DPO, the new destination for CISOs: Naavi at CISO Virtual Summit

 

CISO Platform has organized the 13th Virtual Summit on June 2nd and 3rd.  The event is accessible online and free. Interested persons may use this opportunity to attend and enhance their knowledge.

Naavi will be speaking on the topic “DPO, A new destination for CISOs”. In this discussion, scheduled from 19.30 IST to 22.30 on June 2nd, Naavi will discuss why the CISO has to look up to the DPO as the next destination and what the requirements of a good DPO are, along with an overview of the Indian PDPB 2019.

Those who are interested in attending the event may visit here for registration.

Naavi

 

Posted in Cyber Law | Leave a comment

Get Ready to be a Certified DPO even as Government prepares to push PDPB 2019

The much awaited comprehensive Certification Program for DPOs in India from FDPPI is set to commence on June 19, 2021 as per the following tentative schedule.

The program consists of 36 hours of online training covering the Data Protection laws of India in full detail, GDPR in reasonable detail and laws of several other countries.

The sessions would be primarily conducted by Naavi, a veteran who started virtual education way back in the year 2000 through Cyber Law College and is the founder of www.naavi.org, as well as Chairman of FDPPI.

The discussion on Indian law will be on the basis of PDPB 2019 and ITA 2000/8. As and when the Bill is passed, a free bridging session will be offered to all the participants to discuss the changes so that the participants would be fully aware of the Indian Law.

The focus of the program will be to equip a Data Protection Officer with the relevant knowledge required to take on the responsibility. The participants will get a certificate as “Certified PDP-CMS Auditor” or “Certified PDP-CMS Consultant” depending on their performance in the examination.

The online examination will consist of 3 papers which will be held on July 31st (Paper 1 and Paper 2) and August 1st 2021 (Paper 3).

PDP-CMS audit is an audit for “Personal Data Protection Compliance Management System” which will be mandatory to be implemented  by every organization in India handling personal data. Those organizations which are classified as Significant Data Fiduciaries would be required to mandatorily get an audit conducted annually by an external auditor.

The PDP-CMS audit will include Evaluation of “Data Trust Score” (DTS) which is a unique proposition of the Indian Law.

The Evaluation of DTS will be based on a unique system established by FDPPI under the Personal Data Protection Standard of India (PDPSI).

In view of the  collaboration between FDPPI and DNV, the globally recognized organization which is known for Management audits, the Certificates would be issued under the joint names of FDPPI-DNV.

The online examination will consist of three separate online multiple choice examinations of 90 minutes each. There will be two cutoff marks for certification. Participants who clear the higher cutoff would be provided the certificate as PDP-CMS Auditor. Participants who clear a lower cutoff would be provided the certificate as PDP-CMS Consultant.

Certified PDP-CMS auditors would be accredited by FDPPI under their PDPSI audit program and will be eligible to conduct audits in association with Certification Bodies who are organizations accredited with FDPPI. PDP-CMS consultants would be able to provide consultancy to organizations to prepare themselves for audit and also upgrade themselves to the auditor grade based on experience.

The total fees for the program would be Rs 40,000/- (Or approximately US$ 575/-)

The application can be completed here

The Fees may be paid here.

Registrations are set to close on June 10, 2021.


P.S: It may be noted that the Minister of Law and IT, honourable Mr Ravi Shankar Prasad, in an interview on 28th May 2021 with Times Now, has indicated that the Government will push the passage of PDPB 2019 in the next Parliamentary session. Excerpts from this interview are available here.

It is likely that the Government would provide some time for implementation and will require around 3 months to set up the Data Protection Authority. However it appears that Jurisprudence has already developed in India to consider the principles of Personal Data Protection discussed in the PDPB 2019 as “Due Diligence” under ITA 2000/8. (Refer court judgements referred to in this article).

Professionals are also aware that implementation of a comprehensive privacy program for an organization is not as simple as drafting a Privacy Policy for the website. It involves establishment of a Privacy culture in the organization which requires time. Hence prudent professionals and organizations need to  start early to retain a competitive advantage.

FDPPI hopes that professionals would take advantage of this opportunity.

For more information contact fdppi@fdppi.in.

Naavi


Net4India domains are being transferred

The Net4India domain names, which were stuck due to the mishandling of the insolvency petition by NCLT, are now getting resolved in stages.

ICANN has transferred the domains to Bigrock.in and the company has been in the process of sending intimation to the erstwhile net4india customers.

The transfer of .com, .net etc. is in progress and is expected to be completed in a day or two.

Those who are interested may call the call center at 0824 2868080 for more information.

Most of the registrants had left some balance in their accounts with Net4India. NCLT and its RPs might not have accounted for these dues. We have to wait and see how this would be disposed of.

It is the duty of the NCLT and the RP to account for this money.

Naavi


Compliance complications for small digital media after May 26th 2021

Over the last few days, developments regarding Cyber Law in India have overwhelmed most of us and left us engaged full time on following the developments.

In these discussions the future role of digital media is being re-defined, and this has consequently introduced some complications that need to be resolved quickly.

ITA 2000/8 identified “Intermediaries” which required a safe harbor provision to ensure that the mere act of being a conduit of a message does not make the intermediary liable for any contravention of law by the user of the intermediary service.  While this definition was more suitable for ISPs and MSPs, the inclusion of other services such as E Commerce platforms in the 2008 version introduced some confusion.

The definition of an intermediary under ITA 2000 version was

“Intermediary” with respect to any particular electronic message means any  person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message;”

In the amended version passed in 2008 and notified on 27th October 2009, the definition was expanded as follows.

“Intermediary” with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.

The introduction of additional services as an explanation mixed up “Intermediaries” with entities which exercised control on the messages like what Twitter does. The moment an organization exercises control on initiating the transmission, selecting the receiver of the transmission and selecting or modifying the information contained in the transmission, they lose the status of an intermediary. Hence only such of those platforms which retain minimal control (excepting mandated control by law) will be eligible to be called Intermediaries. Most of the E Commerce platforms may have a small part of their activities such as “Advertising” in which they will be intermediaries. But in rest of their activities, they will not come under Section 79 but will fall under Section 43A for seeking any protection against vicarious liabilities.

In the meantime, PDPB 2019 introduced a term “Social Media Intermediary” stating

 “social media intermediary” is an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services, but shall not include intermediaries which primarily,—

(a) enable commercial or business oriented transactions;

(b) provide access to the Internet;

(c) in the nature of search-engines, on-line encyclopedias, e-mail services or on- line storage services.

The objective of this definition was to state that Social media intermediaries above a threshold of user base were to be classified as “Significant Data Fiduciaries” and were required to provide a voluntary technological means for users to identify themselves and display that identity in front of their messages.

With these statutory definitions behind us, the Intermediary Guidelines and Digital Media Ethical Code of February 25, 2021 gave further definition of a Social Media Intermediary as

‘social media intermediary’ means an intermediary which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services;

While the PDPB 2019 definition excluded the normal intermediaries such as E Commerce entities, ISPs and search engines, the definition in the Intermediary guidelines was an extension from the definition of intermediaries without a proper explanation of what it does not include.

At the same time, the Intermediary guidelines defined the “Digital Media” as

‘digital media’ means digitized content that can be transmitted over the internet or computer networks and includes content received, stored, transmitted, edited or processed by-
(i) an intermediary; or
(ii) a publisher of news and current affairs content or a publisher of online curated content;

The Intermediary guideline also defined the “News and Current Affairs Content” so that a digital media entity which is also a publisher of news and current affairs content could be identified for application of the ethical code and the self regulation.

This defined news and current affairs content as follows

‘news and current affairs content’ includes newly received or noteworthy content, including analysis, especially about recent events primarily of socio-political, economic or cultural nature, made available over the internet or computer networks, and any digital media shall be news and current affairs content where the context, substance, purpose, import and meaning of such information is in the nature of news and current affairs content.

Out of these “Social Media Intermediaries”, the class of “Significant Social Media Intermediary” was defined with a user base of 50 lakhs and above and was subjected to the specific guidelines as envisaged in the notification. Some part of the guideline, such as the Grievance redressal as well as furnishing of information, was applicable to a “Publisher of news and current affairs content and publisher of online curated content operating in India”, for which a form was notified on May 26, 2021.

One important part of the guideline was that the “Publisher” was to preserve records of content transmitted by it for a minimum period of 60 days and make it available to the self regulating body of the Central Government.

All publishers were also required to follow the Level I self regulating mechanism which included the establishment of a grievance redressal mechanism, display of contact details etc and to become a member of a self regulating body formed under Level II.

The self regulatory bodies under Level II were to get themselves registered with the MIB.

In this entire maze of definitions and compliance requirements, many bloggers and companies publishing digital information are confused if they come under the definition of a “Digital Media” or a “Publisher” and whether they need to have new compliance measures.

We must consider that the regulations are evolving and there are many grey areas that need to be clarified.

Unfortunately the Level III regulatory mechanism, which includes designation of an “Authorized Officer” and publishing of a charter for self regulating bodies including Codes of Practices for such bodies, has not yet been announced by the MIB.

Without the MIB coming up with the Charter under which the Level II self regulatory bodies get themselves registered, Level I self regulation cannot be completed.

Further if the Level II regulatory bodies are headed by a retired Supreme Court judge etc, they will tend to be high cost bodies and the cost of maintaining a membership with such organizations will be prohibitive except for large digital publishing entities.

Currently these regulations are applicable (Clause 8 of the February 25 notification)  to all publishers where such publisher conducts systematic business activity of making its content available in India.

 “systematic activity” shall mean any structured or organised activity that involves an element of planning, method, continuity or persistence. 

Naavi.org has been trying to understand the applicability from the perspective of a website such as Naavi.org or FDPPI.in or dpji.in  or privacy.ind.in, etc. Obviously it is a question of interpretation whether Naavi.org is a “Digital Publishing” activity for the purpose of these regulations because it includes publication of some news and analysis of news.

The legislative intent of the notification obviously does not appear to be to make every blog owner register himself or, even if he registers himself for the purpose of “Contact information” and “Grievance officer”, to make it mandatory for him to be a member of a self regulatory body and incur costs.

Hence there is an urgent need for the MIB to clarify that “Mandatory membership with a Level II Self Regulatory Body” is not applicable to all web site/blog owners.

Hence Rule number 11(2)(d) should be applied only to “Significant Social Media Intermediary” and not to all “Publishers”.

I request MIB to issue a clarification on this immediately since some Level II Self Regulatory Bodies are speaking of membership fees of Rs 50,000/- and above and it is unthinkable for blogs like Naavi.org to pay such fees.

If MIB remains silent, then there will be a new scam of Level II self regulatory bodies using this opportunity for exploiting small digital media establishments.

It must however be noted that at present, the February 25th notification is under Section 79 of ITA 2000 and hence does not come with any direct penal provisions. Hence no fines can be imposed for non-compliance, nor will the non-complying organizations be required to shut down operations. The only loss, if any, would be the safe harbor protection.

Instead of letting the uncertainty prevail, it is better for MIB to provide a clarification that  a non significant social media intermediary needs to conform only to rule 11 (2) (a),(b) and (c) and membership of the Level II self regulatory body is optional.

In the meantime, Naavi is encouraging some like minded persons to come together in establishing a Level II self regulatory body which will not charge Rs 50000/- for membership and will be managed by media professionals, though it is not headed by a retired Supreme Court judge.

Further, it must be recognized that just as PDPB 2019 declares that the regulator (DPA) is himself a Data Fiduciary, a Level II self regulatory body will also be required to introduce Level I self regulation. In other words, the Level I and Level II regulation will be managed by the same organization unless the Government makes it mandatory that Level II self regulatory bodies introduce some cross certification of their self regulatory process. Alternatively, “Peer Review of Self Regulation” can be opened out to all Level I self regulation of non significant social media intermediaries.

It is possible that the Government has not thought through all these issues and was forced to fast track the system due to the Twitter controversy. But it would be necessary to fine tune the procedures to ensure that it does not create confusion in otherwise compliance oriented establishments.

(Comments are welcome)

Naavi


Right to Forget needs to be reined in

(Continued from the earlier article)

The Delhi High Court judgement upholding the Right to forget of a person accused, tried and acquitted (on technical grounds) for Narcotics smuggling, 8 years after the initial judgement, throws open a challenge to the Data Privacy community about how law should handle such requests.

The Orissa High Court judgement which is a more comprehensive judgement was a different kind of situation where the honour of a lady who was a victim was involved.

The Delhi Judgement upheld the right of a person who prima facie was caught red handed but, in the view of the Court, the investigators did not secure the evidence properly. The judgement ordered removal of search results not only from Google type of general search engines but also from Indian Kanoon which is a legal search facility.

Further, if the Delhi High Court judgement becomes a precedent, all cases in which acquittals have taken place have to be removed from legal databases such as Indian Kanoon. The libraries will also have to remove access to such judgements through search facilities.

In other words, the implementation of this judgement would seriously jeopardize legal education in the country.

If Indian Kanoon cannot provide search results of all acquittal cases, then they will have to remove hundreds of such cases. If Indian Kanoon has to be disallowed then Westlaw or LexisNexis or Manupatra also have to be disallowed.

More importantly, the “Right to Forget” alters factual information, and no newspapers can keep the data in their publications which have long become part of the news archives.

If a person has been charged and arrested, it is a fact. In case it was a false case, one can sympathize with the person, but at least to safeguard the information the data has to be available for the use of posterity. By asking such data to be removed from access, the Court is trying to alter the face of history.

Further when the Right to Forget request comes after several years, a question also arises whether there should be a time limitation before which the right has to be invoked.

The decision of the Delhi High Court is therefore unimplementable as a principle and will stand out as a special case courtesy the appeal. In any case in which acquittal has been granted, the information will contain the acquittal information, and if somebody manipulates the news and publishes only the accused part and does not provide the information of acquittal if it was available at the same point of time, it may be considered as unfair and “Inaccurate”. Under the “Right to Correction” the data subject may demand that the fact of acquittal is published wherever the information of accusation or trial or punishment is published.

If this issue is not sorted out by an appeal to the division bench of the Delhi High Court, and Right to Forget is not made like the death sentence which is available only in the rarest of rare cases, we will be doing a great injustice to legal education.

I wish Indian Kanoon challenges this order and does not meekly accept the order. We may appreciate that the Indian PDPB 2019 subjects Right to forget as a matter to be referred mandatorily to the Adjudicator; in the GDPR, the decision vests with the Company.

Hence if a person has adverse news about him on the Internet which amounts to a criminal track, by asking for exercising the right to forget, the information can be removed. While this cannot be implemented in print newspapers, only the digital newspapers would be required to follow this rule.

Companies which are doing “Background Verification”  to check if a prospective employee has in fact committed any fraud or terrorist activities in his previous assignments will find that no information may be available anywhere. As a result Cyber Crime prevention will be seriously affected.

I would like the Law Enforcement to take this issue strongly and oppose the decision of the Delhi High Court. Otherwise criminals cannot be traced for past offences. In many sections of IPC, different punishments are prescribed for first commission of an offence and the subsequent commission. Now information about this would be impossible to get except in rare instances where a lawyer or a judge may remember the past incident.

I therefore request the Narcotics Board to appeal against the decision, in which the legal research websites like Indian Kanoon, Manupatra as well as Background verification companies in the HR field and perhaps the MHA itself should file intervention petitions.

If possible this should be tried as a PIL, since erasing from memory a potential repeat offender because the earlier conviction failed is an invitation for further crimes. In trying to protect the Right of an acquitted criminal, the Delhi High Court has forgotten the Rights of the society to ensure that potential repeat offenders do not go unnoticed.

This is not to say that a person cannot be reformed and cannot be a useful member in the society just because he once committed an offence. After all most of us might have committed traffic offences and if we exercise our right to forget, our driving license will always be clean. If a person has been charged, however unfortunate it was, it is a matter of fact which nobody can block from the “Right to Information”. This principle has to be established in a review petition or an appeal against this verdict.

Naavi

Three Judgements to follow

Orissa High Court Judgement

Delhi High Court  Trial 29th January 2013

Delhi High Court 12th April 2021


PDPB 2019 is already recognized as the requirement by Courts

We recently had an occasion where the Delhi High Court made a reference to “Right to Forget” in respect of an accused who had been acquitted.

Copy of the judgement is available here.

The facts of the case were that the petitioner, who is presently residing in USA, visited India in 2009 and while departing back to USA was found to possess Narcotics in the checked in Bags.

The trial examined whether the quantity of the substances required was small or big, whether it was recovered from personal possession or in the baggage, whether the chain of custody of the material after recovery was defective or not and finally acquitted the accused. (Refer earlier judgement here)

The Court first acquitted the charge of possession of 5600 gms of Morphine under Section 50 of NDPS Act under the contention “In a case of recovery of narcotic drug it is the paramount duty of the prosecution to prove beyond reasonable doubt that the case property allegedly recovered from the accused was kept in safe custody and no tampering was done therewith”. Then in respect of a smaller quantity of 81.1 gms on which tampering allegation could not be sustained, it acquitted the accused stating that the friend of the accused who was supposed to have handed over the subject bags was not examined by the IO, stating “In view of the deficiencies in the investigation carried out, I do not find it fit to convict the Respondent even for the possession of 81.1 grams of morphine”.

Thus the grounds of acquittal were technical and the fact that more than 5600 gms of morphine was recovered from the checked in baggage due to somebody’s action remained unanswered.

However one trial court and the appeal court found that the case was fit for acquittal. This happened in 2013.

Now in 2021, the petitioner who was the earlier accused, tried  and acquitted, prayed for removal of the judgement from the platforms of Google, Indian Kanoon and vLex.in

The Court noted that “The question as to whether a Court order can be removed from online platforms is an issue which requires examination of both the Right to Privacy of the Petitioner on the one hand, and the Right to Information of the public and maintenance of transparency in judicial records on the other hand. The said legal issues would have to be adjudicated by this Court.”

Then the judgement referred to the Puttaswamy judgement and the interim order in which it had  said

“recognising the Plaintiff’s Right to privacy, of which the ‘Right to be forgotten’ and the ‘Right to be left alone’ are inherent aspects, it is directed that any republication of the content of the originally impugned articles dated 12th October 2018 and 31st October 2018, or any extracts/ or excerpts thereof, as also modified versions thereof, on any print or digital/electronic platform shall stand restrained during the pendency of the present suit.”

It also referred to the Orissa High Court order in which the Right to be forgotten had been discussed in the context of a lady who had been victimized by a person who had posted sexually explicit content on the social media.

This judgement acknowledged that there was no statutory provision in India that provides for the Right to be forgotten and made references to GDPR article 17 and recitals 65 and 66. It also referred to a case in England in the Wales High Court where a similar issue of a convicted person’s name appearing in Google searches arose, and concluded that Right to Privacy is in sync with the right to privacy which was part of the Puttaswamy judgement. It also stated

“the Ministry of Law and Justice, on recommendations of Justice B.N. Srikrishna Committee, has included the Right to be forgotten which refers to the ability of an individual to limit, delink, delete, or correct the disclosure of the personal information on the internet that is misleading, embarrassing, or irrelevant etc. as a statutory right in Personal Data Protection Bill, 2019”

The order continued to say “The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, India’s first legal framework recognized the need to protect the privacy of personal data, but it failed to capture the issue of the Right to be forgotten….. This principle is embodied in S.5 of the yet to-be-implemented Personal Data Protection Bill, 2019”.

It further went on to refer to PDPB 2018 to state

“Section 27 of the draft Personal Data Protection Bill, 2018 contains the right to be forgotten. Under Section 27, a data principal (an individual) has the right to prevent continuing disclosure of personal data by a data fiduciary.”

Further it stated

“Section 10 of the Bill provides that a data fiduciary shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed. Further, it imposes an obligation on every data fiduciary to undertake periodic reviews in order to determine whether it is necessary to retain the personal data in its possession. If it is not necessary for personal data to be retained by a data fiduciary, then such personal data must be deleted in a manner as may be specified. “

The above views were expressed in the judgement of Justice S.K. Panigrahi, which was dated 23rd November 2020.

Our Conclusions and Views

Having gone through all the above judgements at the High Court level, we note that the Indian Judiciary has already taken cognizance of the Personal Data Protection Bill 2019 as if it is an established principle of jurisprudence. Hence those who are arguing that the Act is still not passed and therefore the provisions are not required to be complied with are wrong.

Naavi has repeatedly held that PDPB2018/2019 is a replacement of Section 43A of ITA 2000 and represents the “Due Diligence” required to be followed by organizations. It is with this belief that Cyber Law College and FDPPI started trainings based on the PDPB 2019 and started providing qualification certificates and also established a complete system of Certifiable audit for Compliance in the form of PDPSI (Personal Data Protection Standard of India).

Some of the professionals, who are used to such concepts coming only from the West, were uncomfortable that some organization in India was providing certifications based on indigenous systems of certification. Vested interests tried to discourage the adoption by corporate circles, though FDPPI came through all this and established itself as the premier organization in India in the field of Data Protection.

These judgements vindicate the approach of Naavi and FDPPI in trying to create awareness of PDPB 2019 before it is passed as an Act.

In the light of the controversies surrounding WhatsApp and Twitter, some media persons are questioning why the Government is not pushing the passage of the PDPB 2019 and instead going against Twitter and WhatsApp. The honourable minister of IT Mr Ravi Shankar Prasad in an interview yesterday  assured that PDPB2019 will be pushed for debate during the next Parliamentary session.

While the above leads us to conclude that PDPB 2019 is considered as the “Due Diligence under ITA 2000”, we shall debate further about the Right to forget itself … in the continuation.

The interview of Honourable Minister of IT Mr Ravi Shankar Prasad with Navika Kumar of Times Now live streamed  on 28th May 2021.

See statement at 39.56 minute where Mr Prasad refers to the PDPB2019.

( You can directly go to the part on PDPB 2019 here)

Naavi

….Continued

Also Refer:

Livelaw.in

Three Judgements to follow

Orissa High Court Judgement

Delhi High Court  Trial 29th January 2013

Delhi High Court 12th April 2021
