To All Chairpersons of Banks in India: Beware..Bitcoin lobby wants you to violate AML regulations

To

All Chairpersons
Banks in India

Dear Sirs

It has been reported in the media as if RBI has granted a new relief to the Bitcoin community by stating that “Banks should not quote the 2018 circular” for not allowing Banking transactions to Bitcoin exchanges.

The Bitcoin community is spreading the fake news that the Government is diluting its policy on Bitcoin.

To an independent observer RBI appears to have only warned the Banks that if they want to take any action in this regard, they should not quote the said circular since the Supreme Court in its wisdom held that the circular was not properly worded and had to be treated as withdrawn.

What this means is that the Banks are left to take their decision but as their own decision. They cannot either ban or allow Crypto transactions taking shelter under RBI regulations. They will have to stand on their own legs and have to face the consequences.

We are aware that the Bitcoin community has corrupted the thinking of many and only well informed Bankers can understand that allowing a private crypto currency to function is killing the currency system in India and causing chaos in the Indian economy.

RBI is under pressure from the lobby to give as much long rope as possible so that exchanges can do some business before the doors are shut. The Supreme Court through some strange logic struck down the circular though it did not declare Bitcoin as legal otherwise. Finance Ministry also wants to give as much time as possible to all the Bitcoin exchanges to push through as many transactions as possible.

All this will not alter the situation that Bitcoin along with all the private Crypto currencies represent digital black wealth and the main currency of Cyber Criminals, Cyber terrorists and enemies of the sovereign Government of India who want to undermine our currency system.

In the event any Bank falls for the propaganda of the Bitcoin lobby and considers that the RBI clarification is a license for it to allow digital black money transactions through the Bank, it will be providing assistance for money laundering, since a substantial part of the Bitcoins and other cryptos traded have once gone through an illegal drug trade or arms trade or a crime and, as an asset which is not a negotiable instrument, will carry the tainted past with every further transfer. (There is no holder in due course for such assets.)

Hence Banks which will allow transactions of Cryptos will be committing an offence under AML regulations.

As an ex Banker, I request all the Bank Chairpersons to instruct their branch managers to keep their distance from Bitcoins and other cryptos.

Regards

Naavi

Non Scalability of Consent… How to overcome?

The Indian PDPB 2019 has made “Consent” a mandatory requirement unless it is exempted. On the other hand, GDPR considers Consent as only one of the legal bases under which personal data may be processed. The six different recognized ways by which personal data can be processed under GDPR are:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

On the other hand, at first glance it appears as if the Indian PDPB has tied itself up with “Non Scalable Consent” as a mandatory basis by stating under Section 11(1):

“The personal data shall not be processed, except on the consent given by the data principal at the commencement of its processing.”

However, Indian PDPB has considered a broad set of cases in which consent may be exempted.

For example, exemptions can be available for:

(a) performance of the functions of the State;
(b) enforcing judicial orders;
(c) medical emergency and medical treatment (like Vital interest in GDPR);
(d) disaster management;
(e) employment related purposes such as recruitment, termination, assessment etc. (only non sensitive personal information);
(f) reasonable purposes (for non sensitive personal data) in respect of legitimate interest, public interest, detection of unlawful activity, information security, whistle blowing, mergers and acquisitions, recovery of debt, credit scoring, search engine operations etc.

From the above, it is clear that Indian PDPB 2019 has thought more in depth to provide essential exemptions which GDPR has forced Data Controllers to interpret under the “Legitimate Interest” argument.

However, apart from these exemptions, which dilute the argument that “Consent Dependency” may make it “Unscalable”, the Indian PDPB 2019 has provided for “Consent Manager” and “Sand Box” arrangements which can be used on appropriate occasions, and has also made the Data Controller a “Fiduciary” so that he has a duty of care and cannot merely go blindly by a consent which might have been obtained by clever misrepresentations.

Thus though India depends on consent and rigidity in consent could cause some issues for the processors, PDPB 2019 has addressed the issue through alternate means. This is a welcome feature of the Indian law and makes it better than GDPR.

Naavi

DPO the new destination for CISOs..Naavi at CISO Virtual Summit

CISO Platform has organized the 13th Virtual Summit on June 2nd and 3rd. The event is accessible online and free. Interested persons may use this opportunity to attend and enhance their knowledge.

Naavi will be speaking on the topic “DPO, A new destination for CISOs”. In this discussion, scheduled at 19.30 IST to 22.30 on June 2nd, Naavi will be discussing why the CISO has to look up to the DPO as the next destination and what the requirements of a good DPO are, along with an overview of the Indian PDPB 2019.

Those who are interested in attending the event may visit here for registration.

Naavi

Get Ready to be a Certified DPO even as Government prepares to push PDPB 2019

The much awaited comprehensive Certification Program for DPOs in India from FDPPI is set to commence on June 19, 2021 as per the following tentative schedule.

The program consists of 36 hours of online training covering the Data Protection laws of India in full detail, GDPR in reasonable detail and laws of several other countries.

The sessions would be primarily conducted by Naavi, a veteran who started virtual education way back in the year 2000 through Cyber Law College and is the founder of www.naavi.org, as well as Chairman of FDPPI.

The discussion on Indian law will be on the basis of PDPB 2019 and ITA 2000/8. As and when the Bill is passed, a free bridging session will be offered to all the participants to discuss the changes so that the participants would be fully aware of the Indian Law.

The focus of the program will be to equip a Data Protection Officer with relevant knowledge required to take on the responsibility. The participants will get a certificate as “Certified PDP-CMS Auditor” or “Certified PDP-CMS Consultant” depending on their performance in the examination.

The online examination will consist of 3 papers which will be held on July 31st (Paper 1 and Paper 2) and August 1st 2021 (Paper 3).

PDP-CMS audit is an audit for “Personal Data Protection Compliance Management System” which will be mandatory to be implemented by every organization in India handling personal data. Those organizations which are classified as Significant Data Fiduciaries would be required to mandatorily get an audit conducted annually by an external auditor.

The PDP-CMS audit will include Evaluation of “Data Trust Score” (DTS) which is a unique proposition of the Indian Law.

The Evaluation of DTS will be based on a unique system established by FDPPI under the Personal Data Protection Standard of India (PDPSI).

In view of the collaboration between FDPPI and DNV, the globally recognized organization which is known for Management audits, the Certificates would be issued under the joint names of FDPPI-DNV.

The online examination will consist of three separate online multiple choice examinations of 90 minutes each. There will be two cutoff marks for certification. Participants who clear the higher cutoff would be provided the certificate as PDP-CMS Auditor. Participants who clear a lower cutoff would be provided the certificate as PDP-CMS Consultant.

Certified PDP-CMS auditors would be accredited by FDPPI under their PDPSI audit program and will be eligible to conduct audits in association with Certification Bodies who are organizations accredited with FDPPI. PDP-CMS consultants would be able to provide consultancy to organizations to prepare themselves for audit and also upgrade themselves to the auditor grade based on experience.

The total fees for the program would be Rs 40,000/- (Or approximately US$ 575/-)

The application can be completed here

The Fees may be paid here.

Registrations are set to close on June 10, 2021.


P.S: It may be noted that the Minister of Law and IT, honourable Mr Ravi Shankar Prasad, in an interview on 28th May 2021 with Times Now, has indicated that the Government will push the passage of PDPB 2019 in the next Parliamentary session. Excerpts from this interview are available here.

It is likely that the Government would provide some time for implementation and will require around 3 months to set up the Data Protection Authority. However, it appears that Jurisprudence has already developed in India to consider the principles of Personal Data Protection discussed in the PDPB 2019 as “Due Diligence” under ITA 2000/8. (Refer court judgements referred to in this article.)

Professionals are also aware that implementation of a comprehensive privacy program for an organization is not as simple as drafting a Privacy Policy for the website. It involves establishment of a Privacy culture in the organization which requires time. Hence prudent professionals and organizations need to start early to retain a competitive advantage.

FDPPI hopes that professionals would take advantage of this opportunity.

For more information contact fdppi@fdppi.in.

Naavi

Net4India domains are being transferred

The Net4India domain names which were stuck due to the mishandling of the insolvency petition by NCLT are now getting resolved in stages.

ICANN has transferred the domains to Bigrock.in and the company has been in the process of sending intimation to the erstwhile net4india customers.

The transfer of .com, .net etc. domains is in progress and is expected to be completed in a day or two.

Those who are interested may call the call center at 0824 2868080 for more information.

Most of the registrants had left some balance in their accounts with Net4India. NCLT and its RPs might not have accounted for these dues. We have to wait and see how this would be disposed of.

It is the duty of the NCLT and the RP to account for this money.

Naavi

Compliance complications for small digital media after May 26th 2021

Over the last few days, developments regarding Cyber Law in India have overwhelmed most of us and left us engaged full time on following the developments.

In these discussions the future role of digital media is being redefined, and this has consequently introduced some complications that need to be resolved quickly.

ITA 2000/8 identified “Intermediaries” which required a safe harbor provision to ensure that the mere act of being a conduit of a message does not make the intermediary liable for any contravention of law by the user of the intermediary service. While this definition was more suitable for ISPs and MSPs, the inclusion of other services such as E Commerce platforms in the 2008 version introduced some confusion.

The definition of an intermediary under the ITA 2000 version was:

“Intermediary” with respect to any particular electronic message means any  person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message;”

In the amended version passed in 2008 and notified on 27th October 2009, the definition was expanded as follows.

“Intermediary” with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.

The introduction of additional services as an explanation mixed up “Intermediaries” with entities which exercise control on the messages, like what Twitter does. The moment an organization exercises control on initiating the transmission, selecting the receiver of the transmission and selecting or modifying the information contained in the transmission, it loses the status of an intermediary. Hence only those platforms which retain minimal control (excepting control mandated by law) will be eligible to be called Intermediaries. Most of the E Commerce platforms may have a small part of their activities, such as “Advertising”, in which they will be intermediaries. But in the rest of their activities, they will not come under Section 79 but will fall under Section 43A for seeking any protection against vicarious liabilities.

In the meantime, PDPB 2019 introduced a term “Social Media Intermediary” stating

 “social media intermediary” is an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services, but shall not include intermediaries which primarily,—

(a) enable commercial or business oriented transactions;

(b) provide access to the Internet;

(c) in the nature of search-engines, on-line encyclopedias, e-mail services or on-line storage services.

The objective of this definition was to state that Social media intermediaries above a threshold of user base were to be classified as “Significant Data Fiduciaries” and were required to provide a voluntary technological means for users to identify themselves and display that identity in front of their messages.

With these statutory definitions behind us, the Intermediary Guidelines and Digital Media Ethical Code of February 25, 2021 gave further definition of a Social Media Intermediary as

‘social media intermediary’ means an intermediary which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services;

While the PDPB 2019 definition excluded the normal intermediaries such as E Commerce entities, ISPs and search engines, the definition in the Intermediary guidelines was an extension from the definition of intermediaries without a proper explanation of what it does not include.

At the same time, the Intermediary guidelines defined the “Digital Media” as

‘digital media’ means digitized content that can be transmitted over the internet or computer networks and includes content received, stored, transmitted, edited or processed by-
(i) an intermediary; or
(ii) a publisher of news and current affairs content or a publisher of online curated content;

The Intermediary guidelines also defined “News and Current Affairs Content” so that a digital media who is also a publisher of news and current affairs content could be identified for application of the ethical code and the self regulation.

The guidelines defined news and current affairs content as follows:

‘news and current affairs content’ includes newly received or noteworthy content, including analysis, especially about recent events primarily of socio-political, economic or cultural nature, made available over the internet or computer networks, and any digital media shall be news and current affairs content where the context, substance, purpose, import and meaning of such information is in the nature of news and current affairs content.

Out of these “Social Media Intermediaries”, the class of “Significant Social Media Intermediary” was defined as those with a user base of 50 lakhs and above, and these were subjected to the specific guidelines envisaged in the notification. Some parts of the guidelines, such as grievance redressal and the furnishing of information, were made applicable to a “Publisher of news and current affairs content and publisher of online curated content operating in India”, for which a form was notified on May 26, 2021.

One important part of the guideline was that the “Publisher” was to preserve records of content transmitted by it for a minimum period of 60 days and make it available to the self regulating body of the Central Government.

All publishers were also required to follow the Level I self regulating mechanism which included the establishment of a grievance redressal mechanism, display of contact details etc and to become a member of a self regulating body formed under Level II.

The self regulatory bodies under Level II were to get themselves registered with the MIB.

In this entire maze of definitions and compliance requirements, many bloggers and companies publishing digital information are confused if they come under the definition of a “Digital Media” or a “Publisher” and whether they need to have new compliance measures.

We must consider that the regulations are evolving and there are many grey areas that need to be clarified.

Unfortunately the Level III regulatory mechanism, which includes designation of an “Authorized Officer” and publishing of a charter for self regulating bodies including Codes of Practices for such bodies, has not yet been announced by the MIB.

Without the MIB coming up with the Charter under which the Level II self regulatory bodies get themselves registered, Level I self regulation cannot be completed.

Further if the Level II regulatory bodies are headed by a retired Supreme Court judge etc, they will tend to be high cost bodies and the cost of maintaining a membership with such organizations will be prohibitive except for large digital publishing entities.

Currently these regulations are applicable (Clause 8 of the February 25 notification) to all publishers where such publisher conducts systematic business activity of making its content available in India.

“systematic activity” shall mean any structured or organised activity that involves an element of planning, method, continuity or persistence.

Naavi.org has been trying to understand the applicability from the perspective of a website such as Naavi.org or FDPPI.in or dpji.in or privacy.ind.in, etc. Obviously it is a question of interpretation whether Naavi.org is a “Digital Publishing” activity for the purpose of these regulations because it includes publication of some news and analysis of news.

The legislative intent of the notification obviously does not appear to be to make every blog owner register himself or, even if he registers himself for the purpose of “Contact information” and “Grievance officer”, to make it mandatory for him to be a member of a self regulatory body and incur costs.

Hence there is an urgent need for the MIB to clarify that “Mandatory membership with a Level II Self Regulatory Body” is not applicable to all web site/blog owners.

Hence Rule number 11(2)(d) should be applied only to “Significant Social Media Intermediary” and not to all “Publishers”.

I request MIB to issue a clarification on this immediately since some Level II Self Regulatory Bodies are speaking of membership fees of Rs 50,000/- and above and it is unthinkable for blogs like Naavi.org to pay such fees.

If MIB remains silent, then there will be a new scam of Level II self regulatory bodies using this opportunity for exploiting small digital media establishments.

It must however be noted that at present, the February 25th notification is under Section 79 of ITA 2000 and hence does not come with any direct penal provisions. Hence no fines can be imposed for non compliance, nor will the non complying organizations be required to shut down operations. The only loss, if any, would be the safe harbor protection.

Instead of letting the uncertainty prevail, it is better for MIB to provide a clarification that a non significant social media intermediary needs to conform only to rule 11 (2) (a), (b) and (c) and that membership of the Level II self regulatory body is optional.

In the meantime, Naavi is encouraging some like minded persons to come together in establishing a Level II self regulatory body which will not charge Rs 50000/- for membership and will be managed by media professionals, though it is not headed by a retired Supreme Court judge.

Further, it must be recognized that just as PDPB 2019 declares that the regulator (DPA) is himself a Data Fiduciary, a Level II self regulatory body will also be required to introduce Level I self regulation. In other words, the Level I and Level II regulation will be managed by the same organization unless the Government makes it mandatory that Level II self regulatory bodies introduce some cross certification of their self regulatory process. Alternatively, “Peer Review of Self Regulation” can be opened out to all Level I self regulation of non significant social media intermediaries.

It is possible that the Government has not thought through all these issues and was forced to fast track the system due to the Twitter controversy. But it would be necessary to fine tune the procedures to ensure that it does not create confusion in otherwise compliance oriented establishments.

(Comments are welcome)

Naavi