You are correct but the other side wins… says Supreme Court on Bitcoin

We must appreciate Sri Ashim Sood, the learned counsel who convinced the eminent honourable Supreme Court judges, Justices Rohinton Fali Nariman, Aniruddha Bose and V Ramasubramanian, to issue a judgement in the Bitcoin case which is written like a film/drama script, where the climax suggests that the hero wins but the villain survives for another day.

Copy of the Judgement

The judgement is written with a “Story line”, “The Setting”, “The Flashback”, “Background Score” (of the petitioners), “Script” (of RBI), “Unfolding of the Plot” and the “Climax”. It will be long debated in academic circles for the art of judgement writing.

The judgement spread over 180 pages culminates with the ruling that the “Circular of 6/4/2018” in which RBI had restricted the Banks from dealing with the accounts of Bitcoin exchanges was “a disproportionate exercise of power” by the otherwise empowered RBI.

So far, Supreme Court was exercising its powers to intervene in the executive decisions of the Government and now it has assumed powers to also intervene in the executive powers of the regulators. All regulators now have to not only follow statutory powers as enshrined in the law but also be prepared to vet every one of their day to day circulars with the Supreme Court.

In fact it would be a good idea to mark the “master copy of all the circulars issued by the regulators to the registry of the Supreme Court” so that objections, if any, can be recognized immediately. Perhaps the Cyber Security Framework CSF 2016 issued by RBI and similar notifications can also now be brought before the Supreme Court, so that a special bench of the Court can be set up to go through every circular of RBI, SEBI, IRDAI, TRAI etc. and check it for “Proportionality”.

The writing of the judgement indicates that the Court has considered the entire thing like a “Drama” and not a “Serious economic issue”. The Court has written a good film script but in the end given an opportunity to the villain (in this case the Bitcoin, the currency of the criminals, terrorists and Black money holders) to be marketed with the slogan… “Supreme Court upholds Bitcoin Trading”.  Most innocent members of the public will consider this a vindication of the Bitcoin as a “Virtual Currency” and will not hesitate to invest in them.

The Supreme Court however has been smart and it can always say that they have not upheld the validity of Bitcoin but only said that there was a disproportionate exercise of power by RBI. It is a clever judgement but lacks an appreciation of a duty of the Court to uphold what is good for the society.

The Reserve Bank, the ED and the Government placed their faith in the Court to clarify the status of the “Virtual Commodity” which is actually misrepresented and used as a “Currency”. Since it is not a currency but is used as a currency, there was the legal dilemma whether RBI has the power to regulate it or not.

The Court could have considered the “Perceived Status of Bitcoin” as a currency as the reality and held that the RBI has the powers to regulate it.  But it took a “Filmy route to an ambiguous climax” that will confound the confused.

It is not clear which of the judges of the bench had this “Bollywood flair” for writing a judgement of this nature but it would make an interesting academic exercise to identify if such a “Bollywood flair” was evident in any of the earlier judgments of the honourable judges of the bench or they were simply inspired by the arguments of the Counsel.

I suggest that IAMAI pay the Counsel his well deserved remuneration in the form of bitcoins and express their faith in the judgement. Never mind if the bitcoin so paid could have passed through tainted hands, collected from cyber crime victims or drug dealers or arms dealers or terrorists, and therefore carries the taint in its ownership as a “Non Negotiable Instrument” for which there can be no “holder in due course”.

The Sequel to unfold

Keeping the tradition of the Bollywood to come up with sequels, we should now expect the “Bitcoin Saga-2” in which the hero has to be changed from RBI to the Citizen of India. Since the Citizen of India cannot have the resources to fight the “Digital Black money power” that Bitcoin represents, it is the responsibility of the Government of India to take up the issue on behalf of the Citizens.

Presently the Government has treated Bitcoin with an approach similar to what allowed the Shaheenbagh protests on CAA to flare up into a major catastrophe. By not taking proactive action and blindly trusting the Court to do the needful, the Government erred in the Bitcoin case just as it did in the case of the Shaheenbagh protests.

We must appreciate that the Courts, as in the case of Nirbhaya, have their own priorities. If necessary they meet at midnight and take decisions, and if not they allow the accused to die a natural death before publishing a reserved judgement.

The Government of Mr Modi and Shah should not be like that of Narasimha Rao or Manmohan Singh which were famous for procrastination and inaction. This Government is better known for action. It should therefore immediately start directing the sequel to this story.

Now that the Supreme Court has accepted that the RBI has the power to regulate Bitcoin and only the means by which it was exercised was wrong, it is time for the Government to understand that it has the power to go through with the draft legislation on Bitcoin which it has already developed, and ban private virtual currencies such as Bitcoin and others from remaining in circulation.

If the Bitcoin community wants to challenge the law, let them do so. After all, today the Indian Government administration is run from the Supreme Court and not from Parliament. Parliament makes the law, the President approves, but the Supreme Court has to place its seal of approval to make the President’s approval valid. The supreme legislative authority for the country is no longer Parliament but the Supreme Court.

The law on Banning of Crypto currency will also go through the Supreme Court like many other cases which are already before the Court and the Citizens are ready to receive the verdict in the next sequel.

What is important however is that honest citizens of the country have felt that Bitcoin represents “Digital Black Money” and that allowing its trading facilitates the circulation of black money. The Supreme Court through this judgement has failed to recognize its duty to the public and has taken shelter under technicalities to uphold the rights of digital black money holders to continue their transactions in black money.

We call upon Mr Narendra Damodar Das Modi, Mr Amit Shah and Mrs Nirmala Sitharaman and others to come out with the Crypto currency bill right today or tomorrow and place it in the Parliament at the earliest. 

Naavi

Earlier articles on Bitcoin on this site are available here

Posted in Cyber Law

Certified Data Protection Professional in India…. Second batch to commence in April

Cyber Law College, in association with FDPPI (Foundation of Data Protection Professionals in India), successfully conducted its first course for certification of Data Protection Professionals in India, culminating in an examination held on 1st March 2020.

Now Cyber Law College has scheduled the next batch of the course to commence on April 4th for which registrations are open.

(Copy of the prospectus with application form available here)

An early bird discount of Rs 1000/- is available for registrations up to 15th March 2020. Registrations may close as soon as the target number of participants is reached.

The program would be conducted with weekend online sessions of 90 minutes each by Naavi, commencing from April 4th at 11.00 am. Sessions would be on Saturdays and Sundays and go up to May 10th 2020.

The participants will later attend a competitive online examination, and successful candidates would be issued a recognition as “Certified Data Protection Professional” (CDPP).

Payment options:

For Members of FDPPI: 

(a) Course fee only for FDPPI members

Rs 8500/- with early bird discount, applicable up to 15th March 2020, or

Rs 9500/- from 16th March 2020

(b) Cost of book on PDPA (if not already purchased): Rs 500/-

(Total of (a)+(b): Rs 9000/- up to 15th March and Rs 10,000/- thereafter)

For Non Members:

(c) Membership fee:

Rs 5000/- towards Foundation membership.

Option to become Supporting member at Rs 10000/- also available. (See here for details).

The total fee payable for non members(a)+(b)+(c) would therefore be

Up to 15th March 2020: Rs 14000/-

From 16th March 2020: Rs 15000/-

If the candidate has already purchased the book, they can opt out of the book and pay Rs 13500/- or Rs 14500/- as the case may be.

Payment Link is available here:

Naavi

Posted in Cyber Law

Comments on Nasscom Observations on PDPA

(This is a continuation of the previous article)

Nasscom has indicated 25 recommendations which are listed below with our brief comments.

Some preliminary observations on the Nasscom comments are provided in the table below.

Recommendations on PDPA 2019 by NASSCOM-DSCI, with our comments

Recommendation 1: The definition of SPD should be made explicit, and limited to such personal data which could lead to profiling, discrimination and infliction of harm that are identity driven.

Financial information is important in that its breach is likely to result in harm. The remedy against harm is available even if it is not an SPD.

This, coupled with the ability of sectoral regulators to provide additional safeguards, is the basis for us to recommend that ‘financial data’ should be removed from the category of SPD. In the case of ‘official identifier’ also, the remedy against harm is available even if it is not an SPD.

Accordingly, ‘financial data’ and ‘official identifiers’ should not be treated as SPD, and the definition of ‘health data’ should be limited to data concerning the health of the person. The definition of SPD should ideally be exhaustive, not subject to regular updation. Should the JPC be of a contrary opinion, alternate recommendations (i.e. R 2 to R 5) may be considered.

Comments: Financial data and health data are universally recognized as highly valuable data. Even the dark web places a premium on such data. Frauds are rampant following breaches of such data, and the impact could be devastating.

Nasscom is suggesting this only so that the card processing community may benefit.

The recommendation is not wise and should be rejected.

Recommendation 2: Financial data: In case the JPC is of the contrary opinion, SPD could include an identified sub-set of financial data, which in the opinion of the DPA would suit the definition recommended in R 1 above.

For instance, the subset could be aligned to Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), where financial information is said to include bank account or credit card or debit card or other payment instrument details.

Comments: Not necessary in view of the comment on Recommendation 1 above.

Recommendation 3: Health data: The definition of ‘health data’ should be revised to mean data concerning health of the person, in line with globally accepted definitions of ‘health data’. It should not cover personal data that may be processed as part of the processing of the health data.

Comments: The recommendation does not make sense. Personal data associated with health data is part of the health data. Hence the recommendation is not feasible.

Recommendation 4: Official identifier: In line with the earlier expressed concerns, ‘official identifiers’ should be dropped from the SPD classification; alternately, there should be relaxation of the requirement for seeking explicit consent for the processing of ‘official identifiers’.

Comments: Whenever an official identifier is leaked, the consequence could be a major crime. Hence there is no merit in this recommendation.

Recommendation 5: The power of further classification of SPD should be moved back to the DPA, and there should be a statutory mandate to provide reasons for classifying any ‘personal data’ as SPD, including an account of potential harms that could arise, and a mandate to conduct a thorough public consultation exercise before any personal data is notified as SPD.

Comments: No comments.

Recommendation 6: Contractual necessity should be included as a ground for processing of personal and sensitive personal data, and no additional consent should be required for fulfillment of a contractual obligation.

Comments: Consent can be provided as part of a contract. Hence there is no reason to change the consent requirement.

Recommendation 7: As an individual’s unwillingness to provide explicit consent could lead to a statutory non-compliance for an organisation, compliance with law, or an Order of Court/Tribunal, should be added as an alternate ground to explicit consent for the processing of SPD.

Comments: Agreed, but this is already part of the “legitimate interest” argument that the data fiduciary can advance for such processing.

Recommendation 8: The ground for prompt action in case of individual medical emergencies or in case of public health emergency should extend to personal data, as well as SPD. Alternately, a specific carve-out should be created for the usage of health data or genetic data under this ground, otherwise the intention of creating this ground would be defeated.

Comments: Agreed, but this appears to be available even now.

Recommendation 9: Considering the imbalance of power between the employer and the employee to execute valid explicit consent, processing for the purposes of employment should be an alternate ground for the processing of SPD as well.

Comments: Explicit consent could be part of the employment contract; hence this does not appear to be relevant.

Recommendation 10: ‘Reasonable purposes’ as a ground for processing should extend to both personal data and SPD. There should not be a blanket usage of this ground. The DPA should come out with a code of practice for how an organisation should carry out a self-determination exercise and document the same as evidentiary proof. Such self-determination should take into consideration the rights of the data principals and carry out a balancing test. A prescriptive list and pre-approved list of purposes would be detrimental for innovation and would not be flexible enough to stand the pace of technological development and offering personalised services to consumers.

Comments: This would dilute the provision to the extent that it could be harmful. We already have the instance of TransUnion, which took over CIBIL through the back door along with sensitive information. Repetition of such “data laundering” cannot be allowed. The recommendation does not merit consideration.

Recommendation 11: The grounds relating to ‘functions of the State’ should cover processing of personal data by the State for providing any service or benefit to the data principal from the State; or the issuance of any certification, license or permit for any action or activity of the data principal by the State.

For processing sensitive data, the State should be required to take explicit consent of citizens due to the heightened degree of harm that may be caused to an individual if such sensitive data is misused in any manner.

Comments: There is no need to dilute the powers of the Government in this regard, since the ID of an individual is an important aspect of benefit transfer.

Recommendation 12: The classification of Critical Data should be closely linked to the requirements of National Security. This will limit the impact of stringent localisation and offer certainty to businesses in their data processing activities. Till such time as countries / destinations are not recognised as adequate, critical personal data transfers may be approved on the basis of standard contractual clauses, with additional safeguards.

Comments: This can be left to the wisdom of the DPA.

Recommendation 13: The requirement to obtain an additional consent for cross border transfer should be removed, since it would be onerous for companies, particularly where there is a huge volume of cross border transfer on a regular basis. Moreover, it would be irrelevant to the Bill’s overall intent of effective data processing, since the processing (even in the absence of this additional consent) can only take place based on permitted grounds of processing.

Comments: Whenever consent is obtained, if there is an intention of cross border transfer and it is permitted, the permission can be part of the consent. Hence there is no need to consider this suggestion.

Recommendation 14: Standard contractual clauses and BCRs based on frameworks such as the APEC Privacy Framework and the CBPR should be considered as alternate grounds to processing SPD under the Bill.

Comments: The DPA can always re-endorse the clauses. There is no reason to give up the power of the Indian DPA to foreign agencies.

Recommendation 15: Upfront exemptions, for organisations processing foreign nationals’ data in India, from select provisions, should be considered. This could be important for India to achieve adequacy status from the EU and other geographies. This will suitably ring fence the applicability of the law, without any discretionary powers and process uncertainty. Accordingly, exemptions in relation to processing of foreign personal data should be explicitly provided in the PDP Bill 2019 for certain provisions, especially those referred to below:

a. Restriction on retention of personal data. (Clause 9, Chapter II)

b. Restriction on Transfer of Sensitive Personal Data and Critical Personal Data Outside India (Chapter VII)

c. Act to promote framing of policies for digital economy, etc. (Clause 91)

d. Bar on processing certain forms of biometric data. (Clause 92)

Comments: Presently what is required is a request for notification, which the DPA should approve. This is a minimal requirement that keeps the entity under the radar of the DPA. There is no need to make any changes.

Recommendation 16: In addition, the PDP Bill 2019 should provide that the Central Government may, by notification, exempt the processing of personal data of foreign Data Principals resident outside from the application of any provision of the Act, to the extent that the same is desirable to enable such processing to be in conformity with the requirements of the particular country where the:

a. Data principals are located; or

b. Organisation which alone, or in conjunction with others, determines the purpose of processing of personal data is located, or incorporated.

Comments: The law is for the protection of the privacy of individual citizens in India, and hence non-residents are brought under the law. If the data is collected and processed outside India, it is in any case not within the PDPA. The PDPA cannot otherwise be subordinated to local laws. Occasional overlap where the interests of Indian citizens are involved may be natural.

Recommendation 17: The provision should be removed from the Bill, and issues surrounding non-personal data should be left to be dealt with by way of separate legislation.

Comments: Since this is only an enabling provision, the recommendation is irrelevant.

Recommendation 18: If included in the Bill, the provision should have appropriate safeguards and governance frameworks built in, in the form of:

a. Enterprises that are directed to share such data being required to establish that intellectual property rights exist, or that such data is otherwise confidential and business sensitive, and that disclosure could significantly harm the enterprise’s commercial interests and diminish the commercial value of such data.

b. The Government being required to ask for a reasonable and proportionate volume of data (such as a sample) and required to clearly specify the ground on which the data is being directed to be shared, including the exact policy towards which such data would be utilised.

c. The Government being required to prevent onward disclosure of such data beyond the purposes stated.

d. Accountability provisions for the Government in this regard.

Comments: What may be shared under this enabling provision is anonymized data, and hence the recommendation is not relevant.

Recommendation 19: The Data Protection Authority should have a greater role in ensuring that the provision is exercised only in such instances where the risks of re-identification are minimal.

Comments: Once anonymized, the recommendation is irrelevant.

Recommendation 20: The State and all State and non-State entities with whom any data is shared must be accountable as to the use and disclosure of the data.

Comments: Once anonymized, the recommendation is irrelevant.

Recommendation 21: The provision must ensure that data sharing does not lead to dilution of the commercial value of the data, expropriation of intellectual property rights, or breach of contractual liabilities.

Comments: Once anonymized, the recommendation is irrelevant. The company could in any case guard against IPR infringement by advancing a legitimate interest argument and sharing only such information as does not result in any infringement.

Recommendation 22: A thorough assessment of the costs, benefits, and impact on competition of each direction issued under the Clause, together with a reasoned statement on the intended use of the shared data, and the potential risks of re-identification, must be reported clearly and transparently by the Government agency issuing a direction.

Comments: Not relevant. There is presently no prohibition on companies asking for and getting cost reimbursement. This is a matter of detail which the DPA may consider and, if necessary, subject to adjudication, appeal etc.

Recommendation 23: In order to maintain its independence as a regulator, the DPA should be independently staffed and funded. The JPC may consider reviewing the composition of the selection committee for the DPA and the composition of the DPA, and provide for an independent funding mechanism. The DPA should be advised by domain experts on data protection, privacy, technology and law, and have a hard-coded obligation to consult with industry and other relevant stakeholders, including sectoral regulators, so that it can leverage domain expertise.

Comments: Advice by experts is presently facilitated. Some qualification criteria for composition have been provided. Beyond this, judicial oversight is possible. Hence the recommendation is not necessary.

Recommendation 24: The Bill should provide for clear and unambiguous principles that should form the basis of the DPA’s discharge of functions, including the issuance of rules and regulations, together with the obligation for the DPA to conduct its business in a transparent and consultative manner. While the Bill provides for the DPA to undertake consultations, the process of undertaking consultation should be provided in the law. The recommendations of the Financial Sector Legislative Reforms Commission (FSLRC) on regulatory governance as encoded in the draft Indian Financial Code should be used as a reference and similar provisions should be drafted in the PDP Bill 2019. A model consultative process is suggested.

Comments: The Bill has provided the broad guidelines and the rest will have to follow in the regulations. There is no need to put any further constraints on the DPA.

Recommendation 25: The Bill should remove criminal liability for contraventions of the provisions of the Bill and limit the circumstances for individual liability to situations in which it is proven that the relevant individual possesses an appropriate level of culpability for alleged violations. Given that some of the processing steps could involve new technology, and there may be good faith processing interventions that hinge on subjective opinions, an efficient enforcement mechanism with monetary relief would ensure that the rights of data principals and the interests of fiduciaries and processors are protected.

Comments: Presently only malicious re-identification qualifies for criminal punishment. Removal of this sole provision can be considered, but it will dilute the deterrence effect of the Act.

In fact it should be considered whether the section could be broad-based, so that “any malicious contravention with knowledge” would be considered an offence.

Safeguards such as the offence being cognizable only when the DPA files a complaint can remain. Bailability can be added as a further safeguard.

More detailed discussion can follow. But at first glance the recommendations are disappointing and do not reflect the expertise that is available to NASSCOM-DSCI to suggest positive changes. In any case, most of the recommendations are relevant only after the Act is passed, and there is no need to be too concerned at this stage. The DPA has the power to make the necessary regulations to meet most of the genuine concerns that NASSCOM may have, and there is no need for all of these to be addressed through the Bill.

Naavi

Posted in Cyber Law

What is Nasscom up to?

The comments submitted by Nasscom-DSCI on the Personal Data Protection Bill 2019 make interesting reading.

The copy of the submission is here

So far, whenever a law related to the IT industry was drafted, NASSCOM was a close confidant of MeitY and a trusted advisor. But now it appears that NASSCOM is clearly on the side of the multinational industry players who want a Privacy law which protects MNC business interests more than it protects the Privacy of individuals. DSCI obviously follows the views of NASSCOM, and hence both have submitted a joint view.

The document is a fairly long document and consists of four parts. The first part is a recommendation of the principles for effective Personal Data Protection, the second is a list of key concerns, the third is a list of clarifications sought and the fourth is a clause by clause comment on the PDPA 2019.

Before going further into understanding what Nasscom wants and why it takes a specific stand, we must note that what we are now commenting on is the text of the “Act”, and once the Act is passed, there will be several notifications that the Government will make. Thereafter, there will be an organization called the Data Protection Authority (DPA) which will come up with many more regulatory guidelines. Each of these, namely the Act, the Notifications and the Regulations, has a certain scope and purpose. The Act cannot be the notification and the notification cannot be the regulation.

It is not advisable for law to be too detailed so as to make it very rigid. On the other hand, it is possible for some flexibility to be built into the Act so that the later notifications and regulations can take into account the requirements that would unfold over a time.  Many of the suggestions that Nasscom has provided under the first part are already addressed in the Act and many other suggestions are meant for the notifications and regulations.

Hence we can ignore most of the 43 page document and look at the essence of the recommendations given.

…To be continued

Naavi

Posted in Cyber Law

Justice Srikrishna is needlessly harsh



Justice Srikrishna calls new Data Protection Bill a blank cheque to the state (https://in.finance.yahoo.com/)

This picture appeared in an article on Yahoo.com yesterday and quotes Justice B N Srikrishna, who authored the famous report on Data Protection which finally led to the current version of the Bill that is before the JPC for finalization. It also features a DSCI representative who was part of the Srikrishna Committee and submitted a dissenting note on Data Localization. It also has other vocal champions of Privacy who have been clearly opposing the Bill for many reasons. Cumulatively the group wants the Bill not to be passed in the near future unless major changes as suggested by them are incorporated.

None of these people can say that they do not want the Bill to be passed, since they have themselves once demanded a strong legislation on Privacy Protection; their objection is that the law is not to their liking.

Considering the respect that Justice Srikrishna commands, it is necessary to check what his main objections to the latest version of the Bill are and whether they are indeed justifiable.

There are two main objections that Justice Srikrishna has.

The first is that the committee which selects the DPA consists of the Cabinet Secretary, the IT Secretary and the Law Secretary and does not consist of the Chief Justice of India as he recommended.

The Second objection is that under Section 35 of the proposed Act, the powers with the Government to exempt itself from the provisions of the Act are unwarranted.

Appointment of DPA

Let us take the first objection. According to Justice Srikrishna, the new provision “does away with the Judicial Oversight completely” in the selection of the DPA. In his view, judicial oversight is required right at the selection of the members of the DPA.

What this means is that Justice Srikrishna wants the DPA to be elevated to the level of the Chief Election Commissioner or the CVC, or a judicial appointment like a Tribunal. The Government however has considered the DPA as more like TRAI, IRDAI or SEBI. It is a body to regulate a certain industry segment. While other regulators are meant to regulate all aspects of a given industry sector, the DPA regulates one aspect of business, namely “Personal Data”, across multiple industry segments. It does not even regulate “All Data”. The objective of this law is to bring Indian Data Protection regulation on par with the global approach.

It is not necessary that every top appointment of the country is made only with the involvement of the CJI. If this argument holds good for the DPA, then the question arises why the CJI should not be involved in the appointment of the RBI Governor, or the IRDAI Chairman or the TRAI Chairman. A question can also be raised on why the leader of the opposition in Parliament should not be made part of the selection panel.

While the demand to raise the DPA to the level of a Constitutional position is laudable, one has to point out that this expectation is impractical.

We can note that the Act prescribes some criteria, such as 10 years of experience in a relevant field and an age limit of 65 years, for persons to be appointed to the DPA either as chairman or as members. It is well known that “Privacy” is a concept which we Indians never considered a great virtue in the past. India has always supported “Freedom of Expression” as a key right, much more than Privacy. The concept of Privacy, and more importantly the concept of “Data Protection for Privacy Protection”, is a concept popularized by the EU, and it is not easy to find persons with “Experience” in “Privacy Protection through Data Protection”. We may be able to find persons who have been in “Information Security for more than 10 years” or “Advocates who have fought privacy related cases in the Courts”. But finding a person with 10 years of experience who understands the current “Techno Legal concept of data protection for privacy protection” is not easy, since not many are available in the field.

Had the CJI been in the selection committee, his knowledge of people would have been restricted to judges and advocates, and not to who amongst them understands concepts such as Artificial Intelligence, Big Data, Anonymization, Pseudonymization, Privacy by Design, or data protection frameworks under ISO 27701 or PDPSI etc. He would have to depend on the IT Secretary for such information. Now, between the IT Secretary and the Law Secretary, a short list of knowledgeable persons can be made, and the Cabinet Secretary can act as the third wise man to facilitate the final choice. A CJI in a similar position would have an overbearing influence in making the DPA look more like a judicial forum rather than a body that can regulate the Data Protection ecosystem.

At the same time, the appointment of the Chairman or other members can always be challenged in the Supreme Court if a person with no credentials is appointed.

Had the appointment been made unimpeachable even in a court of law, the allegation could have been accepted. Just because the CJI is not involved in the appointment, holding that judicial oversight is completely ignored is unacceptable.

Powers of the Government

The second objection raised by Justice Srikrishna is on Section 35, which provides an exemption to the Government under the kind of reasonable exceptions that the Constitution provides for all fundamental rights.

Justice Srikrishna appears to want to make the PDPA more stringent than the Constitution and to restrict the powers of the Government even beyond what the Constitution itself does.

In the earlier version (PDPA 2018), it had been stated:

“Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved.”
“Processing of personal data in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law shall not be permitted unless it is authorised by a law made by Parliament and State Legislature and is necessary for, and proportionate to, such interests being achieved.”

The above were in addition to the exemptions provided for legal proceedings, research etc.

The essential difference lies in the legal implication of the way the restriction was expressed. In the new version the provision is stated differently, as:

“Where the Central Government is satisfied that it is necessary or expedient,—
(i) in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order; or

(ii) for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order,
it may, by order, for reasons to be recorded in writing, direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data, as may be specified in the order subject to such procedure, safeguards and oversight mechanism to be followed by the agency, as may be prescribed.”

Both versions provide that exemptions are available for the security of the State and that they would be subject to necessary safeguards.

The objection is therefore more a clash of drafting technique. We know that the Supreme Court has read meaning into even our Constitution where there was no specific mention of a provision (read the judgements on Aadhaar and Privacy) and has ignored the specific words of a law many a time (the scrapping of Section 66A of ITA 2000 is an example). Hence, whichever way the Act is drafted, the Supreme Court has the power to interpret it in its own way, and so there is no harm in the wording either as PDPA 2019 has expressed it or as PDPA 2018 had expressed it.

There is no doubt that Justice Srikrishna appearing alongside the traditional opponents of the Bill, who mainly opposed the Data Localization part of the Bill which Justice Srikrishna himself had drafted, puts the Government in an embarrassing light. But Justice Srikrishna has failed to explain why he is no longer supportive of the data localization aspect that he himself recommended, and from which Ms Rama Vedashree, who was part of the committee, had dissented.

The MeitY in its new version has yielded on the earlier objections on data localization, which was also a setback to the persons who supported the upholding of the “Data Sovereignty” principle and the possible economic benefits of data localization. I wish the JPC would have the courage to reverse this amendment and go back to the earlier version of data localization, where it was mandatory to keep a copy of all personal data transferred out of the country.

A third aspect which Justice Srikrishna brought up in the round table reported by Yahoo is a new objection he has added, relating to the “Social Media Intermediary” provision and the inclusion of non-personal data. He is quoted as having expressed that these should have been left out of this law, without substantiating why he feels so.

The provision on social media intermediaries, as well as the empowerment to seek anonymized community data, have certain reasons behind them, and hence there is no need to make any changes therein.

(Views expressed here are the views of Naavi as a person and comments are welcome)

Naavi

P.S.: People in the above photograph, left to right: Saikat Datta, Ashutosh Chadha, Justice BN Srikrishna, Rama Vedashree, Shashank Mohan and Parminder Jeet Singh.

Posted in Cyber Law

Let’s together build Knowledge with Attitude and Commitment

Naavi.org was started (first as naavi.com) way back in 1998 with the objective of contributing towards “Building a Responsible Cyber Society”. In the process it continued to contribute towards “Developing Cyber Jurisprudence” by promoting independent interpretation of different aspects of Cyber Law, such as the electronic evidentiary aspects ingrained in the Section 65B concept of the Indian Evidence Act.

The time has now come for Naavi.org to extend this service to the Cyber Community in India by contributing towards the development of a Data Protection ecosystem on lines that will benefit the Citizens who look forward to Data Protection as a means of Privacy protection, without either destroying the development of the industry or neglecting the needs of the Government.

We believe in coexistence and do not believe that “Privacy” is an objective to be reached at any cost, sacrificing the need for coexistence with the Security of the nation and the growth of the industry. Naavi believes that the Supreme Court meant the same when it held that Privacy is a fundamental right subject to reasonable restrictions.

We therefore reject many of the criticisms of the law which state that the PDPA as it is envisaged now will create an Orwellian State, or that data localization will harm the industry.

Naavi.org, along with the associated activities of Naavi such as Cyber Law College, will therefore now focus on how to ensure that the proposed Data Protection law in India rolls out at the implementation stage achieving the delicate balance between Privacy, National Security and Industrial growth.

In this direction, Cyber Law College of Naavi conceived and implemented the first of the Certification programs creating awareness of data protection law in India, in association with the Foundation of Data Protection Professionals in India (FDPPI).

FDPPI has now become the pioneer in India for the development of the skills required to be an efficient Data Protection Officer in India. FDPPI’s “Certified Data Protection Officer” program has already been rolled out, with the first batch of the first module of the program having been completed on 23rd February 2020.

FDPPI’s program for the development of skilled DPOs in India is conceived with the vision of developing an all-round DPO personality, which includes “Knowledge with Attitude and Commitment”.

“Data Protection” is not simply understanding the clauses of the PDPA. Being aware of the law is only the knowledge part. The attitude part covers preparing the DPO to tackle challenges on three fronts, namely being answerable to his boss within the organization which pays his salary, to the DPA which has a duty to protect the Privacy of Indian individuals, and to the Data Principals who look at the DPO as the custodian of their Privacy Rights.

While most of the international certification programs end with the testing of knowledge of the law, FDPPI’s program as of now treats knowledge of the law as only one of several modules in the development of a DPO.

Module 1 (or Module-I), which was completed recently, covered Indian law as it stands at present, along with a comparison with GDPR, which is the other globally known law.

The future modules envisaged are

Module 2: (Module I+)

More on Indian law, once the law is passed into an Act, a DPA is appointed and the DPA issues some basic regulatory guidelines. This program will only be undertaken after the required developments take place; hence we need to wait for some time to roll out this module. (Eventually, Modules I and I+ would be merged into one.)

Module 3: (Module T)

This module will cover the technology related knowledge essential for an efficient DPO. It will cover the technologies required for compliance and will also discuss the challenges to data protection arising out of new technologies, particularly in the fields of AI, Big Data, Encryption etc.

Module 4: (Module B)

This module will cover the behavioural aspects of an efficient DPO. It will cover interpersonal relationship skills including Leadership, Decision Making, Motivation, Team Building, Counselling, Conflict Resolution etc.

Module 5: (Module G)

This module will cover a study of at least 5 international data protection laws, including an in-depth study of GDPR and the Data Protection laws applicable in the USA, along with other relevant laws such as those of Singapore and Australia, as well as one optional country. This would be more an extension of the “awareness of law” from the Indian laws covered in Modules I and I+ to the global scenario.

Module 6: (Module A)

This module will cover the skill requirements of a “Data Auditor” and follows Modules I, I+, T and B. It will encompass the system audit and the information security audit, and focus more on the harm audit, the DPIA and the annual data audit requirement under the law.

It is expected that in due course Modules I and I+ will be merged into one, while the other modules T, B, A and G will remain independent.

FDPPI has rolled out this plan of action, and Naavi’s Cyber Law College will initially implement many of these modules as if it were an in-house implementation agency for these ideas. The objective is that when the Indian DPA is looking for professional help in designing its codes and practices, and when conscientious industry players are getting ready in advance to be compliant before it becomes compulsory, there will be a helping hand nearby with trained DPOs and Data Auditors.

At the same time, FDPPI wants to extend partnership opportunities to other professional organizations which may have expertise in specific areas suitable for the different modules. They will work on a non-exclusive basis to design and implement the training programs under these different modules. Some of the partners could work with a regional focus and some could work pan-India. Cyber Law College will assist this effort by gradually moving out of training responsibilities to the responsibility of coordinating the evaluation aspects involved in the Certification.

It is time, therefore, for interested organizations to come together and support FDPPI in its endeavour to build a Knowledgeable, Efficient and Ethical ecosystem for the Data Protection industry in India. On behalf of FDPPI, I urge organizations and individuals interested in being training partners for the FDPPI Certified Data Protection Officer program to get in touch with FDPPI at the earliest.

Naavi

Posted in Cyber Law