Calling attention of the Chief Minister of Karnataka and The Commissioner of Police

It was reported yesterday that several robberies took place on the Nice Road. One of the persons who met the victims has filed the following report:

Quote:

Guys, there was an attempted robbery at knife point on me at Nice road a couple of hours ago. Thankfully, I could escape in time or I’d have lost everything.
After me, the thieves have robbed 6 more people in the same stretch. One couple going in Activa, one couple going on a Pulsar AS200 and one family going in car. The thieves had longs, daggers and sharp knives and other lethal weapons.

Multiple phones, debit and credit cards, gold ornaments have been stolen from those 3 other cases. Their vehicles have been damaged and their keys were thrown off as soon as they stopped them to rob them.

One guy has assault marks on his face, one girl was slapped hard, one more guy was at knife point while the girl with him escaped to the opposite side to shout for help.

I ripped and escaped from them and came to Hosur toll and informed authorities. Highway Patrol was sent out and the thieves were searched but in vain.

By the time I was done reporting this incident at the toll, the other 2 couples came in and reported their incidents. While we were talking to the authorities, a live news came in saying that a car glass was shattered using a long and the family was robbed.

All of us are at Electronic City police station right now to lodge FIR’s on our respective incidents. Nobody is injured. All are safe. Only one guy was bleeding from his nose and head but it was minor.

This is to inform you all to be safe and DO NOT travel on NICE road at night. I have tweeted to Ashok Kheny on the safety measures and have informed my lawyer on the same. If at all any legal proceedings happen, I will keep you all updated.

I’m safe, the bike is safe, just in the nick of time and sheer luck and thinking.

Be careful….

Unquote:

This is a serious law and order situation that needs to be addressed by the Police and the Government immediately. The Karnataka High Court should take cognizance of the incident and order immediate remedial action.

The Nice Road is gated at both ends and there is CCTV surveillance at the entrance and exit. It is a “Private Road” owned and operated by a company and the entire responsibility for the incident should be borne by the owners. It is necessary for the Police to immediately arrest Mr Ashok Kheny and hold him responsible.

The robbery could not have taken place without the connivance of the staff at either end of the tolls and all the staff members who manned the relevant gates should be questioned.

It is possible for the public to boycott Nice Road but this will create more traffic problems within the city.

Hence the Government should immediately take over the Nice Road from private management, cancelling the maintenance contract, and take necessary security measures including setting up of police pickets at frequent intervals and CCTVs throughout the road with proper lighting.

The High Court normally favours the contractor in such cases but it should take a citizen-centric decision in ensuring that the contractor is responsible.

If somebody can file a PIL in this regard, it is welcome.

Will watch the developments to see how the Police handles this issue.

Naavi

Posted in Cyber Law | Leave a comment

Breach Candy data breach incident could be the “I Love You” moment

In India, we are 20 years into the period since civil liabilities arising out of Cyber Crimes became legally enforceable through a process of Adjudication. Since then, victims of Cyber Crimes have been searching for Cyber Crime insurance. In June 2001, the RBI mandated that Banks should hold Insurance against losses arising out of hacking, denial of access etc. However, it was not until the last few years that individuals in India could take Cyber Insurance policies. Corporates were offered cyber insurance policies a few years earlier, with first party losses and third party losses covered.

The industry is however still far below the state of maturity that is acceptable to the consumers in the country. To put it mildly the policies are constructed without an adequate risk assessment and consumers may be left feeling that the risk coverage is far less than what they would expect at the given premium.

The reasons could be many. For a long time the insurance industry could say that the law was inadequate, the judicial system was ill equipped, crime metrics were not available, the risks were too huge to be covered etc. But these excuses are not unique to Cyber Risks. Such risks have been there in every field and the industry has found ways and means to address them. What has been lacking is the willingness of the insurance industry to take the plunge.

In such a fluid state, the new Act namely the Personal Data Protection Act (PDPA) will come into operation shortly and cause disruption of unprecedented magnitude in the coming days in the industry. 

The data breach reported about the Breach Candy hospital in Mumbai where 1 million patient records and 120 million medical images have been breached has jolted the health care industry. Most of the prudent managements would like to know what could be their liabilities in such cases after PDPA comes into force. The impact of this breach will be extending beyond the health care industry and affect other industries as well.

In India the possibility of individual patients making a claim for loss arising out of the data breach may still be low. Most individuals cannot quantify the loss and their claims would therefore look arbitrary. However, the Data Protection Authority (DPA) in such cases can easily impose an administrative penalty which at the minimum could be Rs 15 crores given the sensitivity of the information and the volume of the breach.

There is however a possibility that thousands of patients who have ever undergone any treatment in Breach Candy hospital may send out e-mails to exercise their “Right to information” and ask if their personal information has been breached. They may also ask for porting of their information, including their medical profile, back to them for better safety, and for erasure of the data in the hands of the hospital. The insurance companies may be fishing for information that would help them reject claims of some of their customers or rework their premium upwards based on the leaked information.

Acknowledging and answering such e-mails and resolving the disputes without creating another “Bhopal Tragedy type litigation in the Courts” will require a new “Dispute Resolution Company” to be set up by the Breach Candy hospital. 

In all this confusion, there would be a doubt as to whether the leaked data is in fact the correct data. There would be many Phishing fraudsters who would try to come up with their own versions of fraud to further cheat the victims of the data breach in their own innovative manner. All the patients of the Breach Candy hospital may receive e-mails from fraudsters offering them help in getting compensation, and this could itself lead to identity theft and further banking frauds.

Mumbai police have to warn the public about such a possibility.

It is obvious that society cannot let an incident of this type run riot and damage the business of private hospitals. What has happened today to Breach Candy hospital can happen to Apollo tomorrow and Fortis the day after. The community should therefore ensure that this type of incident is treated like a disaster which is definitely unwanted but something that needs to be faced with courage and pragmatism.

The Insurance industry has a big role in finding a way forward on how we face such data breaches in the current legal regime before PDPA and after PDPA comes into existence. Currently it is the duty of CERT-In to investigate and find out why and how this breach happened and how it can be prevented in future. The Ministry of Health has come up with guidelines on EHR management and the protocols used for storing of medical images are supposed to be a global standard. It is possible that Breach Candy hospital had implemented Privacy and Information Security standards equivalent to HIPAA requirements.

It is clear that these measures have not helped in preventing the breach. It is possible that the root cause of the breach may not be a sophisticated hack but only a simple password related negligence or lack of encryption. The reasons should be analysed and lessons learnt.

If all hospitals now rush to get Cyber Insurance cover, there is a need for the insurance companies to be able to respond positively. But in writing any policy at this time, they need to take into account the emerging PDPA law that may be in place in the next few months. Hence, the first version of the “Post PDPA Cyber Insurance Policy” should be what these insurance companies need to offer.

For the industry which is still struggling to structure policies for the 20 year old Cyber Crime risks, the challenge of writing the policy for PDPA risks would be almost impossible, at least for now. The Indian Companies may only look at the Re-insurers abroad and structure their policies based on what the re-insurers suggest. This may require time and may continue to be deficient in meeting the requirements.

The IRDAI should therefore step in and form an expert committee of the Insurance industry to study the impact of PDPA on the Insurance products and draw up a specific PDPA Risk coverage policy template, much the way RBI set up the S R Mittal working group in 2000 immediately after ITA 2000 was notified, which came up with the Internet Banking guidelines in June 2001.

Other sectoral regulators should also take cognizance of the emerging law and within their own sectors come up with PDPA related codes and practices that could be adopted by the DPA when it comes into existence.

The process of understanding the law and coming up with a set of suggestions is a time consuming affair. Hence these sectoral managers should start their action now rather than waiting until the Government passes the bill, appoints a DPA and the DPA in turn sets up its office and is ready to issue guidelines of its own.

It is to enable such introspection within each industry that the undersigned published his book on PDPA which is presently in e-book format and shortly would be available in print form too. Hopefully the industry would be equally concerned in starting their compliance exercise without any excuses.

When the Information Technology Bill 1999 was introduced in the Parliament in December 1999, Naavi had released his first book on Cyber Law titled “Cyber Laws for Every Netizens” with the hope that it would help the legislators while passing the law. It is with a similar objective that the book on PDPA has also been released, though many may feel that it is premature to read the law before it actually gets passed. Even in 1999, the Bill was languishing in the standing committee and nobody was sure when it would be passed. But suddenly a virus called “I Love You” hit the global scene and the standing committee suddenly woke up and the law got passed in a hurry.

It appears that the Breach Candy incident will be a similar jolt to the Ministry which may ensure that the Bill gets passed in the current budget session as planned.

If that happens, we can say “I Love you Breach Candy”… because something good can happen to the community as a result of this mishap.

There is a wise saying that “It is not the way we fall that matters, but the way we get up”. This applies to the Breach Candy hospital as well as the regulators and the legislators who are considering the passage of the Bill.

Naavi


Breach Candy data breach may expedite passage of Personal Data Protection Act

According to news reports published today, over 120 million medical images of Indian patients and 1 million medical records got exposed due to a cyber incident. The records have been made freely available online by the attackers.

The records compromised included the patient records and scans and images with details such as the name of the patient, their date of birth, the national ID, name of the medical institution, their medical history, physician names and other details that are meant to be classified.

The incident is believed to have occurred due to the compromise of industry protocol for medical image storage and could have resulted from compromise of passwords of authorized persons.

While incidents of this sort could be termed privacy infringement and the hospital could be liable for claims of damages from the affected patients, had the PDPA (Personal Data Protection Act), which is expected to be in place shortly, been in place, there could have been a hefty penalty imposed on the hospital by the Data Protection Authority.

For the time being the Breach Candy hospital may escape liability, but just as the “I Love You” virus expedited the passing of the Information Technology Act in 2000, the Breach Candy leak could expedite the passage of the PDPA bill presently in the Parliament.

Naavi

Also refer: Economic times article

A Golden Era for Insurance Industry ushered in through Personal Data Protection Act of India

As the Personal Data Protection Act of India (PDPA 2020) gets ready to make an entry into the Indian legal landscape, the Insurance industry is looking at the new opportunities that are being opened up by the law. Following the recent global trend, the penalties under PDPA 2020 are set at 2% or 4% of the global turnover of an organization depending on the type of offence. Even the Government departments could face penalties up to Rs 5 crores. Hence the industry would be desperately looking for cover against the PDPA Risks.

The Cyber Insurance industry was extremely lethargic when it came to the introduction of Insurance covers for Cyber Crimes. India came up with laws on Cyber Crimes and creation of liabilities for organizations arising out of Cyber Crimes way back in 2000 with the ITA 2000. The amendments in 2008 increased the responsibilities of intermediaries in IT service. The RBI way back in 2001 suggested that the banks cover the hacking and denial of service risks with cyber insurance. However the Insurance industry could not come up with proper insurance covers until recently. Personal cyber insurance policies in particular came on the scene only during the last few years and are yet to be popularized.

The Cyber Insurance policies basically cover the first party risks where the insured suffers loss of data, loss of production, loss of intellectual property or reputation loss. With Ransomware being on the prowl, ransom payments are also covered by some of the policies. Additionally, third party risks involving claims of damages by personal data owners on account of a cyber attack are also covered in these policies. Some of the policies which cover employee misconduct or technical errors are also often called Cyber Insurance policies though they are different from Cyber Crime Insurance policies in concept and risk coverage. The policies issued to the corporates are largely based on the reputation of the organization. It is unclear to what extent the “Security Status” of an organization is factored in when the premium is fixed for such policies.

In 2015, when Naavi.org conducted a national survey to understand the Cyber Insurance preparedness in India, the results showed very little involvement of Cyber Security professionals in the determination of Cyber Insurance coverage in companies. It appears that the situation has changed for the better in recent days, since some Insurance companies are now claiming that they are looking at the security preparedness of an organisation, such as whether the organization has an “ISMS policy”, whether an IS audit has been conducted, etc.

Even before the Cyber Insurance products reach a level of acceptable maturity, the PDPA 2020 will usher in a new era in Information Security that will need a fresh look at Insuring PDPA Risks.

One of the first challenges that PDPA brings in is that it takes the financial liability risks to a far higher level when the insured asset is “Personal Data” of individuals as against the “Business Data” or “IPR data”. Theoretically the risks can go up to 4% of the global turnover and any insurance for a lesser level would amount to “Under insurance”.

The second challenge is to identify the “Insurable Asset” for which an effective “Data Classification” policy and implementation mechanism should be present in the organization.

The third challenge is to track the “Personal Data” in an organization through its “Life Cycle”, during which its insurable value may fluctuate. As “Raw Data” becomes “Personal Data” and then migrates to the state of “Sensitive Personal Data”, its insurable value changes. Similarly, the personal data life cycle, which is “Reversible”, may see a change of insurable value when sensitive personal data is de-sensitized or de-identified or pseudonymized or destroyed. When the life cycle of personal data is reversed, there would be costs to be incurred for each change of status but the market value of the data may actually decline. When reverse life cycle operations are implemented, the end result could be of lesser or zero value but the operation has a cost which the insured would like to identify as “Cost of Maintenance of Personal Data”. Will this be “relevant cost” for insuring? Will the change in value of the data as it moves between different life cycle stages get reflected in the valuation of personal data either at the time of insuring or when a claim is to be assessed?

When the PDPA risks are to be computed for the purpose of underwriting, it must be remembered that liabilities of administrative fines may arise even when there is no data breach. Hence the Insurance industry may have to assess its risks based on what steps the insured has initiated for mitigation of risks. Such steps include the “Maintenance of Personal Data” and the policies of anonymization, de-identification/pseudonymization etc., besides the usual policies such as access control, encryption, data breach incident identification and reporting system, grievance redressal system, the conduct of DPIA, appointment of DPO etc.

In settling claims, it would be necessary to consider all aspects which are normally considered in a Cyber Crime insurance policy such as the legal costs, investigation costs, etc., but also the valuation of personal data in the hands of the organization, the value additions that the organization might have created in the form of “Profiles” and the value of personal data in the hands of the data principals (or data subjects as they may be called elsewhere).

Hence, while PDPA 2020 will usher in a golden era for Insurance Companies in India, it will need a new policy structure and new management requirements. Exciting days seem to be ahead of the insurance industry as we await the passage of PDPA 2020 in the budget session of the Parliament this year.

Naavi

The Visakha Industries judgement on Section 79 of ITA 2000

On December 10, 2019, an important judgement of the Supreme Court was published in the case of Google India Vs Visakha Industries Ltd. The judgement was delivered by Justices K.M.Joseph and Ashok Bhushan.

The most important takeaway from the judgement is that Section 79 of ITA 2000 protects a category of IT service companies from liabilities arising out of action of third parties. But for incidents prior to 27th October 2009, protection is available only for offences under ITA 2000, while protection after 27th October 2009 is for offences under any law. Hence in case of “Defamation”, which is an offence under Section 499 of IPC, protection would be available only if the incident is after 27th October 2009. The instant case involved an act of publishing of some information in a google group which the petitioner (Visakha Industries) alleged was “defamatory” and it occurred prior to 27th October 2009. Therefore the owner of “google group” was not eligible for protection.

The petitioner had preferred a criminal defamation complaint in a magistrate’s court in Secunderabad based on which a summons had been issued to Google India. Google India refused to accept the summons and went on appeal to the High Court. The High Court rejected the appeal and hence Google India approached Supreme Court resulting in the judgement on December 10, 2019 again rejecting the appeal and ordering Google to attend the trial back in the Magistrate’s court.

The entire journey commenced with an article dated 21st November 2008 titled “poisoning the system: Hindustan Times” and after 11 years the case goes back to trial. During this time the entire environment has changed. There was an amendment to the ITA 2000 passed in 2008 and notified with effect from 27th October 2009. In this amendment, Section 79 of ITA 2000 addressing the vicarious liability of a Network Service Provider/intermediary was amended and Section 66A was introduced. Then on 24th March 2015, Section 66A was held “Unconstitutional” in the Shreya Singhal case and scrapped. On December 14, 2016, the Sharat Babu Digumarti Vs Union of India judgement from the Supreme Court made some observations on the overlapping provisions of IPC and ITA 2000. Additionally, Section 65B of the Indian Evidence Act, which was present since 17th October 2000, got renewed support with the Supreme Court judgement on PV Anvar Vs P K Basheer. All these make our vision of the case blurred unless we carefully sift through the changes the law has undergone.

When the Supreme Court gave its judgement in the Visakha case, it had to decide whether it should apply the law as was prevailing on the date of the incident or take into account any of the developments that occurred subsequently.

The judgement is noteworthy since it discussed many issues of law in detail including international jurisdiction, the role of a parent company and the subsidiary, the concept of due diligence etc. There are several points of learning about the thinking of the Supreme Court on some of these issues which will be coming into discussion in the lower Courts.

However, we need to point out two specific observations while analysing the judgement which point to the shortfalls that can be attributed to a judgement of this nature.

One observation is that, if the dispute could have been resolved by reverting the trial back to the magistrate’s court because the higher court opined that protection under Section 79 was not applicable to the appellant, it would have been sufficient if the judgement had confined itself to this point alone.

In that case, the trial Court could have examined the case in its own wisdom free from the influence of the views of the higher court as expressed in the judgement. By expressing its views on issues other than the core issue, the higher court has now placed a restraint on the lower court from taking independent view on the several collateral issues that are involved in the case.

The higher court was always capable of visiting such issues after the trial was completed in the lower court.

Hence the judgement appears to have needlessly interfered with a fair trial in the lower court.

Second observation is that the judgement missed an opportunity to suggest a solution to an allied problem of the need for an interim judgement in such cases. For example, when a take down request is made by a victim of a defamatory publication directly to the publisher, it may be refused and a Court order would be demanded by the intermediary as per the Shreya Singhal judgement.

But if the Court order takes 10+ years with appeals and more appeals, the defamation continues and any relief granted thereafter would be of no use. If however an interim stay is granted to remove the content, the publication or the author of the content may feel aggrieved that action has been taken without a proper trial. In many cases the interim stay becomes a permanent stay, particularly if the respondent does not choose to contest, defeating the intention of the Court to uphold freedom of speech.

Confining to the main point of dispute which is identifying the applicable law as of 21st November 2008, at that time, the amendments to ITA 2000 were already under consideration and the recommendations had been submitted by the expert committee and the draft of the Information Technology Amendment Act 2006 (ITAA 2006) was already in the public domain. This represented the legislative intent though the final approval was pending.

However when we consider the concept of “Due Diligence”, we must recognize that “Due Diligence” is not restricted to following the law as enacted. It refers to a responsibility and duty to prevent an adverse incident and hence the “intended law” is as much relevant as “Best Practice” when it comes to exercising due diligence.

Considering that a law needs to be complied with only after it is notified and not any time before, even if it appears reasonable, will amount to supporting evasion of law.

In the instant case, the purpose of Section 79 is to provide exemption from liability for an intermediary if it follows certain best practices and this intention was expressed in the ITAA 2006 (which at the time of passage was renamed as ITAA 2008). If this amendment had not been passed, the earlier version of Section 79 would have prevailed. If it was passed, it would expand the applicability of protection from ITA 2000 offences to offences under other statutes.

If a decision had to be taken by an organization in this uncertain scenario when the amendment was in a state where it could either be passed or rejected in the end, a prudent organization would like to follow the principle of “Erring on the safer side”. Due diligence at such a stage with a higher degree of certainty is to consider that present law will prevail and amendment may not fructify.

In such a case the protection should have been considered as restricted only to ITA 2000 offences. It would however be a logical and reasonable decision if the company considers that the proposed amendment which has gone through the Cabinet Committee and is ready to be passed, will be passed as intended. In such case Section 79 as amended would be the “Due diligence target” of the organization. Any other decision would be arbitrary.

Hence the organization should try to be compliant first to the un-amended Section 79 and then to the amended Section 79 and be prepared to justify its decision if challenged in the Court.

The two versions of the section 79 are presented below for easy comparison.

Section 79 under ITA 2000:

Network Service Providers not to be liable in certain cases

For the removal of doubts, it is hereby declared that no person providing any service as a Network Service Provider shall be liable under this Act, rules or regulations made there under for any third party information or data made available by him if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention.

Explanation. – For the purposes of this section –

(a) “Network Service Provider” means an intermediary;

(b) “Third Party Information” means any information dealt with by a network service provider in his capacity as an intermediary.

P.S: “Intermediary” with respect to any particular electronic message means any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message

Section 79 under ITA 2008:

Exemption from liability of intermediary in certain cases

(1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link hosted by him.
(2) The provisions of sub-section (1) shall apply if-
(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored; or
(b) the intermediary does not-
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission
(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf
(3) The provisions of sub-section (1) shall not apply if-
(a) the intermediary has conspired or abetted or aided or induced whether by threats or promise or otherwise in the commission of the unlawful act
(b) upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.
Explanation:- For the purpose of this section, the expression “third party information” means any information dealt with by an intermediary in his capacity as an intermediary.

P.S: “Intermediary” with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes

When this case goes back to trial, the first thing that the court would be looking for, is to decide whether it should apply the un-amended section 79 which was the law prevailing on the date of the incident or to apply the intended amendment which was available in the public domain using the concept of due diligence.

The Supreme Court has not provided the clarity in this regard by referring to the judgement of Shreya Singhal and repeatedly to the “amended” and “Unamended” section 79.  If the Court had laid down the principle that law as applicable on the date of an offence will prevail at the trial stage, it would have helped to simplify trial proceedings in such cases where the law has undergone a change in the interim period.

Even in the case of scrapping of Section 66A, the Supreme Court did not specifically mention whether the change will have a retrospective effect or not. This led to Police sometimes invoking Section 66A because it was the law on the date of the incident.

In a recent order, Karnataka High Court imposed costs on some police officers for invoking Section 66A, since in this case Section 66A was not applicable on the date of the alleged offence.

It may be observed that the two versions of Section 79 differ in many respects. Firstly the applicability of old Section is for a “Network Service Provider” who is an intermediary, defined as a person who receives, stores or transmits a message or provides any service with respect to a message. On the other hand under the new definition, an intermediary is defined with reference to an “Electronic record” and not a “message” and includes the erstwhile network service providers as well as search engines, online market places etc. 

The replacement of the word “message” with an “electronic record” and expansion of the different types of service providers is a significant change to the law.

In the Shreya Singhal case, one of the most glaring mistakes the Supreme Court made was to equate a “Message sent to an addressee through a Communication device” with a “Publication available for view by the public in a Facebook or Twitter platform”.

The current judgement could have clarified what is a “Message” and what is a “Publication” while discussing the term “publication”. Obviously the Court did not consider the distinction between the two terms strong enough to provide a clarification.

Another distinction between the two versions of Section 79 is that the protection is available only if the service of the intermediary is limited to certain functions. Accordingly, it would be available only if the intermediary does not initiate the transmission (and only provides a platform for sending it through), does not select the receiver of the transmission, and does not select or modify the information contained in the transmission. If the intermediary “Pushes” the information to “Members of a group”, it appears that it has to “Initiate the transmission”, and on this ground Google groups may lose protection. This was not explored.

The new section 79 includes “communication link hosted by him” to data hosted by the third party for the purpose of providing protection. This goes with the expansion of the term “intermediaries” to service providers of all kinds.

Additionally, the new section introduced an obligation to remove the content expeditiously without vitiating the evidence.

In the Shreya Singhal judgement this was read down to mean that “the time for expeditious removal” would commence after receipt of a Court order.

Given the delays of our Judicial system, the need to wait for a Court order is not a fair relief to the victim. The bench which heard the Shreya Singhal case failed to recognize the relevance of this provision in the Act and gave a judgement without recognizing that, in a defamation case, coming to a decision on whether it should be tried under the old section or the new section itself takes 11 years. The process of determining whether a defamation has occurred or not, whether Google India is liable or Google LLC is liable etc., will therefore take much longer. Hence the entire process of judicial relief is a farce as far as the victim is concerned. While Google can pursue the case at the High Court and the Supreme Court, the victim, many times an individual, is denied justice merely because he has no capacity to continue this litigation for such a long period in multiple Courts.

The bench in the current case therefore failed to find a solution which was essential.

Naavi.org had, way back in December 2000, under the article “How to Counter Rogue Sites”, suggested that the offensive content could be “Flagged” as “Objected by …..” with a link to the notice of objection received by the hosting body. In the current context, a similar procedure can be followed by the intermediary when a notice is received directly from the victim and the legal process is pending. If required, a time limit of around 90 days or 180 days may be provided within which, if the Court order does not come through, the flagging can be removed or populated with the information that no court order has been received.

This procedure could have been endorsed by the Supreme Court either in the Shreya Singhal case or in this Visakha Case. Unfortunately, the Supreme Court missed an opportunity for this clarification for the second time.

It appears that there is a need for the Courts to look at “Finding ways and means to resolve the disputes” while drafting the judgement. Then the years of wait would at least bring some lasting improvements to the system. On the other hand, if the Supreme Court only restricts itself to the role of finding fault with the law and notification of the Government and expects the Government to come up with revisions which are again subjected to another round of critical evaluation, the legislative process would be seriously hampered.

I wish that there is a serious introspection by the Judiciary in this respect of how to make the judgement solution oriented.

Naavi


Data Privacy Day at Naavi.org

Data Privacy Day is celebrated on 28th January by the international community to raise awareness of Privacy. India is slowly adopting the practice.

It is to celebrate this year’s Data Privacy Day that Naavi decided to release the book on “Personal Data Protection Act of India (PDPA2020)” in the E-Book format.

The book is now available on Amazon in Kindle format. A free Kindle reader app is available for download for all PCs, Macs and Android/iOS phones.

Some persons have asked why this book is being released before the Act has been passed. I need to share my thoughts on this.

PDPA 2019 is presently in the form of a Bill which has been referred to a select committee of Parliamentarians for a final review. It is suggested that the review be completed before the last week of the budget session. The Committee has called for a final submission of views from the public within 3 weeks from 22.01.2020.

The stakeholders can send two copies of their comments and suggestions to Dr Ram Raj Rai, the Director of the JPC at the Lok Sabha Secretariat (at Room No. G-014, Parliament House Annexe, New Delhi – 110001), or email them to jpc-datalaw@sansad.nic.in, or to the JPC chairperson Meenakshi Lekhi at mrs.mlekhi@sansad.nic.in.

It is necessary that the stakeholders understand the bill in detail before sending their suggestions, and that the debate takes place in a healthy manner without misinterpretations from vested interests.

For the Companies it is better to start preparing for the emerging law. The professionals who have to start shouldering the responsibility as DPOs also need to start early.

Hence this book is being released quickly in E-Book form, with the print version to follow.

The book is now available at Amazon and hopefully it will be of use for submitting the responses to the Government.

Any feedback would be welcome.

Naavi