Naavi.org

Cyber Society of India (CySi)  and Foundation of Data Protection Professionals in India (FDPPI) have organzied a half day workshop on Personal Data Protection Act (Proposed law in India presently with the Parliamentary committee) on 14th March 2020.

The program is meant to provide basic information on the proposed law, how it impacts the industry.

Honourable Justice K.N.Basha, former judge of the Madras High Court and Mr P.Wilson, Honourable Member of Parliament (RS) are expected to grace the occassion.

FDPPI is also distributing the Certificates to the successful candidates from Chennai who passed out of the recent “Certified Data Protection Professional” course conducted by FDPPI, marking the beginning of a new era of trained Data Protection Professionals in India

Naavi

In recent days a lot of discussion is centered around “Proportionality” when it comes to use of Government powers to either make laws or make regulations under the specific laws.

It has become a tendency for politically motivated litigants to oppose a law first when it is being passed in the Parliament and then in the Supreme Court on the basis that it violates some aspect of Constitutional Right. The Supreme Court is also most obliging in taking up such cases and investing its time and energy in meeting the political goals in such litigation against the Government.

When the law can no longer be challenged under the Constitution, the next challenge is mounted on “Yes.. Law is Constitutional,… But the implementation is not proportional”. The recent judgement in the case of Crypto Currencies when a bench of the Supreme Court consisting of Judges  V.Ramasubramanian, Aniruddha Bose and Rohinton Fali Nariman held that RBI has powers to regulate Virtual Currencies but its circular stating that Banks should keep away from Crypto Exchanges was a disproportionate use of this power.

This “Yes..But”  judgements are a reflection of the powers some advocates have to persuade the Courts to give temporary reliefs when it is not in the interest of the society. The Nirbhaya case in which the accused are filing curative petitions even after final judgement one after another and yet getting a favourable orders from the Courts is a case in point of how law is being twisted to suit the criminals.

To put an end to this “Yes…But” judgements, it is necessary for the Courts to establish the limits to which certain principles can be applied. One such principle that needs clarification is the test of “Proportionality” which is amenable for misuse by the influential litigants and obliging judges. In not every law passed by the Parliament and held constitutional can continue to be frustrated whenever the operating notifications are issued.

The PDPA is in the danger of such an “Yes..But” attack. After the act is passed by the Parliament, it is possible that it is challenged under the ground that Section 35 is unconstitutional or even if constitutional, fails on the proportionality test. Similar objections can be made on the Section 42(2) on the constitution of the DPA. Then similar challenges can be mounted on the definition of Sensitive Personal information or Significant data fiduciary, Social media intermediary and so on… The possibility of challenges to be mounted would be end less and like in the Nirbhaya case, the challenges can come one after the other so that the law as passed may be stayed in its execution stage.

If this situation unfolds, then it would be the Supreme Court itself which will be responsible for not allowing the Government to bring legislation on Privacy Protection and preventing the Puttaswamy judgement to be implemented. It could even be a blessing in disguise for the Government since it can continue to do what it does in the absence of the Privacy law.

Unfortunately even Justice B N Srikrishna himself has gone to public with a statement that the law can be challenged and he could be the prime witness in the case or could be the petitioner himself to challenge the law.

In this depressing scenario, it is necessary for us to feel refreshed by the judgement of another bench of the Supreme Court delivered on 2nd August 2019, exactly 2 years after the Privacy Judgement, in the case of Ritesh Sinha Vs State of Uttar Pradesh, which makes some key observations on the sense of proportionality.

The case related to an accusation that Mr Ritesh Sinha collected money from public promising jobs in the Police…in 2009. The investigating authority wanted a voice sample to be matched with the recorded calls and an application was made. The magistrate issued summons to appear before the investigating officer and provide the voice sample. 

This was challenged first in the High Court of Allahabad which was negatived in 2010. Then the appeal came to the Supreme Court. Now after 10 years, Supreme Court has rejected the appeal. Though the voice sample of 2009 may now be compared with the voice sample of 2019 and the time lapse itself would be an advantage to the accused, the judgement is noteworthy from the point of view of the clarification that it has provided on deciding on the “Proportionality” aspect and “Privacy Right”.

There were two issues that came to the contention of the Court. First was whether a person can be compelled to provide the voice sample as it may be evidence against himself. The second was whether in the absence of a provision in Cr.P.C., Court is competent to interpret the provision as the legislative intent.

The Court made the following observations on whether the Right to Privacy is absolute, by stating as follows:

“Would a judicial order compelling a person to give a sample of his voice violate the fundamental right to privacy under Article 20(3) of the Constitution, is the next question.

“The issue is interesting and debatable but not having been argued before us it will suffice to note that in view of the opinion rendered by this Court in Modern Dental College and Research Centre and others vs.State of Madhya Pradesh and others11, Gobind vs. State of Madhya Pradesh and another and the Nine Judge’s Bench of this Court in K.S. Puttaswamy and another vs. Union of India and others the fundamental right to privacy cannot be construed as absolute and but must bow down to compelling public interest.”

As regards the Court trying to interpret the intentions of the law, the judgement stated

“what may appear to be legislative inaction to fill in the gaps in the Statute could be on account of justified legislative concern and exercise of care and caution.”

“The exercise of jurisdiction by Constitutional Courts must be guided by contemporaneous realities/existing realities on the ground. Judicial power should not be allowed to be entrapped within inflexible parameters or guided by rigid principles.”

Though the judgement does uphold the right of the Court to fill in the words in the legislature it is pertinent to note that it has indicated a cautious approach when a written law is to be re-written by the Court through its interpretations.

It opined

“the judicial function is not to legislate but in a situation where the call of justice …, demands expression of an opinion on a silent aspect of the Statute, such void must be filled up not only on the principle of ejusdem generis but on the principle of imminent necessity with a call to the Legislature to act promptly in the matter.”

The Court also observed 

“when a yawning gap in the Statute, in the considered view of the Court, calls for temporary patchwork of filling up to make the Statute effective and workable and to sub-serve societal interests a process of judicial interpretation would become inevitable.”

Thus the judgement states that there has to be an imminent necessity with a call to the legislature to act promptly for the Court to interpret a law as enacted. Thus the “Proportionality test applied by the Court to over ride a written law or an order (as in the bitcoin case” has to meet the requirement of “Imminent necessity”.

In the Bitcoin case, when the Government was ready with the law, it would have been prudent for the Court not to express its view on the “Circular” of the RBI and let the Government and the regulatory authority to do its function.

Similarly in the PDPA case, if there is a challenge on Section 35 or Sec 42, the Court has to wait for emergence of an imminent need such as when the Government comes out with a blatantly unfair notification and not otherwise.

In the case of Ritesh Sinha, if the Court had ordered for the voice sample to be provided immediately and deferred the analysis for a later day, it would have been possible for the sample of 2009/2010 to be collected instead of the current date. The Court failed to provide such a solution.

But presently there have been instances when the Courts have allowed the law to run pending the decision on the challenge (eg: Article 370) and similarly, if PDPA is challenged, the Court should allow the law to be enforced while the debate continues on nitty grity. The other option of granting the stay and continuing the debate if followed would be indicating that the Court is not interested in Privacy protection being legislated.

Let’s see how the scene unfolds…

Naavi

While criticizing the PDPA Bill, experts need to remember that despite what they may think, Privacy is not an absolute Right. The Privacy judgment of 24th August 2017 stated that

“The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.”

This also meant that the limitations of “Reasonable Exceptions” applied to the Right to Privacy also. The “Reasonable Restrictions” are …interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence.

It is important to note that our Constitution however much we would like to respect, has many internal contradictions brought about by the number of amendments that were made as a part of political expediency. The Supreme Court at various points of time have not stopped this corruption of the constitution. Nothing is more relevant than the experience of Emergency in India in 1975 and the retrospective amendment of electoral laws that Mrs Indira Gandhi made to which the Supreme Court was a mute spectator.

Supreme Court on various occasions has itself ignored provisions of the Constitution and some times even imputed words not present in the Constitution. In otherwords, the Supreme Court has always been above the constitution since it has the power to interpret the constitution.

Hence even the PDPA in whatever form it comes out is within the powers of the Supreme Court to re-write or re-interpret. Hence we need not be too much concerned that the Government will usher in an “Orwellian State” etc., since the oversight of the Court is always available for any significant misuse of the law.

We need to therefore focus more on whether the law is reasonably worded to indicate the intentions that are within the powers of an executive Government.

Afterall a time has come to all of us to say whether we want the rule by the Parliament  and whether the elected representatives have any role in the Governance of the country. It is another argument to say that politicians are corrupt etc. The same argument also applies to Judges who also can be corrupted. It is important for us to recognize that there is a Government in the country and it has some duties. This duty includes the duty to protect its citizens from harm of different kinds.

Right now there is an example before us in the form of restrictions different Government agencies are imposing on citizens in the fear of the COVID-19 virus. Have we not accepted the restrictions for greater good ignoring the human rights? Hopefully some of the restrictions are temporary but as we have seen in many other security initiatives including the frisking in Airports, some security measures tend to become permanent.

The reason why the citizens accept such restrictions is because existentialism overtakes all the other rights including freedom of speech or Privacy.

We the Citizens of India are concerned that our existentialism is now under threat because of crimes around us, the Terrorism, the enemy powers, internal political divisions etc. We want any government of substance to be capable of protecting us from these threats.

It is not possible for us to provide primacy to Privacy ignoring the existential threat to our life for which the Government is the custodian.

Hence any law even the one which has to be drafted under the provisions of a constitutional fundamental right or under the mandated of the Supreme Court cannot overlook the duty of the Government to protect its citizens.

Security is as much a fundamental right as Privacy. Even if any constitutional expert wants to argue that our constitution has not specifically mentioned that “Security is a Fundamental Right”, we need to imply this intention since all “Fundamental Rights” are subject to “Reasonable Restrictions” which are essentially to protect the citizens.

Hence no argument to restrict the powers of the Government to do its duty can be sustained.

Yes… there has to be a law… it has to have the specific provisions through which some rights can be restricted… there has to be a due process for such restriction…etc.

But it is not acceptable to consider that there should be no such laws that protect the citizens because some Privacy activist feels that the right of a criminal to hide will be adversely affected from the law.

Most of the arguments against Section 35 of the PDPA is based on the “Reasonableness” of the provisions.

The law itself is within the Article 19(2) restrictions and hence there can be no objections. At present there are no rules which indicate that the restrictions will be applied arbitrarily. Hence the objections raised are like the objections raised for the CAA stating that when NRC is implemented there could be some issues for some persons who are today enjoying some privileges because the law was lax so far.

This CAA mentality of the Privacy Activists should be shed completely. We want Privacy but it does not mean that Security can be subordinated to privacy. There has to be a balance and when in doubt Security should prevail since it is an existential requirement. We can live without Privacy but not without security. Right to dignity in life is only after we have a right to life.

This distinction needs to be understood by the critics and even by the Court when it is referred to them.

We therefore need to consider that the objections to Section 35 of PDPA 2019 are motivated by extraneous considerations and need to be rejected resoundingly.

Naavi

Also Read:

Fundamental Right To Privacy Not Absolute And Must Bow Down To Compelling Public Interest: SC

On 7th march 2020, Deccan Herald, Bangalore carried an article by the title “Data Protection or Surveillance”?. The online version of the article  included a powerful video presentation from the Center of Internet and Society(CIS). Earlier in another article the CIS had also provided detailed comments on the PDPA 2019. (See here).

CIS has been in the forefront of many discussions where the inadequacies of the regulations of the Government have been brought to public notice and its contributions to the cause of “privacy” is well noted.

However, of late CIS has been advocating controversial issues as supporting Bitcoin, the “Currency of the Corruption” and now focused on  the law on Privacy. CIS has raised many objections on PDPA 2019 and it appears that it will be happy of the Bill is deferred yet again and put into the oblivion.

If however the Government obliges, CIS could be the first off the block to criticise that the Government has ignored the commitment to the Supreme Court and has no intention in protecting the privacy of individuals. This attitude of “Damned if you do and damned if you don’t” is the typical attitude of some NGOs who can never agree on any positive movement forward. and always have an erudite argument why the proposal is not acceptable.

In Management we speak of a psychological game “Yes…But” propounded by Dr Eric Berne and CIS and some other NGOs have been indulging in while reflecting on the draft PDPA2019.  We need to put such objections in its place and move on.

The objections of CIS on PDPA have been indicated in the following list

1. Executive Notification cannot abrogate fundamental rights
2. Exemptions under clause 35 donot comply with the legitimacy and proportionality test
3. Limited powers of Data Protection Authority in comparison with the Central Government
4. No Clarity on Data SandBox
5. The primacy of Harm in the bill ought to be reconsidered
6. Non Personal Data should be outside the scope of this Bill
7. Steps to greater de-centralization of power
8. Data Must be empowered to exercise responsive regulation
9. No clear road map for the implementation of the Bill
10. Lack of inter-operability
11. Legal uncertainty.

The research team of CIS has also brought to attention several other articles  mentioned here which all add very valuable information to the discussion.

Each of these articles may need separate discussions and we shall try to comment on each of the above in course of time.

I would however try to point out that the Bill is presently in a fluid state and many of the concerns expressed can be addressed through notifications of the Government that would follow and the regulations that the DPA would release in time.

Hence some of the objections are premature.

Instead of pressing on the settling of all these concerns, it is better if CIS admits that it prefers the Privacy Bill to be dropped for the time being.

….To be Continued

Also Read:

“Yes, But People Vs Yes And People”..Wyser

Views expressed here are the personal views of Naavi

The recent Bollywood judgement on Bitcoin from the Supreme Court has given a fresh lease of life to Black Money in India. This is a set back for the efforts of Mr Modi to fight corruption and could be termed as a significant victory for Digital Black Money and “Money Laundering” through legally approved means.

The impugned judgement conveniently said that RBI has the powers to regulate Virtual Currency but however the circular to ban Banks from providing banking facilities to  Bitcoin traders which facilitates money laundering was not “Proportionate” exercise of its powers.

The judgement was no doubt smart since it provided legal sanction to money laundering through Bitcoins and Crypto currency and all criminals are happy. It will benefit all parties on the right side of the Bitcoin lobby who may rejoice and throw around Sathoshis if not Bitcoins during this Holi on all their benefactors. Politicians will enjoy this new mode of payments to replace “Suitcases” if they have to engineer defections or for looting Banks like Yes Bank.

The unfolding of the Yes Bank saga where paintings were allegedly used as instruments of money laundering has brought renewed attention on the Supreme Court judgement on Bitcoins and provides a good advertisement for the use of Crypto Currency for such Money laundering instead of the Paintings. Today ED is perhaps sitting on the evidence of Money laundering in the form of paintings of Rajiv Gandhi and Rahul Gandhi on which crores might have been invested by Yes Bank. This may be even accepted by Courts as evidence since they were not valued or the value could be far less than the amount declared in the transaction etc.

Had the painting been exchanged for 40 bitcoins instead of a cheque for Rs 2 crores, the ED would not have been able to seize the evidence. If the Bitcoin wallet number had been stored secretly in a London abode then the ED could not get a scent of the wealth even in their raids.

I am not here to give a lesson on how to use Bitcoin for money laundering and I have a doubt that the Indian corrupt are intelligent enough to have already found out this route. Perhaps the M F Hussain painting of Rajiv Gandhi was only an old strategy, while several more such transactions have been done later using Bitcoins.

Those who are now rejoicing on their victory in Supreme Court must understand that just as we isolate and quarantine Corona virus victims  for the greater good of the society, the Bitcoin holders should be put under quarantine until our Finance Ministry wakes up to make an appropriate law to ban Crypto Currencies.

This was precisely what the RBI had done by using its regulatory powers on Banks to desist working with the Crypto exchanges. The Supreme Court has however found fault in this strategy because they did not find “Proportionality” in the decision.

Now we need to ask a question to the Supreme Court if they consider even the Corona quarantining is “Disproportionate” use of powers and should be withdrawn on Human Rights considerations.

This judgement has once again proven that given the right kind of advocates, the Courts can be persuaded to agree on some vague technical grounds on which any action even as severe as destroying the Indian economy can get judicial approval.

The final responsibility for doing good to the society is solely with a few persons left in the society like Mr Modi,who still have the power to make laws that Supreme Court should not be able to strike down because it was prepared to be convinced by a forceful argument.

The “Banning of Crypto Currencies” is one such law that needs to be expedited.

Also, a stay on the current judgement of Supreme Court should be sought in a review as otherwise more and more Yes Bank type of deals will be converted from Paintings to Bitcoins.

I urge RBI Governor to take a decision on filing the review petition immediately.

Naavi

P.S: Views expressed here are the personal views of Naavi

Also Read: 

India Ban Overturned, BTC owners warned They’ll lose everything, Holder’s DIgest, Mar.2-8

Kraken Announces Plans to Expand Indian Operations As Crypto Ban Lifts

The Press release by the consortium of foreign companies including the Amazon, Google, Apple, Microsoft, Facebook etc opposing several provisions of the proposed PDPA 2019, have thrown a googly at Mr Kris Gopalakrishna, the chairperson of the committee on Data Governance. 

The consortium which consists of those companies which are worldwide considered notorious for using personal data under one pretext or the other are concerned that the advent of PDPA would hamper their progress. They are therefore raising objections on PDPA though they have adopted to similar provisions of GDPR without a whimper of protest.

“We are concerned that some provisions in the PDP Bill would hamper the country’s economic growth, constrain the ability of companies operating in the market to innovate, and in some cases potentially undermine the protection of Indian citizens’ privacy,”

says the letter reportedly sent by them to the JPC. 

We are happy that they are concerned. But the objections raised by them donot reflect that they are expressing a genuine concern for the Indian citizens though they are expressing concern for themselves which we can concede as their right provided they are not hypocritical about it.

The letter continues to state

“The ambiguity in the definitions, and the restrictions on where data must be stored based on those definitions, presents a serious constraint for many companies when planning their future investments in India,”

It is agreed that every law will have some ambiguities and it will be cleared over time. Even PDPA may need clarifications and it will be clarified mostly when the DPA comes into existence. Some minor clarifications can be made in the Bill and we can hope they would be addressed. Some of these objections of the industry have already been codified by NASSCOM-DSCI whose detailed representation is now available in the public.

What the industry stalwarts are concerned is about Section 33 on Transfer of data outside India and Section 91(2) which states

(2) The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.

Explanation.—For the purposes of this sub-section, the expression “non-personal data” means the data other than personal data.

(3) The Central Government shall disclose annually the directions, made by it under sub-section (2), in such form as may be prescribed

What these companies are objecting is for  the empowerment of the Government  provided in the Act to use the “Non Personal Data” available with these companies which are generated in India to be made usable for the “Better targeting of delivery of service” and “formulation of evidence based policies” by the Government.

It is after the Government conceding the request of these Governments that they should be allowed to transfer the data outside India.

This objection requires to be assessed on the basis of the principle of data sovereignty. If Data is like Oil, the Government of India needs to have some right on the use of personal data extracted from Indian Citizens in India. The section 91 is an empowerment of this provision to be exercised under the post facto supervision of the Parliament.

The tech giants collect the information free from the Indian citizens and make enormous money out of it. But when the Government wants to retain the right to use the anonymized data for the benefit of the Citizens of India, the companies have an objection.

Is this a concern for the Indian Citizens which they are trying to announce through this press release?

These companies need to appreciate that the PDPA is more than generous to recognize their needs of “Processing the data of foreign nationals without the application of PDPA” by a total exemption from the Act under Section 37 which states as under

37. Power of Central Government to exempt certain data processors.

The Central Government may, by notification, exempt from the application of this Act, the processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, including any company incorporated outside the territory of India, by any data processor or any class of data processors incorporated under Indian law.

Have these agencies seen such provision in GDPR?

Similarly in order to support “Innovation”, the Act also provides for a “Sandbox” arrangement under which companies can seek an exemption from the law for a total period of 3 years.

Have these agencies seen such provisions in GDPR?

It is obvious that these agencies are only interested in extracting more and more concessions and if possible delay the passage of the law indefinitely.

By making a statement that they want the passage of PDPA2019 to be deferred until the Kris Gopalakrishna Committee submits its reports, they are expressing faith in Mr Kris Gopalakrishna to provide some relief to them in his recommendations. This has unnecessarily placed him under a radar so that whatever he recommends, it will be seen under the lens of whether it has been influenced by these agencies with whom he had very intimate business relationship while he was working in Infosys.

While we expect Mr Kris Gopalakrishna to be mature enough not to be influenced by the commercial interests of these agencies, it is avoidable that he is put under a pressure by such statements.

Now it will be necessary for him to issue a statement that his recommendations would not be affected by these friendly statements from the agencies who are opposed to the Data Sovereignty principle.

I hope he comes forward with a statement distancing himself from these statements.

In the meantime the JPC may take note that there is no truthful representation in the submissions of these companies and it should not hesitate to revert the Section 33 provisions to the earlier provision where one copy of  all personal data generated in India should be stored in India. This provision was consistent with the GDPR provisions and there is no need to dilute it as long as there are provisions like Standard contractual clauses and Adequacy clauses, Emergency provision and Explicit consent based transfers available to meet specific needs.

The dilution of the personal data local copy clause will hamper the Indian Law enforcement and also the potential to develop indigenous data storage related business.

The threat of these companies that their investments could be hampered, should be also taken note of by the Government and we need to promote more of indigenous competitors to FaceBook, WhatsApp, Twitter and even Google. This would enable reduction of the power these agencies are now using against the interests of the country.

This is the time to once and all determine whether these agencies respect the democratic system of India where they are allowed to flourish without confronting the genuine interests of Indian citizens and the Indian Government or prefer to be marginalized like they have been done in China.

Simultaneously, the Government should recognize that NASSCOM-DSCI has become a close advocate of the views of these foreign agencies and hence any suggestions from this lobby has to be taken with a pinch of salt.

(P.S: These are personal views of Naavi and kindly excuse if it hurts  any other professional in India).

Naavi

Also Read: Hypocrisy of the “Global Trade Bodies” who oppose PDPA