“Supreme Court Slams UIDAI”.. Is it a fake news created by Economic times?

There are “Mischievous journalists” around today in the media. Some of them are considered senior journalists and include the likes of Shekhar Gupta who try to pick up wrong narratives only with a view to discredit the Government. Mr Shekhar Guta was also seen as the brain behind the Four Supreme Court judges going to the public with the “Democracy in Danger” press release.

There are also few senior advocates of Supreme Court who are active members of political parties some with dubious reputation in meddling with judicial appointments. Some of them are also members of the Parliament who threaten the Chief justice with “Impeachment” and try to create an atmosphere of fear for the judiciary to go soft on the cases in which opposition parties like Congress are involved.

It is a matter of fact that the Supreme Court takes an unreasonably long time to even hear cases like National Herald case against the Congress leaders where as is in a hurry to hold mid night hearings if the cases are against terrorists and urban Naxalites because influential advocates are moving the petitions. I will not be surprised if the Supreme Court does not hear the National herald case until the 2019 elections are over despite Dr Subramanya Swamy trying his best.

The public are confused on why the Supreme Court is more concerned on the rights of the people who belong to the Tukde Tukde Gang rather than those who are on the otherside of the political divide.

We are concerned that Supreme Court should preserve it’s reputation as the last resort for justice in India acting without bias and within the parameters of the role assigned to it under our constitution.

In the recent days, two instances related to the “Social Media hub” have come before the Supreme Court and in both cases, it appears that the members on the bench have passed some comments which have been picked up by the mischievous journalists to create a narrative as if the Government is making a blunder and Supreme Court is trying to save the country’s democracy by intervening.

We would like to highlight why this narrative is wrong and request that Supreme Court to avoid them being used as a tool to adversely affect the Governance of the country by the political opponents.

In our previous article on the “Social Media Hub” proposed to have been created by the I & B Ministry, we had indicated how the comment made by one of the judges at the time of admission led to the Government to withdraw the proposal itself.

The result was neither to the credit of the Government nor to the credit of the Supreme Court because it showed that both the Government and the Supreme Court could be blackmailed into taking decisions without a proper trial.

In this case, even the Attorney General should be considered as having failed in his duty to properly explain the issue and remove the misconceptions of the Judges which were further compounded by the Government withdrawing the proposal itself.

Mr Ravi Shankar Prasad, the honourable minister also seems to have erred in this case. The team of advisors available to the MeiTy seems to be incapable of putting across the Techno Legal issues properly for the executive to take the right decisions.

As we have pointed out, the purpose for which such “Social media Hubs” can be created and perhaps are needed to be created is for “Monitoring the Media for information” and not for “Arm twisting the media”.  Just as the Police and the intelligence gather information, a corporate (in this case the Government) has to also keep watching the Cyber space for information that is floating around itself so that its own reputation is not damaged and its own name is not used to commit frauds.

It is possible to argue that availability of information can be misused but this cannot be the speculation under which the Supreme Court can pass its judgements.

In the last month we have also highlighted how the names of a former Chief Justice of India, along with the Current President of India and an Union Minister in the PMO have been used for a suspected scam and despite this being brought to the attention of the relevant persons, no action seems to have been taken to prevent the public from being mislead through such an exercise.

It is a standard practice in the Corporate sector that their public relation cells monitor the print publications, the TV media as well as the social media to find out what is the positive and negative reporting about their activities that is getting published. In case of stock market sensitive companies, if any report is published, it is even necessary to respond both to the public as well as to the regulatory agencies whether the news is correct or wrong.

As part of the “Due Diligence” under Section 79 of ITA 2000/8, we normally recommend companies to undertake such activities particularly when  similar looking domain names are registered for committing frauds.

This is called “Reputation management Exercise” and the Supreme Court needs to be aware of this.

I donot credit the petitioners like Mahua Moitra who are political workers of parties like TMC whose objectives are well known to understand the difference between “Media Montiring” and “Media Control”.

But senior advocates like Mr Abhishek Manu Sighvi or Ranjeet Rohtgi should be more intelligent and informed and if they are arguing with the Supreme Court that the I&B ministry’s social media hub and now the UIDAI proposal to monitor the media are attempts to gag the media, then they are dishonest and are misleading the Supreme Court.  If they are really think that the measures of UIDAI or I&B ministry is for media control, then they should produce evidence of misuse and make a case out of it.

If information available on Google search, on platforms like Twitter or Facebook (with public view settings) or on open blogs or online news papers are monitored with a specific search engine, then that does not amount to “Curbing the freedom of speech”. It is perfectly legitimate for the Government or UIDAI to monitor the content which are in public domain and in fact as a citizen of India I consider that it is a part of the necessary duties of the Government.

Any judicial interference in this space would amount to intereference in the law and order preservation responsibility of the Government of India.

In the case of the I&B ministry, the petitioners projected that “WhatsApp” will be monitored. I did not find evidence of this in the scope of work described in the RFP document.

Now emboldened by  the media effect of comments passed by Judges during admission stage in the presence of the Press which are twisted and  published  with wrong headlines to create “Fake News”, Madam Mohua Moitra has filed another petition, this time against UIDAI taking objection to their releasing a tender proposal for setting up a Social media hub to monitor the online media about what is being written about UIDAI.

I draw attention to the RFP released by UIDAI which is the subject matter of the petition filed by Mahua Moitra  S/D/W/ Thru:- Dwipendra lal Moitra, 74, Judges Court Road, District Alipore, Kolkata, West Bengal, naming the Union of India through the Secretary of the MEITY and the UIDAI as respondents. The petition has been filed by advocate Ranjeeta Rohatgi under Case No W.P. (C) No 000916/2018 dated 02/08/2018.

Last Friday the 7th September 2018, the petition came up for hearing before a bench comprising of CJI Dipak Mishra, AM Khanwilkar and DY Chandrachud.

Economic Times reporting on the hearing reported with a head line “SC Slams UIDAI tender to conduct online surveillance”.  The report is shown below.

The report is attributed to a comment made by Justice Dy Chandrachud who is quoted as saying “You are trying to do indirectly what we told you cannot do directly”.

In the earlier case against I&B ministry, the same bench is quoted as commenting “The Government wants to tap Citizen’s WhatsApp messages”. It is not clear where from the judges got this information because it was not part of the RFC under question. Either the Judge was making a personal unsubstantiated and unrelated comment or the publication was publishing a fake news. It is for the Bench to check with Financial Express why the bench was reported to have made such a statement.

Similarly, in the current case, Economic Times says “Supreme Court Slams UIDAI”

Has Judge Chandrachud “Slammed UIDAI?”  or

“Is it a fake news created by Economic times”

is a point that needs to be sorted out. If Judge Chandrachud had raised a question to UIDAI to clarify, the report should have been clear in representing the context and tone. But by using strong words like “Slamming” and attributing it to the Supreme Court itself, Economic Times has created fake news and there is a need to flag such headlines and bring the persons responsible to book.

Mr Abhishek Manu Sighvi who is more a servant of the Congress party rather than the servant of the Court  (who he is supposed to be) made a reference to the previous case of the I&B ministry and has sought to draw a parallel perhaps suggesting that in the earlier case since the Government withdrew like a coward, it has admitted guilt and hence even in this case the Government should withdraw.

The Attorney General who meekly surrendered the ground in the last instance Mr K.K.Venugopal perhaps has no clue on what he should do and will run back to the Minister Mr Ravi Shankar Prasad who also seems to be confused on what action is to be taken.

Had the AG and the Minister responded properly in the earlier instance, today it would not have put them on a spot.

Now it is necessary for them to defend both the current instance (UIDAI) as well as the earlier instance. (I&B Ministry)

Judge Chandrachud and CJI Dipak Mishra are also part of the bench which has reserved the judgement on the main Aadhaar case and the Government is afraid that if they rub them on the wrong side, the larger battle will be lost. We are therefore seeing that the Supreme Court has created a “Chilling Effect” on the functioning of the Government and even before the Election is to be announced and code of conduct has to come into play, the Supreme Court is imposing its influence in paralyzing the Government into inaction.

For the Government, there may be political reasons to lie low and let the Supreme Court act in whatever manner it deems fit so that Government is not adversely impacted by an adverse judiciary.

But it is a well known principle that if you give into an extortionist once, you will be hounded again and again. Because the Government withdrew from the battle  in the I&B instance , Government will now have to face this complaint against UIDAI  and later they may also face a complaint against the I& B ministry itself.

Hence this trend has to be checked and it is in the interests of the citizens of India to ensure that the Supreme Court realizes where it is going wrong.

I therefore request the Supreme Court to appreciate

“Monitoring what is being published in different media vehicles is a legitimate activity for any individual, corporate or Government. This should not be faulted and not adversely commented to force the Government to change its administrative actions under threat.”

If there is any evidence that the Government is indulging in any illegal activities, the Court can very well intervene post the occurrence of such an event. Court should not intervene in routine tenders of the Government on a speculative basis with a wrong reading of the tender document or worse still not reading the tender document.

I now draw the attention of Mr K.K. Venugopal and Mr Ravishankar Prasad to kindly refer the Court’s attention to the “Scope of Work” indicated in the tender which is reproduced here:

a. The Agency shall conduct a comprehensive media search on daily basis and present an update report within prescribed time limits in soft copies on appropriate news reports and content with regards to UIDAI, Aadhaar and other related issues as per the requirements of UIDAI. Hard copies of specific news reports/clippings/tracks/content should be provided on demand to UIDAI within the time period specified.

b. The Agency shall also conduct a comprehensive media search on daily basis and present an update report within prescribed time limits in soft copies on UIDAI’S campaign through print, audio video mediums.

c. The summary of daily reportage with regard to print media along with the published clippings should be sent in .jpeg/.pdf format.

d. The Agency shall provide daily update on electronic/web/digital/ Media Monitoring tracks/clips and prndtive of the same shall be provided on demand within the specified time.
e. The update must be a detailed report covering the entire gamut of media that will includes but not limited to, as per UIDAI’s specifications:

i. Print:

a) All DAVP empanelled national, regional and vernaculars dailies (English, Hindi and regional languages).
b) All magazines including news magazines: weekly, fortnightly and monthly/bi-monthly issues.

ii. Electronic: all National and Regional TV news channels.
iii. Digital/Online/Media Monitoring: Online news & magazines, facebook, twitter, blogs,micro sites, social network sites, etc

I would like the  Government to highlight  that by no stretch of imagination, this activity indicated in the scope of work can be considered as “Media Surveillance”. If some corrupt political minds think so and raise objections, it is not possible for the Government to take cognizance of such objections nor the Supreme Court should take cognizance.

The background of the petitioners and the advocates arguing the case is well indicative of their motive and the Supreme Court has to be objective in its evaluation of the petition and dismiss it in the first place. By admitting such flimsy petitions, the precious time of the Court is being wasted.

Additionally by letting media create fake news based on the innocuous comments and questions raised during the conversation in the Court which is a perfectly legitimate exchange of thoughts between the Court and the Servant of the Court (if the role is being played honestly).

If the Government does not defend its position in this case, it will have an adverse impact on the Corporates also since any Public Relation exercise involving systematic monitoring of news by any Company would be termed as a violation of Privacy of citizens and should be considered punishable under the Personal Data Protection Act 2018 (proposed).

I therefore request MR K K Venugopal and Mr Ravi Shankar Prasad not to succumb to political doubts about what media will write if the RFP is justified. Media consists of motivated writers like Shekahar Gupta and Sagarika Ghosh and will write negatively whatever the Government does. Kindly Ignore and proceed.

Naavi

 

Print Friendly, PDF & Email
Posted in Cyber Law | Tagged , , , , | 2 Comments

Social Media Hub… Was the Supreme Court mislead by the political canvas

The Supreme Court is the ultimate hope for justice in India and deserves to be respected and supported.

But in recent days, it appears that Supreme Court is spending a disproportionate share of  its time in resolving political issues and policy issues rather than addressing the citizen’s needs. The special treatment shown to the petition against the arrest of the Naxal sympathisers  of the Bhima Koregao agitation who were allegedly plotting the assassination of the Prime Minister of India, has attracted criticism of a differential soft treatment to Naxal sympathizers and unless this trend is checked, the Supreme Court  is in the danger of losing  some of its respect in the eyes of the common citizens.

Sometimes, the comments made by judges during the hearings get blown up in the media and projected as if it is the final judgement. The Court does not seem to exercise proper control over such motivated reporting of the proceedings creating misconceptions in the public posing a challenge to Governance.

After the unprecedented Press Conference by four senior judges commenting that “Democracy was in danger”  the judges have by their own actions painted themselves as having a political leaning of their own. Now with the change in the Chief Justice with one of these judges taking over as the Chief Justice just before the next election, there will be a higher level of public scrutiny of the actions of the Court. After all, the same judges justified the press conference stating that Citizens need to be aware of certain goings on within the Supreme Court management in the interest of democracy and now they should also be open to the scrutiny of  the fairness of their decisions.

If the Supreme Court has to retain its respect amongst the citizens, it is necessary that the judges display an extraordinary sense of restraint when admitting petitions against normal Government actions filed by the political opponents and also passing adverse comments before hearing out the evidence.

The case of the “Social Media Hub” proposed by the Ministry of Information and Broadcasting which was withdrawn by the Government was an example of how the Supreme Court can interfere in the normal functioning of the Government by just passing strong adverse comment during preliminary hearings at the time of admission of a petition.

In the case of the proposal for setting up of the Social Media Hub which was challenged by a TMC MLA, the comment passed during the hearing by one of the Judges was reported to be “the proposal will be like creating a surveillance state”

If we look at the Financial Express report, it clearly indicates that “Supreme Court Says..” and calls the proposal “E Spying”. Has the Supreme Court taken any objection to this type of reporting? …which is more or less repeated in many other media publications also?

Should not the Supreme Court have asked the Journalist to clarify that it is not the statement of the Supreme Court but only an observation or a question put to one side such as “Is it not amounting to surveillance”?..etc. Has the Supreme Court at this stage gone through the RFP in detail and heard the explanation of the Government?…

Without giving an opportunity to the Government to explain its stand for which the Court is bound, the Court should have avoided jumping into conclusion and not allow the Press to report the matter as if the Court has made up its mind.

If this is allowed, why should there be any trial at all? and in what way this “Expression through Comments” different from “Media Trial”?

It is necessary for the Supreme Court to seriously think about its own conduct in such cases and if any journalist has mis-reported, it should be objected to by the Court itself.

However, this requires the Court to monitor what the media is saying about itself  and on specific matters under trial.  Such monitoring means, scanning the public media vehicles to observe what comments have been made. This is not “Surveillance” of the Citizens of the country.

The Supreme Court failed to recognize that there is a difference between “Surveillance over people” and “Scanning of media” before arriving at the conclusions on the social media hub and its objectives.

The Social Media hub proposal was nothing but creating a set up which could scan the online media including Twitter kind of social media to know what is being published. If such publications are subject to legal action in terms of defamation etc., then there is nothing wrong in the Government or any individual or a company monitoring them.

The business calls it as “Reputation Management”. It is necessary for Supreme Court to understand the term “Reputation Management” and how it is done by the industry. If the means used is unethical or in violation of privacy, objection can be taken to the specific methods used. But it was not prudent on the part of the Supreme Court to flag the “Media Monitoring Exercise” as “E-Spying or Surveillance”.

The petitioner was Mahua Moitra, of TMC and neither the party nor the person has an immaculate reputation themselves and the advocate representing them was a Congress leader Mr A.M.Singhvi. The Supreme Court  ought to have considered the background of the petitioner before making judgemental comments and allowing it to be carried by the media as if it is the final view of the Court.

It is possible that political persons make unsubstantiated allegations as part of their political agenda but the Court should stick to evidences and not accept political allegations and pass comments to be reported in the media.

Going by the report of the Financial Express, it is quoted that the bench said “ The Government wants to tap Citizen’s WhatsApp messages”. I wonder where from they got this idea that the Government wants to tap WhatsApp messages from out of the evidence available before it.

I suppose that the petition was filed on the basis of an RFP a copy of which is here.

If we look at the scope of work in the RFP, the following media vehicles have been indicated.

Twitter, You Tube, Google+, Instagram, LinkedIn, Flickr,Tumblr, Pinterest, Playstore, eMail, News, Blogs, Forums, Complaint Websites.

There is no “WhatsApp” in this RFP at all and if the Supreme Court just took the petitioner’s word for it, then it has let itself be mislead by the politically motivated petitioner.

Out of the social media vehicles indicated in the RFP, the only questionable inclusion is eMail. A clarification could have been asked on what it means and the Court could have ordered its removal. Some of the other media mentioned here have “Private” and “Public Settings” and what a user indicates as “Public” is what a media monitoring agency can monitor.

If there is any attempt to break into “Private” messages or eMail, then it would amount to an offence under Section 66 of ITA 2000/8 as “Unauthorized Access” and neither the Government can ask for it nor the service provider can give it. Any prudent service provider responding to the RFP would have pointed out that “EMail and Private messages are out of scope of the service provided”.

Once the information is in public domain and is collected, what software is used to monitor them is left to the intelligence of the service provider. As long as the data analysis is restricted to “Profiling of the general trend on public response to various Government initiatives” and not “Profiling the behaviour of individuals”, the proposal would even go through the current Personal Data Protection Act 2018 (Draft). Privacy infringement would arise if there is profiling of individuals and not otherwise.

One disclaimer that “Monitoring would be restricted to only such circumstances where there is no violation of law or privacy of an individual”, would have taken care of all the concerns which the Supreme Court would have on the matter.

Instead of showing patience to get the views of the Government, the members of the bench appeared to have been unduly influenced by the weight of the counsel representing the MLA and made harsh comments which were not warranted.

It is tragic that Government did not want to contest the observations of the Court and yielded to the wishes of the political opponents by withdrawing the proposal. Perhaps the Government was not confident that a fair and unbiased view could not be taken by the Court in a surcharged  political atmosphere which had left a threat on the judiciary in the form of impeachment motion and softened the judiciary.

In the process, Government expressed its own no-confidence on the highest court of the land and this should be actually considered as an undesirable offshoot of this incident.

In many of the matters concerning the Internet activities, even the senior counsels on either side are not necessarily well informed and hence they are unable to take a principled stand. In this case also as in the earlier incident of Section 66A scrapping, the Government Counsel did not have the self confidence to argue with the Court that their observations were wrong and contested the case to the logical end with an assurance that if the Court wanted any modifications to meet some concerns, it could be accommodated.

Unless the Supreme Court as well as the Attorney General are able to have a reasoned debate based on the points of law and not get swayed by the media reports and the politically motivated advocates and petitioners, and come to practical solutions of Governance, the Citizens of the Country will consider that there is a fight going on between the Supreme Court and the Government .

When cases like National Herald take endless time, Cases against Jayalalitha are shelved until the death of the accused, while cases against terrorists are taken up in the middle of the night, the general perception of the common man is to consider that the Court has some concerns of its own in discharging its duties.

This is not a good perception for the Court to build.

We anticipate more such instances in future as the election day approaches. We appeal to the Supreme Court to take suitable steps to ensure that such a perception is avoided.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | 1 Comment

PDPA 2018: Is Data Localization related to Privacy?

[This is in continuation of earlier articles on PDPA 2018]

There is a strong opposition to the proposal in PDPA 2018 about the Data Localization requirement which has already been discussed in the earlier articles.

There are a few specific questions that are coming up in the discussion about Data Localization, namely

 “Is Data localization has any relation to Privacy”? ..

“If only a copy is being maintained in India and another copy is anyway going to be maintained elsewhere, how does it provide more security”?

” What is the meaning of a Serving Copy”?

I am sure that different view points will prevail on some of these matters but I would like to place my personal views on these.

 “Is Data localization has any relation to Privacy”?

According to the diktat of the Supreme Court in the Puttaswamy judgement, Privacy Right is a fundamental right in India. There is therefore an obligation for the Government to take all measures to ensure that the Privacy of an Indian Citizen is protected.

To repeat what we have said earlier, “Privacy” is an “Individual Preference” of a person on what makes him feel “left alone”. What is “Privacy” for one is “Not Privacy” for another. What is Privacy for a person at one time is not Privacy for the same person at another time. This being the nature of Privacy and it being a matter of  individual preference and choice, it is difficult to provide privacy protection by a law applicable to all.

What we are therefore doing is to focus only on “Information Privacy” meaning that we give control to the data principal to determine how some information can be collected, processed and shared. The entire exercise is therefore only related to “Personal Data Protection” and nothing else. To call this exercise as “Privacy Protection” is perhaps a misnomer but we need to put up with the situation as there may not be an alternative.

In this “Personal Data Protection Approach” to “Privacy Protection”, we need to define what is “Personal Data” and “What kind of protection we should provide”.

In order to design a guideline for such data protection, the PDPA 2018 defines data in different categories namely “Personal Data”, “Sensitive Personal Data”, “Critical Personal Data” and also “Personal Data exempted from some restrictions” for reasons of “necessity” and “strategic interests of the State”.

Coming specifically to the Data Localization, it is felt that if the Government of India needs to protect the personal data of an individual then it should have the control on the personal data. If I send my personal data to some unknown person in Timbaktu and expect the Government of India to take responsibility for its protection, it will be an unreasonable expectation.

Therefore it is reasonable for the Government to propose that “Data Shall Remain In my control” and this translates into the “Data Localization” in the Act. The industry however looks at only the commercial aspect of the requirement and thinks that any change from the current scenario may involve additional cost and therefore they donot want Data localization. If Cost is the only criteria, let us appreciate that the Privacy Protection itself imposes a cost and if there was no PDPA 2018, there would be no cost.

The industry is behaving in a strange fashion by first fighting with the Government for the legislation and now trying to stall its implementation by irrelevant arguments on data localization.

Recognizing this opposition perhaps, Government has actually diluted the Data Localization principle by providing that only the “Sensitive Personal information” is subject to strict data localization. The “Critical Personal Information” will also be subject to similar strict data localization but it will be restricted to some specific categories that the Government may have to notify. On the other hand the “Personal Information” which is not considered sensitive can continue to be processed and stored any where except that one “Serving Copy” has to be kept within the boundaries of India.

This need for local storage is restricted to data that is originating in India or is being processed in India and should therefore first be stored here and then a copy forwarded outside.

The Government has also been considerate in not insisting that the entire processing has to take place in India since only a “Serving Copy” needs to be retained. The processing can still take place elsewhere.

Thus Government is trying to yield to the industry pressure and allowing the cross border outflow of personal information for which it has prescribed under Section 41 the various means such as standard contractual clauses, adequacy of protection in a given country or sector, or upon specific consent and also when there is a “Situation of Necessity”.

The provisions are therefore very flexible and perhaps too flexible for hard core privacy activists.

The objections raised on this ground therefore lacks conviction.

“If only a copy is being maintained in India and another copy is anyway going to be maintained elsewhere, how does it provide more security”?

This is the genuine grievance of a hard core Privacy Activist and needs to be addressed through a proper system of approving of countries on “Adequacy” principle, incorporation of “Standard clauses” and “Informed Explicit Consent”.

The Data protection Authority should be expected to take necessary measures in this regard.

” What is the meaning of a Serving Copy”?

The meaning of “Serving Copy” can be interpreted in any manner based on our expectations. I feel that the intent is to ensure that it should mean a current live copy which is dynamically updated with every transaction and not a back up copy.

Since the Act applies only for data which originates from India, the local server copy can be the first instance of the data which then can be sent outside for back up storage.

Where there is a need for processing abroad, the local server should be the gateway through which the data goes out and it should return to India after processing. The facility outside India should work like a “Processing System” and not a “Processing cum storage system”. After the processing the data can be received back in India and stored here. A back up of this stored copy can be sent outside for back up storage if required.

If any company adopts a different process then they should satisfy the authorities on “Unfailing Synchronization” so that the copy in India is always the latest copy from which further transactions have to take place. The Data Protection officer should take care of this during his impact assessment.

(P.S:. As said earlier, this is only one opinion and it is possible that there may be alternate opinions also. I welcome sharing of any views and comments on the above)

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Tagged , | Leave a comment

PDPA 2018: Privacy Activists and RTI Activists fight with each other

[This is in continuation of the earlier article on PDPA 2018]

There were three major criticisms against the PDPA 2018 (draft) which was presented by the Srikrishna Committee. One was on whether Aadhaar Act was to be amended. Second was on “Data Localization”. The third major objection was raised in respect of the proposed amendment to RTI Act 2005.

According to this report in dnaindia.com  RTI Activists in Mumbai have started a campaign against “Amendments to the RTI Act through the proposed Data Protection Bill” because they believe that this will ensure that officials will not be held accountable and transparency will be affected. A RTI activist named Mr Bhaskar Prabhu has been quoted as stating “As per data protection, it seems they have suggested changes to 8 (1) (j) or strike it odd altogether. If they take that stand and data protection has an overriding effect, then all information will be termed a personal and will not be provided,”

Another activist Mr Shailesh Gandhi has reportedly started a campaign for people to call up law makers and states “”The more serious amendment to RTI Act has been proposed in the Data Protection Bill. It seeks to make Section 8 (1)(j) an omnibus exemption which could be used to deny most information where there is the name of an individual,”

PDPA 2018 proposes that in place of the current clause (j) of sub-section (1) of section 8 of the Right to Information Act, 2005 the following clause (j) of sub-section (1) of section 8 shall be substituted.

Coinciding with these views, comments made by the Central Information Commissioner Sridhar Acharyulu in a lecture in Hyderabad on the Right to Information (Amendment) Bill 2018 stating that it will weaken the Act was super imposed by the media to project as if he has a strong objection to the proposed amendment through the PDPA 2018.

However, if we observe the proposed amendment it appears that this is a propaganda launched by the motivated media to oppose the PDPA 2018.

The two versions namely the present version and the proposed version are provided below:

Present
Version
Proposed
Version
(j) information which relates to personal information the disclosure of which has not relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate  authority, as the case may be, is satisfied that the larger  public interest justifies the disclosure of such information: Provided that the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.

(j) information which relates to personal data which is likely to cause harm to a data principal, where such  harm outweighs the public interest in accessing such information having due regard to the common good of promoting transparency and accountability in the functioning of the public authority;

Provided, disclosure of information under this clause shall be notwithstanding anything contained in the Personal Data Protection Act, 2018;

Provided further, that the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.

Explanation. —For the purpose of this section, the terms “personal data‟, “data principal‟, and “harm‟ shall have the meaning assigned to these terms in the Personal Data Protection Act, 2018.”

If we study the two versions, it appears that  the proposed amendment is cosmetic and tries to replace the words

“..cause unwaranted invasion of Privacy of an individual…unless the Central Public Information Officer or the State Public Information Officer or the appellate  authority,  is satisfied that the larger  public interest justifies the disclosure of such information “

with the words

likely to cause harm to a data principal, where such  harm outweighs the public interest”

There does not appear to be any ground to attribute all the motives that the Press reports to have assigned in their reports.

I request Mr Sridhar to clarify if he has any view on this specific amendment proposed by the Justice Srikrishna Committee. It is possible that the other RTI activists quoted in the DNA report might not have studied the bill and might have made an off the cuff remark based on what the journalist might have told them about the proposed bill. If so, they also need to clarify.

It is regrettable that certain sections of the media appear to be hitting out at PDPA 2018 without specific reason. It appears that they have objection to whatever Modi Government does or does not do. First they said there is no Privacy Act in India and now they donot want the Act to be passed. I wish that these Pseudo Data Protectionists should be stopped from spreading mis information about the PDPA 2018 and the Press Council should seek explanation from these journalists on the basis on which they are writing such motivated articles.

It is because of such unscrupulous journalists that Social Media is being relied more than the traditional media which situation is being exploited by the malicious individuals to spread fake news and further blame the Government for its inability to control fake information.

There appears to be a fair amount of “Fake” information in the traditional media itself working under the cover of “Freedom of Press”. This needs to be checked by “Ethical Journalists” who should come together to weed out the bad elements.

If these fake journalists are not stopped, they will prevent the PDPA 2018 from being passed in the next session of the Parliament and then they will lobby with the Supreme Court to release the Aadhaar judgement to strike it down since the Government has failed to pass the Privacy Bill and further attack Mr Modi during the next election for his inability.

Thus we are seeing the playing out of the 2019 election politics in the criticisms of PDPA 2018 that are surfacing now.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Tagged , | 1 Comment

Personal Data Protection and Data Localization-2

[This is a continuation of the earlier article]

Having debated the need to “Restrict” the operation of the word “Indirectly identify” in the definition of “Personal Data”, we can now look at Section 40 once again.

We know that PDPA 2018 is a law that has been framed under the Indian Constitution (Just like the GDPR which is a law under EU Constitution) and its basic jurisdiction is for the citizens and activities that fall under its geographical boundaries. If “Privacy Protection” is the basic objective of the law then the mandate for the Government is to protect the privacy of Indian citizens. India cannot assume the responsibility to protect the Privacy of global citizens just as EU cannot assume responsibility for protecting the privacy of an Indian citizen.

However, law makers arrogate to themselves the right to frame laws with universal jurisdiction as if they are protectors of the whole world. GDPR did it and PDPA 2018 had no option but to follow suit.

Hence PDPA 2018 has stated that the law will have extra territorial jurisdiction in some respect though it is more humble than GDPR.

Basically PDPA 2018 applies under Section 2, to the following:

(a) processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India; and
(b) processing of personal data by the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law.

Under Section 2(1)(b), processing of data by an Indian company even of a foreign national is subject to this Act.

I consider this a needless responsibility that the law could have avoided.

Under Section 2(2)

(2) Notwithstanding anything contained in sub-section (1), the Act shall apply to the processing of personal data by data fiduciaries or data processors not present within the territory of India, only if such processing is —

(a) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
(b) in connection with any activity which involves profiling of data principals within the territory of India.

This is better worded than similar regulation under GDPR and brings the foreign companies within the ambit of the Act which is only reasonable if they are doing business in India or profiling activities in India.

Obviously some of the industry giants appear to be miffed at the courage shown by the legislators in bringing them under Indian law. While US meekly surrenders to the EU GDPR and EU GDPR tries to lord over the global IT systems, there seems to be objection only when India tries to assert its rights equal to other countries. It is in this context that the need to defend the sovereignty of India arises even in defining the provision of the data protection law.

Unfortunately our industry is dominated by vested interests and we find that this provision is being opposed as part of opposition to “Data Localization”.

The arguments presented in this opposition is

  1. Restricting cross border data flow is against the basic philosophy of Internet
  2. Imposes Additional cost
  3. A balanced view is required between Safety and Security of India and flow of global data into and from India
  4. Approach is against the fundamental tenets of our liberal economy
  5. Localization may become a trade barrier and unlikely to benefit local industry

Additionally, recognizing that the key to escaping data localization lies in the definition of data, there is an industry view point presented as a dissenting note that wants “Financial Data” and “Password” to be not classified as “Sensitive Data”.

It is not possible to give any credence to any of the objections raised above. It is like the usual arguments we see from the Pseudo liberals in our country  who plot the assassination of the Prime Minister on the one hand but wants to be protected under free speech on the other hand.

The Pseudo Data Protectionists want the law to be tuned to the advantage of other countries rather than India. They are having a skewed interest in data protection from the point of view of what helps their commercial interests rather than what helps the country and its citizens. This attitude needs to be countered for a healthy development of “Privacy in harmony with Security”.

I am sure that as in many other instances, Naavi.org will be a contrarian thought leader and the industry professionals may have discomfort in accepting the “Nation First” view point even ahead of “Privacy”.

After all I consider that “Cyber Security is a fundamental Right” and Privacy right  has to be balanced with the Security of the State without any excuse.

However, there will be many debates on this concept and this is only the beginning of a long drawn data colonisation war which India has to fight with the world data business leaders.

Let’s watch the developments as they unfold.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Tagged | 1 Comment

Personal Data protection and Data Localization-1

(This is in continuation of the earlier article on PDPA 2018)

After the discussions on Aadhaar the other hotly debated aspect of Srikrishna Committee’s report and the draft PDPA 2018 is the “Data Localization” recommendation.

The PDPA 2018 has recommended under Sections 40 and 41, the regulations on cross border movement of data and there is a strong opposition from the industry circles on the proposed requirement that suggests that at least one serving copy of personal data generated in India has to be retained in India.

The Data Localization debate  has also triggered the concept of “Data Sovereignty” under which it is argued that the nation has the right to expect control over data that belongs to it.

We can refer to a well articulated opinion expressed in Economic Times today titled ” Data Sovereignty-Economic Implications for the country”

The Indian IT industry represented by NASSCOM which was represented in the Srikrishna Committee as DSCI has through a dissent note submitted as part of the report expressed its reservations on the recommendations of the Committee. The industry is continuing to lobby for a change so that the proposed recommendation is scrapped.

Until there was no specific data protection law in India, the IT industry lobbied for the law stating that it is important under the EU data protection guidelines. The EU guidelines even before GDPR threatened that no data would be transferred to Indian data processing industry unless there is a strong data protection law in India. The industry failed to recognize that ITA 2000/8 was itself a strong data protection law in India and was sufficient to claim the status of a “Adequate Data Protected Nation” under EU regulations. What was lacking was perhaps an effective implementation which could have been corrected administratively without another law.

However, after the Supreme Court jumped into the fray with the Puttaswamy judgement essentially to reign in the use of Aadhaar, there was no option for the Government but to develop a separate Personal Data Protection Law and the result is the PDPA 2018.  While the industry was earlier crying that data inflow has been curtailed because of lack of a law in India, now they are raising an objection that the law is restricting the data outflow. The stand taken by the industry therefore lacks conviction and looks like a lobbying by vested interests.

Let’s us first see what PDPA 2018 has proposed and what are the objections of the industry.

Section 40 of the proposed PDPA 2018,

40: Restrictions on Cross Border Transfer of Personal Data

(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.

(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.

(3) Notwithstanding anything contained in sub-section (1), the Central Government may notify certain categories of personal data as exempt from the requirement under sub- section (1) on the grounds of necessity or strategic interests of the State.

(4) Nothing contained in sub-section (3) shall apply to sensitive personal data.

For the purpose of this section, data has to be considered as belonging to four types namely

a) Personal data to which Section 40(1) applies

b) Critical Personal data to which Section 40(2) applies

c) Exempted categories of data to which Section 40(3) applies

d) Sensitive Personal data to which Section 40(4) applies.

Of these, Personal data and Sensitive personal data is defined in the law and the Critical and Exempted data categories need to be notified by the rules or the Data Protection Authority of India (DPAI) when established.

Essentially the restrictions under Section 40 states that “Sensitive Personal Data” has to be compulsorily retained within India. As regards Personal Data, a copy alone need to be compulsorily retained in India and otherwise the data can move freely outside. Additionally the Government has kept the power to notify any other type of data that can be mandated for processing in India as “Critical Information” and those which can be exempted for local retention (of even a copy) under grounds of necessity or strategic State interests.

We should also observe the section carefully and note that Section 40(1) applies only to personal data to which this Act applies.

To understand Section 40(1) we need to therefore visit the definition of Personal Data and the Applicability of PDPA 2018.

The definition of “Personal Data” under Section 3(29) follows the global standards of defining anything and everything as “Personal” and if we raise objection to this, the very foundation of all personal data protection laws including GDPR would be threatened.

The definition given is

Personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information”

The definition is clearly omnibus with the use of the words “relating to”, “Indirectly identifiable” and “any combination”.

Data exists for a purpose and Law basically exists for the protection of a “Natural Person”. Hence almost all “Data” is indirectly related to a Natural person. In the days of “artificial Intelligence” supported by “Quantum Computing Power”, it is impossible to find data that is not related a natural person. Take for example a “Google Glass”. If I am wearing a Google Glass, every thing I see around me can be tagged to the identity of the face recognition. A Place can be identified with the people who have visited the place and it becomes “related to an individual”.

To expect any data to be “Not Related to a Natural Person indirectly or directly even with a combination of information sorrounding it and the use of technology” is a figment of imagination and living in a fools paradise.

I therefore consider that the law whether PDPA 2018 or GDPR has to recognize its own limitations and provide for a less than universal definition of “Data to which this Act applies”.

If we donot recognize this, there will be endless litigations and Supreme Court of India will have nothing to do expect interpreting how a particular piece of data is related to an individual.

This article which you are reading on the internet is a non-personal data but it is related to a person whose nick name is Naavi but who has a real name and identity associated with an e-mail address, a mobile number, aadhaar etc. Can we then say that this article is subject to Section 40(1) of PDPA 2018?. A strict interpretation will essentially agree with such an interpretation.

We therefore should recognize that if we donot confine the meaning of the “Personal Data” and remove the word “Indirectly” and stick to specific identifiers being defined (like in HIPAA), we are in for a chaotic time. This is not just for PDPA 2018 but also for all other legislation such as GDPR.

We shall however for the time being donot stir this hornet’s nest and accept the word “Indirect” as part of the definition and move on.

(To Be continued)

Naavi

 

Print Friendly, PDF & Email
Posted in Cyber Law | Tagged , , | 1 Comment