Naavi.org

(Press note issued by Mumbai High Court for not providing timely hearing of Adjudication case)

The Adjudication system in ITA 2000 was one of the commendable features of Cyber Law in India trying to provide a fast track settlement of cases under ITA 2000. Unfortunately, many IT Secretaries donot take up adjudication cases. Some take up the cases and come  out with questionable decisions. The intention of the law to get a decision within 6 months often remains a dream.

The undersigned was fortunate to lead the first adjudication case in Chennai in 2008 which took 2 years but was held briskly. Mr PWC Davidar was the adjudicator at that time and he was highly professional in his approach. However in the case against PNB, the Bank’s advocate played all tricks of delaying and the case got held up to such an extent that the case is yet to be decided. In Mumbai,  one of the earlier IT secretaries, Rajesh Aggarwal  was a very active Adjudicator who decided many cases in his tenure.

It now appears that all adjudicators have lost interest in such cases and it is very difficult to suggest cyber crime victims to approach the Adjudication.

The Cyber Judicial system has irrevocably failed.

In such a scenario, we must  appreciate the efforts of Advocate Dr Mahendra Limaye who has approached the Mumbai High Court (Nagpur Bench) and got a notice issued to the Maharashtra adjudicator for not providing timely hearing.

A press note issued by the High Court in this regard is reproduced below.

“In a writ petition No.5058/2021 filed by Shikshak Sahakari Bank Ltd. Nagpur against 1) Govt of India through Department of Electronics and Information technology and 2) Adjudicating Officer Maharashtra, which was heard today by Hon. High Court’s Division bench consisting of Hon. Justice Atul Chandurkar and Justice Mrs. M.S. Jawalkar, a notice was issued to both the parties.

The petitioner has prayed for directions to be issued to Information Technology Secretary Maharashtra who is designated as Adjudicating Officer for timely conduction of Civil matters as mandated under Information technology Act.

It was contended by Adv. Dr. Mahendra Limaye, the lawyer for petitioner that complaint filed by petitioner bank since April 2019 has not been heard till date and many such matters are pending before Adjudicating Officer since more than 4 years. As per provisions of The Information Technology (Qualification and Experience of the Adjudicating Officers and manner of Holding Enquiry) Rules,2003, Section 4 – Scope and Manner of Holding enquiries at subsection (k) states that, “As far as possible, every application shall be heard and decided in four months and the whole matter in six months” but the respondent no.2 has not initiated and concluded the complaint filed before him on 20 April 2019, i.e. almost 35 months have been passed but no meaningful enquiry/hearing is conducted by the A.O. This amounts to non-following the due procedure established by respondent no.1 and also gross injustice to the petitioner who is also repository of public money being a Cooperative Bank.

The cyber crimes are increasing every passing day and there needs effective Civil as well as Criminal remedial measures for the same to provide justice to the victims. The statutory provisions of effectively providing the justice between 4 to 6 months, as far as possible, from reporting of the complaint is getting defeated by such inefficient judicial system which needs to be directed for speedier disposal of the matters.

Hon Court has issued directions for issuance of notices to the respondents.

Advocate Dr. Mahendra Limaye represented petitioner Shikshak Sahakari Bank Ltd. Nagpur.”

I hope this will prompt other Adjudicators  also to speed up their cases now.

We congratulate Dr Limaye for drawing the attention of the Judiciary on the lethargy of the State Government and the IT Secretary of Maharashtra.

Naavi

As India continues to dither on the passing of the Indian version of Data Protection law, our neighbour, Sri Lanka has gone ahead and passed its “Personal Data Protection Act 2022”. 

It is interesting to note the comment made by Justice Minister Ali Sabry that

“There is nothing called perfect legislation..we cannot sit and wait for tomorrow to do the legislation….Will accommodate amendments if there are serious concerns”. 

This appears to be a direct comment on the Indian approach to the legislation which is one of procrastination and lack of commitment. (Refer this article).

It is clear that even in Sri Lanka there is the same kind of opposition to the Act as in India but the Government has shown the resolve to go ahead with the legislation.

Indian law may be better in terms of the protection of privacy but still the Government seems to lack the will to pass the law. It is possible that the commercial lobbies in India are strong and have the  support of the political opposition to the Government and hence the Government is hesitant to pass the law.

Indian Parliament needs to take a lesson from Sri Lanka in this regard.

P.S: we are watching for the final published version to make further comments

Naavi

Copy of the final version of the Act is here

The Government of India had recently issued a draft India Data Accessibility and Use Policy for public comments. The policy documents  are available here

Draft Policy : Background Note : A copy of the feedback on the policy is available here. 

The India Data Accessibility Policy was meant for Central Government Ministries and public sector bodies and it was suggested that the States could adopt similar policies.

It is creditable to note that Tamil Nadu has been the first State Government off the block with its own Data Policy. This has come as a Gazette Notification and not for public comments.

Copy of the Tamil Nadu Data Policy

It appears that this TN policy has been drafted with the guiding principle of “Data For Public Good” based on the National Data Sharing and Accessibility Policy 2012 (NDSAP 2012)of the Government of India. The recent policy of the Central Government had been developed under a slightly modified objective which took into account the Kris Gopalakrishna Committee report and the Data Protection Bill 2021. Some of the changes that had been observed in the Central Government policy may not be available in the TN State policy. Probably it will be modified as and when necessary to accommodate the changes.

The Tamil Nadu Data Policy (TNDP) is built on 13 key principles such as

Openness,
Privacy, Ethics and Equity,
Flexibility,
Transparency,
Legal Conformity,
IPR protection,
Interoperability and Standards,
Quality,
Security,
Accountability and formal responsibility,
Sustainability and Usability

The policy would be applicable to all the public authorities under the RTI act within the State of Tamil Nadu.

The policy classifies data into 4 categories namely Personally identifiable information, Sensitive personal data, anonymised data and aggregated data. Some of the information could be made automatically available in the Open Data Portal of the Government.

The state is expected to adopt a mix of federated and centralized data storage system. The TN e Governance Agency (TNeGA) will be the nodal agency to monitor the policy. A state level Empowered Data Governance Committee chaired by the Chief Secretary will provide the strategic guidance. The CEO, TNeGA will be the State’s Chief Data Officer (CDO) and there will be a Data Inter-Departmental Committee to take operational level decisions.

A mention has been made on monetization of data also and it would be interesting to see how the Government would approach Data Valuation.

We need to appreciate the efforts of the TN Government for having come out with  such a policy well before other States. We need to await and see how the policy would be implemented.

Naavi

FDPPI in association with Madras Management Association and other partner organizations will be conducting an offline seminar in Chennai on April 23, 2022.

The theme of the seminar is “DPA 2021-Compliance perspective”.

There is a campaign in the media that the JPC modified version of PDPB 2019 need to be re-drafted.

Firstly the set of objections were centered around

“Government has too much powers under Section 35 of the Act”.

The second was on the “Restrictions on Data Transfer” under Sections 33/34 of the Act.

Now the third set of objections cantering around “Difficulties to Start Ups” and “Compliance Cost” has been raised.

The net objective of all these objections are to lobby with the Government that the current weak set of laws continue and the Tech Companies like the Twitter, Meta and Google can continue their Data Exploits in India without accountability.

FDPPI however believes that Compliance to the data protection regulation is in the interest of the community and even if there is some disruptions in the operations of the Data user organizations, it is not the reason to defer the law indefinitely.

In order not to let the industry slip into complacency thinking that the Data protection  law will not be introduced in India,  FDPPI would  like to present the “Compliance Perspective” so that responsible companies start working towards compliance without being under too much of stress.

On April 23rd, over a day long seminar in Chennai, FDPPI along with FDPPI will discuss the DPA 2021, from the perspective of companies who would like to work towards compliance.

Watch out for more details.

Naavi

Some people in the industry think that DPA 2021 is a compliance burden and we need to bring pressure on the Government to delay the passing of the bill.

Unfortunately they are mistaken.

DPA 2021 is already with us in the form of “Due Diligence” and “Reasonable Security Practice” under Section 43A of Information Technology Act 2000.

Courts in Odisha, Delhi and Chennai in some of their decisions last year have quoted from the PDPB 2019 to decide on some issues on Privacy. If Courts have taken cognizance of PDPB 2019, it means that the current version of PDPB 2019 which is DPA 2021 is already in the radar of the Courts as the required data protection practice in India.

The absence of an implementing agency or a regulator like the Data Protection Authority of India may be a relief. But the powers given under ITA 2000 (Sec 46) to the Adjudicators include the powers to impose reasonable penalty on a suo moto basis for “Data Breach” and hence the possibility of penalties is already hanging over the heads of those who think there is no data protection law in India.

It is like the Amazon Pay…. It is already there…and most donot know it.

Come, let us discuss the Compliance View of DPA 2021 at the seminar in Chennai on April 23, 2022.

Contact FDPPI for more details.

Naavi

Business leaders are often confronted with the dilemma… Should I make a move now….or Should I wait… Should I lead… or Should I follow…

Indian industry is flying on the wings of Technology and Data is driving the business. Data however is the new Commodity that is at the centre of a new regulatory mechanism called the Data Protection Act 2021.

It is natural for organizations to be uncomfortable with any new regulation and more so when the regulation requires  a re-structuring of some of the existing business architecture.

But there are certain regulations which are the global norms and are inevitable. They  can be delayed but not avoided. The Data Protection Regulation is one such legislation which is likely to arrive soon in the industry environment.

This is a regulation that holds a penalty risk of 4% of our turnover for non compliance. We can only ignore it at our peril.

So, irrespective of the media campaign against the immediate introduction of the bill DPB 2021 in the Parliament, industries need to look for ways to build the path towards compliance.

Come, let us discuss the Compliance View of DPA 2021 at the seminar in Chennai on April 23, 2022.

Contact FDPPI for more details.

Naavi