
Building a Responsible Cyber Society…Since 1998

The Bazee.com case, which was one of the earliest criminal prosecutions to be launched under the Information Technology Act 2000, appears to have finally completed its journey with the quashing of the criminal prosecution against Mr Sharat Babu Digumati. This case was filed in 2004 and lingered on in different courts until the current judgement of December 2016, which seems to have brought closure.

For some reason the judgement got re-circulated in some social media groups and hence I was constrained to bring this up for debate for some academic considerations. Let me make it clear that this discussion is not to express that the relief granted was unjustified.

It was clear from the beginning that this was a case where the juveniles who committed the offence landed other adults in legal problems. First was Mr Raviraj, the IIT student whose career was killed because he chose to sell the DPS-MMS video. Secondly, Mr Avnish Bajaj, the CEO of baazee.com, had to fight his case in all the Courts until 2008 before he was acquitted. But the case against Mr Sharat Babu Digumati lingered on further. All the three accused, namely Raviraj, Avnish Bajaj and Sharat Babu, have faced disproportionate punishment, intimidation and expenses while the two juveniles went unpunished, thanks to the way the law stands in such cases.

In the Nirbhaya case there was discussion on the need to amend the Juvenile Justice system and some changes did occur and hopefully more changes may occur in future.

In the course of the journey of this Baazee.com case, several precedents were created. Firstly, the operation of “Vicarious Liability” under Section 85 of ITA 2000 was invoked, and that was what sustained the case until the Supreme Court in 2008 came to the conclusion that the case against Mr Avnish Bajaj did not stand because the Company itself had not been arraigned as an accused.

The original case had been filed under Sections 292 and 294 of IPC and Section 67 of ITA 2000, and each section was separately debated; Mr Bajaj was acquitted under all the sections one by one. However, Mr Sharat Babu had not got relief under Section 67 and hence the appeal was preferred with the Supreme Court.

In the current judgement, the point of legal debate was

“Whether proceedings under Section 292 can continue after being discharged under Section 67 of ITA 2008”

The final outcome of the Case indicates that the Court agreed with the view that ITA 2000 is a special law and hence Section 67 of ITA 2000 prevails over Section 292 of IPC. Since Section 67 has been quashed for other reasons, trial should not continue under Section 292 of IPC.

However, what is surprising is that this judgement made references to the Shreya Singhal case as well as to the presence of Sections 67A and 67B in the Act. These were developments which were not present when the cause of action arose.

Even if the Section 66A judgement was an opinion and could perhaps be taken as a guidance even in other cases, Sections 67A and 67B along with the diluted Section 67 are creations of ITA 2008 which did not have retrospective effect. They were effective from 27th October 2009. Hence it appears inappropriate that the Court should have quoted these two sections in this judgement.

Considering the content of this judgement, it appears that in future, Double Jeopardy could be implied when for the same offence both ITA 2000/8 and IPC are invoked and in such cases the ITA 2000/8 will prevail (In cases where electronic documents are involved). Hence police should be careful while framing charges and ensure that one section of either IPC or ITA 2000/8 alone has to be invoked for a particular offence or a step in the offence. Otherwise the charge may be quashed for double jeopardy unless the ITA 2000/8 charge prevails.

Since the problem with ITA 2000/8 is mainly in terms of production of evidence, Police prefer to use IPC sections where possible. Further, during the investigation stage, IPC sections provide some flexibility to start investigations based on some section which is cognizable under IPC, so Police prefer to add IPC sections. These practices need to change now that the primacy of ITA 2000/8 as the law to be applied in the case of offences involving electronic documents has been affirmed.

Further this judgement is a further vindication of the “Special Law” status of ITA 2000/8 which was stressed in the Basheer judgement on Section 65B of Indian Evidence Act.

P.S: In the S V Shekar Case discussed earlier it may be noted that the section which is non-bailable was under IPC. Further, the offence involved was “Forwarding of an electronic document in social media”. Hence it would be appropriate only if it is tried under ITA 2000/8 provisions and not under IPC. Hence the entire FIR in the S V Shekar case may have to be reviewed.





I refer to the recent judgement from High Court of Madras which was quoted in the media with headlines such as “Forwarding social media posts equals endorsement, says Madras HC “.

The judgement was in relation to an “Anticipatory Bail Application” by the well known Tamil Artist S.Ve. Shekar, on whom one Mithar Maideen A, State General Secretary, TN Journalist Protection and Welfare Association, Chennai registered a complaint. The FIR was registered on 21st April 2018 at CCB-1, Chennai under Sections 504, 505(1)(c) and 509 of IPC and Section 4 of The Prohibition of Harassment of Woman Act 2002. The FIR was only against S.V.Shekar and there were no other respondents. However, in the judgement, the Court considered several other petitions (nine petitions), all of which made S V Shekar the accused as the main person who has committed the offences under IPC and sought him to be jailed for up to 6 years.

To any unbiased observer, it was prima facie evident that the Complaints were motivated by the fact that Mr S V Shekar was a BJP leader. Mention in the complaint of the old Shankar Raman murder case, which is considered as one of the false cases instituted by some religious opponents of the Hindu faith, was a definite giveaway for anybody looking at the genuineness of the complaint.

The fact that the petitions were only against Mr S V Shekar and not against the others also indicated that the motive of the complainants was prompted by political considerations.

Despite these indications that the complainants had not come to the Court with clean hands, the Court did not dismiss the petitions forthwith and went ahead to pronounce a judgement against Mr S V Shekar. In the process the Court vindicated the complaints and provided them legitimacy.

The decision is now under appeal with the Supreme Court and we need to wait for further developments.

The political and religious issues involved in the case are a subject matter of debate in a different forum in which the Court’s failure to recognize possible ulterior motives of the petitioners is a matter that cannot be ignored.

However, it is necessary to point out that in the judgement, the Court made some comments which have attracted the attention of Social Media observers. As one can observe from the various media reports, the net effect of the judgement has been to create a fear amongst Social Media users that “Forwarding of Messages would be considered as an endorsement”. This will also affect WhatsApp users besides Twitter and Facebook users.

In a bid to harass a person solely for his political affiliation, the petitioners had sought to justify their case with an incorrect interpretation of the status of Social Media postings. These should have been rejected by the Court if it had made an independent assessment of the contentions made by the petitioners.

On the other hand, it is unfortunate that the Madras High Court has played along with petitioners and passed an order which incidentally is directly confronting the Supreme Court judgement in the Shreya Singhal Case (Scrapping of Section 66A of ITA 2008).

We have earlier discussed the Shreya Singhal Case in detail in these columns. We had indicated that the Shreya Singhal Judgement was prompted by the right reasons but was technically incorrect for the fact that it considered “Posting of Messages in Face Book and Liking a Message on the Facebook” as equivalent to “Sending messages through a communication device”.

At that time we had pointed out that the Police had made the mistake of booking the Palghar case under Section 66A. Whereas there was no cause of action under any section of ITA 2008, instead of dismissing the case forthwith, different Courts presumed that the filing of the case under Section 66A was correct and that the problem was with Section 66A itself.

The Supreme Court in its judgement stated that Section 66A had created a “Chilling Effect” on the freedom of expression and had no place in the statute. It was so angry that it did not even read down the section but went ahead and scrapped it.

Now this judgement of Judge (Mrs) Ramathilagam, essentially denying the anticipatory bail as requested, has indirectly concurred with the view of the petitioners that “Forwarding of a Message is equivalent to Endorsement”.

The Judgement does not independently analyze the reasons for agreeing with such a contention, nor does it clarify that it does not agree with such a contention, and so it has allowed the judgement to be interpreted wrongly. The judgement has simply reiterated the arguments of the petitioners and proceeded to give its decision, leading to the conclusion that the judgement endorses the arguments made in toto.

The instant case is one of “Alleged Defamation of the Women Journalistic Community” through the use of electronic documents. The cause of action under different sections of IPC is fine, but it has to be backed by admissible evidence and proof of mens rea. Under ITA 2000/8, Sections 67, 67A and 67B speak of offences involved in publishing and transmission of electronic documents. In the absence of Section 66A, sending messages through communication devices is outside the ITA 2008 list of offences.

If we go with the Shreya Singhal Judgement which is the current precedent, posting on Facebook, Twitter, Liking, (Retweeting) etc form part of the constitutional right to freedom of expression and cannot be objected on flimsy grounds.

Only in instance of “Child Pornography” under Section 67B, offences can be made out on issues such as forwarding.

The subject complaint is therefore completely out of ITA 2008 and completely against the spirit of the Supreme Court judgement on Section 66A.

If the complaint is sought to be sustained on the basis of IPC, then one has to ask whether there was any Section 65B certified copy of the electronic document as admissible evidence. If not, why did the Court proceed arbitrarily without admissible evidence?

If the Court wants to exercise its own discretion in the matter of evidence, questions should be asked about whether the Court considered the antecedents of the Complainants.

It would have been appropriate if the case had been heard by a larger bench, taking into account the implications of allowing arguments such as “Forwarding is equivalent to Endorsement” to remain unchallenged.

It would have been prudent for the Judge to have pointed out that she might have come to the conclusion of rejecting the anticipatory bail application for reasons other than the reason that “Forwarding of an Electronic Document in Facebook is equivalent to Endorsement”.

This statement made by the petitioners is short sighted and mischievous and should have been categorically rejected.

Whatever be the political and ideological affiliation of the petitioners, the Court should have avoided passing an erroneous judgement against the Supreme Court’s prevailing order.

If in the process S V Shekar would have got the anticipatory bail which the Court did not like, it could have satisfied its urge to express its emotional feelings about the effect of the Facebook post/endorsement by passing strictures on him and warning him in severe terms.

I remember that in one of the past judgements, the Judge stated to the effect… “I know that the accused is guilty but the evidence unfortunately is not sufficient to declare him guilty. I therefore acquit him”. The Judge in this case was clear of his conviction but stuck to the established system of Criminal Jurisprudence.

A similar approach could have been adopted by the Court in this case of S V Shekar’s petition and chastised Mr Shekar in strong terms without endorsing arguments such as “Forwarding is equivalent to endorsement”.

I wish Supreme Court corrects this erroneous judgement.

If the Supreme Court is committed to its judgement on Section 66A and Freedom of Expression, it should call this judgement as having a “Double Chilling Effect on the Society” and scrap it forthwith. …Unless it is also swayed by the political and religious undertones in the case.




The earlier article on GDPR entry into India being like a Vasco Da Gama discovery of India, has attracted some interesting reactions from some industry professionals.

While we may accept that the intention of GDPR is to protect the Privacy of natural persons and therefore there are “Data Subject’s Rights” including “Right to Erasure”, “Right to Access”, “Right to Data Portability”, “Right to Restrict processing”, “Right to Correct” etc., we must point out that any attempt to impose the regulation unilaterally on Indian Citizens is to be resisted because it is a question of the sovereignty of the Country.

I consider that GDPR has provisions which recognize that other countries, including the EU member countries, may have over-riding provisions in their national interests; it is the intermediary analysts who are confused and spreading a message that GDPR is applicable to all companies and to citizens of all countries.

We need to therefore fight against the “Self Subjugation Mentality” of some consultants to give a larger than life importance to the EU legislation.

While laws can have extra-territorial jurisdiction built into them as an “Enablement”, its implementation is subject to the acceptance of the other international Governments by way of a treaty.

Hence as long as there is no specific treaty between India and EU to implement GDPR, Indian Companies are not directly liable under GDPR.

However, ITA 2008 is a local law. DISHA 2018 would be another law of India and Data Protection Act of India when passed (Justice Srikrishna Law) would be a law of India which needs to be implemented in India.

At the present juncture, the GDPR provisions can be extended to Indian Data Processors only through the Data Processing Contracts that are signed between the Indian Data Processors and their international business partners. When Indian companies sign on blank indemnity provisions without an upper limit to the liability, they would be confronted with contractual disputes in due course if there is any claim by the international partners. Additionally, under the provisions of GDPR, Data Controllers are empowered to literally extract the trade secrets of the Data Processors, and if the Data Processors do not realize and resist, they will be subject to business secret disclosures and searching technology audits by external agencies which will hurt their business interests in the long run.

Further, many of the provisions of GDPR are simply un-implementable since they are not conceived correctly, though some provisions to by-pass the un-implementable provisions are built in. However, when there is a conflict, EU Supervisors and Courts may take a partisan view against Non Resident Companies and disallow any attempt to use special provisions that may look like an attempt to bypass the popular perception of a privacy protection provision.

In such a situation, I would have expected industry bodies such as NASSCOM and DSCI to have come up with proper guidance to the Indian Companies particularly the SMEs in the Data Processing segment.

However, by organizing a “Welcome GDPR” event in Delhi on 25th May 2018, the Government of India has indicated that it may fail to show the required concern for the welfare of the Indian Data Processors, particularly in the SME sector, who do not have a voice in NASSCOM or DSCI.

There is a possibility, however remote it is, that GDPR will be used by EU based businesses to squeeze the sweat out of Indian processors without commensurate reward. One notice from the business partner to show cause why they should not invoke an indemnity provision in the contract would make an Indian processor succumb to any pressure to reduce the price to levels where data processing for EU data will no longer be sustainable.

Slowly, EU will impose its own Certification bodies and Approved Codes which Indian processors will be forced to buy and adopt and Indian Data Processing industry will be subjugated into a Data processing colony of EU.

The US will be in a similar situation but will, because of its economic muscle, wriggle out of the vice grip of the EU GDPR through a new version of Safe Harbor or Privacy Shield or Standard Contract Clauses supported by the strong US Courts.

But in India we are unlikely to have similar support from the Government and the current industry associations. The only saviour I see is in the Justice Srikrishna Law, where some provisions can be incorporated which will not allow such international hegemony. Hence my earnest appeal to the Srikrishna Committee. I am aware that the committee is dependent again on DSCI and NASSCOM for advice, but Mr Srikrishna should have an independent mind of his own and can see through any attempt to dilute the sovereign rights of India in resisting the attempt of international regulations undermining the freedom of existence of Indian companies through unfair legislation and unfair implementation.

It is in this context that I urge the SMEs in the Data Processing Industry in India to secure their interests by forming their own association and develop a collective strength to be heard in India and abroad.

In case Justice Srikrishna Committee does not propose the necessary protective measures within the legislation, it would be necessary for the association to seek changes. Instead of waiting for the draft to be released before crying injustice, it is preferable that the industry moves now and before the imposition of GDPR on 25th May 2018, develop a collective strategy to ensure that the Indian Data Processing Industry is not unduly harassed. The Association should move towards developing its own “Privacy Protection Codes” for implementation in the Data processing environment for Indian Citizens and Non Indian Citizens and show to the world that India can respect Democratic norms without challenging the sovereignty of another country like what GDPR proposes to do.

If we do not act now, India will face self destruction of the Data Processing business segment in India, and it will happen with the help and assistance of many Indian industry establishments and associations who may think that they are globalizing the Indian data processing industry and cornering business opportunities.

I Request Justice Srikrishna as well as Mr Ravi Shankar Prasad to respond to the concerns expressed here and assure the citizens of India that their interests would not be undermined.



We have many times through these columns urged the Justice Srikrishna Committee which is drafting the new Data Protection law for India to ensure that an “Umbrella Protection” is provided to Indian Companies from being unfairly targeted under EU GDPR by EU Companies and EU data protection regime.

As we approach the D-Day, 25th May 2018, when GDPR will become operational, many companies in India are getting into a panic mode on the impact of GDPR on their business. The indications are that the companies think GDPR applies to all their activities, and this is leading them to believe that they need to take many actions which they are not bound to do. Partly this panic is being induced by US companies who engage Indian Data Processors for part of their processing activities. In the process many of the Indian companies are revising their business contracts to meet the GDPR requirements as they perceive them, endangering their own and the country’s business interests.

These contracts typically contain indemnity obligations which include compensation payable for any loss caused to the vendor. Since this is likely to include the administrative fines under GDPR, Indian companies may be forced to underwrite the GDPR obligations of international companies though their revenue share is only a part of the entire industry revenues.

There is a national interest involved in ensuring that unfair and unconscionable liabilities are not introduced into the data processing contracts that Indian Companies are forced to enter into.

These contracts are “Dotted Line Contracts” and need to be fairly constructed. However, in practice, it is difficult to expect Indian companies to resist the signing of such contracts because of the business relationship considerations.

It is therefore necessary that Indian legislation provides a protection to such companies in the national interest.

One option available to us is that we are about to draft our own Data Protection laws and this will provide an opportunity to define a grievance redressal mechanism by which it should be made mandatory for international contracts for data protection to be pre-approved by the Indian Data Protection Authority without which no liability may be imposed on Indian entities.

GDPR itself recognizes that some of the member states may not permit imposition of administrative fines and has suggested that suitable alternate measures may be provided in the member state laws. [Refer Article 83(9)]. 

Indian Data Protection Act should also incorporate equivalent protection so that any payment of fines under GDPR data processing contracts shall be considered void unless it is approved by the Indian law.

Though the GDPR should be interpreted as a law applicable for “Activities in EU”, there is an attempt to interpret it as a “Global Law” and let EU determine the law for other sovereign countries. I am not sure if EU is really that arrogant to assume that in the 21st century, other countries will tolerate the EU legislate the activities that take place outside the EU even if the intention is laudable. But many in India are more loyal than the king and when required to bend are happy to crawl. This tendency should be resisted.

Though Article 2(2) clearly admits that

“this regulation does not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law”

many analysts are interpreting it as if, under Article 3(2), Controllers and Processors not established in the EU are also subject to the regulation without any restrictions.

Some non EU companies are falling into the trap of Article 24(3) and thinking that they need to appoint representatives in the EU without recognizing that the act of appointing a representative itself brings them under the EU jurisdiction even if otherwise they are not.

Indian Companies need to avoid voluntarily jumping into the jurisdiction of EU and dragging liabilities which EU law making body has no authority to make.

(Refer article here where the GDPR scope is discussed in detail by one analyst…. very informative and indicative of the perceptions of the global community)

Welcoming the Vasco Da Gama

Unfortunately, it appears that there is no adequate attempt made by NASSCOM or DSCI in advising the Indian Companies properly to ensure that their interests are protected.

On 25th May 2018, there is a high profile event organized in New Delhi as if Indian wants to celebrate the GDPR. EU commission representatives are expected to participate in this along with DSCI, NASSCOM and Government officials.

Even Justice Srikrishna is likely to attend this event and speak.

As a result of the participation of NASSCOM, DSCI, and Justice Srikrishna, it would appear as if India is endorsing GDPR.

To me this appears to be similar to the Indians who welcomed Vasco Da Gama to India without realizing that it was the beginning of the colonial rule which extended for centuries thereafter, with all kinds of economic pirates entering India including the French and the British.

Now, a similar danger seems to be in front of us in the form of GDPR. Indian companies need to be protected against unfair incidence of GDPR and prevent this being used for building an economic colony in India by EU companies.

Even if at present GDPR appears to be only a Privacy protection legislation and a good “Standard” which can be adopted as an industry practice, we must realize that adoption of GDPR will be followed by GDPR Codes and Certifications approved by the Supervisory authorities of EU countries.

This GDPR Certification process will replace ISO standards and create a huge business potential for GDPR related security services and products.

I must disclose that I could be one of the beneficiaries of such a development since I may be providing consultancy and educational programs in the area and am also working on a patent pending software which should help Indian companies in compliance. However, in the interest of the community, it is necessary to raise a red flag against GDPR turning out to be an instrument of exploitation of Indian Business interests.

I request that EU should refrain from projecting itself as the Privacy saviour of the world community and avoid going overboard with the “Extra Territorial Jurisdiction” of its laws. If they desire to use GDPR for expanding their business network, then they need to enter into a Business treaty with Indian Government ensuring that there is a fair exchange of mutual benefits.

Since it appears that our IT Ministry might not have realized what Indian data processing industry is walking into in the guise of GDPR, I urge Justice Srikrishna to step in and introduce suitable provisions in the proposed Data Protection Act so that our national interests are not undermined with the application of GDPR directly or indirectly to the IT operations in India.


Also Refer: Data Protection Law should provide a Jurisdictional umbrella


Recently, a case was reported from Lucknow where one person by the name Hamid Ashraf, from a place called Basti in UP, was arrested for running a franchise chain of over 500 franchisees across the country who were indulging in cheating the IRCTC systems and the public in making Tatkal bookings through the IRCTC website.

I congratulate the Police in Bangalore who raised the alarm and took it to CBI and with the assistance of the UP police, the criminal was nabbed.

I would like to see that the 500 franchisees are also arrested and proceeded against since all of them are guilty of the conspiracy.

I understand from the above video that Hamid had put more than Rs 50 lakhs in his account at ICICI Bank. I therefore consider that the officials of ICICI Bank were aware that this person had amassed wealth much beyond his known means, as it is stated that he is just 18 years old, studies in 12th class and lives in a shanty house. How did the Bank not recognize that there was some illegal activity going on in this house and that the money deposited was “Money laundered” as per the definition of AML provisions?

How did the IRCTC miss the fact that the IP address from which the Tatkal bookings happened was coming from a single source day after day? I am sure that ultimately it was the log record at IRCTC that led to this person, but why not earlier?

I therefore cannot absolve IRCTC from its gross negligence in letting such frauds happen for a prolonged period.
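The point above is that the booking logs already held the signal: one address generating many Tatkal bookings, for many different accounts, in the opening minutes of the window, day after day. As an added illustration (not IRCTC's own code or data), the script below runs that check over a few constructed log lines; the log format, the 8.00 to 9.00 am window (taken from the 2010 note quoted later on this page) and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines, not real IRCTC data.
# Format assumed here: "<ISO timestamp> <client IP> <user id> <action>"
SAMPLE_LOG = """\
2018-05-10T08:00:05 203.0.113.7 u1001 TATKAL_BOOK
2018-05-10T08:00:09 203.0.113.7 u1002 TATKAL_BOOK
2018-05-10T08:00:14 203.0.113.7 u1003 TATKAL_BOOK
2018-05-10T08:00:20 203.0.113.7 u1004 TATKAL_BOOK
2018-05-10T08:00:31 198.51.100.4 u2001 TATKAL_BOOK
2018-05-10T11:30:00 203.0.113.7 u1005 GENERAL_BOOK
2018-05-11T08:00:03 203.0.113.7 u1001 TATKAL_BOOK
2018-05-11T08:00:07 203.0.113.7 u1006 TATKAL_BOOK
2018-05-11T08:00:11 203.0.113.7 u1007 TATKAL_BOOK
2018-05-11T08:00:16 203.0.113.7 u1008 TATKAL_BOOK
2018-05-11T08:01:02 198.51.100.4 u2001 TATKAL_BOOK
2018-05-12T08:00:02 203.0.113.7 u1009 TATKAL_BOOK
2018-05-12T08:00:06 203.0.113.7 u1010 TATKAL_BOOK
2018-05-12T08:00:10 203.0.113.7 u1011 TATKAL_BOOK
2018-05-12T08:00:15 203.0.113.7 u1012 TATKAL_BOOK
2018-05-12T08:05:40 192.0.2.9 u3001 TATKAL_BOOK
"""

# Assumed Tatkal window; only bookings inside it are counted.
TATKAL_WINDOW = (time(8, 0), time(9, 0))


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, action) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, action = line.split()
        records.append((datetime.fromisoformat(ts), ip, user, action))
    return records


def tatkal_counts(records):
    """Per IP and per calendar day: (number of Tatkal bookings, number of distinct accounts)."""
    per_ip_day = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    start, end = TATKAL_WINDOW
    for ts, ip, user, action in records:
        if action != "TATKAL_BOOK" or not (start <= ts.time() < end):
            continue
        bucket = per_ip_day[ip][ts.date()]
        bucket[0] += 1
        bucket[1].add(user)
    return {ip: {day: (n, len(users)) for day, (n, users) in days.items()}
            for ip, days in per_ip_day.items()}


def flag_block_bookers(records, max_per_day=3, min_days=2, max_users_per_day=3):
    """Flag source addresses that exceed the per-day Tatkal volume on several days,
    or that book on behalf of many distinct accounts from one address (agent-style use).
    Returns {ip: [reason, ...]}; addresses with no reason are not included."""
    flags = {}
    for ip, days in tatkal_counts(records).items():
        heavy_days = [d for d, (n, _) in days.items() if n > max_per_day]
        multi_user_days = [d for d, (_, u) in days.items() if u > max_users_per_day]
        reasons = []
        if len(heavy_days) >= min_days:
            reasons.append(f"over {max_per_day} Tatkal bookings/day on {len(heavy_days)} days")
        if multi_user_days:
            reasons.append(f"more than {max_users_per_day} accounts on {len(multi_user_days)} days")
        if reasons:
            flags[ip] = reasons
    return flags


if __name__ == "__main__":
    for ip, reasons in flag_block_bookers(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

Thresholds this low would be noisy on a shared office or ISP NAT address, so in practice the volume check would be paired with account and payment data before any blocking or cancellation decision.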

I had some time back indicated that in the case of Abhinav Srivatsava, where Aadhaar system was alleged to have been hacked, Naavi.org had highlighted the fraud possibility months in advance and UIDAI had not got the hint. Earlier there was also the case of the fraudulent website cgtmse-govt.in where also the fraud thrived for nearly three years even after Naavi.org had pointed out the fraud.

In all these cases several intermediaries may be faulted for not taking early preventive action which could have prevented the fraud. By the operation of Section 79 and Section 85 of ITA 2000/8 they may be held liable by the victims and the prosecution for civil and criminal penalties.

In the case of IRCTC also, there is a similar issue. It was on August 25, 2010, that is eight years ago that I had posted the following in my blog:

IRCTC to bar Online booking by Agents

Aug 25: After frequent complaints from individuals about the difficulties in Tatkal booking because of block bookings by agents, Railways appears to have taken steps to ban the agents from online booking for a period of one hour from 8.00 am to 9.00 am. Ref: report

In the light of the revelations about the use of “User end Scripts” to automate the bookings and breaking of Captcha, it has become evident that the system is being abused significantly. Common men were disillusioned of late with the online bookings, particularly for Tatkal booking, and would welcome this move wholeheartedly. At the same time IRCTC needs to tighten the security to disable user end scripts and also blacklist the user accounts of those who use the automated scripts. They should also retain the option to cancel the booked tickets without refunds where they can record proper evidence of such wrongful use. Since technically any use of scripts such as those available at Vrarun Kumar’s blog is illegal (an offence under Section 66 of ITA 2008), the penalty of losing the booking is a necessary measure that IRCTC should take.

It is also reported that the Railways may start an alternate online booking site to remove the monopoly of IRCTC. Report. The additional booking facility is likely to be introduced through http://www.indianrail.gov.in/

In this article, I had also quoted a blog shown below

After I had pointed this out and after one TOI reporter from Chennai contacted this techie, he removed the blog post. At that time no complaint had been filed and it appeared that the Techie had no malicious intentions and taken reasonable prompt action to remove the content on the potential offence having been brought to his notice. The TOI reporter was also responsible and did not sensationalize the issue. Otherwise it would have killed the career of a techie who was ignorant of Cyber Laws and acted just like what other techies always do.

I have called this tendency to show off the Tech Skills as “Technology Intoxication” which needs to be controlled. We see similar rebellious tendency when techies support Crypto Coins and post hacking tools in public or trade viruses in the underground.

The entire “Dark Web” is a compendium of such techies who unmindful of the damage they are doing to the society try to display their vulgar tech skills for others to exploit.

In the present case of Hamid Ashraf, he may or may not be technically qualified to develop the software. It is possible that he might have picked up this software from the dark web or other sources. We need to investigate this and try to eliminate the root.

I seriously urge the Police to take penal action on all the franchisees who made illegal money so that it would be a deterrent to others who use dark web tools to make money. Police should also question the Bank on why they allowed the money laundering and did not recognize that the balance in the account was far above the known resources of the customer. The Income Tax authorities need to ask themselves why they were not able to trace the anomaly of a Rs 50 lakh Bank account held by a 12th standard boy living in a modest hut.

Unless as a society we raise ourselves and act as watchdogs, we cannot make progress in the country.

Now I have raised this issue here today and brought it to the notice of many Police officials also.

But will this case be pursued further to its logical end? Or will it be buried?

Will the 500 franchisees just ensure that a portion of their loot goes to the right quarters so that the case does not proceed against them?

Will the Sicular politicians start saying that this is a vindictive action against a community?

As an honest citizen who keeps watching the degradation of our society through corruption, I keep my fingers crossed and hope that some honest police officials, some honest politicians and some honest media persons are still left in the society who will take this opportunity to take all steps that can be initiated to prevent such frauds in the future.


The European Union data protection regulation, namely the EU GDPR, which has attracted global attention due to the twin provisions of being “Applicable to a controller or processor not established in the Union” (in some circumstances) and the obnoxiously huge administrative fine set at 4% of the global turnover of an undertaking, has naturally caused a stir even in India, where many IT companies are facing the demand from their international business partners to be “GDPR Compliant”. The regulation will kick in from 25th May 2018 and there is a mad rush to understand and implement the compliance measures, as otherwise business organizations will need to suspend acceptance of any GDPR-sensitive personal data until they are ready.

Everyone is a Data Processor

In the process of applying the GDPR regulations, one dilemma which organizations both in India and abroad face is to determine whether they are “Data Controllers” or “Data Processors” under GDPR.

The regulation places the main responsibility for compliance on the Data Controller, and though Data Processors may also be liable under the regulation, they are under the contractual operational control of the Data Controller. Their main responsibility is to abide by the instructions of the Data Controller in terms of “Privacy by Design”, incorporating the necessary organizational and technical controls for compliance.

In any practical situation, data processing is not as simple as GDPR presumes in drafting these regulations. It is not as if there is a data subject who gives his personal data to a company, and the company keeps it with itself, processes it and uses it, and takes responsibility for its security during its life cycle until it is destroyed. In such a scenario, the use of an “Informed Consent” before collecting the data, and adherence to its terms, is feasible as envisaged under the GDPR.

However, the personal data processing that happens in the industry, which includes IoT, Social Media, Big Data Analytics etc., is not as simple as the above scenario, where there is only one business entity which has a direct relationship with the data subject and can therefore assume the personal data responsibilities envisaged under GDPR.

As a rule, data is collected by a “Data Collector”, processed by one or more data processing companies (some of whom are spread across different countries), and the processed data is “consumed” by a “Data Consumer”.

“Personal Data” itself is not a single electronic file such as abc.doc. It consists of multiple data elements such as name, age, social security number, email address, IP address, phone number, etc., each of which is one element at a row and column of a database. Within a data element there is a sequence of bits of zero and one, and if we want we can split the data element down to byte level or even bit level.

The presence of multiple handlers of personal data, their geographical spread, and the nature of data as an aggregation of data elements in a database introduce certain complications which create conflicts when a company is genuinely trying to be compliant with the “Spirit of GDPR”, which is to “Protect the fundamental right of the EU citizen to the protection of his Privacy Rights”.

GDPR has failed to provide the necessary clarity here and has caused huge confusion in the market.

GDPR has defined a “Data Controller” under Article 4(7) as follows:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

On the other hand,

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; and

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

A “Processor” under Article 28 is the person who carries on “Processing” on behalf of a controller, providing sufficient guarantees to implement technical and organizational measures in such a manner that the processing will meet the requirements of GDPR.

Since “Processing” by definition includes every IT operation that can be performed on data, every person who deals with the data is a “Processor”. The Data Collector as well as the Data Consumer is therefore also a “Data Processor”.

Under the circumstances, it is difficult to find out which of them is the “Data Controller”, the principal entity responsible for determining how the personal data has to be processed, and which obtains assurances from the other “Processors”.

If there is an “Intermediary” who only transmits the data in a network, there is clarity that he would be neither the Data Controller nor the Data Processor, provided he does not choose the data subject from whom the data is collected or how it is collected. Any other entity which deals with the data could be considered a “Processor”. Hence there will be many processors of data in the processing chain within the life cycle of a data set which qualifies to be called the “Personal Data of XYZ”.

This personal data takes birth at the time of its collection by the data collector and survives through processing and consumption until it is no longer required and is deleted from all the systems where it left traces during its life cycle. Such a life cycle may extend from a few days to several years, for as long as the data is useful.

For example, if a health data manager (say an insurer) has collected the health data of a newborn baby, such data is relevant at least until the baby leaves the world as an old person after 90-100 years. (Under GDPR the data ceases to be sensitive after death, while HIPAA may carry it forward for another 50 years.)

Throughout these 100 years of data processing, GDPR expects that the data subject should have control over the data. When the data is collected, the Data Controller should tell him who all will be processing the data (apart from why and how, etc.). If there is any change in the processing, then the Data Controller has to go back to the data subject and obtain renewed permission to change the data processor, stating why such a change is required, who the new processor will be, etc.

Contractually similar obligations will have to be carried through by the Processors with their sub-contractors.

If any of the processors or sub-contractors are using manpower who are not employees but are under individual work contracts, each one of those work contractors would be a sub-contractor, and if there is any addition (or deletion) of a single work contract entity, then the information has to be carried all the way back to the data subject for his “Explicit Consent”.

Well, let us assume that the EU considers all this an obligation that the industry has to undertake because the individual’s right to Privacy is supreme.

So Who amongst the Data Processors is the Data Controller?

Our immediate problem is to have clarity on which of the many data processors involved in a given context is to be considered the “Data Controller”.

If we go by the definition, the person who determines the purposes and means of the processing of personal data is the controller.

In the commercial world, “Consumer is the King” and he determines what product or service he wants to buy. If he is a “Data Consumer”, then will it be the “Data Consumer” who is the Controller?

Though “Consumer is the King”, his rights are limited to the choices made available by a manufacturer and facilitated by a distributor or a retailer.

Then, is the consumer the real king? Is it not the manufacturer? Is it not the powerful sole distributor in a region? Is it not the powerful retailer who is offering tempting discounts? Who is really the person who determines which product needs to be supplied to the market? These are questions that we need to ask ourselves.

Beyond all these supply chain managers, what is the role of the “Advertiser” and the “Publishing Media” in determining which product is good for the consumer and which he should consume? Is he not the real “Controller” who determines which product is consumed by whom and why?

If there is a similar situation where data is being consumed by one entity but is produced by another entity, distributed and retailed by other entities, and there are Data Science experts who determine which data is reliable, which is to be consumed, etc., then in this complex scenario, who is the “Data Controller”?

This is the dilemma which is now confronting the data industry.

IPR Compromised

Since GDPR expects the Data Controller to determine the processing details, whoever assumes that he is the Data Controller demands that all other processors share with him the identity of their sub-processors, the details of the processing strategies adopted, a right to audit, etc.

In the process, the IPR of the downstream processors is seriously compromised.

If a processor shares the identity of all his sub-processors with his upstream Controller, why should the Controller not short-change the processor and go directly to the sub-processor? In fact he will definitely do so at the earliest opportunity.

As a result, the business of intermediary processors is seriously threatened unless they are able to justify their existence with a value addition commensurate with the price they charge. This may reduce the end consumer price of a commodity, or degrade its quality.

I am sure that this kind of consumer protection was not the objective of GDPR, and hence it is only an undesirable offshoot of the empowerment that GDPR has given to the “Data Controller” so that he will be in complete charge of the downstream processing.

Why the Data Consumer should not be the Data Controller

The Data Consumer is a business entity which is concerned about its business, for which data is a raw material. We cannot expect the Data Consumer to be able to protect the “Fundamental Democratic Right of the Citizen”. He has a direct relationship with the consumer of his product, not with the data subject.

Can we expect a car dealer to worry about the person who is supplying some component to the manufacturer, and to take care of his interest?

Similarly, there is a distance between the data consumer and the data collector which makes it impossible to place the responsibility for protecting the data subject’s rights with the data consumer. For example, if the data subject wants to revoke his permission and withdraw consent, will the data consumer be interested in dismantling the product he has built up and returning the data? He will somehow justify his legitimate interest and say that the data subject’s right to deletion or rectification cannot be protected.

Hence it is in principle incorrect to make the data consumer responsible as a Data Controller under GDPR. It is also inconceivable that a copy of the consent provided by the data subject is shared by all the processors and the Data Consumer, and that everybody refers to it and abides by it.

Data Collector should be the Data Controller

The immediate relationship of the data subject is with the Data Collector. It is the Data Collector who presents the consent request, and it is based on the trust that the data subject places in the data collector (or any benefit he receives in return) that the data subject provides his consent.

Hence if there is any future requirement of rectification, portability, access, or erasure, the data subject can contact the consent collector, who is also the data collector, and nobody else.

Hence the Privacy Right protection of an individual data subject can only be handled by the data collector.

Hence the Data Collector should be the person who should be recognized as the “Data Controller”.

Data buyers such as the Data Consumers place their request for data with a category specification and do not say which data subject’s data they require to be collected. It is the Data Collector who, based on the demand for a particular type of data, goes to the market, collects data of different data subjects, sifts it according to the requirements of different consumers, and puts it in different buckets, as in a wholesale market, from which the data consumer picks up the bucket he wants.

In this kind of scenario the data consumer is not the “Data Controller”; it is the “Data Collector” who is the controller.

Except in the case where a Data Consumer appoints a contractual data collector to collect a specified individual data subject’s data, in all other cases it is fair to consider that the data collector is the data controller.

This approach will be practically feasible to implement. Accordingly, where there are multiple processors involved, the Data Consumer may specify the type of data he is looking for and leave it to the next person in the data chain to determine where he will hunt for the data.

As long as the sub-processors keep the data subject requirement as a generic description of the type of data subject who needs to be targeted, and do not specify the exact living natural person whose data is to be collected, they will remain only processors and not controllers.

The final processor, who is also the data collector and who goes to the living natural person from whom he collects the personal data, is the only person who should be considered the “Data Controller”. He identifies himself to the data subject, the data subject identifies himself to this data collector, and they exchange the Privacy Notice and its acceptance so that a contractual relationship gets established.

Any other inference would create insurmountable difficulties in implementing the GDPR provisions in toto. It will also lead to wrongful data disclosures, where data processors release a data subject’s information without being able to properly identify the data subject, thinking that the request is genuine.

Though GDPR provides for “Joint Controllers”, and therefore every processor could be defined as a “Controller”, such an approach may create a chaotic situation when a data breach crisis occurs, where everyone will be blaming everyone else and every processor across the globe has to set up representative offices in the EU, etc.

I hope the above view is acceptable to the community. Please feel free to give me your feedback through a comment herein or through email.
