Comments on the suggestions made by ASIFMA and SIFMA on PDPB

The Personal Data Protection Bill 2019, presented in Parliament on 11th December 2019, is yet to be passed. It is presently with the Joint Parliamentary Committee but seems not to have progressed much due to the Covid-19 situation.

There is one section of stakeholders who are happy with the delay and another section who are unhappy.

The Government has been following a very cautious approach in finalizing the legislation and is listening to all vested interest groups and allowing the deferment under one pretext or the other. The PDPB 2018 had already gone through a public consultation and the PDPB 2019 is again going through another public consultation.

It is ironic that the industry which embraced GDPR without a murmur suddenly has started raising objections to the Indian law as if India has no right to pass a law that could affect the freedom of the business entities to loot the personal data of Indians.

Several centuries ago the conquerors of the Arab world and the sea pirates from the west plundered Indian wealth to the extent possible, and now the new business managers from the west are trying to exploit the data wealth in the country. Hence they are raising objection after objection to the passing of the Act.

This tendency is very much evident in the note submitted by the Asia Securities Industry & Financial Markets Association (ASIFMA) and the Securities Industry & Financial Markets Association, a copy of which is available here.

Despite the long note submitted, it appears that these organizations do not want to see India passing this legislation and, even if passed, it has to be completely in favour of the business organizations to help them continue the exploitation of personal data of Indian Citizens. NASSCOM has already submitted its comments, which are also in the same mould, in favour of the MNCs.

After perusing the unreasonable submission made by ASIFMA, Naavi.org has considered it necessary to make a point by point comment on the suggestions, which is enclosed here.

We hope the Joint Parliamentary Committee will take into account the comments made herein.

Naavi

Posted in Cyber Law | 1 Comment

What is the nature of Data in property terms?

https://www.facebook.com/mpparimal/videos/531215397545246/?t=0

There was an interesting interview of Mr Mukesh Ambani with Mr Arnab Goswami in which Mr Mukesh Ambani spoke about “Data Ownership” and “Data Monetization”. He strongly advocated that “Data” belongs to an individual or corporate and that no company should be able to make use of the data to make profits without sharing it with the data owner.

He used an analogy of property kept in a Bank locker and that the Bank does not have the right to take it out and use it to make profits even if the original property is returned to the property owner.

Just a few days back, we had a webinar from Justice B N Srikrishna where he highlighted his view on data ownership. He used the analogy of the terms “My House” and “My Wife” and said that we cannot apply the same principles of property ownership in these cases since in the case of “My Wife”, there is a personal “Relationship” involved which is different from the relationship with a property like the house. He therefore said that the concept of “Property” cannot be applied directly to “Data”.

I agree with Justice Srikrishna and endorse his view that “Data”, whether “Personal” or “Corporate”, cannot be considered similar to other properties like movable or immovable properties. It does not even bear exact similarities to intangible properties like goodwill or intellectual properties like the trademark, patent or copyright.

The nature of data as a property could be closer to a property such as an “Enforceable Right” (Actionable Claims). But still Data is a type of commodity or right which does not fit squarely into any of the known types of properties and hence requires to be treated as an exclusive kind of its own.

Data is an exclusive kind because it is not static in an organization and has a life cycle. It starts its life cycle as raw data, which is a set of zeros and ones in no specific form. Once some of these zeros and ones are grouped in a particular manner, some software-hardware combination may interpret them as an ASCII character or a number or even as sound and image.

Whether the data is a Word file or a Notepad file or an mp4 file, it is still a series of binary representations, and the first few sets of binary (header information) identify which software is compatible and is designated to read the body of the data. Accordingly the header data invokes a specific software and we see the data as text, sound or image.

Further, data is always in binary form and it is the person who is viewing it who renders a meaning to it. Hence the meaning of data is one that is ascribed by the viewer. If we remove the viewer and the tools of viewing, all data looks the same… a sequence of zeros and ones. To call something personal, something non personal and something sensitive is all an imagination in the eyes of different viewers using different viewing tools. (This concept has already been embedded into our legal system through Section 65B of the Indian Evidence Act.)

The detailed explanation of the above concepts in the Theory of Data is discussed elsewhere on this site.

Given that data depends on the software, the hardware and the beholder for its meaning, it is not appropriate to ascribe an absolute value to the data and identify who owns this value.

Further, through aggregation or dis-aggregation, data becomes personal data, or sensitive personal data etc. Personal data can also become de-identified data, pseudonymized data or anonymized data.

To ascribe a property nature to this data is therefore complicated and has to factor in the changing nature of the data through the life cycle it goes through. Just as, in the case of a human, the law applicable to a child is different from the one applicable to an adult, a married adult, a senior citizen etc., data laws are different for different types of data. These laws determine the rights associated with the data at different stages of the life cycle and also determine the value.

Personal data P may have a value X to a data fiduciary Y at a particular point of time. It may then be anonymized into P*. The value of P* may be zero to the same data fiduciary who was valuing it at X till now. At the same time, to another research entity Z, P* may have some value of its own. So when P is converted into P*, it reduces in value for Y but increases in value for Z. If Y is selling P as P* to Z, it is like the US selling crude oil at a negative price… difficult for economists to understand the valuation…

If we try to recognize this kind of property as something like a movable or immovable property or an actionable right, we would not be able to capture all the glory of the personal data. It is like a pattern in a kaleidoscope being watched by a person who is colour blind to multiple colours or perhaps is totally blind.

Hence we should stop looking at Data as a normal property but understand that it is something different.

Also, the instrument that is used to transfer the right on this property is neither a mortgage deed nor a hypothecation deed, nor a contract as we know it in law. It is different.

What is this “Different” breed?… Let us simply call it an entity described as “Data” as defined in ITA 2000 and “Personal Data” as defined in PDPA. There is a person recognized as the “Data Principal” who has certain rights against a certain set of data. He can hand it over to another person called the “Data Fiduciary” and give him some rights. The “Data Fiduciary” can further transfer it to another person called the “Data Processor” and give him some limited rights.

The parties Data Principal, Data Fiduciary and the Data Processor therefore handle the entity called “Personal Data” as per the provisions of PDPA. All rights on this “Personal Data” are determined by the law called PDPA. Just as the Transfer of Property act defines what is an “Immovable Property”, PDPA defines what is the property called as “Personal Data Property”. ITA 2000 defines what is a Data Property.

PDPA also defines the kind of rights that the Data Principal possesses and the rights that he can transfer. It also defines the rights of the Data Fiduciary and what he can transfer to a Data Processor. It also defines what are the rights of the Data Processor.

Hence the “Personal Data Property” is an exclusive kind of property and has to be viewed as such without equating it to any other known forms of property except to say it is like this in one feature and like another in another feature. All laws related to “Personal Data Property” arise out of PDPA and every other law is irrelevant.

When we talk of transferring the property, we should only talk of transferring the “Personal Data Right” in the “Personal Data Property”.

These discussions may be theoretical but are important for the purpose of developing jurisprudence in the data protection domain. I therefore place it before the public for debate as part of Naavi’s Theory of Data.

Naavi

Related Articles:

October 8 2019: New Data Theory of Naavi built on three hypotheses

October 8, 2019: Theory of Data and Definition Hypothesis

October 10, 2019: Reversible Life Cycle hypothesis of the theory of Data

October 11, 2019: Additive value hypothesis of ownership of data

November 20 2019: Will Personal Data Protection Act be compatible to the Theory of Data?

March 31, 2018: Theory of Dynamic Personal Data

 


Belgian DPA finds conflict in CCO being designated as a DPO

In a decision that has somewhat shaken up the GDPR community, the Belgian DPA imposed a fine of Euro 50000/- on a Data Controller who had appointed the Chief of Legal compliance as a DPO. The DPA ruled that there was a conflict between the two roles. (Refer here)

The Compliance officer is normally considered reliable for legal knowledge as well as an attitude of compliance, more than some other designations such as CTO or CISO or even the CRO or HR head. If the DPA considers that “Legal Compliance” is in conflict with “Data Protection Law Compliance”, there is an important message that we need to understand.

“Personal Data” is part of the “Total Data” that an organization manages; the CISO is in charge of protecting that “Total Data” and the Compliance official is in charge of complying with all laws that relate to the “Data”. However, this ruling appears to suggest that there could be a lack of focus if a legal professional embroiled in litigation or contract drafting etc. is expected to be able to manage the complexities of Personal Data Protection.

The undersigned has often equated “Personal Data Management” with something similar to “Hazardous Inventory Management” and always suggested that the skills and effort required to handle personal data are highly specialized.

To understand this further, we can also look at the role of the “Bomb Disposal Squad”, which is often called upon to remove and investigate any suspicious looking bag in which there may be a round heavy object or from which a clock-like sound is coming.

In the normal course anybody can open the bag and check. But the sensitivity associated with the probability that the object may be a bomb means that an ordinary person cannot be given the responsibility for clearing the suspicious object.

If an officer of the Corporation, knowing the circumstance, orders some garbage removal employee to dispose of the bag, even if nothing untoward happens subsequently, the Corporation can take disciplinary action against the Officer for endangering the community and the individual himself.

We should therefore understand that the DPA of Belgium perhaps had a reason to take what appears to be a harsh decision and has sent out a loud message to all organizations to consider both the knowledge and capability as well as the conflict situation before designating somebody as a DPO in their organization.

The same is true for the Indian scenario also.

Naavi


Justice B N Srikrishna on Personal Data Protection

An interesting webinar was organized today by a group of legal professionals from Mumbai in which Justice B N Srikrishna spoke about the Data Protection Act. He is the architect of the Indian law on Data Protection which is presently before Parliament for passage, and in some recent encounters with the Press he had been critical of some of the changes made by the Government in the latest bill as compared to the version he had submitted along with his report in 2018. The webinar was therefore keenly followed, and over 890 participants attended at its peak.

Justice Srikrishna gave a good overview of the legislation, starting from the objectives and moving to the Data Protection Principles, the Data Principal’s Rights and other key provisions, on some of which he has been vocal even earlier.

During the webinar Justice Srikrishna made a few important observations which were illuminating and need to be taken note of. Also, due to the paucity of time, some questions from the audience went unanswered. The following report tries to record the essence of the discussions and goes on to provide our viewpoints on the questions that had been raised during the webinar, for the general information of interested professionals.

Justice Srikrishna started with an explanation of the objectives for which the Personal Data Protection Act (PDPA) was drafted, bringing home the reference to the Aadhaar issue and the consequent debate in the Justice Puttaswamy case. He later went into a discussion of some of the key elements of the current bill and areas where perhaps he had some disagreements.

On the most contentious issue of Section 35 which provides the power to the Government to exempt the application of the act in certain circumstances, he clarified that while he does concede that the Government has the power to infringe on the Privacy under certain circumstances, he was highlighting the need for appropriate checks and balances failing which the possibility of a Government official misusing the law to grossly violate the Privacy rights of the individuals could arise and an “Orwellian State” reference could become possible.

He did not discuss the other controversial issue about the Constitution of the Committee for appointment of the DPA not having Judicial representation.

He however justified the earlier provision regarding cross border transfer restrictions, under which one active copy of all personal data transferred out of India had to be kept in India, and which has been diluted in the current version of the bill. He highlighted the fact that a high-powered delegation from the US had met the Government to persuade them to dilute the provisions, and that the Government obliged, ignoring the requirements of the law enforcement agencies.

Another point on which he did focus was that the current bill does not set a deadline for the Government to implement the Act and hence implementation could be endlessly delayed. In the earlier version, there was an 18-month outer time limit within which the entire act had to come into existence, with various other provisions being implemented at different points of time indicated in the Act itself.

He was also unhappy with the reference made to the power of the Government to demand transfer of non personal data/anonymized data to the Government under certain circumstances under Section 91 of the Act, and expressed that he would have preferred a separate legislation for this purpose, as had been suggested by his committee.

There were a few other important points on which he shed some light from his perspective namely

a) Ownership of Personal Data

b) Definition of Critical data

c) The “Fiduciary” nature of the relationship of a Data Processor

d) Data Retention period

Data Ownership

As regards the ownership of the “Personal Data” he gave a jurisprudential view that all that we can call as “Mine” cannot be equated to a “Proprietary Right” and there are “Relationships that need to be recognized” which are not subject to property rights. He therefore reiterated that though the Data Principal calls personal data as “My Personal Data”, he may not have the rights of disposal of the personal data in the same manner as he can dispose of a movable or immovable property.

In this context he highlighted why the two parties who are in other countries referred to as “Data Controller” and “Data Subject” are in India called “Data Fiduciary” and “Data Principal”.

Definition of Critical Data

On the definition of “Critical Data”, Justice Srikrishna admitted that there is no definition of the term either in his version or the current version. However, he expressed an opinion that the term can be used in the context of “Whose Personal Data” is being considered and whether that data is of relevance to national security. As an example he referred to the data of the Prime Minister or President or the Chief Justice.

The view of Mr Srikrishna is at variance with the general expectation that the distinction between Sensitive and Critical data would be based on the severity of the harm that may be caused to a data principal irrespective of who the data principal is.

The distinction based on whether the data principal is a celebrity or a person of national importance will result in mixing up the type of data with the identity of the person. This distinction may not be the best way to define the criticality of the personal data.

Instead, some data such as fingerprint, iris scan, DNA profile, skull X-ray, tooth X-ray, voice print, or even the photograph have the character of being inherently identifiable and not being amenable to being “Anonymized”.

Such data are better qualified to be categorized as critical data since once lost they can never be recovered unlike a Password that can be changed.

Fiduciary Nature of Relationship

Justice Srikrishna reiterated the need to define the relationship between the Data Subject and the Data Controller as “Data Principal” and “Data Fiduciary”. The undersigned has discussed this several times earlier and has hailed it as the single most important contribution of Justice Srikrishna to Data Protection Jurisprudence, which would in due course be accepted worldwide. (See one of the earlier articles in this regard for more clarity.)

This elevation of the relationship of the Controller to that of the Fiduciary will solve many of the problems the world has seen in Data Protection regulation such as “Consent Fatigue” which is more accentuated in India because of the use of different languages by end users, lack of literacy and reduced appreciation of the culture of “Privacy” which is more an elite concept pushed down the population rather than a felt need of the market.

Data Retention Period

While speaking on the data retention period limitation, Justice Srikrishna referred to the provisions of other laws that may require retention of the data for a longer period. He mentioned that though normally data has to be retained as dictated by the purpose, in cases where the other laws dictate otherwise, it can be retained for a longer period.

Mr Srikrishna however failed to refer to the existence of legitimate interest and evidentiary requirements that may necessitate the distinction between the need to erase the data after the purpose is completed and the need to retain it for a longer period, which the new law has tried to accommodate by creating a fine distinction between the right to erasure and the right to forget as two different rights under Sections 18 and 20.

Though we do not agree with the contention of Justice Srikrishna that Section 35 of the new Act leads to the possibility of an Orwellian State, or with his omission to recognize some of the improvements that have been made in the Act including the concepts of “Consent Manager”, “Sandbox”, “exemption of liability” etc., the discussion was very useful in putting across a perspective of the law.

Towards the end of the session, there was no time left for taking up some of the questions from the large number of participants.

In order to provide some clarity to some of the questions raised, I have picked up the questions and provided my views under the “your Queries” section in the website of the Foundation of Data Protection Professionals in India. (www.fdppi.in)

I request visitors to peruse the questions and answers provided.

Naavi


How Politicians are conspiring indirectly to bring bad name to PDPB 2019

Yesterday we had a spectacle of Mr Arnab Goswami, the well known journalist, being subjected to 12 hours of grilling by the Mumbai Police on an FIR against his utterances against Sonia Maino alias Sonia Gandhi, the leader of the Congress party.

What was noticeable in the day’s proceedings was that the two people who were arrested earlier for attacking Mr and Mrs Arnab Goswami were given bail by some Magistrate, probably because the Police chose to charge them on flimsy grounds. Mr Arnab Goswami’s complaint was on the lynching of two Hindu Sadhus in Palghar, the lack of investigation into the murder and the silence of the Congress leader.

Mr Arnab Goswami has developed his own brand of journalism, and his high decibel complaining about the lynching in Palghar seems to have so much rattled the Congress party that its supporters filed over 200 FIRs against Mr Arnab Goswami and ultimately took to attacking him in the dead of the night when he was returning from his studios.

The incident required to be condemned by all supporters of democracy, including those who are opposed to Mr Arnab Goswami. But the politicians have been mostly silent on the attack and the media also did not raise its voice.

At the same time Mr Arnab got a stay on the FIRs from the Supreme Court except one case in Nagpur, and the Mumbai Police are trying to use this FIR to teach him a lesson. The lesson that he was required to be taught was not to raise his voice on Mrs Sonia Maino/Gandhi, and for that purpose he was subjected to a 12 hour interrogation.

While the Police may justify that they needed to show some video footage etc. and obtain his views, there was no need for the interrogation to continue for 12 hours. It could have actually been broken up and continued on the next day.

What this incident has shown is that Police in India remain the faithful servants of the politicians and at their beckoning can be made to drop sections on the assaulters and at the same time grill the journalist until he is tired and loses mental balance. We are all aware how Mrs Indira Gandhi imposed Press Censorship during the 1975 emergency. What Sonia is trying to do is perhaps to follow the footsteps of her illustrious MIL.

This may not be something new in India and we could have ignored it in the normal course. But the reason why we need to highlight this here is that this kind of behaviour of the Police creates distrust in them when we try to justify the provision of some extra powers under law. The distrust of the police will translate itself into distrust of the Government.

We should therefore consider the impact of this incident on the discussions that are being held on the Personal Data Protection Bill (PDPB), where there are some exemptions provided to the Government and Law enforcement related to the protection of Privacy. The undersigned has on many occasions defended the right of the Police to conduct surveillance through CCTV footage and other means because security of the Citizens is an uncompromisable responsibility.

On the other hand, there are people who are opposed to the PDPB stating that it gives too much power to the Government and/or Law enforcement. The current incident supports this viewpoint and shows how a State Government can make its Police dance to the tunes of a party controlling indirect power in the State. If this can happen in an incident like this, we can imagine that if the same party is in power in the Center, then laws like the Personal Data Protection Act and its objective of protecting the privacy of citizens would be kicked beyond the Hindu Maha Sagar into oblivion.

There are already many motivated articles appearing in pliable journals stating that PDPB will “Stifle the digital economy with overbearing regulations”. Today’s LiveMint carries one such article. This article has made the following remarks.

1. The pivot of the framework appears to be a domineering mandate to be given to a data regulator, structurally geared to intervene rather than facilitate.
2. The Bill has broad-based restrictions on the transfer of data overseas from India, which could hive our market off from the global digital economy.
3. The Bill seeks to protect privacy by way of what looks like a regulatory sledgehammer that imposes extensive compliance requirements with little aid to data protection.
4. Bill sets forth an inflexible framework that is bereft of any formal consultative rule-making process, which is likely to stifle innovation in the sector.
5. Substantial portions of the Bill are out of sync with international data protection practices, which could blunt India’s competitive advantage as a digital market.
6. The Bill also requires large players to have data protection officers physically located within India.
7. Instead of specifying broad legal standards, the proposed framework requires the Authority to lay down regulations of the one-size-fits-all kind.

(P.S: We would not now like to comment specifically on the points raised above, as it is clear that the objections raised are not correct and the article is perhaps motivated by vested business interests, though it is the right of the author of the article to give out his views.)

Though this article does not mention the powers of the Government, the incident of Arnab becomes a huge vindication of the fact that people with power are difficult to trust if there is a bad master and a pliable servant.

Before the opponents of the PDPB start citing the Arnab case and start arguing for dilution of the powers of the State and Law Enforcement under PDPB, it is necessary for the Government of India to instill some confidence in the system.

This requires the Central Home Ministry under Mr Amit Shah to come up with a suitable statement that any excesses of the Police on political considerations would not be tolerated. If they remain quiet, then the “Chilling Effect” of the Arnab grilling will ensure that at least in Maharashtra there will be emergency of the Sonia era. This could hurt the PDPB passage in its present form also.

Naavi

You Tube ..hypocrisy when it comes to Freedom of Speech?

The above face is a familiar face to many on You Tube. This person has been posting many interesting videos, particularly of ancient archaeological sites in India, Cambodia and many other places, focussing on many interesting points which nobody else seems to observe.

He has a very discerning eye for spotting indications of peculiarities in the construction of ancient temples, many of which, like Hampi and Mahabalipuram, are well known to many tourists. But nobody else has found certain points such as the possibility of ancient builders having used technology for rock processing, the use of lathe type machines a long time back, the possibility of aliens being depicted in the sculptures etc.

There is no doubt that some of his findings are very significant and the scientific community could very well do a research of their own either to prove or disprove his views.

It is also an observation that when he talks of many ancient Shiva temples and interprets the Shiva Lingam and the Gopuram of temples  as a depiction of energy transmitters or communicators to the alien world, he speaks of Hindu tradition. Possibly thousands of years back only Hinduism was prevalent in these countries and hence only references to Hindu culture can be seen in these ancient temples.

I have viewed many of his videos and have not found any racist or communal thoughts in his publications.

But very recently, he published a video which he has called probably his last video, a link for which is presently available here.

In this video he has pointed out that many of his videos have been subjected to moderation and some have even been removed by You Tube for no discernible reason.

We have seen Twitter always supporting Pakistani and Anti Modi subscribers and allowing fake news to be promoted against India. Now a suspicion arises whether Mr Praveen Mohan is being blacklisted because he takes the name of Shiva in many of his recent postings. One of the recent postings highlighted a structure in Mahabalipuram which he has called the “Olakkaneshwara temple” and discussed how it could be a lighthouse built to guide ships approaching the coast.

He has indicated that this video was taken off by You Tube. It appears that it has been restored, but it is not clear if other videos which he has referred to in his disclosure have also been restored.

But the incident indicates that there could be an anti India bias in the action of You Tube and perhaps they do not want thoughts which could re-write some of the historical concepts, ignore the developments in countries like India in ancient times, and consider that all scientific developments originated only from the west.

It is time we Indians bring it to the notice of You Tube that its actions are being watched. If it thinks that it can misuse its popularity to prevent content that supports Indian culture and heritage, then its credentials as a company from US which champions free speech will be severely dented.

The Indian Government has to take note of this development and seek an explanation from You Tube as to their commitment to free speech.

A similar question also has to be raised on Gmail, which continues to hide the “Originating IP address of email senders” in e-mails received by Gmail account holders, ignoring the right of an e-mail account holder to know from which IP address he has received an e-mail. The e-mail is a transaction between the sender and the receiver; Gmail is only an intermediary under ITA 2000.

If this status of an intermediary has to be retained, Gmail should not interfere with the communication that emanates from the sender’s computer and reaches the receiver’s computer. By changing the header information that starts its journey from the sender’s personal computing device, Gmail is processing the information and not acting purely like an Intermediary. Hence it should lose whatever protection law normally provides to intermediaries.

Unfortunately in India our CERT-IN or the MeitY do not pull up companies when they behave illegally and irrationally, and we tend to accept their actions as unquestionable.

We hope MeitY takes note of Mr Praveen Mohan’s complaint and that, just as they reacted to Zoom with a project to develop an Indian counterpart, they look for an Indian counterpart of You Tube.

Naavi
