When countries move from a “No Data Protection Law” to a “Strict Data Protection Law”, one of the problems faced by the companies is how to handle the legacy personal data which is already with them.
This data could have been collected earlier either without proper consent or without the consent information being available for reference now. Even if the consent had been obtained earlier, it is unlikely that the information provided to the data principal would not have been made as required under the current data protection requirement.
For example, the PDPA of India when implemented would require the notice for personal data collection to include the following points
(a) the purposes for which the personal data is to be processed;
(b) the nature and categories of personal data being collected;
(c) the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable;
(d) the right of the data principal to withdraw his consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent;
(e) the basis for such processing, and the consequences of the failure to provide such personal data, if the processing of the personal data is based on the grounds specified in sections 12 to 14;
( f ) the source of such collection, if the personal data is not collected from the data principal;
(g) the individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable;
(h) information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable;
(i) the period for which the personal data shall be retained in terms of section 9 or where such period is not known, the criteria for determining such period;
( j) the existence of and procedure for the exercise of rights mentioned in Chapter V and any related contact details for the same;
(k) the procedure for grievance redressal under section 32;
(l) the existence of a right to file complaints to the Authority;
(m) where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary under sub-section (5) of section 29; and
(n) any other information as may be specified by the regulations.
In the current regulation which was contained under Section 43A of ITA 2000/8, the Reasonable Security Practice rule no 5(3) stated
(3) While collecting information directly from the person concerned, the body
corporate or any person on its behalf snail take such steps as are, in the
circumstances, reasonable to ensure that the person concerned is having the
knowledge of —
(a) the fact that the information is being collected;
(b) the purpose for which the information is being collected;
(c) the intended recipients of the information; and
(d) the name and address of —
(i) the agency that is collecting the information; and
(ii) the agency that will retain the information.
Additional requirements were provided on minimal retention, purpose limitation, right to access and correction, Opt out option, right to withdraw consent, grievance redressal, disclosure norms, security safeguards etc were to be followed by body corporates collecting sensitive personal information, but were not mandated clearly to be part of the “Privacy Policy” to be published which was the “Notice” as we now refer to.
The privacy policy was required to indicate the type of personal or sensitive personal data or information collected, purpose of collection, usage of such information, disclosure and reasonable security.
As we can see though the intention of Section 43A was similar to the PDPA 2020, the details specified as the requirements of notice in the PDPA 2020 are far more than what was envisaged under Section 43A of ITA 2000.
It can safely be said that the consents if any in the pre-PDPA 2020 time would be insufficient to meet the requirements of PDPA 2020.
The Data Fiduciaries therefore have to obtain fresh consents by serving fresh notices to the Data Principals.
In the ITA 2000, there was no concept of a Data Fiduciary and the Data Processor though in the clarifications provided by the Government, it was indicated that the Data Processor was not responsible for the consent and only that body corporate which had a direct relationship with the data subject would be required to collect the consent.
If therefore we strictly interpret the emerging regulations, all legacy personal data with the Body Corporates will have to be forensically deleted as soon as the PDPA 2020 comes into effect or new consents should be obtained.
Assuming that the organisations would send out e-mail notifications to the data subjects and seek the consent based on a new consent, it can safely be assumed that a very large number of such data subjects would either not respond or their e-mail addresses would be no longer correct and hence they would not be able to respond.
In such cases a large number of data sets have to be purged.
When GDPR came into effect, similar problems were faced by the Data Controllers and while most of them might have purged the data, some have archieved them under legitimate interest claims and some might have not taken any action other than sending a reminder for re-permission.
There were many instances where data subjects retorted back to the re-permission request with a question, “Where and when you got my personal information? How are you processing it?, Where is the past consent? etc”.. Unable to face such questions, some companies simply purged the data without making an attempt to renew the earlier consent though this resulted in loss of earlier investment.
In the case of GDPR, since the EU Directive was already in force, perhaps it was not necessary to provide for any transition option from the legacy system to the GDPR system. But in India where the earlier system did not require the consent of the type now required, it would be unfair to penalize those organizations which were in compliance of Section 43A but may fail the current requirements.
Hence there is a need for providing a smooth transition from Section 43A (ITA 2008) based personal data collection to the Section 7 (PDPA 2020).
Such a transition has to provide relief to those organizations
a) Who hold consents as per Section 43A of ITA 2008
b) Send out Opt-In request to the new consent forms but not receive confirmation
to phase out such data over a period of time relevant in the context of the legitimate interest of the organization.
Though it would have been good if this had been covered under a clause to enable the DPA to enable a smooth transition from ITA 2000/8 to PDPA 2020, there is no reason to despair since it is possible that this provision can be covered under Section 14 by the DPA with appropriate notification.
Hopefully if this comes for discussion during the discussions of the JPC and the vested interests who want to delay the passage of the Bill hold it out as one of the reasons why the Bill should be re-considered, the Government would be able to provide an effective counter argument that it could be covered under the notifications from the DPA.
Alternatively a simple additional provision can be added to Section 14 under “Processing of personal data for other reasonable purposes” to include a provision to the following effect.
Section 14 (4) : Where the Authority considers it necessary and expedient, it may through appropriate notification provide for necessary transition from the legacy laws to the provisions under this Act, through the legitimate interest declared in the “Privacy by design policy” as per section 22 of the Act.
Naavi
Section 65B of Indian Evidence Act came into existence on 17th October 2000 along with the notification of ITA 2000.
For all the professionals in the legal circles including the Judges, understanding Section 65B and its necessity was almost impossible. Even today after 21 years, if debate is still going on on this section, one can understand….not the complexity of the law but the difficulty of unlearning and re-learning in human beings.
For decades the legal professionals are trained to look at evidence in the mould of “Oral” and “Documentary” or “Primary” and “Secondary”. As long as they continue to cling on to these concepts, it will be difficult to appreciate the need for Section 65B.
The concept of “Evidence” as we know needs to be looked afresh in the context of electronic documents. I have explained the concept several times in the past both on this website as well as on ceac.in as well as through some You tube videos.
(The latest video is available at https://www.youtube.com/watch?v=jEpEmQGjYsM&t=3s).
The concept had been admitted in a Court way back in 2004 in the Suhaskatti case (AMM Court in Chennai, where the undersigned had provided the first Section 65B certificate in India) but got derailed by the Supreme Court in the Afzal Guru case in 2005.
For those who think law is made only through Judgements and the wordings used in the statute and intentions of the law makers are secondary, the Afzal Guru judgement was proof enough to say that Section 65B certificate is not mandatory.
In the P V Anvar Vs P K Basheer judgement, (2014) the Supreme Court had made it amply clear that Section 65B certificate was mandatory for admissibility of all Electronic documents as evidence. It also over ruled the Afzal Guru judgement.
However there were still people who did not agree and they rallied behind the erroneous judgement of the Shafhi Mohammad Case (2018) which gave a strange self contradictory statement that
a) If a person is in possession of the original document, Section 65B is not mandatory.
b) If a person is not in possession of the original document, Section 65B certificate is not mandatory
In other words, where it was possible for the Court to examine the original document, the Court said that a Certificate was mandatory. If the Court itself can view the document, the relevance of the certified copy would only be a technical requirement. On the other hand where the original is not before the Court and what is produced as evidence could be a fake evidence, Shafhi Mohammad judgement said that the certificate is not required.
In this judgement the Court got confused with the difficulty in obtaining a Certificate in a case where the person having the original is not cooperative in producing the evidence and ruled in favour of making it not necessary. In the process it ignored the possibility of fake evidences being fabricated in electronic form and produced as admissible evidences without anybody taking the responsibility for the same.
To some extent the current judgement delivered on 14th July 2020 in the case of Arjun Pundit Rao addresses this issue.
In this case the petitioner who was a defeated candidate in an election challenging the election of Pundit Rao on grounds that the nominations were filed beyond the allowed time period and had to be rejected, was relying on the digital evidence which was with the Returning Officer (RO). The RO however appears to be not cooperating with the respondent refusing to provide a Section 65B certificate. Though the petitioner had a copy of the video which it appears was also available to the Court, the absence of the Certificate was sought to be used by the defendant to get the evidence rejected as it went against him.
This case was therefore a case of an official who is a neutral person in this petition being biased and not cooperating with the Court and needs to be addressed in that perspective. It is open to the Court in this case to either make the RO an accused for withholding evidence or summon the evidence to the custody of the Court.
Once in the custody of the Court, the Court could have called its own expert (may be a Section 79A-ITA 2000 accredited Digital Evidence Examiner) or allowed cloned copies to be released to the petitioner to re-submit the evidence with Section 65B certificate.
We may recall that the AMM Court in Egmore which handled the Suhas Katti Case used this process in another case where it had the CD in its possession but still felt the need to call the undersigned for a Section 65B certificate to take it on record.
We may also recall that in the last parliamentary election in Mandya, Karnataka, in a prestigious battle, a similar issue of an objection raised by a candidate and recorded in the video before the RO was sought to be summoned by one of the candidates (who eventually won) but the RO claimed that the relevant portions were erased and not available. The absence of a Section 65B certificate enabled a fabricated electronic document to be retained by the RO. Had this case been tested like the Pundit Rao case, then the question of the RO tampering with the evidence and being punishable under Section 65 of ITA 2000 or 204 of IPC would have surfaced.
The Punditrao judgement therefore has flagged such difficulties and also suggested that the Court could summon such records (Para 43 of the judgement). This cannot be a reason to expemt Section 65B Certification.
As I have held repeatedly, Section 65B certification is required to bring in a human being into the evidence and establish a method to convert the stream of binaries which is the “Original Evidence” into a “human readable/audible/visible form”.
In the P V Anvar judgement despite many points being cleared, making a reference to the CD as a “Original Document” was a small aberration. It however was not material to the final judgement but showed that the distinction between a “Container of electronic Evidence” and the “Electronic Evidence” itself was still getting mixed up.
In the Punditrao judgement we have moved a step further towards establishing the truth of what Section 65B is by categorically rejecting the Shafhi Mohammad judgement and also providing a solution to the problem which could have prompted the Shafhi Mohammad judgement.
However there is still a small omission which we may perhaps wait for some other Judgement to clarify.
I have pointed out that Section 65B(1) defines what is a “Computer Output” to which the further sub sections apply. According to the section “Computer Output” is the print out or stored, in a media produced by the computer.
The section verbatim is
(1) Notwithstanding anything contained in this Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible.
(P.S: Emphasis added for attention)
Para 21 of the Punditrao judgement for some reasons forget to allude to the words (hereinafter referred to as the computer output). The fact that sub sections 65B(2) to 65B(5) refer to the “Computer Output” as defined under Sub Section 65B(1) is an important aspect to recognize as this provides clarity to the procedure of certification.
Many pundits interpret “Computer Output” to the original document (eg: in the Punditrao case, the video recording in the office of the RO first registered in the DVR or a memory card in a Camera in the form of binary strings) and interpret that the person who administers that device has to provide the certificate. This certificate is the first of the series of certificates that would be required as a “Contemporaneous Certificate” whenever the document is moved from one device to other.
In practice, the RO could place the first original memory card in safe custody by making a clone copy with a Section 65B certificate available to the candidates in a CD. Then these CDs may be copied by the petitioner to be produced in the Court for which a second Section 65B certificate is produced by the person who faithfully converts the document in the CD to say a pen drive presented to the Court.
The word “Computer Output” refers to each of these documents at different stages of transfer. It is not referring only to the first computer output. Hence when a CD content is re-copied, the re-copied material in print form or soft copy form is the computer output that Section 65B refers to and the certifier has to record how he converted the document in the source CD to the print out faithfully.
This recognition that the Original is in the possession of a person who allows some body else to access it who can take a print out and create a “Computer Output” is ingrained in the Section 65B. Because of this provision, if a document is viewable on the website any viewer can record it and certify it as sourced from the website and prepare a Section 65B certified copy in print or soft copy form.
As long as the Certificate contains the details of the electronic document (which is the rendition of the binary stream as viewed through a software and hardware), the method of viewing and printing it, the details of the devices used for the purpose and contains the identity and signature of the person who viewed, printed and is signing the certificate, the Section 65B certified document is admissible.
Further the PunditRao judgement also did not refer to Section 17 of Indian Evidence Act which is important to note that Indian Evidence Act recognizes “Contained in electronic form” as a statement which is different from “Oral” and “documentary”. If we recognize this, “Three forms of Statement”, we will understand the further sections of admission where Sections upto 65 refer to “Documentary Non Electronic Statements” while 65A and 65B refer to “Documentary Electronic Form of Statement”.
I suppose we will then be able to forget Sections 59 and 60 on proving by oral admissions, Sections 61 to 65 proving by documents and look at Section 65A and 65B without the pre conditioning of our mind with the concepts of “Primary” and “Secondary” etc.
I request all Evidence Experts to take a fresh look at Section 65B based on the above and the Punditrao judgement as well as the Anvar Judgement.
I would be glad to receive any further comments if any.
Naavi
We have discussed the Shafhi Mohammad judgement of the Supreme Court in the past through several articles, (Refer: The tragedy of Shafhi Mohammad). The matter had come for review in the case of Arjun Punditrao Vs Kailash Kushanrao and the SC had referred it to a larger bench on 26th July 2019.
Today the judgement in this case has been released which has rightfully reversed the judgement of the two member bench in the Shafhi Mohammad case and endorsed the earlier three member judgement in the case of P V Anvar Vs P.K. Basheer.
While a detailed analysis of the judgement can be taken up later, it is noted that the judgement reiterates that section 65B certificate is mandatory for admissibility of electronic documents as evidence in a Court of law.
Naavi
I refer to the problems in Net4India partially ceasing its activities discussed here through our earlier articles.
The refusal of the domain registrar to allow transfer of domain to another registrar is a problem of Consumers of domain name service which should be addressed through the Consumer Courts under the Consumer Protection Act.
I had requested for transfer of my domains namely cyberlawcollege.net, cyberlawguru.in and pdpsi.in to another registrar though they are not presently due for renewal.
However my other registrar has expressed his inability to transfer in the absence of the Authorization Code from the earlier domain registrar. This is a constraint imposed by ICANN in their procedures.
In my case the problem is compounded because the e-mail of the registrant registered was at vsnl.com address which Tatas have now stopped servicing. Net4India is not able to make any changes in the e-mail address.
Both Vsnl.com (Now owned by Tatas) as well as Net4India are service providers who were providing services to customers in India because of the ICANN having given them the license. The Indian Government is a party to this arrangement since they have the overall responsibility for managing the Internet Governance system. NIXI is specifically provided the authority to deal with the dot in domain names.
Now the problems consumers are facing with Net4India has exposed the deficiency in service of ICANN, Net4India, VSNL (now taken over by Tatas) and The Ministry of IT, Government of India.
There are many lawyers in Delhi who raise PILs for many irrelevant things. The Supreme Court is also pleased to take any anti Government PIL even if it is an interference of the normal Governance function provided to the executive.
The problem now posed by Net4India to domain name consumers is a matter which directly affects the Freedom of Expression, causes a denial of acccess, besides large number of people losing money. This is a far more serious issue than many other issues for which the PIL lawyers are able to get the Supreme Court act even under the COVID lock down conditions.
The Supreme Court also takes up certain cases on Suo Moto basis. Many times PILs are admitted even when the interest represented is of the elite or on the basis of religion or for political reasons or even if it is related to a Vikas Dubey the notorious criminal or the terrorists.
This is now a test for PIL advocates of Delhi as well as the Supreme Court.
Will they recognize the public interest inherent in this instance and make ICANN clean up their domain name registration system?…
Will they pull up companies like Net4India and Tatas who discontinue critical services without proper winding down of operations?
Will they make the Government or NIXI type of agencies of the Government to think of how to resolve such issues through notifications and advisories?
We await answers…
Naavi
Preliminary reports suggest that the Government is releasing the report submitted by Kris Gopalakrishna Committee on Data Governance for public comments.
The committee was formed for the purpose of recommending the regulation on Non Personal Data which is of relevance to Big Data Companies.
The copy of the report is not yet available in public domain but some details are available through this article in Economic Times
The detailed report is available here.
Public comments can be made upto August 13 here.
Some of the recommendations that the committee could have made are
The panel is reported to have suggested that
-data can be requested from businesses and government by various stakeholders — the government, citizens, startups, private organizations, and non-profit organizations — for social welfare, regulatory, sovereign, and economic purposes.
-Data for sovereign purposes may be requested for national security, legal purpose, or meeting a sectoral regulation requirement.
We may await for more information.
Naavi
Article that appeared in India Legal Print magazine