Allahabad High Court admits PIL against Section 69 notice …2

[This is in continuation of the earlier article]

The Allahabad High Court accepting the petition challenging the MHA notification on Section 69 is typical of cases that display the attitude of some petitioners, who move the top courts on flimsy grounds by linking any issue to the Right to Privacy and the Right to Freedom of Expression, and the attitude of the Courts, which admit worthless petitions just because the petitioner quotes some article of the Constitution.

The failure of the Court to vet the petition at the time of admission and identify cases which indicate only a political or publicity motive results in the Courts being clogged with less important cases, while cases which really involve the public interest get piled up.

Analysing the Grounds of PIL

Let’s see the grounds on which this petition has been admitted and evaluate if it could have been dismissed without a notice being sent to the Government.

Ground 1: Section 69 of ITA 2000/8 prima facie "seems" to be in violation of Article 14 as being arbitrary, for the reason that it gives "sweeping power" to the executive, is "irrational" and there is no nexus to justify the power, which would result in impinging upon the constitutionally protected rights of persons "with impunity".

Comment: It is surprising that the petitioner has woken up after 18 years since Sec 69 came into existence and 9 years since an amendment was made and 7 years after the rules were first framed to now think that the section 69 of ITA 2000/8 violates the constitution.

The petitioner has not understood the nature of the MHA order of 20th December 2019 which is only a sub notification under a notification, under a section of the law which was passed in 2000.

Article 14 of the Constitution states:

Equality before law: The State shall not deny to any person equality before the law or the equal protection of the laws within the territory of India. Prohibition of discrimination on grounds of religion, race, caste, sex or place of birth.

Section 69 of ITA 2000 as is prevalent now indicates as follows:

The petitioner seems to be in a fantasy world of his own to see a connection between Article 14 of the Constitution and "Discrimination" on the basis of religion, race, caste, sex or place of birth in this section.

Ground 2. The petitioner goes on to give a sermon that "any power exercised by the executive should always be within the bounds of the constitution…" and concludes that the language of Section 69 "clearly manifests arbitrariness and is violative of Article 14".

Comment: It is not clear which English Language the petitioner is referring to and deriving the meanings that he is imputing to the words.

Ground 3. The section 69 “purports” to curtail the freedom of speech and expression guaranteed by Article 19(1)(a) and makes the State a “Surveillance State”.

Again the ground stated is completely arbitrary and imaginary. The Section provides powers to the State to intercept communication only “if the person authorized for the purpose is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence”. As per the procedure the reason for interception has to be recorded in writing and is subject to review.

The section has no relation to curbing the "freedom of expression". If anybody perceives that the ability of the Government to intercept for the reasons stated above curbs his freedom of expression, it means that the person is admitting that he is indulging in one of these unlawful acts, or at least behaving in such a manner that there is a prima facie indication that he is transgressing the law.

Hence the apprehension is only an argument made on behalf of self admitted criminals and has no relationship to the “Freedom of Expression”.

In fact not curbing such activity would be an affront to the rights of honest citizens who need to be protected by the Government as a part of its constitutional duty.

A Government which abdicates this responsibility has no right to be in the Government. A Citizen who wants the Government to abdicate its duty is himself failing in his duty as a citizen.

Ground 4: There is enough possibility of this law being misused by the executive, as in the absence of any safeguard the fundamental rights of the citizen are at risk of being impinged upon by the executive.

Comment: The petitioner has no basis for bringing a speculative argument that the law will be misused or that there are no safeguards. It must be noted that the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, which were notified on 27th October 2009, contain elaborate safeguards to prevent misuse of the powers and even punish an executive who violates the rules.

The petitioner appears to be unaware of the existence of the rules. Beyond the law as represented by the section and the rules, misuse of any law is of course possible. The envisaged safeguards, along with the punishment for any violation, are meant to be a deterrent to such misuse.

In the event of any misuse, the petitioner is welcome to raise the issue and send any offending executive to jail.

Ground 5: What Section 69 purports to do is to “Impinge upon natural right to privacy” and the “sweeping Powers” to intercept, monitor, decrypt data is a violation of Article 21 of the Constitution.

Comment: This is yet another false and irresponsible Rahul Gandhi like statement that has been added under the grounds.

What the section "purports" to do is to have a provision in law enabling the use of the powers of interception, monitoring and decryption of data, either in transit or at rest, when there is a need for the purposes provided under the Constitution as "Reasonable Restrictions" that can be placed on any fundamental right of a citizen. Its principal aim is to seek the cooperation of data holders to assist the competent authority in relevant investigations.

Without such an enabling provision, the state cannot discharge its duties as the authority that can provide the safety and protection to the liberty of its citizens and their rights to own property and carry on a peaceful living.

If the Court comes in the way of enabling provisions relevant for public administration, it would be like Judicial Naxalism to prevent the normal functioning of the elected Government and would be ultra vires the judicial powers as provided in the Constitution.

Since the Supreme Court judges themselves once went to the people with their grievance through a press conference, accepting the primacy of the "People", if the Judiciary overreacts to the situation and strikes down Section 69, it will be an act which is "Ultra vires the people of India".

Those who swear by the Constitution have to swear by the "Primacy" of "We the People" and cannot ignore the security of the people even before worrying about guaranteeing the "Right to Privacy".

This situation does not change because of Puttaswamy judgement.

Further, if the Court decides to object to Section 69 in respect of electronic documents, it will be necessary to scrap all similar provisions in other laws including the IPC or POTA and make India a haven for criminals, Naxalites and terrorists. It will prevent the Police from undertaking any search or preventive arrest, from imposing restrictions on the public for the prevention of offences etc., since all such provisions are restrictive of the Right to Privacy in one sense.

Law cannot discriminate by treating interception, monitoring and decryption of Electronic Documents as objectionable while the other, non-electronic forms of interception, monitoring and decryption are not.

It is therefore not feasible for the Court to consider scrapping of Section 69 without being self contradictory.

Ground 6: There has been no safeguard provided for exercising such powers.

Comment: The petitioner has to read the MHA order once again and understand that it is in exercise of the powers under Section 69(1) read with rule 4.

The professors of IIT Kharagpur appear not to have been consulted by the petitioner before he drafted this petition. Otherwise they would have told him that this order is subordinate to Section 69(1) as well as to Rule 4.

Section 69(1) itself has safeguards limiting the powers to the exceptions provided under Article 19(2) of the Constitution. It also restricts the powers to be executed only by "an officer specially designated for the purpose", mandates that the reasons be "recorded in writing", and makes them "subject to the procedures and safeguards as prescribed under Section 69(2)".

The procedure has been prescribed under the rules notified on 27th October 2009 which contains 25 different paragraphs detailed in one of the earlier articles here. It contains the review process, punishment if violated etc.

Under Rule 3 of the October 27 rules,

"no person shall carry out interception except with a written order issued by the Competent Authority", which should note the purpose, the designated person etc.

The Competent Authority has been defined to be the Secretary of Home.

Under Rule 4, the competent authority may authorise an agency of the Government to intercept, monitor or decrypt information generated, transmitted, received or stored in any computer resource for the purpose specified in sub-section (1) of section 69 of the Act.

Reading Rules 3 and 4 together, it is clear that the Competent Authority has the authority and it exercises it through the authorized agencies with a written order.

So far, no list of such agencies had been notified and therefore the Competent Authority had the power to authorize any agency either public or private, either the CBDT or CDAC or a CFSL or a TCS or Infosys and it would be well within its powers.

Now this MHA order has actually restricted this power to appoint "any agency" to only the designated 10 agencies. The petitioner and the Court have to understand that, far from creating a "Surveillance State", this MHA order brings focus and order to the use of the power and is a significant step towards creating a healthy and organized system in which the power can be exercised according to the Constitution and the laws made thereunder.

The other grounds are a repetition and hence the above comment is sufficient to dismiss the petition without any detailed trial.

The order is Praiseworthy

In fact, if the Courts understand the situation without a political bias, they would actually praise the Government for bringing this order.

Now that 10 agencies alone are to be used by the competent authority, and each of these will have a designated "Nodal Officer" who will be accountable for executing the interception order as per rules such as Rules 11, 15, 16, 18, 23, 25 etc. and face the liabilities under Rule 24, there is greater control over the possibility of the Government misusing the provisions.

So, even if malicious and crazy political parties take over the administration of the Government in the next election (which I hope will not happen), they cannot create a surveillance state as we had in 1975.

Professionals not to play into the hands of politicians

In the meantime, professionals who have not understood the law properly should not play into the hands of these political opponents by wrongly interpreting the Privacy and Freedom of Speech issues and obstructing the legitimate Governance functions and the security interests of the honest citizens.

Courts should also be more responsible and should refrain from encouraging such elements by admitting all such petitions and issuing notices. Such notices only result in a waste of public resources and effective Governance time.

Courts are not enemies of the Government, nor should they function like the political opposition. Courts are part of the Governance of the Country and should understand Governance and interpret law in the right perspective. If they assume that they are on an island of their own, ignore the context in which a law or a procedure is made, and fail to guide the Government when it needs assistance, then they will stand out as a hurdle against development.

A few years back, there was a practice for the Government to make a reference to the Supreme Court if there was a complex piece of legislation. But today the Supreme Court refuses to be drawn into such an advisory role and insists that the Government has to make a law and the Court will then review it and strike it down if required. In the process they prevent the Government from progressing at the rate which this Country demands.

Inconsistency is the bane of Judiciary

At the same time, we need to recognize that Courts are also not consistent with their decisions. In some cases they are ready to read down law but in some cases they want it to be struck down. In some cases they allow urgent mention and in some other cases they deliberately delay the matters.

The delays by the Supreme Court in respect of the Jayalalitha case, the Ram Mandir case, the National Herald case etc., set against the urgency they showed for the Sabarimala issue (while not showing the same urgency for the review petition), indicate how the Supreme Court can be considered by the citizens as inconsistent and biased.

Apart from the wrong or inconsistent decisions, Courts have in the cases like Aadhaar as well as the Puttaswamy judgement itself displayed a blinkered approach to a decision ignoring the multifaceted nature of the issues that often come up in this complicated technological world.

For example, the Aadhaar decision never considered the impact on e-Sign, which was a method of authentication in the digital world. If the Court had understood the link between e-KYC and e-Sign, they would have at least read down Section 57 of the Aadhaar Act with exemptions for the use of Aadhaar by the private sector in certain functions of national importance to be declared by the Government.

The Supreme Court also went wrong on petitions opposing the tender documents floated by the I&B ministry and UIDAI, without understanding the difference between "Scanning of published reports in the media" and "Interception", just as they failed in the Shreya Singhal case to differentiate between "Publishing" and "Messaging".

Similarly, the Puttaswamy judgement itself was unclear and vague, adding to the confusion in the legal interpretation of what Privacy is. It went to the extent of stating that even the words mentioned in the Constitution are not sacrosanct and can be interpreted by the Judges in any manner they like (see the Justice Chelameswar part). The confusion was therefore confounded by the judgement which is generally hailed as "Historic".

It would have been better if the judgement had categorically mentioned that

“Privacy is a State of Mind of an individual and external laws cannot predict and protect the dynamic state of mind  and therefore the judgement is nothing more than expressing the intention of the constitution and the need for appropriate measures to protect information that is relevant for privacy rather than the privacy itself”.

By not defining Privacy while expecting it to be protected by the Government, and also restricting the operational freedom of the private sector by a completely vague prescription, the Puttaswamy judgement only created a platform for anybody and everybody to link anything and everything to infringement of privacy and knock at the doors of the Court.

The current PIL is a classic example of how the Puttaswamy judgement itself will be used and reused for flimsy and motivated litigation.

There is a need to put an end to this practice by actually reading down the Puttaswamy judgement itself and providing guidelines to the lower courts not to allow the hijacking of our judicial system with PILs of the kind we are now seeing on this MHA order.

My Apologies

As a teacher of Cyber Law, I understand and appreciate the urge of the petitioner (who I recognize is a student of Cyber Law) to test his knowledge and skill in litigation by launching a PIL.

I have no intention of discouraging his enthusiasm through the words used in this article. I however request him to take a second look at his petition and, if he agrees with my views, consider withdrawing the petition rather than pursuing it.

There are better PILs that need support and many Cyber Crime victims who need the support of public-spirited advocates, and he can focus on such issues rather than on PILs which essentially serve the political interests of the opposition parties in India, who are opposed to the current Government for vested interests of their own.

Also my remarks against Judiciary in the article, should be seen in the context of preserving the sanctity of the system in the larger interest of the country in the long run and the need for “We the People” to exercise our “Freedom of Expression” in good faith for what we consider is for the good of the nation.

Lastly, I would like my critics to consider that  though they may not fully agree with my views, they can at least try to take this into consideration as one point of view before formulating their own views. I have no objection if they want to support the opposite view.

If anybody is hurt by my views expressed here, my sincere apologies.

Naavi

Reference

The MHA Notification
Section 69
Section 69 Rules of 2009

Report at bar and bench


Allahabad High Court trapped in another political PIL

We are aware that the innocuous MHA order on designating 10 agencies through which a competent authority can order interception of electronic communication for reasons of security of state etc., has already been questioned through two PILs in the Supreme Court. These PILs have been filed by the professional PIL advocates M.L.Sharma and Amit Sahni. They are now pending for admission.

We have already discussed the issue involved through several articles listed below.

The Second Awakening… What is there in Rules of Oct 27, 2009 on Section 69?
The Second Awakening… What is Section 69?
Snooping and Section 69 of ITA 2000: Beyond Politics, Distrust and Passion..The second awakening
Agencies empowered under Sec 69. No Need to raise a false alarm

We have categorically stated that Section 69 provides for the empowerment of a "Competent Authority", which is the "Secretary of the Home Ministry" at the Centre and in the States, to order interception as per the provisions of law stated in Section 69 of ITA 2000/8 read with the accompanying rules. The law provides for such interception for reasons which are specified in Article 19(2) as reasonable restrictions on the fundamental right of Privacy. The rules are comprehensive and provide for "Written Instructions stating the purpose of the intended interception", valid for a limited period of 60 days (renewable up to a maximum of 180 days). They also provide for a review by a committee as provided under the Telegraph Act. There is also a provision for destroying the information after its use and for punishment for contravention of the rules.

Under such comprehensive guidelines, what the recent MHA order did was to indicate which agencies the competent authority may exercise its powers through. By designating 10 agencies for this purpose, the Government has restricted the use of the powers of interception and prohibited their use except through these agencies, which will be accountable for following the guidelines through the "Nodal Officers" that they need to designate.

The different PILs were therefore drafted without a basic understanding of law and only for the purpose of publicity and placing hurdles on Governance by the Government.

While the PILs in the Supreme Court are pending, it is strange that the Allahabad High Court has admitted another PIL, filed by one Mr Saurabh Pandey, and issued notices to the Government. It is common sense that when the superior Court is considering a similar petition, the lower Court could have avoided a duplication of effort by suggesting that the petitioner either approach the Supreme Court and join the other petitioners, or by advising him that the petition is redundant.

The Court should have considered that it sits at public expense and that there should be some discretion in taking up such worthless petitions. It is a waste of public money and a needless obstruction of the Government in discharging its legitimate duties.

In the continuation of this article, we shall address the issues raised point by point and show why the petition is not worth admission. The same arguments also hold good against the petitions of Amit Sahni and M.L.Sharma at the Supreme Court.

… Continued

Naavi


Reference:

The MHA Notification
Section 69
Section 69 Rules of 2009

Report at bar and bench


Anti Data Localization Lobby and Anti Aadhaar lobby working to push PDPA Bill to the June Session?

A Strong lobby in the industry is working against the Personal Data Protection Bill being passed with the current provisions which the Justice Srikrishna Committee has suggested.

The principal objection of the lobby is to the provision of the Bill which will require applicable organizations to store such data within India.

This provision is similar to the restriction placed under GDPR that data cannot be transferred outside the EU unless certain pre-conditions are satisfied. Just as the GDPR provides exceptions under which personal data can be sent across the border, the Indian Bill provides that the data has to be stored locally and provides exemptions under which data can be sent outside India.

But the lobby which objects to these provisions has been trying its best to convince the Government to drop the data localization aspects of the Bill. However, it appears that the current Government is not so easily amenable to such pressures and is strongly inclined to retain the data localization aspects.

So, as a strategy to delay the inevitable and hopefully kill the provision, the lobby is now trying to plant stories that suggest that the Government may not introduce the bill now and wait for the next Government to take charge after the elections.

According to a news report in the Economic Times, an official of the Government, either from MeitY or the Law Ministry, is reported to have stated that the Bill has been sent to the Law Ministry for vetting, and the Law Ministry feels that it can take its time to complete the task since the Bill is not to be presented now.

The report has all the hallmarks of fake, planted news meant to create a perception that this is the way to go: delay the passage of the Bill so that it does not get passed for the time being, and hopefully the next Parliament will be favorable to the influence of the lobby.

I request the Government not to fall prey to such a design of the Anti-Data Localization lobby. Firstly, it is possible that the current Government may not be able to get the brute majority it wants to run the Country without interference from the corrupt. Even if they succeed in retaining a majority in the Lok Sabha, the problems of the Rajya Sabha will continue to prevent passage of any bill which the opposition does not like.

More importantly, if the Current Government does not show the resolve to pass the Data Protection Bill, it will give ammunition to the anti-Aadhaar lobby that the Government is never serious on Privacy and hence the commitments given by the Government during the Aadhaar judgement are not going to be fulfilled. This will be one of the strongest grounds on which the Aadhaar review petition would be argued.

I therefore urge the Government not to yield to the pressures of such officials (If the report is true) who want the bill not to be presented and passed while the current Government is under control.

The Bill has been drafted under the supervision of none other than Justice Srikrishna, and substantial public debate has already taken place. Whatever further changes are to be made can be done within one or two sittings if necessary. There is no reason for the Law Ministry to take more than a week or 10 days to finalize the provisions and make further progress towards the passage of the Bill. I therefore consider that there is no reason for the Law Ministry to take a long time to finalize the changes.

I would even suggest that the Government should pass an ordinance before the Supreme Court tries to hear the Aadhaar review petition so that the Court will not have an excuse to believe the contention of the petitioners that the Government does not have intention of passing necessary legislation to protect the privacy.

Looking forward to the Government taking suitable action to ensure that PDPA bill is presented and passed at the earliest.

Naavi


Meity Needs to take assistance of techno legal experts on Section 79

It has become a fashion for some advocates to raise an alarm on anything that the Government does to curb Cyber Anarchy. These people, who consider the Supreme Court their backyard, keep lodging PILs opposing every action of the Government, trying to clog the Indian judicial system and keep the Government from doing anything worthwhile.

I am not against “Criticizing” the Government which I have done in a large measure all through the years. But Criticism should be with an honest desire to improve the Governance and not to put hurdles on normal functioning of the Government. Most of the critics on Section 69 MHA order or Section 79 consultation note are only interested in preventing the Government from pursuing its routine functions.

The Section 79 issue, on which MeitY has issued a note for public comments, is yet to reach the Courts since the public consultation process is on. The Ministry has called for a Round Table, with a public invitation for participation on Twitter, on 5th January 2019. (Link: https://twitter.com/goi_meity/status/1080702303445889025?s=21)

In the meantime more public debates are likely to help better clarity.

FDPPI (Foundation of Data Protection Professionals in India) will also hold a web based round table next Thursday.

In the meantime, Naavi.org would like to place its views before the professional community so that when they interact with MeitY on the 5th, they can keep the following information in the back of their minds.

But whatever be the decision of the Government with or without public consultation, the matter is likely to be also challenged in the Supreme Court. In order to ensure that media does not hijack the debate with false narratives, we are providing here some additional information for the general understanding of all including the media persons.

What is New in the Guidelines?

For the convenience of all the readers, a comparison of the present guidelines and the proposed guidelines is available here.

It must be remembered that Section 79 has been in existence since 17th October 2000 but modified on 27th October 2009. The Intermediary guidelines have also been in existence since 27th October 2009 and what we are discussing now is a modification to this.

The Critical Changes

There are three notable changes and two significant changes that need discussion.

The first notable change is that under Rule 3, two new paragraphs have been added to the content guidelines. They require that the intermediaries advise the users not to host, display, upload, modify, publish, transmit, update or share any information that

– threatens public health or safety; promotion of cigarettes or any other tobacco products or consumption of intoxicants including alcohol and Electronic Nicotine Delivery Systems (ENDS) and like products that enable nicotine delivery, except for the purpose and in the manner and to the extent as may be approved under the Drugs and Cosmetics Act, 1940 and Rules made thereunder;

– threatens critical information infrastructure.

The above is an addition to other points already mentioned in the earlier version.

This is the notice to be given to users of an intermediary service and by itself does not criminalize such action.

The suggested list of information which is not to be hosted etc. can be referred to as "Objectionable Content", and it is possible to interpret it as "Placing a curb on freedom of expression". But we need to debate whether it is reasonable, and recognize that it is meant to protect intellectual property rights and to guard against crimes against minors and crimes such as defamation, impersonation, obscenity, spreading of viruses etc., besides enforcing the reasonable restrictions under Article 19(2) of the Constitution.

The second notable change is the replacement of Rule 3(4) with new paragraphs (5) and (8). This change is attributed to the Shreya Singhal judgement and inserts the words "When required by lawful order…", under which the intermediary shall provide information or assistance within 72 hours. It also provides that upon an order from a Court or an appropriate authority relating to unlawful acts relatable to Article 19(2) of the Constitution of India, the intermediary shall remove the content within 24 hours thereafter.

These two new paragraphs are reproduced here.

(5) When required by lawful order, the intermediary shall,

-within 72 hours of communication, provide such information or assistance as asked for by any government agency or assistance concerning security of the State or cyber security; or investigation or detection or prosecution or prevention of offence(s); protective or cyber security and matters connected with or incidental thereto.

-Any such request can be made in writing or through electronic means stating clearly the purpose of seeking such information or any such assistance.

-The intermediary shall enable tracing out of such originator of information on its platform as may be required by government agencies who are legally authorised.

(8) The intermediary upon receiving actual knowledge

–in the form of a court order, or on being notified by the appropriate Government or its agency under section 79(3)(b) of Act

–shall remove or disable access to that unlawful acts relatable to Article 19(2) of the Constitution of India

–such as in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, on its computer resource without vitiating the evidence in any manner,

as far as possible immediately, but in no case later than twenty-four hours in accordance with sub-rule (6) of Rule 3.

Further the intermediary shall preserve such information and associated records for at least ninety days one hundred and eighty days for investigation purposes, or for such longer period as may be required by the court or by government agencies who are lawfully authorised.

The above two requirements are well within the reasonable powers of the Government and the legal provisions including the Supreme Court judgement.

The next important change suggested is that the intermediary shall inform its users,

-at least once every month,

– that in case of noncompliance with rules and regulations, user agreement and privacy policy for access or usage of intermediary computer resource, the intermediary has the right to immediately terminate the access or usage rights of the users to the computer resource of Intermediary and remove non compliant information.

This is a question of providing monthly reminders so that if and when this right is exercised, the user is not surprised and run to the Supreme Court with a complaint.

This requirement may require a tweaking of the technology to recognize the “Last Login” and provide a pop-up notice or an e-mail notice.

This would be an interesting development since in many cases the e-mails may bounce because the addresses are false, and then the Intermediary should recognize that there is a need to red-flag the user. In a way this could put a check on “Fake Accounts” by putting the intermediary on alert.

I request the Government not to yield if the intermediaries raise an objection on this provision.

Management Localization

One of the significant changes is that intermediaries having more than 50 lakh users now need to have a local establishment with a permanent local address and a nodal officer for 24×7 coordination with law enforcement agencies.

This would be sweet news for the Police because only those who have handled Cyber Crime investigations know how difficult the intermediaries become when a Cyber Crime investigator asks for information. Google, Facebook and Twitter are in the forefront of such stonewalling of investigations and will obviously oppose this provision tooth and nail.

Again this is an issue on which the Government should not buckle under pressure.

Proactive Tools

Another significant change is the imposition of a responsibility on the intermediary that they deploy

–technology based automated tools or

–appropriate mechanisms,

–with appropriate controls,

– for proactively identifying and removing or disabling public access to unlawful information or content

Opposition to this change has been mounted on the ground “How do we identify what is unlawful?”

I would only like to say …Well, if you know what is lawful, you know what is unlawful and it is the duty of every one of us to know what is lawful.

We are today in the era of Artificial Intelligence. All the major intermediaries are already using AI for profiling the users from the content that they post or access. Despite privacy regulations like GDPR, the Googles, Facebooks and Twitters are unlikely to stop profiling and using it for generating revenue through targeted advertising.

If profiling for targeted advertising is possible, profiling to identify unlawful activities is equally possible.

Encrypted Information

Problems will persist with WhatsApp, where the company may actually be dealing with “encrypted content” and therefore not amenable to content analysis. Considering that the rule talks about “Appropriate Controls” and “appropriate mechanisms”, it is possible that WhatsApp, in the honest case of it not being able to decrypt the message, should be exempted from the obligation to decrypt content.

Alternatively, if they are technically capable of decryption and content analysis, then they can provide the necessary technology through technical means without any manual intervention so that “Privacy” of honest users is not adversely affected. If the algorithm decrypts and analyses the content for certain key words all within the application space, then confidentiality of information can be maintained to the satisfaction of the users from the “Privacy” perspective.

It may not however be easy to make the Supreme Court understand this concept of “Algorithmic decryption and content analysis not amounting to privacy infringement”.

I hope the techno-legal advisers of MeitY would be able to provide assistance to the AG when this matter comes up before the Supreme Court. Just as the Supreme Court called upon the Air Force officials in the Rafale matter to understand the technical issues, the Court should not hesitate to seek the assistance of techno-legal experts to understand how “Information can be decrypted and searched within the application data space” with only the identified objectionable content being taken out for legal action and the rest being kept confidential from the Privacy perspective.

I hope the above factors will be taken note of by the MeitY.

Naavi

Previous Articles:

Shreya Singhal is Back again!

New Intermediary Guidelines… Legitimate and Well within the rights of the Government
Proactive technology tools to identify violation..new intermediary rules
New Intermediary Guidelines.. Intermediaries need to have Indian Subsidiaries..
Intermediary Guidelines.. Who is and who is not an intermediary?
Draft Intermediary Guidelines 2018… Public Comments invited
Copy of the guidelines

P.S: The last date for submission of comments has been extended up to 31st January 2019. The comments would be put up on the website on 4th February and counter comments accepted up to 14th February 2019… http://meity.gov.in/writereaddata/files/Extention_Guidelines_2018.pdf


Naavi’s 5×5 Data Trust Score System… some clarifications

Based on some of the comments received on my article on the Data Trust Scoring System yesterday, I am providing the following clarifications:

It is a Framework

The concept named “Naavi’s 5×5 Data Trust Score”© System is a new concept introduced to meet the suggested requirements under the Personal Data Protection Act 2018. It is a framework under which assessments can be converted into a “Score”.

Assessments will however be done by individual auditors and the detailed criteria for assigning the ratings for each of the domains would be left to the auditor based on their understanding of  PDPA 2018.

In the past (March 2009), Naavi had proposed similar measurable criteria for assessing ITA 2008 compliance under the Indian Information Security Framework (IISF-309). Under this framework, Ujvala Consultants Pvt Ltd had published detailed assessment guidelines used for its audits.

The framework started as a 21 point system in 2009 and has now evolved into a 30 point framework represented below.

Just as the framework itself evolved from a 21 point system in 2009 to a 30 point system, the detailed guidelines used within these different headings have also gone through some changes. Additionally, the Theory of Information Security Motivation and the Total Information Assurance Concept supplemented the framework.

Similarly, the DTS system as proposed is also expected to undergo change as we go along. A decision to publish the detailed assessment criteria may therefore be taken after the concept attains some maturity in the testing ground of Naavi.

Probably the framework will also assist the Data Protection Authority of India when it comes up with its own thoughts on this matter.

Subjectivity

The DTS scoring is an end result of an audit which includes evaluation of Technical controls based on a Risk assessment, Policies and Procedures that meet the legal interpretations in PDPA 2018 as well as an assessment of the behavioural state of the manpower involved.

Hence the system cannot eliminate subjectivity based on the experience and understanding of the Auditor.

However, if the interpretations are from the same school of thought, the differences in DTS score between different auditors could tend to a small range of uncertainty.

Weightages

The current article presents a framework and there could be an adaptation based on assignment of different weightages to different domains used by different auditors including Ujvala Consultants Pvt Ltd.

Within the five domains, there could be several sub domain definitions to narrow down the evaluation criteria.

Naavi.org may publish its recommended weightage criteria from time to time based on its assessment of the market environment. At this point of time, when PDPA 2018 is still a draft, it is reasonable that the weightage is kept simple and equal. Hence all the 5 domains have been given an equal weightage of 20% each. The auditor may assign values between 0-100 in each of the five domains, fit them into the grades between E and A, and also present a consolidated DTS for an organization at a given point of time.

Hygiene Factor Treatment

While discussing motivational theories, we discuss what is known as a “Hygiene Factor”, which Professor Herzberg introduced. Under this concept certain aspects, if present, have zero value as a motivator but, if not present, would have a value as a de-motivator.

I have tried to suggest that this concept may be adopted into the assignment of either the weightage itself or the values under each domain.

What this means is that the weightage  or  value assigned may drop suddenly to zero at a threshold point. Values may be assigned on a continuous basis only above this threshold value.

Factors such as Commitment and Knowledge were referred to as “Hygiene” factors in my article yesterday. A similar approach could be extended to other domains as well. If adopted, the threshold level represents the value below which the auditor would not even assign any score. These are the flexibilities that need to be considered as the system evolves over time.

Level II Score

The Level II criteria, which indicate the trend over a minimum three year period, will have a notation as an extension of DTS such as “DTS 55+” or “DTS 55-” indicating whether it is improving or declining, and may even show an acceleration factor by representing the score as “DTS 55++” or “DTS 55--”. It can also be “DTS 55+-” or “DTS 55-+”. (Here 55 is the weighted score of an organization based on the approved weightages.)

The Level II scoring is a thing of the future since it requires a minimum three year span to decide.

Further Development

The Data Trust Score or DTS system proposed here is a concept which can be developed in due course with the assistance of other professionals who find the concept useful.

Probably some students or academically oriented practitioners may test the concept in specific corporate environments to make the concepts clearer.

Naavi

[P.S: We are in an academic debate on this concept and views from the readers will be very valuable]

Related Article in Computer Weekly.com


Naavi’s Data Trust Score Model unleashed in the New year

At the dawn of the new year, India is on the threshold of a new “Data Protection Regime”. While the critics will continue to debate the Data Localization and the RTI related objections, the Government is likely to quietly go about its Governance duties by pushing through the bill currently titled “Personal Data Protection Act 2018”.

When the law eventually comes into operation, there will be a Data Protection Authority (DPA) which needs to provide several guidelines and rules of practice.

In the meantime, “We the Professionals shall adopt our own Data Protection Constitution of India” to protect the Data Sovereignty of our country, provide adequate “Data Security” for the e-Citizens of India and provide a Citizen’s model of a Data Protection Regime that can make the work of the DPA easy. In order to ensure that the regulations eventually made by the DPA are complied with voluntarily and without pain, there has to be a synchronization between what the Citizens perceive to be reasonable self-regulation and what the regulator eventually imposes.

Since it may take at least one more year for the DPA’s own regulations to be made public, Naavi.org with its associate activities such as Cyber Law College would try to put up its own methodologies, which could be thought starters.

In this journey towards a Responsible Data Protection Regime in India, Naavi presents the Data Trust Score model that he would be adopting for Data Audits conducted by him through Ujvala Consultants Pvt Ltd. This may be considered as a thought under development and would evolve over a period of time. Presently it is referred to as “Naavi’s 5×5 Data Trust Score Model” (5×5 DTS).

What is Data Trust Score

Data Trust Score is a suggestion of the draft PDPA 2018 presented by the Justice Srikrishna Committee. Even if the concept is modified or even deleted when the draft becomes a law, the concept will always be relevant as a rating of different organizations against how they adopt and implement the recommendations of PDPA 2018.

According to PDPA 2018, an annual “Data Audit” is mandatory for all organizations processing personal data and the data auditor may assign a rating in the form of “Data Trust Score” to the Data Fiduciary pursuant to such audit.

According to the Act, the DPA will specify the criteria for assigning a rating in the form of a Data Trust Score having regard to various factors such as

a) Clarity and Effectiveness of Notices under Section 8 (Collection of data)

b) Effectiveness of the measures adopted under Section 29 (Privacy by Design)

c) Transparency in relation to processing activities under Section 30 (Transparency)

d) Security Safeguards adopted pursuant to Section 31 (Security Safeguards)

e) Instances of personal data Breach and response of the data fiduciary

Naavi’s Approach

Naavi has developed an approach to assigning a Data Trust Score based on an assessment of the requirements of compliance under 5 different base Foundation criteria on a scale of 5, namely A, B, C, D and E, with A being at the top and E being at the bottom. C will be the minimum acceptable grade for considering an organization compliant.

Naavi recognizes that “Compliance is a journey” over time and it is unfair to judge an organization as a snapshot. This is the fundamental weakness in many of the current rating mechanisms.

Naavi therefore considers rating of DTS over two levels. The first level is the snapshot at a particular point of time. The second level is the change over time with a minimum period of 3 years.

Just as in financial analysis we use the Balance Sheet as a snapshot of the financial health of an organization and the Funds Flow Statement as a barometer of managerial prudence in funds management, the Level I and Level II DTS ratings together would capture the inherent strength of an organization in Data Protection compliance.

For the Second level DTS to be evaluated, there has to be a minimum time span with annual data audits of at least 3 consecutive periods available. It will therefore be a rating which can be released only after the next 3-5 years.

Level I DTS can however be a reality even now and continue when the DPA announces a formal criteria.

Five Foundation Domains

Naavi has clubbed all the requirements of PDPA into Five basic domains namely

  1. Commitment of the management
  2. Knowledge  of the Organizational manpower
  3. Controls for implementation
  4. Review mechanism for improvement
  5. Redressal mechanism for grievances for the Data Principals

On the vertical axis, each of these domains is assessed on the scale of E to A from the bottom.

To reduce the DTS to a single score, a weighted evaluation on this 5×5 grid would be adopted. The weightage can be equal (20%) for all five domains and the vertical scale moving from 0-20, 21-40, 41-60, 61-80 and 81-100.

In due course, a view would be taken on whether the domain weightage can be changed from an equal 0.2 for each domain to a differential rating where say Commitment could be 25%, Knowledge could be 15%, Controls could be 30%, Review would be 10% and redressal 20% etc.

In the beginning years, the weightage has to be more on Commitment and Knowledge. In later years Commitment would be a hygiene factor and Knowledge would be high. Controls need to be modified from time to time because technology would change, and hence greater attention would be required. Review would be a managerial discretion supported by the mandatory requirements and hence would also be a hygiene factor. Redressal will be the distinguishing factor between organizations which would be protecting data because of regulatory compulsion and those doing so out of their own belief systems, and hence may require a high weightage along with Controls.

The Second level weightage would depend on the trend of the score whether it is improving or declining or is being maintained.
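The grade bands, equal 20% weightages, hygiene-factor treatment and Level II trend notation described in this article and in the follow-up clarifications can be expressed as a small scoring routine. The code below is an added example, not Naavi's or Ujvala's own tool; the hygiene thresholds (40 for Commitment and Knowledge), the "=" sign for a maintained score and the sample organization values are assumptions made for illustration.

```python
# Added example (not part of Naavi's article): a minimal 5x5 Data Trust Score
# calculator. Hygiene thresholds, the "=" sign and sample values are assumed.
from typing import Dict, Sequence

DOMAINS = ("commitment", "knowledge", "controls", "review", "redressal")
EQUAL_WEIGHTS = {d: 0.2 for d in DOMAINS}          # 20% each, as in the article
# Assumed hygiene thresholds: a domain below its threshold drops to zero.
HYGIENE_THRESHOLDS = {"commitment": 40, "knowledge": 40}


def grade(value: float) -> str:
    """Map a 0-100 domain value onto the E..A scale used in the article:
    0-20 E, 21-40 D, 41-60 C, 61-80 B, 81-100 A."""
    if not 0 <= value <= 100:
        raise ValueError("domain value must be within 0-100")
    for lower, letter in ((81, "A"), (61, "B"), (41, "C"), (21, "D")):
        if value >= lower:
            return letter
    return "E"


def apply_hygiene(values: Dict[str, float]) -> Dict[str, float]:
    """Hygiene factor treatment: below the threshold the value is zero,
    above it the value is taken as assigned (continuous)."""
    return {d: (0.0 if v < HYGIENE_THRESHOLDS.get(d, 0) else float(v))
            for d, v in values.items()}


def level1_dts(values: Dict[str, float],
               weights: Dict[str, float] = EQUAL_WEIGHTS) -> float:
    """Level I snapshot: weighted sum of the five domain values (0-100)."""
    if set(values) != set(DOMAINS) or set(weights) != set(DOMAINS):
        raise ValueError("all five domains must be present")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("domain weightages must sum to 1")
    adjusted = apply_hygiene(values)
    for v in adjusted.values():
        grade(v)                                   # range check only
    return round(sum(weights[d] * adjusted[d] for d in DOMAINS), 2)


def level2_notation(annual_scores: Sequence[float]) -> str:
    """Level II trend label over at least three annual Level I scores.
    First sign: improving (+) or declining (-) over the period; second sign:
    whether that change is accelerating (+) or slowing (-). "=" is assumed
    for a maintained score. Example: 'DTS 58+-' = improving, but slowing."""
    if len(annual_scores) < 3:
        raise ValueError("Level II needs at least three annual scores")

    def sign(x: float) -> str:
        return "+" if x > 0 else "-" if x < 0 else "="

    deltas = [b - a for a, b in zip(annual_scores, annual_scores[1:])]
    direction = sign(annual_scores[-1] - annual_scores[0])
    acceleration = sign(deltas[-1] - deltas[0])
    return f"DTS {round(annual_scores[-1])}{direction}{acceleration}"
```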

A typical representation of how the assessment may look for two different organizations is shown in the accompanying picture above.

Certified Data Auditor

The suggested system above will be part of the “Certified Data Auditor” training that Cyber Law College would be undertaking in the coming days.

Comments are invited from the readers on the above concept.

I urge entities like the Foundation of Data Protection Professionals of India (FDPPI) to take this idea further and develop.

Naavi

P.S: The word “Hygiene” has been used here as something which would become a mandatory need that has low positive value if it is there but will have negative value if it is not there. It is a term used in the motivational theory of Professor Herzberg.

Some additional clarifications based on comments received have been posted as a follow up.

2nd January 2019
