Naavi.org

I started writing this blog based on the news reports that appeared mainly on TV channels and the digital copies of the preint media. The reports suggested that “X” (formerly Twitter) had filed a petition in Karnataka High Court against the Union of India alleging that the use of Section 79(3) on “Intermediaries” to get content removed is a violation of the freedom of expression.

Media made it look as if it was Elon Musk fighting against Indian Government.

Refer reports at Deccan Herald, Hindustan Times, Business Standard

You Tube: Times now : India Today : CNBC-TV 18

Thanks to one of my friends in the media, I got a copy of the petition in the night and as I read through the petition, it was clear that the essence of the objection raised was not about the power of the Government to remove the content which was damaging for India, but the due process that needs to be followed in such cases. It appeared that it was meant to teach a lesson to the Government officials who did not understand ITA 2000 even after 25 years and continued to issue notifications with their own interpretations which were wrong ab-initio.

As a person who has been in the filed of Cyber Law education since 2000, I am ashamed that so much ignorance persists even in the Government and the set of legal advisors in Delhi who advise MeitY. Had Meity Contacted a better ITA 2000 aware persons anywhere in the country, they would not have met this embarrassment of being called “Ignorant” of ITA 2000.

At first glance from the news paper reports, it appeared that X has built its petition under a wrong interpretation of Section 79(3), without appreciating that this section can only issue notice to disable the safe harbour protection and cannot mandate content take down.

However, on a detailed perusal of the petition, it was clear that the petitioner was actually educating MeitY, MHA and the Ministry of Railways and pointing out the several mistakes made by them in issuing orders to X.com. I therefore think that the petitioner’s law firm must have enjoyed this exercise of drafting a petition that was meant to highlight the difference of two sections of ITA 2000 namely Section 69A and Section 79. This could be a great case study for students of law.

The impugned petition is based on the take down notice issued by the Ministry of Railways which is a demonstration of how not to interpret the law and how not to issue a notice of such nature.

On 11th February 2025, the Ministry of Railways had issued a mandate to X.com to remove some content within 36 hours of the “Issue of the communication”. (Not from the time of receipt). This order was issued under the earlier gazette notification issued by MeitY on 24th December 2024 which notified the Executive Director of Railways as an authority for the purpose of issuing notice to the intermediaries in relation to “any” information which is prohibited under any law for the time being in force pertaining to the Ministry of Railways and its attached offices.

The MeitY Gazette notification which designated the Executive Director as the authority for taking down content was wrongly quoting Section 79(3) instead of Section 69A as its legal basis.

Further, the order was conveyed through an email from the Deputy Director Public Relations of Railway Board and not the Executive Director Directly. The email was from Gmail domain and was obviously not digitally signed also.

The order conveyed to Twitter appears to have demanded that “…links be taken down immediately”.

Any prudent legal advisor would have suggested that it was preferrable in such cases to state something to the effect…..

” It is hereby notified that the content referred to in the links quoted in the annexure are false and misleading and if it is not removed as per Section 79(3) of ITA 2000, the platform shall be considered ineligible for protection under the said section and we reserve the right to proceed against the platform as per the laws of the land”.

As a result of these multiple childish mistakes, the order can be used to argue as an example of how the Ministries by their ignorance may misuse the provisions.

Because of the mistakes committed , a ground has been given to the petitioner that there is an attempt to bypass due process of law under Section 69A and it would be challenging to defend against this accusation.

I would like to advise the Government that instead of trying to defend this petition, it should immediately withdraw the earlier notices, issue modified notices duly drafted and file an affidavit in the Court so that the Court can dismiss the petition at the first stage itself as redundant.

If the case is pursued and Court takes a stand in favour of the petitioner, the media would project a wrong impression that Government does not have the power to regulate content under ITA 2000 and the entire Intermediary Guidelines which is under challenge in Delhi High Court would also be jeopardised.

I am apprehensive that this could even lead to the Court even scrapping Section 79(3) as it happened in the faulty judgement in the Shreya Singhal Case .

It is therefore advisable for the MeitY to admit in its affidavit that it inadvertently failed to follow certain procedures and would take appropriate steps to handle such instances properly in future.

The Sahyog Portal is just a facilitation of communication and we hope it has no role to play on the wrongful process used in this particular instance. If necessary, corrections could be applied to the statements made on the portal also.

I would also advise “X” to accept the admission of inadvertent error in using the process (if given) and not stand on its own ego since a proper trial would also raise the question whether X is an Intermediary under ITA 2000 and whether it is entitled to any protection at all.

In this era of AI and data analytics, no social media can fulfil the conditions mentioned under section 79(2)(b) of ITA 2000 and neither X nor Face Book nor Instagram can avail the benefits of Section 79 despite the earlier wrong interpretations.

If Karnataka High Court looks at this angle of “Who is an Intermediary”, then another new chapter would be written in the Cyber Jurisprudence in the country. In case the petition goes into detailed trial, I wish the high Court uses this opportunity to focus on the concept of an “Intermediary” and why under the current practices of the Social media platforms to read though all messages, filter it, use it for machine learning etc., they can never be considered as mere conduits of messages which is essential for them to be considered as an “Intermediary”.

If X is held as “Not an intermediary”, then Government does not need either Section 79 nor Section 69A to launch proceedings against social media platforms violating any provisions of BNS 2023. This would be an unintentional backlash that X would suffer as a petitioner in this case.

The petition itself is doing a great service to the community of Cyber Law educators and is welcome since it has thrown up an opportunity to educate the Government of India about it’s own law which some body like Naavi could have explained in one single sitting. Meity could have even contacted Padma Shri Dr T.K.Vishwanathan who drafted ITA 2000 who was nearby.

I request the Karnataka High Court also to limit it’s order to the scope of educating the Government on what is the scope of Section 79 vis-à-vis Section 69A and not jump to the actions like scrapping the section like what Supreme Court erroneously did in the case of the Shreya Singhal for which we have been calling out again and again in the last one decade that Supreme Court also did not understand the law before it scrapped Section 66A.

I should also express my appreciation of M/s Poovayya @Co for giving a lesson to the Government through their petition on the scope of Section 79 and Section 69A.

Naavi

P.S: This article is meant for education of Cyber law students. It has undergone an extensive edit from the time I started writing last night to this morning when I edited it further. Kindly ignore the earlier versions if you had an occasion to view it before the edit…. Naavi)

After Mr Trump took over as President of USA, we have been anticipating some changes in the Data Protection regime specially related to HIPAA/HITECH Act and the EU-US Data transfer.

The DOGE activity will sooner or later catch up with the operations of Medicaid and Medicare programs which were the favourites during the Obama regime and this could affect some changes in the HIPAA/HITECH regulations. However, this has not happened and we are waiting for the NPRM to be finalized.

In the meantime, US and EU are under loggerheads politically and this could affect the EU-US data transfer regime which can have an impact on India also.

The trigger for this seems to have been noticed now in a decision to reconstitute the FTC’s five member bench with removal of two Democratic commissioners has left the Commission with two Republican nominees without representation from the minority parties.

The EU has been demanding in the past that US judicial system adopts itself to GDPR regulations and provide two guarantees namely

1. The Law Enforcement agencies shall not have the power to seek the personal information of EU Citizens being processed in USA
2. The EU Data Subjects shall have adequate judicial remedy in USA against the US based Data Controllers/Data Processors.

There was an uneasy truce on this aspect in the previous negotiations leading to the current EU-US Data Transfer Framework. This is likely to be disturbed by the recent developments particularly since the two removed commissioners are Democratic party representatives with a clout in the EU administration.

Soon this is likely to raise a demand for cancellation of the Data Transfer arrangement and consequential business disruptions.

India receives a lot of Data Processing business from EU through US Data Controllers. Now this could be affected if the EU-US data transfer agreement gets suspended or otherwise disrupted. It is interesting that at the same time, Indian DPDPA is also coming into operation. Will the Indian business take advantage of the EU-US differences and establish more direct business with the EU Data Controllers under GDPR is worth watching out.

Indian DPDPA is flexible and provides setting up of notified Data processing centers for processing EU data under a GDPR Contract by an Indian Data Processor with an exemption of DPDPA. (ITA 2000 however is not exempted). Hopefully, innovative data processors in India will take advantage of the notification of DPDPA to increase their business share with EU.

The discussions in Chennai on why Cyber Crimes are increasing in the current days with individuals transforming themselves into a different mental state when on Internet has given thought to a comparison of the “Mental States of Cyber Individuals” with the ways we normally look at “States of Matter”.

We are all aware of three basic states of matter namely the Solid, Liquid and the Gas. We also know that when the energy in the matter increases further, it reaches the state of “Plasma”. When the energy in the matter decreases to zero degree kelvin, the matter reaches the state of the Bose-Einstein Condensate.

These are concepts of physics like the Matter wave theory of de Broglie, Heisenberg Principle of uncertainty and the Quantum principles of “Super positioning” and “Quantum Entanglement” which have all been discussed here in naavi.org at different points of time with reference to data. We have also discussed concepts like “AI enabled Data Analytics” as a “Complex Data” and several concepts of behavioural analysis including Cyber hypnotism and adopted them into the Data Protection scenario. We have used some of these concepts in discussing Neuro Rights and Dark Patterns also.

Now a time has come to discuss another concept of Physics namely “States of Matter” in the context of the “Cyber Space”.

I will dwell with it in my new book “The Raise of the Planet of Cyborgs”, where I will discuss how the “Meta State” of an individual transforms into “Cyber State”, “Meta Verse State”, “Augmented Reality State” as different states of existence. Further there could be new Particles of Data Matter such as the AI enabled Humanoid Robots and the Cyborgs which are like the Bosons and Boson-Einstein condensates which need to be understood.

Look forward to such interesting thoughts in the upcoming book which could be a crazy combination of concepts from Physics, Psychology etc brought into the explanation of Privacy and Data. It could be an interesting journey even for me as the author.

Naavi

HESCOM is the Hubli Electricity Supply Company responsible for managing the electricity supply activities on behalf of the Government of Karnataka including management of electricity connections, metering, collection of usage charges etc.

The organization is headed by an Ex-MLA of Haveri namely Mr Sayeed Azeempeer Khadri. The Managing Director of the Company is Ms Vyshali M.L. IAS, (md@hescom.in). Mr Gaurav Gupta, IAS, (prs.energy@gmail.com) is a senior Director and Dr Vishal R, IAS secyfr-fd@karnataka.gov.in is secretary to Government (Fiscal Reforms). There are many other Directors in the Board responsible for the management of BESCOM.

I have observed that on 7th March 2025, I have received SMS from CP-HESCOM about bills payable on the following two accounts.

1. 2427142 in the name of Nasibsab A Lokapuri for Rs 238/-
2. 2424310 in the name of of F.N. Lokapuri for Rs 208/-

While I had ignored the SMS, I now find that FINTECH companies like CRED have been listing the dues for automatic payment through my accounts with them. I could have ended up making such payments without verification had I not been alert.

I can presume that CRED had my permission to read my SMS and could have picked up the information. However, I donot find any reason why HESCOM should have listed my phone number with the electricity accounts of some body in Hubli while I reside in Bangalore.

I have demanded that HESCOM provide me the details of how they accessed my mobile number and how did they associate my mobile number with two of the Hubli’s electricity meters.

It is clear that HESCOM has violated my privacy and the principles of DPDPA 2023.

I have sought explanation from MD of HESCOM and has not received any reply for 24 hours. I will raise the issue with other senior Directors also if I donot receive any reply by tomorrow.

I am also apprehensive that this indicates a possible scam to create fake electricity meter account to collect “Electricity Subsidy” under the Grihajyothi guarantee of the State Government under fake meters .

I am not sure at this point of time if my other identities such as Aadhaar has also been used in the account in which case it would appear that I am financially supporting the two Lokapuris of Hubli with its own consequences.

HESCOM is responsible for any adverse impact of this wrongful linking of my mobile account with unknown meters in Hubli and also for any scams that may be running under the Grihajyothi scheme.

I therefore demand that the officials of HESCOM in Hubli send me full details of who are these two persons and why is their meters are being billed to my mobile number? and whether there are any other identity documents of mine associated with the accounts.

I am now sending copy of this public notice and disclaimer that I have no association with the Nabisab or F.N Lokapuri to whom the bills relate to both through the web and also through email .This may be considered as an official notice to HESCOM.

Naavi

Yesterday there was an event in Chennai organized by CYSI in which FDPPI was also a partner. It was a well attended program at Anna University Centenary Library auditorium and graced by two Judges namely honourable Justice N Ananda Venkatesan and honourable Justice (Rtd) Mr P. N. Prakash.

The topic for discussion was “Is Cyber Security more essential for Humans or for Information”? Most of the speakers anticipated that we will discuss about the how the law addresses the need to secure a cyber crime victim and how technology addresses “Security” in terms of “Data” being secured and not the person to be secured.

Every body including the speakers were expecting a discussion on how to balance the security efforts between protecting the Privacy of the person behind data and the security of the data itself in the CIA concept. But it was interesting to note that the entire discussion was diverted into a fundamental discussion on the philosophy of Cyber space. It was perhaps unintended but nevertheless very interesting and probably will be a watershed moment in such discussions in India.

It has always been one of the starting points of our discussions on how “Data Security” is not “Securing Data” per-se but securing the person behind “Data”. In this regard we discuss how law like ITA 2000 which is focussed on Cyber Crime prevention is invokable when there is a cause of action for an individual having suffered a loss on account of some contravention of ITA 2000 where as a law like DPDPA is more concerned on how an organization protects “Personal Data”.

The discussion in Chennai took an unexpected turn after the Chief Guest honourable Justice Mr Anand Venkatesan raised the fundamental philosophical thought of whether “Cyber Space” is a distinct “Space” different from the “meta Space” we live on and whether a person transfers himself into the Cyber Space when he is in front of the screen. He highlighted how the society is evolving in the use of Internet and why it is necessary for us to think differently when we address Cyber Security.

The introduction of this new thought by Justice Anand was a refreshing revelation of how the society is thinking of this concept whether “Cyber Space” as defined by Mr William Gibson in Neuromancer needs to be re-visited in the context of “Cyber Security”.

Naavi has in the past discussed this in the context of “Digital Contracts” and whether “Jurisdictional issues” in E Commerce transactions can be settled on the basis of whether the visitor of a E-Commerce website travels from his physical location to the location of the Website owner when he enters into a transaction on the website.

To some extent this has been answered by the ITA 2000 by stating that the “location” from which a message is deemed to have been sent is the “Usual Place of Residence” of the sender irrespective of the physical place from which the message was sent.(Section 13 of ITA 2000).

While discussing the status of “Netizens” I have also discussed the concepts of “CiNezens” as a hybrid category of persons who are “Citizens” of a sovereign state while also being “netizens” of a “borderless state”.

This concept also went into the background since the discussion “Cyber Laws is for Netizens” and can be distinct including punishments such as “Banishing from Cyber Space” did not get the traction as rules of the physical space went on to claim the “Cyber Space” as their own extended jurisdiction like the sea or the airspace around the geographical space. It became a fait accompli that “Implementation of all Cyber Laws” was not for the “Cyber Space” but for the “Residents of the Physical Space using Internet”. Hence though Internet had no geographical boundaries, Internet laws created jurisdictional boundaries artificially.

Now Justice Anand pointed out the “Psychological” perception of an Internet user and how he immerses himself in a Cyber Transaction and forgets the world around him even without an AR device or a Meta Verse interaction.

While discussing the “Blue Whale” game and finding a rationale for the victim’s behaviour, I have often referred to the concept of “Cyber hypnotism”. I have also alluded to the same principle to rationalize the recent “Digital Arrest” cases also.

While discussing “Artificial Intelligence Regulation”, I have also discussed the thought that AI is just a software and the Section 11 of ITA 2000 attributes it to an individual and therefore all legal consequences that may be attributed to an AI can be attributed to the human behind the AI and consequently, there is no need to discuss if AI is a “Juridical Person” or not.

While preparing for the event at Chennai I however reflected on how the society is evolving from the days when there were no computers to current day where Computers and mobiles are the life. As this evolution took shape, Internet ushered in a concept of “Cyber Space” as a “Binary Transaction space” independent of the “Internet and the device space”. The “Information” became distinct from the device in which it was stored, transmitted or experienced by the humans”. This “Disassociation” of the “Information” from the device has also been discussed by me while discussing Section 65B/63 concept justifying the need for human intervention in the form of “Certification”. This concept syncs with the concept of “Matter wave theory” of de Broglie the Physicist and concept of “Maya” by Adi Shankaracharya.

While it was easy to answer the question raised in the panel discussion “Is Cyber Security for humans or for information” in once sentence that even “Information Security” is for the benefit of the humans only, the actual discussions have opened up the “Deemed Cyber Space” concept where a person behaves as if he is in a different world when he is on the Internet. The issues arising out of such “Deemed Cyber Space” will be more relevant in the “Meta Verse” scenario where individuals transform themselves into “Avatars” and interact on the Cyber space.

This thought of a “Deemed Cyber Space” arising the instant a person enters the Internet space such as Face Book or Instagram gives me a new logical explanation of how “Cyber Hypnotism” takes place in the case of “Digital Arrest” instances.

This concept has been discussed by us in another concept when we argued for “Neuro Rights” legislation where we have discussed how by recognizing “Neuro signals” as equivalent o “Binary Signals” (Which they actually are), we can extend the ITA 2000 to the manipulation of human thoughts with the use of technology. This thought can be further explored as the creation of the “Deemed Cyber Space”. I will try to explain this concept in greater details some times later.

Yet another thought I got during the preparation of this topic was whether we the current day humans as a society are a dying species and we need to accept the ” Cinezens” as part of the current society and prepare ourselves to accept Cyborgs and Super Intelligent AI embedded humanoid robots as part of the society. The end result of this is that the human race as we know today will become second class citizens shortly and extinct over time and the world will be ruled by the Cyborgs and humanoid robots. The Cyborgs will be the masters and the humanoid robots will be their servants. By 2026, Mr Elon Musk is expected to send a humanoid robot to Mars and when this humanoid robot meets the aliens in a few decades hence, perhaps it will represent the primitive natives of the the then evolving “Planet of the Cyborgs” which Earth will be.

I am not sure that the audience were able to meet their expectations of the half day seminar or the discussions went tangentially away from the expected topic. However I was pleased with the vindication of some of my 25 year old concepts and opening up of some new thoughts for discussion in the future.

Naavi

It is a common practice in business that a successful “Brand” tries to monetize its brand value by extending it to other products of the brand owner. The brand owner may operate multiple entities in different locations which will all be part of the same entity.

Some times, the brand is also shared with others under a “Franchise” scheme with a different legal entity. Franchise contracts may be of different types. Some franchisers place complete restrictions on the way the business is presented in terms of the decor so that all franchise outlets of a particular brand look similar to the customer.

Where possible, the recipe of the service is also controlled by the franchisor though the execution still remains with the franchisee. This is expected to provide confidence to customers that the service would also be similar across all franchisee outlets of a brand. There could however be situations where the franchisee may have a set of services which are additional to that of the brand owner. The franchisee may or may not properly disclose whether the additional services are within the brand or outside the brand.

In the DPDPA scenario this popular marketing concept provides its own complications if the franchisee collects personal data of customers, stores it, processes it, shares it with the brand owner, transfers it across borders etc. Often data breaches occur at the franchisee unit and the questions of liability under DPDPA also may come under question.

Since franchisee units are owned by a different legal entity, the role of the franchisee unit may be that of a “Data Fiduciary” in respect of personal information collected. The customer however provides his information and permissions to use based on the perception that he is providing it to the brand owner.

Currently DPDPA recognizes the role of entities as “Data Fiduciaries” when the purpose and means of processing of personal data is determined by an entity. When more than one entity is involved in determining the purpose and means, all may be called “Data Fiduciaries”.

DGPSI, the framework of compliance has coined a term “Joint Data Fiduciaries” for such contexts though the term is not used in DPDPA 2023 or its rules at present.

However in cases where the Franchisee has complete control on the services or part of the services, the brand owner will be lending his name but not determine the purpose or means of processing.

In such cases the franchisee should ensure that there is a separation of services within the brand and outside the brand so that there is no “Consumer Confusion” which is a trademark violation.

However, if the disclosure is not adequately highlighted, the consumer may consume the services only as a part of the services from the brand owner. When consumer complaints arise in such cases, it will be natural for the consumer to raise the complaint against the brand owner and not on the entity that delivers the branded service.

This raises a huge responsibility/liability for the brand owner since the service contract may not cover all the liabilities that are associated with non compliance of DPDPA 2023 either because the ‘Faulty contract” is the responsibility of the franchisor or because the resources of the franchisee may be inadequate.

In terms of “Risk Management”, in such cases the franchisor holds “Unknown Risks” for the activities of the franchisee.

DGPSI considers that such cases need to be covered both by contract as well as the prominent disclosures (like in a dotted line contract with a dominant party). To address such situations DGPSI recognizes the franchisor as a “Super Data Fiduciary” as he is a “Data Fiduciary” of “Data Fiduciaries”.

Surprisingly, this situation arises in more situations than we recognise, whether it is the Telecom Marketing agent or the Insurance marketing agent or a Bank marketing agent calling on you as a representative of the service provider and not disclosing that he represents a vendor. It also applies to hospitals with independent doctors as consultants, Taxi service aggregators, or the Hotels under common brand name such as OYO, Fab etc.

This interpretation comes out of the unique DGPSI framework of compliance which is rightfully called the “Crown Jewel” of DPDPA Compliance frameworks.

It will take some time for other frameworks and even the rules under DPDPA 2023 to add the word “Super Data Fiduciary” into its lingo. But at present It is the endeavour of Naavi to develop “Jurisprudence on DPDPA” through the DGPSI framework.

When such franchisors evaluate themselves for “Significant Data fiduciary” status, they should consider both the volume of data processed by all franchisees and also the “Risk of the Unknown” and self determine that they are “Significant Data Fiduciaries”. When an officer is appointed by MeitY to issue clarifications, it is better MeitY refers to DGPSI for determining the status of an entity as “Significant Data Fiduciary” or not.

Naavi