Breach Candy data breach may expedite passage of Personal Data Protection Act

According to the news reports published today medical records of over 120 million medical images of Indian patients and 1 million medical records got exposed due to a cyber incident.  The records have been made available online freely by the attackers.

The records compromised included the patient records and scans and images with details such as the name of the patient, their date of birth, the national ID, name of the medical institution, their medical history, physician names and other details that are meant to be classified.

The incident is believed to have occurred due to the compromise of industry protocol for medical image storage and could have resulted from compromise of passwords of authorized persons.

While this sort of incidents could be termed as privacy infringement and the hospital could be liable for claim of damages from the affected patients, had the PDPA (Personal Data Protection Act ) been in place (Expected to be in place shortly), there could have been a hefty penalty imposed on the hospital by the Data Protection Authority.

For the time being the Breach candy hospital may escape liability but just as the “I Love You” virus expedited the passing of the Information Technology  Act in  2000 , the Breach Candy leak could expedite the passage of the PDPA bill presently in the Parliament.

Naavi

 

Also refer: Economic times article

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

A Golden Era for Insurance Industry ushered in through Personal Data Protection Act of India

As the Personal Data Protection Act of India (PDPA2020) gets ready to make an entry into the Indian legal landscape, the Insurance industry is looking upto the new opportunities that are being opened up by the law. Following the recent global trend, the penalties under PDPA 2020 are set at 2% or 4% of the global turnover of an organization depending on the type of offence. Even the Government departments could face penalties upto Rs 5 crores. Hence the industry would be desperately looking for covering the PDPA Risks.

The Cyber Insurance industry was extremely lethargic when it came to the introduction of Insurance covers for Cyber Crimes. India came up with laws on Cyber Crimes and creation of liabilities for organizations arising out of Cyber Crimes way back in 2000 with the ITA 2000. The amendments in 2008 increased the responsibilities of intermediaries in IT service. The RBI way back in 2001 suggested the banks to cover the hacking and denial of service risks with cyber insurance. However the Insurance industry could not come up with proper insurance covers until recently. Personal cyber insurance policies in particular came on  on the scene only during the last few years and are yet to be popularized.

The Cyber Insurance policies basically cover the first party risks where the insured suffers loss of data, loss of production,loss of intellectual property, reputation loss. With Ransomware being on the prowl, payment of ransom are also covered by some of the policies. Additionally, third party risks involving claims of damages by personal data owners on account of a cyber attack is also covered in these policies. Some of the policies which cover employee misconduct or technical errors are also often called Cyber Insurance policies though they are different from Cyber Crime Insurance policies in concept and risk coverage. The policies issued to the corporates are largely based on the reputation of the organization. It is unclear to what extent the “Security Status” of an organization is factored in when the premium is fixed for such policies.

In 2015 when Naavi.org conducted a national survey to understand the Cyber Insurance preparedness in India, the results showed very little involvement of Cyber Security professionals in the determination of Cyber Insurance coverage in companies. It appears that the situation has changed for the better in the recent days since some Insurance companies are now claiming that they are looking at the security preparedness of an organisation such as whether the organization has a “ISMS policy”? whether an IS audit has been conducted? etc.

Even before the Cyber Insurance products reach a level of acceptable maturity, the PDPA 2020 will usher in a new era in Information Security that will need a fresh look at Insuring PDPA Risks.

One of the first challenges that PDPA brings in is that it takes the financial liability risks to a far higher level when the insured asset is “Personal Data” of individuals as against the “Business Data” or “IPR data”. Theoretically the risks can go upto 4% of the global turnover and any insurance for a lesser level would amount to “Under insurance”.

The second challenge is to identify the “Insurable Asset” for which an effective “Data Classification” policy and implementation mechanism should be present in the organization.

The third Challenge is to track the “Personal Data” in an organization through its “Life Cycle” when it’s insurable value may fluctuate. As “Raw Data” becomes “Persona Data” then migrates to the state of “Sensitive Personal Data”, its insurable value changes. Similarly the personal data life cycle which is “Reversible” may see a change of insurable value when sensitive personal data is de-sensitized or de-identified or pseudonymized or destroyed. When the life cycle of personal data is reversed, there would be costs to be incurred for each change of status but the market value of the data may actually decline. When reverse life cycle operations are implemented, the end result could be of lesser or zero value but the operation has a cost which the insured would like to identify as “Cost of Maintenance of Personal Data”. Will this be “relevant cost” for insuring? will the change in value of the data as it moves between different life cycle stages gets reflected in valuation of personal data either at the time of insuring or when a claim is to be assessed?

When the PDPA risks are to be computed for the purpose of underwriting, it must be remembered that liabilities of administrative fines may arise even when there is not data breach. Hence the Insurance industry may have to assess its risks based on what steps the insured has initiated for mitigation of risks. Such steps include the “Maintenance of Personal Data”, the policies of anonymization, de-identification/pseudonymization etc besides the usual policies such as access control, encryption, data breach incident identification and reporting system, grievance redressal system, the conduct of DPIA, appointment of DPO etc.

In settling claims, it would be necessary to consider all aspects which are normally considered in a Cyber Crime insurance policy such as the legal costs, investigation costs, etc., but also the valuation of personal data in the hands of the organization, the value additions that the organization might have created in the form of “Profiles” and the value of personal data in the hands of the data principals (or data subjects as they may be called elsewhere).

Hence while PDPA 2020 will usher in a golden era for Insurance Companies in India, it will need a structuring of a new policy structure and management requirements. Exciting days seem to be ahead of the insurance industry as we await the passage of PDPA 2020 in the budget session of the Parliament this year.

Naavi

 

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

The Visakha Industries judgement on Section 79 of ITA 2000

On December 10, 2019, an important judgement of the Supreme Court was published in the case of Google India Vs Visakha Industries Ltd. The judgement was delivered by Justices K.M.Joseph and Ashok Bhushan.

The most important take from the judgement is that Section 79 of ITA 2000 protects a category of IT service companies from liabilities arising out of action of third parties. But for incidents prior to 27th October 2009, protection is available only for offences under ITA2000, while protection after 27th October 2009 is for offences under any law. Hence in case of “Defamation” which is an offence under Section 499 of IPC, protection would be available only if the incident is after 27th October 2009.The instant case involved an act of publishing of some information in a google group which the petitioner (Visakha Industries) alleged was “defamatory” and it occurred prior to 27th October 2009. Therefore the owner of “google group” was not eligible for protection.

The petitioner had preferred a criminal defamation complaint in a magistrate’s court in Secunderabad based on which a summons had been issued to Google India. Google India refused to accept the summons and went on appeal to the High Court. The High Court rejected the appeal and hence Google India approached Supreme Court resulting in the judgement on December 10, 2019 again rejecting the appeal and ordering Google to attend the trial back in the Magistrate’s court.

The entire journey commenced with an article dated 21st November 2008 titled “poisoning the system: Hindustan Times” and after 11 years the case goes back to trial. During this time the entire environment has changed. There was an amendment to the ITA 2000 passed in 2008 and notified with effect from 27th October 2009. In this amendment, Section 79 of ITA 2000 addressing the vicarious liability of a Network Service Provider/intermediary was amended and Section 66A was introduced. Then on 24th March 2015, Section 66A was held “Unconstitutional” in the Shreya Singhal case and scrapped. In December 14, 2016, the Sharat Babu Digumarti Vs Union of India judgement from Supreme Court made some observations on the overlapping provisions of IPC and ITA 2000. Additionally Section 65B of Indian Evidence Act which was present since 17th October 2000 got a renewed support with the Supreme Court judgement on PV Anvar Vs P K Basheer. All these make our vision of the case blurred unless we carefully sift through the changes the law has undergone.

When the Supreme Court gave its judgement in the Visakha case, it had to decide whether it should apply the law as was prevailing on the date of the incident or take into account any of the developments that occurred subsequently.

The judgement is noteworthy since it discussed many issues of law in detail including international jurisdiction, the role of a parent company and the subsidiary, the concept of due diligence etc. There are several points of learning about the thinking of the Supreme Court on some of these issues which will be coming into discussion in the lower Courts.

However, we need to point out two specific observations while analysing the judgement which point to the shortfalls that can be attributed to a judgement of this nature.

One observation is that,

if the dispute could have been resolved by reverting the trial back to the magistrate’s court because the higher court opined that protection under Section 79 was not applicable to the appellant,

-it  would  have been sufficient if the judgement had confined itself to this point alone.

In that case, the trial Court could have examined the case in its own wisdom free from the influence of the views of the higher court as expressed in the judgement. By expressing its views on issues other than the core issue, the higher court has now placed a restraint on the lower court from taking independent view on the several collateral issues that are involved in the case.

The higher court was always capable of visiting such issues after the trial was completed in the lower court.

Hence the judgement appears to have needlessly interfered with a fair trial in the lower court.

Second observation is that the judgement missed an opportunity to suggest a solution to an allied problem of the need for an interim judgement in such cases. For example, when a take down request is made by a victim of a defamatory publication directly to the publisher, it may be refused and a Court order would be demanded by the intermediary as per the Shreya Singhal judgement.

But if the Court order takes 10+years with appeals and more appeals, the defamation continues and any relief granted thereafter could only be of no use. If however an interim stay is granted to remove the content, the publication or the author of the content may feel aggrieved that action has been taken without a proper trial. In many cases the interim stay becomes a permanent stay particularly if the respondent does not chose to contest defeating the intention of the Court to uphold freedom of speech.

Confining to the main point of dispute which is identifying the applicable law as of 21st November 2008, at that time, the amendments to ITA 2000 were already under consideration and the recommendations had been submitted by the expert committee and the draft of the Information Technology Amendment Act 2006 (ITAA 2006) was already in the public domain. This represented the legislative intent though the final approval was pending.

However when we consider the concept of “Due Diligence”, we must recognize that “Due Diligence” is not restricted to following the law as enacted. It refers to a responsibility and duty to prevent an adverse incident and hence the “intended law” is as much relevant as “Best Practice” when it comes to exercising due diligence.

Considering that a law need to be complied with only after it is notified and not any time before, even if it appears reasonable, will amount to supporting evasion of law.

In the instant case, the purpose of Section 79 is to provide exemption from liability for an intermediary if it follows certain best practices and this intention was expressed in the ITAA 2006 (which at the time of passage was renamed as ITAA 2008). If this amendment had not been passed, the earlier version of Section 79 would have prevailed. If it was passed, it would expand the applicability of protection from ITA 2000 offences to offences under other statutes.

If a decision had to be taken by an organization in this uncertain scenario when the amendment was in a state where it could either be passed or rejected in the end, a prudent organization would like to follow the principle of “Erring on the safer side”. Due diligence at such a stage with a higher degree of certainty is to consider that present law will prevail and amendment may not fructify.

In such a case the protection should have been considered as restricted only to ITA 2000 offences. It would however be a logical and reasonable decision if the company considers that the proposed amendment which has gone through the Cabinet Committee and is ready to be passed, will be passed as intended. In such case Section 79 as amended would be the “Due diligence target” of the organization. Any other decision would be arbitrary.

Hence the organization should try to be compliant first to the un-amended Section 79 and then to the amended Section 79 and be prepared to justify its decision if challenged in the Court.

The two versions of the section 79 are presented below for easy comparison.

Section 79 under ITA 2000 Section 79 under ITA 2008

Network Service Providers not to be liable in certain cases     

For the removal of doubts, it is hereby declared that no person providing any service as a Network Service Provider shall be liable under this Act, rules or regulations made there under for any third party information or data made available by him if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention.

     Explanation.  – For the purposes of this section –

 (a)   “Network Service Provider” means an intermediary;

(b) “Third Party Information” means any information dealt with by a network   service provider in his capacity as an intermediary.

P.S: “Intermediary” with respect to any particular electronic message means any  person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message

Exemption from liability of intermediary in certain cases  

(1)    Notwithstanding anything contained in any  law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link  hosted by him.
(2)    The provisions of sub-section (1) shall apply if-
(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties  is transmitted or temporarily stored; or
(b) the intermediary does not-
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission
(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf
(3) The provisions of sub-section (1) shall not apply if-
(a) the intermediary has conspired or abetted  or aided or induced whether by threats or promise or otherwise in the commission of the unlawful act
(b) upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.
Explanation:- For the purpose of this section, the expression  “third party information” means any information dealt with by an intermediary in his capacity as an intermediary.

P.S: “Intermediary” with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes

When this case goes back to trial, the first thing that the court would be looking for, is to decide whether it should apply the un-amended section 79 which was the law prevailing on the date of the incident or to apply the intended amendment which was available in the public domain using the concept of due diligence.

The Supreme Court has not provided the clarity in this regard by referring to the judgement of Shreya Singhal and repeatedly to the “amended” and “Unamended” section 79.  If the Court had laid down the principle that law as applicable on the date of an offence will prevail at the trial stage, it would have helped to simplify trial proceedings in such cases where the law has undergone a change in the interim period.

Even in the case of scrapping of Section 66A, the Supreme Court did not specifically mention whether the change will have a retrospective effect or not. This led to Police some times invoking Section 66A because  it was the law on the date of the incident.

In a recent order, Karnataka High Court imposed costs on some police officers for invoking Section 66A, since in this case Section 66A was not applicable on the date of the alleged offence.

It may be observed that the two versions of Section 79 differ in many respects. Firstly the applicability of old Section is for a “Network Service Provider” who is an intermediary, defined as a person who receives, stores or transmits a message or provides any service with respect to a message. On the other hand under the new definition, an intermediary is defined with reference to an “Electronic record” and not a “message” and includes the erstwhile network service providers as well as search engines, online market places etc. 

The replacement of the word “message” with an “electronic record” and expansion of the different types of service providers is a significant change to the law.

In the Shreya Singhal case, one of the most glaring mistake the Supreme Court did was to equate a “Message sent to an addressee through a Communication device” with a “Publication available for view by the public in a Facebook or Twitter platform”.

The current judgement could have clarified on this aspect of what is a “Message” and what is a “Publication” while discussing the term “publication”. Obviously the Court did not identify the distinction between the two terms strong enough to provide a clarification.

Another distinction between the two versions of Section 79 is that the protection is available only if the service of the intermediary is limited to certain functions. Accordingly, it would not be available if the intermediary does not initiate the transmission (only provides a platform for sending it through), select the receiver of the transmission and select or modify the information contained in the transmission. If the intermediary “Pushes” the information to “Members of a group” it appears that it has to “Initiate the transmission” and on this ground Google groups may lose protection. This was not explored.

The new section 79 includes “communication link hosted by him” to data hosted by the third party for the purpose of providing protection. This goes with the expansion of the term “intermediaries” to service providers of all kinds.

Additionally the new section introduced an obligation for removal of the content without vitiating the evidence expeditiously.

In the Shreya Singhal judgement this was read down to mean that “the time for expeditious removal” would commence after receipt of a Court order.

Given the delays of our Judicial system the need to wait for a Court order is not a fair relief to the victim. The bench which heard the Shreya Singhal case failed to recognize the relevance of this provision in the Act and gave a judgement without recognizing that a defamatory case to come to a decision on whether it should be tried under the old section or new section itself takes 11 years. If therefore the process of determining whether a defamation has occurred or not, whether Google India is liable or Google LLC is liable etc will take much longer. Hence the entire process of judicial relief is a farce as far as the victim is concerned. While Google can pursue the case at High Court and Supreme Court, the victim many times an individual is denied justice merely because he has no capacity to continue this litigation for such a long period in multiple Courts.

The bench in the current case therefore failed to find a solution which was essential.

Naavi.org had way back on December  2000 under the article “How to Counter Rogue Sites” suggested that the offensive content could be “Flagged” as “Objected by …..” with a link to the notice of objection received by the hosting body. In the current context, a similar procedure can be followed by the intermediary when a notice is received directly from the victim and the legal process is pending. If required a time limit of around 90 days or 180 days may be provided within which if the Court order does not come through, the flagging can be removed or populated with the information that no court order has been received.

This procedure could have been endorsed by the Supreme Court either in the Shreya Singhal case or in this Visakha Case. Unfortunately, the Supreme court missed an opportunity for this clarification for the second time.

I appears that there is a need for the Courts to “Finding ways and means to resolve the disputes” while drafting the judgement. Then the years of wait would atleast bring some lasting improvements to the system. On the other hand, if the Supreme Court only restricts itself to the role of finding fault with the law and notification of the Government and expects the Government to come up with revisions which are again subjected to another round of critical evaluation, the legislative process would be seriously hampered.

I wish that there is a serious introspection  by the Judiciary in this respect of how to make the judgement solution oriented.

Naavi

Reference Articles

Defamation: Sections 499 to 502 of IPC

Copy of the Judgement

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Data Privacy Day at Naavi.org

Data Privacy Day is celebrated on 28th January by the international community to raise the awareness of Privacy. India is slowly adopting to the practice.

It is to celebrate this year’s Data Privacy Day that Naavi decided to release the book on “Personal Data Protection Act of India (PDPA2020)” in the E-Book format.

The book is now available on Amazon. It is in Kindle format. But a free Kindle reader is available for all PCs, Macs and Android/ioS Phones. The app can be downloaded from here

KINDLE FREE APP DOWNLOAD

There are a few questions raised from some persons why this book before the Act has been passed. I need to share my thoughts on this.

PDPA 2019 is presently in the form of a Bill which has been referred to a select committee of Parliamentarians for a final review. It is suggested that the review be completed before the last week of the budget session. The Committee has called for a final submission of views from the public within 3 weeks from 22.01.2020.

The stakeholders can send two copies of their comments and suggestions to Dr Ram Raj Rai, the Director of the JPC at the Lok Sabha Secretariat,(at Room No. G-014, Parliament House Annexe, New Delhi – 110001) or email them to jpc-datalaw@sansad.nic.in, or to the JPC chairperson Meenakshi Lekhi at mrs.mlekhi@sansad.nic.in.

It is necessary that the stakeholders understand the bill in detail before sending their suggestions and the debate takes place in a healthy manner without mis-interpretations from vested interests.

For the Companies it is better to start preparing for the emerging law. The professionals who have to start shouldering the responsibility as DPOs also need to start early.

Hence this book is being released in the E Book form quickly and the print version to follow.

The book is now available at Amazon and hopefully it will be of use for submitting the responses to the Government.

Any feedback would be welcome.

Naavi

 

 

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

E Book on Personal Data Protection Act of India published

 

It is a pleasure to announce that the first book on Personal Data Protection Act of India has been released through Kindle…Amazon. According to Amazon, the book would be listed for sale within the next 72 hours. The E-Book will be priced at Rs 449/-.

The Print version will follow in the next few days, hopefully well before the bill comes back to the Parliament for the final passage.

The book contains 28 chapters split in to two parts. Part A contains the Personal Data Protection Bill discussed section by section. Part B covers discussions on some key aspects of data protection.

Naavi had published the first book on Cyber Laws in India in December 1999 (Cyber Laws for Every Netizen in India) when the Information Technology Act was yet to be passed. The objective then was to make the details available for use by the Parliamentarians when they discuss the complex law.

A similar objective is behind release of this book on PDPA 2020. Additionally it is expected that the prospective Data Protection Officers in organizations and other professionals like the Advocates, the IT and IS professionals as well as the management professionals are expected to find it more than useful.

The table of content given below indicates the coverage.

Contents
About the Author
Table of Contents
Preface:
Fundamentals of Privacy and Data Protection
PART A:
Chapter I : Preamble, Statement of Objectives and Preliminary
Chapter II: Obligations of the Data Fiduciary
Chapter III : Grounds for processing personal data without consent
Chapter IV: Personal Data and Sensitive Data of Children
Chapter V: Rights of Data Principal
Chapter VI: Transparency and Accountability Measures
Chapter VII: Restrictions on Transfer of Personal Data outside India
Chapter VIII: Exemptions
Chapter IX: Data Protection Authority
Chapter X: Penalties and Compensation
Chapter XI: Appellate Tribunal
Chapter XII; Finance, Accounts and Audit
Chapter XIII: Offences
Chapter XIV: Miscellaneous
PART B 
Chapter XV: The exploding job opportunities for DPOs
Chapter XVI: Required qualities of a good DPO
Chapter XVII: Anonymization of Data
Chapter XVIII: Consent as an Instrument of Privacy Protection
Chapter XIX: Privacy in Public Space
Chapter XX: Conflict with other laws.
Chapter XXI: Towards being PDPA compliant
Chapter XXII Data Audit
Chapter XXIII: Data Trust Score
Chapter XXIV: Personal Data Protection Standard of India (PDPSI)
Chapter XXV: Technology Challenges and Tools of Data Protection
Chapter XXVI: Data Governance
Chapter XXVII: GDPR Vs PDPA
Chapter XXVIII: Naavi’s theory of data
Epilogue

As is usual with Naavi, the book is an expression of the years of experience in the field of Cyber Law and Data Protection and will contain his exclusive views some of which the regular readers of this website are aware.

Naavi recently conducted a web based course on PDPA during which also some of his views have been shared with the limited audience. In future, this book will be a guide for the DPOs.

As and when the bill is passed a supplement will be published to cover the changes that may occur between now and the passage of the Bill.

As soon as the confirmation is received on the listing of the book for sale at Amazon, the details will be published here.

Looking forward to the community receiving the book and encouraging this new project of Naavi.

You can download Kindle for PC/Mac from here: 

Kindle for Android mobile can be downloaded from Playstore. Kindle for iPhone can be downloaded from the Apple store.

Naavi

P.S:Print version is in the pipeline: Expected to be ready by February 15th.  Pre-order coupons at 25% discount available. Contact Naavi for details.

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Expecting the Government to provide security with its hands tied behind the back

When we look around and see the developments in India, we see a spurt of agitations and oppositions to the actions of the Government. When educated persons and successful professionals, professors in reputed universities, students of advanced legal studies all join chorus with opposition politicians and oppose legislation like CAA, Abrogation of Article 370, Triple Talaq etc., and the Media seems to endorse their opinion,  it appears as if there is an uprise against communalism in the country.

Similarly, when people and organizations oppose the Aadhaar, amendment to rules under Section 69 (ITA 2000), Intermediary Guidelines Notification, or UIDAI’s tender notification for self monitoring in the social media, and now the PDPA 2018 or PDPA 2019, it appears as if there is an uprise against an assault on democracy by the Government.

There is no doubt that the voice of opposition is strong, the gathering of people for CAA protests are impressive and there are some voices from the educated urban class also involved in such protests.  Whether it is Sadguru or Amit Shah these voices will raise in unison to condemn any attempt to support the views of the Government.

If those who support the Government try to hide their expressions for the fear of being defamed by the opposition, then the society may perceive that there are no body to support the Government views and hence what the opposition is saying must be true to some extent.

It is therefore time that such people need to boldly voice their views also. In this context, I would venture to place my views that most of the opposition is not an in principle opposition to either the CAA or Aadhaar or PDPA etc. They are all manifestations of the opposition to Mr Modi not even the BJP. By calling all these efforts as communal and anti Democratic, a narrative is being built that can hide the real intention of the people which is to hate Mr Modi and bring him down if possible.

Again if one wonders why there must be so much hate towards the man who seems to be dedicated to the welfare of the country, the truth stares in the face. The truth is  that the hate for Modi is not because  Mr Modi is fascist or communal but because he has taken to a fight against “Corruption”.  Whether it is demonetization or Linking of Aadhaar to different Government services or the CAA or NPR, the core of the opposition is that the corruption they are indulging in some times in the form of making money directly and some times creating a vote bank to get into power to make money.

The intense opposition to Aadhaar started when the Government made its intention clear to link Aadhaar to the Property ownership which could hurt the holders of benami property. The corrupt but intelligent politicians engaged the various NGOs who were themselves concerned that the money flow from abroad to manipulate the Indian political and religious developments would stop, to raise a more authentic looking opposition to the moves of the Government.  The opposition to Aadhaar, Data Localization in PDPA 2018, surveillance in PDPA 2019 etc are all manifestations of these mechanisations of the corrupt. Unfortunately some have fallen to the trap of this propaganda and taken up opposition to the various legislations under the guise of supporting Privacy or Freedom of Expression etc.

Even the CAA opposition is pure political corruption since the intention of those who oppose is to let illegal immigrants to become their vote banks.

Today, there is a very informative article in epw.in title “The politics of India’s Data Protection Ecosystem” that has traced the legislation of Personal Data Protection bill currently in the Parliament and highlights some of the key issues.

Not withstanding the valuable information that the article contains, the article in its conclusion says “Safeguards for surveillance have received a big blow” and prepares the ground for further debates with the Committee of MPs, which is presently deliberating on the final corrections on diluting the provisions of national security enshrined in the Bill.

While any discussion on improving the drafting of the bill has to be welcomed, we should ensure that the discussion  is held on a fair basis and the genuine interests of the “Security First” school of thought is not ignored. “Security First” principle is that for democracy to survive, first of all we should survive. If any opposition to the Bill is providing strength to the forces which try to destroy the country, we should recognize this before expressing our opposition.

During the struggle for independence, Mahatma Gandhi had several occasions when he suspended or threatened to suspend the agitation for freedom if the principle of non violence is violated. Similarly if the principle of national security is likley to be violated, we should not blindly support the opposition to the Government legislation that are basically meant for assisting the Anti national view point.

Let us therefore keep our eyes and ears open to discuss without forgetting that surveillance is part of good governance and refusing the Government to have some enabling power is like asking our police to use lathis against AK 47 wielding terrorists. We have made such mistakes in the past and we should not do it again.

We must understand that every law can be misused if the police or authorities have no integrity. In the previous Congress Government even the finance minister was subject to surveillance in his office. At that time also there was no law that was supportive of such surveillance. Mrs Indira Gandhi imposed emergency and suspended all Civil Rights misusing her powers. Such instances can only be corrected if we bring ethics into politics and prevent vote bank corruption.

The spirit of “Equality and Justice for all” which was enshrined in our constitution has long been forgotten and though people swear by the constitution to oppose surveillance, they forget that “Providing Security to all the Citizens” is a duty cast on the Government and it is the fundamental right of every citizen to ensure that the Government takes such measures as are required to provide safety to its citizens.

If this safety requires CCTV vigilance, or if it requires exemptions from obtaining consent before conducting intelligence activities , we should recognize that there has to be a legal enablement for the Government to do its duty. Any opposition to the surveillance aspects of the PDPA 2019 should be moderated in this context.

We should not expect the Government to secure our society with its hands tied behind its back with Privacy regulations that ignore the security interests.

Naavi

 

 

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment