compensation from the investigator, but the investigator may be indemnified from the liability if he holds a proper authorization. The vicarious liability for the damage, if any, falls on the device owner unless the investigator has exceeded the authority given to him by the device owner as regards what data he can observe and whether any collateral damage is properly indemnified.

In the coming days, another important law of the country is likely to have a significant impact on the activities of a forensic investigator and is expected to add further complications to the above situation. This is the “Data Protection Act of India”, which is presently in the form of a Bill (DPB 2021) in the Parliament and is expected to be passed in February 2022.

The DPB 2022 is a law designed to protect the Right to Privacy of an individual, which is recognized as a fundamental right of the citizens of India under Article 21 of the Constitution, subject to reasonable exceptions as enumerated in Article 19(2). A decision to this effect was given by a Nine Member bench of the Supreme Court of India in its verdict of 24th August 2017 in the now well-known case referred to as Justice K S Puttaswamy Vs Union of India.

This Act is applicable to “Personal Information” in most of its scope, but has one provision regarding the need to disclose a data breach even of “Non-Personal Information”.

The organization which has control over the personal data of an individual and determines the purpose and means of its usage is called the “Data Fiduciary” under the Act and is expected to take care of the right of privacy of the individual to whom the personal information relates. The Act also recognizes that a Data Fiduciary may engage the services of a “Data Processor” under a contractual arrangement, to whom the personal data may be entrusted for further processing. Such a data processor will be bound to follow the contractual obligations and, to some extent, also the provisions of the law during the processing.

The Act has provisions to impose hefty fines of up to 4% of the total worldwide turnover of an organization in case of any failure of the data fiduciary to comply with any of the provisions of the law. Some of the provisions also apply to the Data Processor, who may also be liable for penalties. If an organization projects itself as a “Forensic Company”, then the expectation is that the company has its own tools and methods of investigation (considered as “Processing” under the DPB 2021) and the contract with the data fiduciary cannot specify the complete details of how the process is to be undertaken. In such circumstances the forensic company may take on the role of a “Joint Data Fiduciary” and cannot rely entirely on the contractual document with the Data Fiduciary, which may have a clause indemnifying the investigator from any consequential liabilities.

In the case of an individual forensic investigator, if he is using his own tools and methods of investigation, which is often the case, he would also be considered a “Joint Data Fiduciary”.

In view of the above, Forensic professionals need to be fully aware of the liabilities that may arise in the course of their professional activity, prepare themselves for compliance like a “Data Fiduciary”, and ensure that the contract with the company appointing them as a forensic investigator is comprehensive and sufficient to protect the interests of the investigating company as well as its investigators.

It may be noted that the essence of “Privacy” is keeping information “Confidential” and not disclosing it except as “Permitted by law” or as “Consented” to by the data principal to whom the personal information belongs. On the other hand, the essence of “Forensic investigation” is to “dig for truth”. Often the investigator does not know what will come forth from his investigation. Most of the time a successful forensic investigator will dig up information which not only unravels the truth behind the transaction he is appointed to investigate, but also information which is not related to the designated investigation and, many times, information belonging to other persons. Some of this may reveal what could be considered misdemeanours or even cognizable offences.

In such a situation, the investigator would come under ethical and legal scrutiny as to whether he is obligated to keep the information confidential to himself, reveal it to his employers, or reveal it to the company whose information is being investigated. Even if he wants to keep the information confidential, he needs to decide how he archives the information and keeps it secure so that it does not leak from his custody unintentionally.

The Information Technology Act 2000 already has both civil and criminal penalties prescribed for acts that contravene the Act. Though Courts do accept evidence as a revelation of truth even when it is obtained illegally, the person who provides the evidence may not automatically be protected from the legal liabilities arising out of the illegal collection of that evidence.

Journalists often engage in “Sting” operations which may not be legal and may even involve “Unauthorised access to information amounting to hacking”; they normally try to claim immunity because they do the sting operation in the “Public Interest” and in the course of their journalistic activities. In the case of forensic investigators, there may or may not be “Public Interest” in the primary investigation, and whether there is public interest in the disclosure or non-disclosure of information unearthed during the investigation is left to the wisdom of the investigator. The investigator may have to exercise his mature judgement on whether the information has to be disclosed and, if so, to whom. If the disclosure is inappropriate, it could damage the reputation of innocent persons and cause harm that could lead to penalties under the DPB 2021 besides ITA 2000.

The harm recognized under DPB 2021 is more complex than under ITA 2000 and without a proper understanding of the law, an investigator would be endangering his profession if he does not ensure that both the “Contract” and the “Conduct” are well within the legal boundaries.

DPB 2021 does provide certain exemptions whereby an organization may undertake fraud investigations or information security related activities involving the processing of personal data without the specific consent of the data principal. Similarly, law enforcement and the Judiciary may enjoy some exemptions. Further, public interest and medical emergencies may also have exemptions from consent.

Where the activity of processing of personal information is not covered under exemptions, the investigator needs to be ready to face the liabilities either directly or under the shield of an effective indemnity built into the contract.

Since this subject is new and “Consent” for “information that a data principal or the data fiduciary does not know exists” is not clearly addressed in law, the professional forensic investigator needs to arm himself with sufficient knowledge of data protection law and develop a proper methodology to address the compliance requirements.

Foundation of Data Protection Professionals in India (FDPPI), an organisation that leads data protection related activities in India and is led by the author, has developed a standard called “Data Protection Compliance Standard of India” (DPCSI), in which an attempt is made to suggest some methodologies for compliance by forensic investigating organizations. This is a pioneering effort on a global scale and also includes the evaluation of an organization for its maturity in implementing data protection measures, in the form of a “Data Trust Score”. Forensic investigators need to equip themselves with the DPCSI framework, which is applicable not only to the Data Fiduciaries being investigated but also to the investigator himself in setting up his own systems and practices.

Thus the advent of the new legislation in the form of DPB 2021 will make a significant change to the activities and operations of a forensic investigator and a professional forensic investigating agency. To preserve and promote a career in Digital Forensics, professionals must make the effort to also become proficient in the emerging legal changes in the country.

Naavi


Non-Material Damage under GDPR: Munich Court awards compensation

We are informed from time to time about the GDPR fines imposed by supervisory authorities on different companies for non-compliance. However, GDPR also provides that a data subject may claim compensation on account of a GDPR data breach through an action in Court.

In this connection it is interesting for academic students of GDPR to follow the recent cases in Germany.

Article 82 of GDPR states:

Article 82: Right to compensation and liability

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.

6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).

One of the issues that arises in implementing this provision is whether the data subject is entitled to compensation even if they have not suffered any kind of material damage.

In 2019 a case had been filed in the Goslar Local Court by a customer of an organization who had received a marketing mail from a data controller, claiming compensation of EUR 500. The Magistrate Court rejected the claim, ruling that he had failed to show any relevant damage from the unsolicited email that met the “minimal threshold of impairment”.

The complainant later made a complaint with the Constitutional Court, arguing that the Magistrate Court had wrongly applied its own interpretation of the law rather than referring to the ECJ the question of whether it is necessary to meet a de minimis threshold of impairment to be entitled to compensation for non-material damages under Article 82 GDPR.

The FCC (Federal Constitutional Court) agreed with the Plaintiff, ruling that the Magistrate Court was indeed obliged to turn to the ECJ in accordance with Article 267 para. 3 TFEU. The FCC found that whenever a question of EU law arises in a proceeding to be decided by a national court against whose decision there is no further remedy, that court must refer the question to the ECJ unless (i) the court has determined that the question is not relevant to the decision, (ii) the provision in question has already been interpreted by the ECJ, or (iii) the correct application of the law is so obvious that there is no room for reasonable doubt.

The FCC referred the matter to the Magistrate Court, which is to hear it once again and is to decide on it, in particular on the referral to the ECJ.

On 14th January 2021, the Constitutional Court of Germany held that the question has to be referred to the European Court of Justice. (Refer here)

In case the ECJ holds that it is not essential for the data subject to prove a quantifiable damage in order to make a claim for compensation, a flood of litigation from the public is expected whenever a data breach occurs. The “Data Subject Compensation Risk” would be in addition to the risk of penalties imposed by the supervisory authorities and will be an additional burden on the industry, though it could be covered by an insurance policy.

In the meantime, there was another order of the Regional Court of Munich, related to Scalable Capital, which was ordered to pay non-material damages of EUR 2500 to a data subject. (Refer here) The data breach through a cyber attack had been reported to the data subject on 19.10.2020. A total of 389,000 records of 33,200 affected persons had been breached in this incident. Because the data subject feared identity theft and other fraud, they brought the action before the Court and claimed compensation.

In this case of appeal against the compensation granted by the lower Court, the personal information of the customers had been transferred to a data processor whose contract had been terminated at the end of 2015. The company assumed that the data had been deleted but had not verified it. The credentials of the data processor were used by the hackers for the attack.

The Court held that, when assessing the amount of the non-material damages, it must be taken into account that the data in dispute has obviously not yet been misused, at least not to the detriment of the plaintiff, and therefore at most a more or less high risk can be assumed. However, the deterrent effect of the damages intended by the legislator must also be taken into account, as mentioned above. Weighing up all these aspects, the court considered (non-material) damages in the amount of 2,500 euros to be appropriate.

It appears that in this case the need for an ECJ reference was not insisted upon, for certain technical reasons. The Court said in this regard:

“Insofar as the defendant believes that a preliminary ruling by the ECJ is mandatory, which was recently established by the BVerfG, decision of 14.1.2021 – 1 BvR 2853/19, it overlooks Article 267 (3) TFEU.* Whereas in the facts underlying the aforementioned decision, neither the appeal complaint had been reached nor the Local Court had allowed the appeal, this is undoubtedly given in the present case (cf. section 511 (1), (2) no. 1 of the Code of Civil Procedure), so that no decision of last instance is given.” (Decision published on 21.12.2021)

(Comments are welcome)

Naavi

* Article 267 (ex Article 234 TEC)

    The Court of Justice of the European Union shall have jurisdiction to give preliminary rulings concerning:

    (a) the interpretation of the Treaties;

    (b) the validity and interpretation of acts of the institutions, bodies, offices or agencies of the Union;

    Where such a question is raised before any court or tribunal of a Member State, that court or tribunal may, if it considers that a decision on the question is necessary to enable it to give judgment, request the Court to give a ruling thereon.

    Where any such question is raised in a case pending before a court or tribunal of a Member State against whose decisions there is no judicial remedy under national law, that court or tribunal shall bring the matter before the Court.

    If such a question is raised in a case pending before a court or tribunal of a Member State with regard to a person in custody, the Court of Justice of the European Union shall act with the minimum of delay.

Reference:

Article in lexology.com

Article in gdprhub.eu


Join the DPA 2021 training starting on April 30th

I would like to remind professionals that the next training program on the Data Protection Regulations in India will be conducted by FDPPI-Cyber Law College online as a weekend batch. Tentative dates are April 30, May 1, 7, 8 and 14.

  1. The program leads to the FDPPI certification “Certified Data Protection Professional-Module I” and is part of the larger “Certified Data Protection Compliance Management System Auditor/Consultant” (CDPCMS Auditor/Consultant) program, which includes two other modules, namely a module on Global Laws (Module G) and another on Audit (Module A).
  2. The program is based on the new JPC approved version of the Data Protection Bill. It will be conducted online on the Zoom platform.
  3. Appropriate reading material will be provided during the course.
  4. At the end of the course, a 90-minute online multiple-choice examination will be available. Those who are successful will receive the certification “Certified Data Protection Professional-Module I”.
  5. The course content will be as follows:
    1. Evolution of Privacy Laws in India
    2. Applicability
    3. Obligations of a Data Fiduciary
    4. Rights of Data Principal
    5. Exemptions
    6. Restrictions on Data Transfer outside India
    7. Penalties and Offences
    8. Data Protection Authority
    9. Adjudication and Cyber Appellate Tribunal
    10. Data Audit
    11. Data Protection Compliance Management System (DPCMS) and Data Protection Compliance Standard of India (DPCSI)

Registration can be done here.

  6. The fee for the course is Rs 12,000/- plus GST of Rs 2160/-. Total Rs 14160/-.
  7. Those who attended the FDPPI-IACC seminar on April 4th are entitled to a discount of Rs 2000/-, and the fee payable by them would be Rs 10,000/- plus Rs 1800/- (GST). Total Rs 11800/-. (An email has already been sent to all the registered participants of the program.)
  8. The registrants will also be provided a complimentary “Basic Membership” of FDPPI, which otherwise costs Rs 4000/-.
  9. For further clarifications, if any, contact Naavi.

Naavi


After Avtar, it is Honda that adopts “Naavi”

Naavi was adopted by me as a name, as a short version of my Kannada name Nagaraja Rao Vijayashankar.

The website naavi.com was launched on 14th December 1998 as a personal website and later converted into a Cyber Law website.


We can extract the first looks of the website from the Wayback machine where the earliest available page is 12th October 1999.

The first look of the website seems interesting, though very archaic now.

When I launched my first book in 1999, “Cyber Laws for Every Netizen in India”, the name was published as the name of the author of the book.

While adopting naavi as my popular name, the word “Navi” was avoided because phonetically it could be spoken as in Navi Mumbai, and also because Navi was a registered trademark of Nokia and was otherwise registered in Japan.

When the film “Avtar” was launched, the first clash with the phonetic “Naavi” was felt and a trademark application was formally filed.

However, naavi.com was cybersquatted and later sold to a company in Australia. But Naavi.org, which was hosted as a mirror site for Naavi.com, remained in my custody and continued to host my content.

Trademark registration for service marks was not available in India when the website naavi.com/naavi.org was launched, and the system of Trademark registration is also steeped in inefficiency.

Now Sachin Bansal of Flipkart fame has applied for a trademark on Navi, and the trademark office would perhaps grant it.

On the other hand, I can record that for my trademark application for CEAC, the trademark officer raised objections citing CEAT and several other marks which had no relation to the trademark category. Similarly, the trademark application for Cyber Law College was objected to, and the trademark application for Naavi was not attended to for ages. With my experience I can state that Trademark registration is only for those with deep pockets who can manage the corruption in the system, and not for those who pursue it only as a legal right.

Anyway, it is now interesting that Honda has launched a vehicle under the name “Navi”, but phonetically the videos speak of “Naavi”.

Anticipating this type of dispute, I had submitted a patent application and launched the service Verify4lookalikes.com, which is now hosted under lookalikes.in. The services I envisaged there are now implemented by many others in the world, and I could not take the patent application beyond getting the approval of the PCT.

It is too late now to get disappointed about these failed encounters with Trademarks and Patents; better to sit back and enjoy the fact that the name “Naavi” reverberates with the sound of the Honda motorcycle.

Naavi


Defining a Data Asset: A Debate

[Discussions here are part of the Naavi’s Theory of Data]

Data Governance in an organization requires identifying what data is, how data can be created or collected, what its value is, who the custodian is, who the owner is, who will have access, what the permitted uses are, what permitted modifications create new data assets, how the data can be shared, and how it can be destroyed.

A detailed discussion of these is part of Naavi’s discourse on the Theory of Data, for an academic discussion at some other time.

We have already discussed the concept of “Nuclear theory of Data” in the context of personal data in the following articles.

1. Fission and Fusion of data elements

2. Atomic structure of Data

In the recently released Draft India Data Accessibility and Use policy, the Government has set an objective to draw up an inventory of data assets in each of the Ministries and Departments, and in this context I would like to place for discussion how we classify “Non Personal Data” in a similar atomic model.

The “Atomic Model” of data envisages that

    1. There is a core element of identity of the data
    2. There are peripheral associate elements that give depth and width to data

In the personal data context, the Name is like the proton but does not constitute a stable atom on its own. It becomes stable when it is associated with another stabilization element, such as the Aadhaar number, PAN card or Social Security number, which gives a “Unique Identity” at least within a large enough universe (e.g. Aadhaar is a unique identity in India but may not be considered so in another country). This combination of the Name and one or more unique identity factors forms the nucleus. But the nucleus alone does not give the properties of the atom. We need a set of electrons revolving around it, namely the other information such as the email address or mobile number, which together give shape to the data set as a stable atom. When two such atoms combine there can be a molecule, and when more molecules get bonded we may get a compound or a complex organic molecule.

In non-personal data (NPD), defining a data set requires identifying a core identity element for the data set and then the associated information. NPD does not have the name of an individual to whom the data relates, but it could have an “event” or an “Object” to which the data relates. For example, data about a company, a market research study or a cricket match are “NPDs but related to a core activity or object”. This core object is the defining sub-atomic particle of the NPD element.

The depth and width of the element is determined by how many neutron-like core elemental particles and how many electron-type peripheral particles are associated with it.

An NPD data set can be a PDF document, a video, or an entire database. A document about a cricket match and a video about the same cricket match can be considered two distinct data sets. They can be combined with information on several cricket matches in a database, in which case the database is an NPD set.

When an inventory is being created, we need to identify and define the data set and give it an identity tag so that it can be accessed by users. In such an inventory, the data set has to exist in some stable form, such as a video clip of at least a few seconds, for the data to have any meaning. The PDF document and the video clip can be considered stable data sets. They can be included in a database, and access may be defined either to specific stable elements or to a larger document, depending on the requirement.

When a search facility needs to be created, the search term has to be a stable data element. For example, while we can do a text search for “sta” and index it, the more useful search term would be “stable”. Similarly, the “Searchable component” of a data set should be a term that is useful to the person trying to locate the document.

These concepts need to be debated and refined further to enable “Data Governance” around “Non Personal Data Sets” generated, created, collected, used, disclosed and destroyed by an organization whether it is a Government department or a Private Company.

Industry representatives may comment if this concept has any relation to the way they define a data set under their control for Data Protection requirements under GDPR or other similar laws.

Naavi

Reference Articles:

Atomic model of Data

Fission and Fusion of Data

Theory of Dynamic personal data

The new theory of data


ITU-APT threatens India: Government should ignore it and tighten Data Localization

Hindu Business Line today carries an article stating that according to “ITU-APT”, the data protection Bill as envisaged may impede the right of foreign nationals.

The report also carries a threat that foreign jurisdictions may bar the use of servers located in India.

This threat has come in the form of a letter written to the TRAI.

ITU-APT Foundation of India claims to be a non-profit, non-political, non-partisan industry foundation registered under the Societies Act in India. The parent organization is a Geneva based international organization with a presence in other countries such as the USA. The representation appears to have been led by Facebook/Meta.

While we do not have a copy of the representation, the Business Line report indicates the following views expressed by the Association in the letter.

  1. The DPB 2021 does not contain provisions that prevent Government access to data of foreign nationals stored in India.
  2. The draft law will hamper user rights and could prevent cloud service providers and other entities from locating their servers in India
  3. “Critical Personal Data” (a term that is yet to be defined) cannot leave India except in very limited circumstances such as health and emergency services, or where the Central Government allows such transfer.
  4. The association contends that the draft DPB 2021 currently does not expressly consider the case where personal data may be located in India due to localization requirements but could be subject to the laws of the country in which such data originated. It does not address the possibility of Government access to such data in a way that overrides the protection provided to personal data in other jurisdictions. This may, in turn, hinder the ability of cloud service providers and other entities to locate their servers in India, as foreign jurisdictions may bar them from doing so on account of data security concerns (for instance, due to the inability to get approval from foreign jurisdiction regulators to store data in India, owing to concerns such regulators may have about the protection of their citizens’ data).

We are not clear whether this representation has been made by the parent body directly or by the local arm, of which Shri Tilak Raj Dua is the Chairman and Shri Bharat Bhatia the President.

We would, however, like to point out that the argument of the organisation is based on an incorrect interpretation of the Bill, and we would like to explain why we feel that India requires a stronger Data Localization law than what is proposed in DPB 2021, in the light of the risk that has been highlighted by the Russia-Ukraine conflict.

The Russia-Ukraine Conflict has exposed a new Risk

We do not want to go into who is correct or who is wrong in the Russia-Ukraine/NATO/US conflict. We do not want to argue whether the USA’s destruction of Iraq on suspicion of nuclear arms was justified, or whether Russia’s invasion of Ukraine on suspicion of Bio Weapon factories run under US patronage (like the Wuhan lab which could have manufactured the Covid virus) is more justified.

We can, however, focus on the action of many US companies which stopped services not only in Russia but also in India, to private companies who had business commitments to fulfil.

It is the prerogative of these companies to join a war for any cause, but when their interests threaten Indian interests, we need to recognize it as a risk. Today we have recognized that there is a “China Risk” in depending on Chinese telecom equipment. A similar risk appears to have emerged in the services of US companies. Visa, for example, stopped its card processing services in Russia. What prevents them from bringing similar pressure on India if they are unhappy with the RBI regulation on data localization?

If Facebook exits from India, there is no problem. It would be a blessing in disguise for Indian society. But what if Microsoft or Adobe is arm-twisted by the US Government to stop their services in India through the backdoors they maintain in their software?

Microsoft and Apple also hold huge amounts of data collected through their “One Drive” feature, which users are more or less compelled to use. Google is another US company which holds data about Indians beyond what is reasonable. If they ever stop access to such data, Indian citizens and the Government will feel the real pinch of an information war.

Is there a guarantee that these companies will not join a war in a fit of anger over India’s Kashmir policy, or if Pakistan disintegrates and Baluchistan requests India’s help on humanitarian grounds to be liberated like Bangladesh?

Like the US sending its aircraft carrier during the Indo-Pak war of 1971, what is the guarantee that all Windows computers in India will not stop working and all Adobe PDF documents will not vanish?

To counter such risks, however remote they may be, India needs to take action through its current law, namely ITA 2000, as well as the proposed Data Protection Law.

Against this background, let us see if ITU-APT’s objections hold any value.

  1. ITU-APT says that DPB 2021 does not contain provisions that prevent Government access to data of foreign nationals stored in India.

Though it is our sovereign right under which any asset anywhere in India can be accessed in the national security interest, we must draw the attention of ITU-APT to section 37 of the Bill, which states:

Power of Central Government to exempt certain data processors.

The Central Government may, by notification, exempt from the application of this Act, the processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, including any company incorporated outside the territory of India, by any data processor or any class of data processors incorporated under Indian law.

This section provides that the Government may grant exemption from the Indian law for personal data of foreigners stored in India, subject to a notification. Hence all the arguments built by ITU-APT are false and qualify to be called deliberate misinformation.

It is not, however, necessary that India should become a safe haven where any data processed in India that may pose a global humanitarian threat or a threat to Indian national security cannot be touched by Indian law enforcement agencies.

For example, if the data pertains to a foreign agency running a Bio Weapon facility anywhere in the world, or relates to the planning of a terrorist activity anywhere in the world, it would be the bounden duty of the Indian Government to investigate, notwithstanding the data being that of a foreign national and being processed on a server belonging to a US entity.

When laws are made, there has to be empowerment for such eventualities along with appropriate checks and balances to ensure against misuse. Presently we are only discussing the basic provisions of the Bill, where, for the purpose of empowerment, a provision for access under emergent situations must exist. The checks and balances will have to be discussed when the rules are framed by the DPA.

We already have Sections 69/69A/69B/70B of ITA 2000, which ITU-APT should study and raise any objections if they have any. Probably they are not even aware of the law called ITA 2000, which is the current data protection law of India and will continue even after DPB 2021 becomes a law.

Hence the objection of ITU-APT on this ground is unfounded.

2. Regarding the hampering of the cloud service providers, it is a business decision that these service providers may take, whether they should have their services in India or not. There will be around 2 years’ time, and India will try to develop its own services for data storage if these cloud service providers want to deny their services.

Even if the cloud service providers are prevented by their respective Governments from storing the data originating from their country in India, it is their choice. If the cloud service providers are aware of the technologies called “Encryption” or “Pseudonymization”, they can still use Indian servers and manage the local legal requirements. Perhaps ITU-APT thinks that the companies who need to store data in a cloud are not aware of such access control measures to address the concerns.

We strongly feel that there is no need for the Indian Government to create a safe haven for international data to satisfy the concerns of ITU-APT. We need to take care of our national interests first, and the protection of the legal obligations of the cloud service providers to a foreign country has to be subordinated to Indian interests.

3. Critical personal data was an empowerment that the Government of India built into the law to address contingent concerns. Now the Russia-Ukraine war and the private sanctions of commercial MNCs on other commercial organizations in India, ignoring international law, have underscored the need for this provision to be clarified if required.

Government may therefore declare that

“Critical Data” includes personal and non-personal data, the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health or safety.

For the purpose of implementing the cross border restrictions on Critical personal data, all organizations handling such data shall be considered as “Significant Data Fiduciaries” and assure the DPA through a registration agreement to protect the Indian interests at all costs.

4. ITU-APT has not considered the fact that DPB 2021 basically applies only to data that has its origin in India. It does not affect the personal data of a foreign citizen originating abroad and processed abroad.

If such data is brought to India for processing, then the Section 37 exemption as well as security tools such as Pseudonymization, Encryption and Anonymization can be used by the Data Exporter to protect the interests of the foreign citizens.
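The pseudonymization the two passages above refer to (use of Indian servers while keeping the foreign data subjects' identities out of reach of the processor) can be illustrated with a small added example. This is not code from the original post or from any of the organisations named; it assumes a hypothetical record layout with three direct-identifier fields and a constructed exporter key. Each direct identifier is replaced by a keyed HMAC-SHA256 token before the record leaves the exporter; the key and the token-to-value map stay with the exporter, so the copy held by the processor carries only tokens. Encryption of the remaining fields would be a further layer on top of this and is not shown here.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Fields treated as direct identifiers (a constructed list for this example).
DIRECT_IDENTIFIERS = ("name", "email", "passport_no")


def pseudonymize_record(record: Dict[str, str], key: bytes) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Replace each direct identifier with a keyed HMAC-SHA256 token.

    Returns the copy destined for the processor (tokens only) and the
    re-identification map (token -> original value).  The map and the key
    remain with the data exporter and are never sent to the processor.
    """
    processor_copy = dict(record)
    reid_map: Dict[str, str] = {}
    for field in DIRECT_IDENTIFIERS:
        if field not in record:
            continue
        # The field name is mixed into the message so that the same value
        # appearing in two different fields does not yield the same token.
        msg = f"{field}:{record[field]}".encode("utf-8")
        token = hmac.new(key, msg, hashlib.sha256).hexdigest()
        processor_copy[field] = token
        reid_map[token] = record[field]
    return processor_copy, reid_map


def reidentify(processor_copy: Dict[str, str], reid_map: Dict[str, str]) -> Dict[str, str]:
    """Exporter-side reverse step: swap tokens back for the original values."""
    restored = dict(processor_copy)
    for field in DIRECT_IDENTIFIERS:
        if field in restored and restored[field] in reid_map:
            restored[field] = reid_map[restored[field]]
    return restored


def leaks_identifier(processor_copy: Dict[str, str], record: Dict[str, str]) -> bool:
    """True if any original direct identifier still appears in the stored copy.

    A simple pre-transfer check: the exporter refuses to ship a record whose
    serialized form still contains a raw identifier value.
    """
    blob = json.dumps(processor_copy)
    return any(record[f] in blob for f in DIRECT_IDENTIFIERS if f in record)


# Constructed sample: one customer record of a hypothetical data exporter.
SAMPLE_RECORD = {
    "name": "Example Person",
    "email": "person@example.org",
    "passport_no": "X0000000",
    "plan": "premium",
    "last_login": "2022-03-10",
}
# Constructed key; in practice generated randomly and held only by the exporter.
EXPORTER_KEY = b"constructed-demo-key-kept-outside-the-processor"


if __name__ == "__main__":
    stored, secret_map = pseudonymize_record(SAMPLE_RECORD, EXPORTER_KEY)
    print("copy sent to the processor:", json.dumps(stored, indent=2))
    print("raw identifier present:", leaks_identifier(stored, SAMPLE_RECORD))
    print("exporter can restore:", reidentify(stored, secret_map) == SAMPLE_RECORD)
```

Because the tokens are keyed, the processor (or anyone who obtains its copy) cannot rebuild them from guessed names or e-mail addresses without the exporter's key, which is what distinguishes this from a plain hash; the non-identifying fields such as the plan and last login remain usable for processing in India.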

There is no need for India to dilute its laws for the sake of data exporters from other countries who do not want to invest in appropriate security technology.

It therefore appears that the representation of ITU-APT is devoid of merit and has to be rejected.

I request the TRAI not to initiate any action in this regard. Additionally, we urge the Government to tighten the Section 33/34 provisions of DPB 2021 and make it mandatory that a copy of all data transferred out of India henceforth be kept in India. Additionally, as recommended by the JPC outside the Bill, a copy of all data transferred out of India in the last 3 years needs to be brought back to India.

Naavi


Posted in Cyber Law