Naavi.org

On 7th march 2020, Deccan Herald, Bangalore carried an article by the title “Data Protection or Surveillance”?. The online version of the article  included a powerful video presentation from the Center of Internet and Society(CIS). Earlier in another article the CIS had also provided detailed comments on the PDPA 2019. (See here).

CIS has been in the forefront of many discussions where the inadequacies of the regulations of the Government have been brought to public notice and its contributions to the cause of “privacy” is well noted.

However, of late CIS has been advocating controversial issues as supporting Bitcoin, the “Currency of the Corruption” and now focused on  the law on Privacy. CIS has raised many objections on PDPA 2019 and it appears that it will be happy of the Bill is deferred yet again and put into the oblivion.

If however the Government obliges, CIS could be the first off the block to criticise that the Government has ignored the commitment to the Supreme Court and has no intention in protecting the privacy of individuals. This attitude of “Damned if you do and damned if you don’t” is the typical attitude of some NGOs who can never agree on any positive movement forward. and always have an erudite argument why the proposal is not acceptable.

In Management we speak of a psychological game “Yes…But” propounded by Dr Eric Berne and CIS and some other NGOs have been indulging in while reflecting on the draft PDPA2019.  We need to put such objections in its place and move on.

The objections of CIS on PDPA have been indicated in the following list

1. Executive Notification cannot abrogate fundamental rights
2. Exemptions under clause 35 donot comply with the legitimacy and proportionality test
3. Limited powers of Data Protection Authority in comparison with the Central Government
4. No Clarity on Data SandBox
5. The primacy of Harm in the bill ought to be reconsidered
6. Non Personal Data should be outside the scope of this Bill
7. Steps to greater de-centralization of power
8. Data Must be empowered to exercise responsive regulation
9. No clear road map for the implementation of the Bill
10. Lack of inter-operability
11. Legal uncertainty.

The research team of CIS has also brought to attention several other articles  mentioned here which all add very valuable information to the discussion.

Each of these articles may need separate discussions and we shall try to comment on each of the above in course of time.

I would however try to point out that the Bill is presently in a fluid state and many of the concerns expressed can be addressed through notifications of the Government that would follow and the regulations that the DPA would release in time.

Hence some of the objections are premature.

Instead of pressing on the settling of all these concerns, it is better if CIS admits that it prefers the Privacy Bill to be dropped for the time being.

….To be Continued

Also Read:

“Yes, But People Vs Yes And People”..Wyser

Views expressed here are the personal views of Naavi

The recent Bollywood judgement on Bitcoin from the Supreme Court has given a fresh lease of life to Black Money in India. This is a set back for the efforts of Mr Modi to fight corruption and could be termed as a significant victory for Digital Black Money and “Money Laundering” through legally approved means.

The impugned judgement conveniently said that RBI has the powers to regulate Virtual Currency but however the circular to ban Banks from providing banking facilities to  Bitcoin traders which facilitates money laundering was not “Proportionate” exercise of its powers.

The judgement was no doubt smart since it provided legal sanction to money laundering through Bitcoins and Crypto currency and all criminals are happy. It will benefit all parties on the right side of the Bitcoin lobby who may rejoice and throw around Sathoshis if not Bitcoins during this Holi on all their benefactors. Politicians will enjoy this new mode of payments to replace “Suitcases” if they have to engineer defections or for looting Banks like Yes Bank.

The unfolding of the Yes Bank saga where paintings were allegedly used as instruments of money laundering has brought renewed attention on the Supreme Court judgement on Bitcoins and provides a good advertisement for the use of Crypto Currency for such Money laundering instead of the Paintings. Today ED is perhaps sitting on the evidence of Money laundering in the form of paintings of Rajiv Gandhi and Rahul Gandhi on which crores might have been invested by Yes Bank. This may be even accepted by Courts as evidence since they were not valued or the value could be far less than the amount declared in the transaction etc.

Had the painting been exchanged for 40 bitcoins instead of a cheque for Rs 2 crores, the ED would not have been able to seize the evidence. If the Bitcoin wallet number had been stored secretly in a London abode then the ED could not get a scent of the wealth even in their raids.

I am not here to give a lesson on how to use Bitcoin for money laundering and I have a doubt that the Indian corrupt are intelligent enough to have already found out this route. Perhaps the M F Hussain painting of Rajiv Gandhi was only an old strategy, while several more such transactions have been done later using Bitcoins.

Those who are now rejoicing on their victory in Supreme Court must understand that just as we isolate and quarantine Corona virus victims  for the greater good of the society, the Bitcoin holders should be put under quarantine until our Finance Ministry wakes up to make an appropriate law to ban Crypto Currencies.

This was precisely what the RBI had done by using its regulatory powers on Banks to desist working with the Crypto exchanges. The Supreme Court has however found fault in this strategy because they did not find “Proportionality” in the decision.

Now we need to ask a question to the Supreme Court if they consider even the Corona quarantining is “Disproportionate” use of powers and should be withdrawn on Human Rights considerations.

This judgement has once again proven that given the right kind of advocates, the Courts can be persuaded to agree on some vague technical grounds on which any action even as severe as destroying the Indian economy can get judicial approval.

The final responsibility for doing good to the society is solely with a few persons left in the society like Mr Modi,who still have the power to make laws that Supreme Court should not be able to strike down because it was prepared to be convinced by a forceful argument.

The “Banning of Crypto Currencies” is one such law that needs to be expedited.

Also, a stay on the current judgement of Supreme Court should be sought in a review as otherwise more and more Yes Bank type of deals will be converted from Paintings to Bitcoins.

I urge RBI Governor to take a decision on filing the review petition immediately.

Naavi

P.S: Views expressed here are the personal views of Naavi

Also Read: 

India Ban Overturned, BTC owners warned They’ll lose everything, Holder’s DIgest, Mar.2-8

Kraken Announces Plans to Expand Indian Operations As Crypto Ban Lifts

The Press release by the consortium of foreign companies including the Amazon, Google, Apple, Microsoft, Facebook etc opposing several provisions of the proposed PDPA 2019, have thrown a googly at Mr Kris Gopalakrishna, the chairperson of the committee on Data Governance. 

The consortium which consists of those companies which are worldwide considered notorious for using personal data under one pretext or the other are concerned that the advent of PDPA would hamper their progress. They are therefore raising objections on PDPA though they have adopted to similar provisions of GDPR without a whimper of protest.

“We are concerned that some provisions in the PDP Bill would hamper the country’s economic growth, constrain the ability of companies operating in the market to innovate, and in some cases potentially undermine the protection of Indian citizens’ privacy,”

says the letter reportedly sent by them to the JPC. 

We are happy that they are concerned. But the objections raised by them donot reflect that they are expressing a genuine concern for the Indian citizens though they are expressing concern for themselves which we can concede as their right provided they are not hypocritical about it.

The letter continues to state

“The ambiguity in the definitions, and the restrictions on where data must be stored based on those definitions, presents a serious constraint for many companies when planning their future investments in India,”

It is agreed that every law will have some ambiguities and it will be cleared over time. Even PDPA may need clarifications and it will be clarified mostly when the DPA comes into existence. Some minor clarifications can be made in the Bill and we can hope they would be addressed. Some of these objections of the industry have already been codified by NASSCOM-DSCI whose detailed representation is now available in the public.

What the industry stalwarts are concerned is about Section 33 on Transfer of data outside India and Section 91(2) which states

(2) The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.

Explanation.—For the purposes of this sub-section, the expression “non-personal data” means the data other than personal data.

(3) The Central Government shall disclose annually the directions, made by it under sub-section (2), in such form as may be prescribed

What these companies are objecting is for  the empowerment of the Government  provided in the Act to use the “Non Personal Data” available with these companies which are generated in India to be made usable for the “Better targeting of delivery of service” and “formulation of evidence based policies” by the Government.

It is after the Government conceding the request of these Governments that they should be allowed to transfer the data outside India.

This objection requires to be assessed on the basis of the principle of data sovereignty. If Data is like Oil, the Government of India needs to have some right on the use of personal data extracted from Indian Citizens in India. The section 91 is an empowerment of this provision to be exercised under the post facto supervision of the Parliament.

The tech giants collect the information free from the Indian citizens and make enormous money out of it. But when the Government wants to retain the right to use the anonymized data for the benefit of the Citizens of India, the companies have an objection.

Is this a concern for the Indian Citizens which they are trying to announce through this press release?

These companies need to appreciate that the PDPA is more than generous to recognize their needs of “Processing the data of foreign nationals without the application of PDPA” by a total exemption from the Act under Section 37 which states as under

37. Power of Central Government to exempt certain data processors.

The Central Government may, by notification, exempt from the application of this Act, the processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, including any company incorporated outside the territory of India, by any data processor or any class of data processors incorporated under Indian law.

Have these agencies seen such provision in GDPR?

Similarly in order to support “Innovation”, the Act also provides for a “Sandbox” arrangement under which companies can seek an exemption from the law for a total period of 3 years.

Have these agencies seen such provisions in GDPR?

It is obvious that these agencies are only interested in extracting more and more concessions and if possible delay the passage of the law indefinitely.

By making a statement that they want the passage of PDPA2019 to be deferred until the Kris Gopalakrishna Committee submits its reports, they are expressing faith in Mr Kris Gopalakrishna to provide some relief to them in his recommendations. This has unnecessarily placed him under a radar so that whatever he recommends, it will be seen under the lens of whether it has been influenced by these agencies with whom he had very intimate business relationship while he was working in Infosys.

While we expect Mr Kris Gopalakrishna to be mature enough not to be influenced by the commercial interests of these agencies, it is avoidable that he is put under a pressure by such statements.

Now it will be necessary for him to issue a statement that his recommendations would not be affected by these friendly statements from the agencies who are opposed to the Data Sovereignty principle.

I hope he comes forward with a statement distancing himself from these statements.

In the meantime the JPC may take note that there is no truthful representation in the submissions of these companies and it should not hesitate to revert the Section 33 provisions to the earlier provision where one copy of  all personal data generated in India should be stored in India. This provision was consistent with the GDPR provisions and there is no need to dilute it as long as there are provisions like Standard contractual clauses and Adequacy clauses, Emergency provision and Explicit consent based transfers available to meet specific needs.

The dilution of the personal data local copy clause will hamper the Indian Law enforcement and also the potential to develop indigenous data storage related business.

The threat of these companies that their investments could be hampered, should be also taken note of by the Government and we need to promote more of indigenous competitors to FaceBook, WhatsApp, Twitter and even Google. This would enable reduction of the power these agencies are now using against the interests of the country.

This is the time to once and all determine whether these agencies respect the democratic system of India where they are allowed to flourish without confronting the genuine interests of Indian citizens and the Indian Government or prefer to be marginalized like they have been done in China.

Simultaneously, the Government should recognize that NASSCOM-DSCI has become a close advocate of the views of these foreign agencies and hence any suggestions from this lobby has to be taken with a pinch of salt.

(P.S: These are personal views of Naavi and kindly excuse if it hurts  any other professional in India).

Naavi

Also Read: Hypocrisy of the “Global Trade Bodies” who oppose PDPA

There have been a flash of Press release from a consortium of MNCs namely Amazon, Apple, Google, Microsoft, Facebook and IBM expressing “Concern” over the “Privacy Protection of Indian Citizens” and how the Indian Government is trying to create an Orwellian State. 

See the press release in ET

It was ironic that just a few days back there was a CNBC report, according to which Google had been fined $9.5 billion since 2017 by anti trust regulators, FaceBook, Amazon and Apple are facing investigations across Europe. The probes have been both from competition and Data Protection authorities. 

Google has been accused of “cheating” the public with favouring its own comparison shopping service over Competitor’s by manipulating the search results.

FaceBook has been facing several inquiries by the Data Protection Commissioner of Ireland and other countries.

Amazon is under investigation from  the anti trust watchdog of Germany.

Apple  is being accused of manipulating the App Store fees to put competitors at a disadvantage.

From the above, it is clear that these companies are commercial companies who have no concern for the public except to make money out of them. While this is not too objectionable if they are honest, when they pose as if they are beacons of virtue and start advising the Indian Government why the PDPA is harmful to the interests of Indian societies, we have to point out the credibility of these companies.

New Generation East India Companies

We in India are aware of the invaders from Europe and the Central Asia who plundered the Indian wealth and finally colonized India. All the European invaders came to India for trade and slowly occupied the country. Now the Tech giants are coming back with a similar motive, to now set up colonies in the “Data Rich” India by collecting personal data of Indians and using them for their commercial benefit.

The PDPA therefore has a responsibility to ensure that this “Data Plundering” does not happen. 

A glaring example of this is the way TransUnion took over CIBIL and today controls the critical financial information of millions of Indians. All the Indian Banks who sold their holding in CIBIL quietly to Trans Union without properly informing their share holders of the value of personal data that was going with the sale of equity.  The RBI and the Ministry of Finance remained quiet when this plundering was happening.

(Refer the articles here which detail this Trans Union take over of CIBIL)

Now the “Global Data Companies” are concerned that certain aspects of PDPA try to inassert the Data Sovereignty of India. 

Compared to the PDPA 2018 version, the data localization aspect was very much diluted in the next version and still these companies are not satisfied.

The PDPA 2018 stated in Section 40 as follows:

40. Restrictions on Cross-Border Transfer of Personal Data. —

(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.

(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.

(3) Notwithstanding anything contained in sub-section (1), the Central Government may notify certain categories of personal data as exempt from the requirement under sub- section (1) on the grounds of necessity or strategic interests of the State.

(4) Nothing contained in sub-section (3) shall apply to sensitive personal data.

Under PDPA 2019, this was diluted to the following version:

33.Prohibition on processing of sensitive personal data and critical personal data outside India

(1) Subject to the conditions in sub-section (1) of section 34, the sensitive personal data may be transferred outside India, but such sensitive personal data shall continue to be stored in India.
(2) The critical personal data shall only be processed in India.

Explanation.—For the purposes of sub-section (2), the expression “critical personal data” means such personal data as may be notified by the Central Government to be the  critical personal data.

In the new version the non sensitive personal data can be transferred out of India without any restriction and sensitive personal data can be transferred  subject to certain conditions but a copy has to be maintained in India.

On the other hand, GDPR under article 44 says:

Article 44: General principle for transfers

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

These Tech Companies have not so far challenged the GDPR but are only challenging the Indian law with the assistance of NASSCOM and DSCI which have been endorsing only the commercial interests of these companies ignoring the interests of the country. 

This tech coalition argues that the data localization in whatever truncated manner it remains now has adverse effect on the growth of the country’s economy. This is a false and motivated view. If there is complete data localization as per the PDPA 2018 version, then there would be a significant development of the data storage and data processing industries in India and the entire eco system around Data Centers and Data Security would grow. It is difficult to quantify the benefit without a detailed research but qualitatively, there can be substantial benefit.

It is agreed that this will cause some disruption to the operations of the Tech Consortium and also increase their costs of operation. So did the GDPR. If these giants quietly accepted GDPR and moved on, they should accept the Indian law also and move on.

The one concession that can be granted to them is that the date of implementation of the data localization can be fixed at least 6 months from the date of implementation of other aspects of the Act.

But we strongly recommend rolling back the data localization requirement to the PDPA 2018 version.

The other concern that the Consortium has expressed is about Section 91 which states as under:

91. Act to promote framing of policies for digital economy, etc

(1) Nothing in this Act shall prevent the Central Government from framing of any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse, insofar as such policy do not govern personal data.

(2) The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.

Explanation.—For the purposes of this sub-section, the expression “non-personal data” means the data other than personal data.

(3) The Central Government shall disclose annually the directions, made by it under sub-section (2), in such form as may be prescribed.

This is only an enabling provision and there is no need for these Tech firms to take offence. Once the data is anonymized, it becomes open data and if it can be used for better Governance, these companies should voluntarily come forward to share the data rather than raise objection.

Further this section only says that the Government retains the power to pass another legislation or issue policy guidelines as required to regulate the non personal data. These companies have no jurisdiction to object to this power which is inherent with the Government.

In view of the above, the concerns raised by the Tech Consortium deserves to be rejected.

Naavi

Naavi has been a champion for Cyber Insurance for a long time in the context of Cyber Crimes. Now with the advent of Personal data Protection Act (PDPA) in India, there is a fresh interest on how the liabilities arising out of the PDPA may be covered by insurance.

Recently, the NIA (National Insurance Academy) of Pune organized a seminar in Mumbai (7th February 2020) in which the undersigned expressed some of his views. The session was moderated by Mr Nndakumar Sarvade, CEO of REBIT.

A Video of the talk presented by Naavi is available below.

Naavi

We must appreciate Sri Ashim Sood, the learned counsel who convinced the eminent honourable Supreme Court judges M/s Rohinton Fali Nariman, Aniruddha Bose and V Subrmanian to issue a judgement in the Bitcoin case which is written like a film/drama script where the climax suggests that the hero wins but the villain survives for another day.

Copy of the Judgement

The judgement is written with a “Story line”, “The Setting”, “The Flashback”, “Background Score (of the petitioners), “Script” (Of RBI), “Unfolding of the Plot” and the “Climax” . It will be long debated in the academic circles for the art of judgement writing.

The judgement spread over 180 pages culminates with the ruling that the “Circular of 6/4/2018” in which RBI had restricted the Banks from dealing with the accounts of Bitcoin exchanges was “a disproportionate exercise of power” by the otherwise empowered RBI.

So far, Supreme Court was exercising its powers to intervene in the executive decisions of the Government and now it has assumed powers to also intervene in the executive powers of the regulators. All regulators now have to not only follow statutory powers as enshrined in the law but also be prepared to vet every one of their day to day circulars with the Supreme Court.

In fact it would a good idea to mark the “master copy of all the circulars issued by the regulators to the registry of the supreme court” so that objection if any can be recognized immediately. Perhaps the Cyber Security Framework CSF 2016 issued by RBI and similar notifications can also now be brought before the Supreme Court so that a special bench of the Court can be set up to go through every circular of RBI, SEBI, IRDAI, TRAI etc and check it for “Proportionality”.

The writing of the judgement indicates that the Court has considered the entire thing like a “Drama” and not a “Serious economic issue”. The Court has written a good film script but in the end given an opportunity to the villain (in this case the Bitcoin, the currency of the criminals, terrorists and Black money holders) to be marketed with the slogan… “Supreme Court upholds Bitcoin Trading”.  Most innocent members of the public will consider this a vindication of the Bitcoin as a “Virtual Currency” and will not hesitate to invest in them.

The Supreme Court however has been smart and it can always say that they have not upheld the validity of Bitcoin but only said that there was a disproportionate exercise of power by RBI. It is a clever judgement but lacks an appreciation of a duty of the Court to uphold what is good for the society.

The Reserve Bank, the ED and the Government placed a faith in the Court to clarify the status of the “Virtual Commodity” which is actually misrepresented and used as a “Currency”. Since it is not a currency but is used as a currency, there was the legal dilemma whether RBI has the power to regulate it or not.

The Court could have considered the “Perceived Status of Bitcoin” as a currency as the reality and held that the RBI has the powers to regulate it.  But it took a “Filmy route to an ambiguous climax” that will confound the confused.

It is not clear which of the judges of the bench had this “Bollywood flair” for writing a judgement of this nature but it would make an interesting academic exercise to identify if such a “Bollywood flair” was evident in any of the earlier judgments of the honourable judges of the bench or they were simply inspired by the arguments of the Counsel.

I suggest that IAMAI pay the Counsel his well deserved remuneration in the form of bitcoins and express their faith in the judgement. Never mind if the bitcoin so paid could have passed through the tainted hands and collected from cyber crime victims or the drug dealers or arm dealers or the terrorists and therefore carries the taint in its ownership as a “Non Negotiable Instrument” for which there can be no “holder in due course”.

The Sequel to unfold

Keeping the tradition of the Bollywood to come up with sequels, we should now expect the “Bitcoin Saga-2” in which the hero has to be changed from RBI to the Citizen of India. Since the Citizen of India cannot have the resources to fight the “Digital Black money power” that Bitcoin represents, it is the responsibility of the Government of India to take up the issue on behalf of the Citizens.

Presently the Government has treated Bitcoin with an approach similar to the what allowed Shaheenbagh protests on CAA to flare up into a major catastrophe. By not taking proactive action and blindly trusting the Court to do the needful, the Government erred in the Bitcoin case just as they did in the case of Shaheenbagh protests.

We must appreciate that the Courts like in the case of Nirbhaya have their own priorities. If necessary they meet midnight and take decisions and if not they allow the accused to die a natural death before publishing a reserved judgement.

The Government of Mr Modi and Shah should not be like that of Narasimha Rao or Manmohan Singh which were famous for procrastination and inaction. This Government is better known for action. It should therefore immediately start directing the sequel to this story.

Now that the Supreme Court has accepted that the RBI has the power for regulating Bitcoin but only the means of how it was exercised was wrong, it is time for the Government to understand it has its powers to go through with the draft legislation on Bitcoin which it has already developed and ban private virtual currency concepts such as Bitcoin and others to remain in circulation.

If the Bitcoin community wants to challenge the law, let them do so. Afterall today Indian Government administration is run from the Supreme Court and not the Parliament. Parliament makes the law, the President approves but the Supreme Court has to place its seal of approval to make the President’s approval valid. The supreme legislative authority for the country is no longer the Parliament but is the Supreme Court.

The law on Banning of Crypto currency will also go through the Supreme Court like many other cases which are already before the Court and the Citizens are ready to receive the verdict in the next sequel.

What is important however is that honest citizens of the country have felt that Bitcoin represents “Digital Black Money” and allowing its trading is facilitating the circulation of black money. The Supreme Court through this judgement had failed to recognize its duty to the public but taken shelter under technicalities to uphold the rights of digital black money holders  to continue their transactions in black money.

We call upon Mr Narendra Damodar Das Modi, Mr Amit Shah and Mrs Nirmala Sitharaman and others to come out with the Crypto currency bill right today or tomorrow and place it in the Parliament at the earliest. 

Naavi

Earlier articles on Bitcoin on this site are available here