How Do I harass a company with GDPR?

GDPR is a regulation meant to protect the privacy rights of an individual. Principally it is meant to protect the rights of citizens of the EU and tries to exercise control over personal data collection activities within the jurisdictional boundaries of the EU. The UK, as a faithful servant of the EU and reeling under the repentance of Brexit, wants to be more loyal than the King and has pursued the UK Data Protection Act 2018 to extend GDPR to its jurisdiction.

The objectives of GDPR are laudable and extend the concern the EU legislators have always had for the protection of human rights.

Having dealt with dictators like Hitler, Mussolini and Napoleon and lived a life of pirates and conquerors for generations (of which we the Indians have centuries of experience), the population of the EU has developed a culture which appears to have made them suspicious of everybody else and oversensitive to some issues related to Privacy.

This is indicative in an interesting case reported below, details of which are available here.

This article “My GDPR Complaint Against Tinder (MTCH Technology Services)” is an interesting case study of how one person has painstakingly pursued his complaint with the company over a long period using the good intentions of GDPR to his advantage and in the process consuming days of effort and money of the company.

This is a typical indication of how the law can be misused by some persons for their own reasons. 

To briefly explain the incident: immediately after the GDPR came into operation on 25th May 2018, on 2nd June 2018, a website, PersonalData.IO, submitted a request on behalf of a customer requesting the company MTCH Technology Services Ltd to provide “all of the information collected on me”. Since then, the complainant has been pursuing the complaint, expressing his dissatisfaction with the information that has been provided. The complaint originated with the ICO in the UK and was later transferred to the supervisory authority in Ireland. The matter appears to be resting with the detailed reply given by the company on 29th May 2019, but the complainant is still not satisfied and is following up.

During this entire exercise, the company has patiently been replying to the complainant and it is evident that it has spent enormous corporate time with its technical team, compliance team, the legal advisors etc to draft a satisfactory reply.

We must pause at this stage and reflect on whether the cost forced by the complainant on the company has been productive and whether the complainant has been inflicting unjustified losses on the shareholders of the company, who are also individuals like the complainant himself.

GDPR has provided a “Right” to the data subject to ask a company whether his personal data is being processed and, if so, how it is being processed. The purpose of Article 13 and related Articles of GDPR is to enable a data subject to ensure that the company adheres to the principle of collecting informed consent and uses the data only as agreed upon, and does not make fraudulent, unethical or dishonest use of the personal data.

The complainant in this case on the other hand appears to have pursued his complaint dishonestly with the sole purpose of harassing the company through a series of e-mails and making a “Disproportionate request”. There is no “Data Breach” reported in this instance and the request is a fishing exercise of the complainant to find out a cause for further harassment of the company.

This complaint reflects a sadistic tendency on the part of the complainant, who seems to have a lot of time at his disposal to keep sending request after request and not be satisfied with any reply received.

There is a need to put an end to the development of such a trend, which will be detrimental to the industry. If this goes unchecked, anybody and everybody may keep sending out e-mails just to make the life of the companies difficult. It may provide a sense of satisfaction to the complainant that he has achieved something great in his life by dragging the company into an endless conversation.

The responsibility to put an end to such an attempt lies with the supervisory authority which has to exercise a judicial discretion to separate a real complaint from a complaint designed as a fishing exercise where the complainant has no prima facie case of having been adversely affected.

The supervisory authorities in such cases should politely refuse the complaint and close the case so that the company can go ahead and attend to its other activities. This requires a sense of maturity on the part of the officers who have the responsibility to uphold the real values reflected by GDPR.

Unfortunately the drafting of GDPR and more so the UK Data Protection Act 2018 is not good enough to avoid dishonest complaints being made against companies without valid and prima facie reasons. It is also not possible to avoid all inconsistencies when a law is drafted and it is the duty of the judiciary and other authorities implementing the law to read down the different provisions and ensure that the real spirit of the law is upheld.

If the supervisory authorities fail to respond properly to prevent such harassment, the Companies will also start disrespecting the authorities and we will end up with litigations all round. This will impose an unreasonable cost on the society and render the regulation an unproductive burden.

I therefore advise the complainant to be satisfied with whatever information has been provided. She has made not only this company but many others realize how GDPR can make the life of the DPO miserable and tighten up their compliance. I suppose her genuine purpose of making Companies more responsible has been served.

She deserves a pat on the back.

But if the complainant pursues the complaint further, her intentions would be suspect and it would be proper for the Company to demand payment of costs for providing the information. Let this incident not be a lesson on how people can harass a company using the provisions of GDPR.

According to Article 12(5),

...Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

It appears that this is a fit case to test the provisions of this Article and how the supervisory authority of Ireland interprets this complaint.

Naavi

Posted in Cyber Law | Leave a comment

Arbitration Amendment Act 2019 passed

The Arbitration and Amendment Act 2019 received the Presidential assent on 9th August 2019.

The copy is available here.

The major part of the amendment is to introduce Part IA relating to the Arbitration Council of India. Consequential amendments have been made in the rest of the Act.

The Eighth schedule inserted in the Act deals with the qualifications and experience of the Arbitrator.

The copy of the Arbitration Act on www.odrglobal.in has been updated. (Updated Version)

Naavi


ICICI Bank claims immunity from Cyber Crimes

ICICI Bank, which has been a leading bank in adopting innovative Cyber Banking in India, is also in the forefront of incidents in which customers have lost money because of the negligent manner in which the security of its systems is maintained as well as the fraudulent involvement of its employees.

Recently in two cases the TDSAT passed adverse orders against ICICI Bank. In the S.Umashankar Vs ICICI Bank case, ICICI Bank was held to have assisted the fraudster in commission of the crime. Though clinching evidence of criminal complicity of ICICI Bank had been adduced in the Adjudication and Tribunal in this case, since these forums were not criminal Courts, they stopped at passing adverse remarks in the orders. Had they been criminal Courts, we could have considered that ICICI Bank had been indicted of criminal offences under Sections 66 and 65 of ITA 2000/8.

In another case of Rajendra Yadav Vs ICICI Bank, an earlier order dismissing the complaint by the Adjudicator of Karnataka (in 2011) on the ground that “Section 43 was applicable only to individuals and not to Companies” has also been dismissed with costs on ICICI Bank.

ICICI Bank, enjoying the power of public money, is however not accepting the decisions and is challenging them in higher Courts in the belief that the victims of Cyber crimes who have brought these litigations on the Bank will not have the resources to continue their legal battle in higher courts, given both the expenses and the time involved.

Both these cases are cases which have been in litigation since 2008 and 2010.

In the latest attempt, ICICI Bank wants to get itself exempted from being liable under Section 43 by raising a bogey that the word “Person” used in the section applies only to an individual and no action can be brought against the Bank. The exemption claimed under Section 43 is also an exemption claimed under Section 66 since the two are interlinked.

This means that ICICI Bank is claiming that if it commits any offence under Section 66 which includes unauthorized access, denial of access, diminishing the value of information residing inside a computer etc., it has to be protected because it is a “Company”.

It would be interesting to see if the Courts admit such petitions or dismiss them in the first place.

Naavi has already pointed out in the judicial forums why this claim is ridiculous and causes different anomalies in law. We shall elaborate on this some time later.

Naavi

Refer: TDSAT order 


Copy of the IMC report on Crypto currencies

Here is a copy of the report by the Inter ministerial committee on Crypto currencies.

Copy

The report contains the copy of the bill proposed to be introduced for banning Crypto currencies in India.

According to the Bill,

1. No person shall directly or indirectly use Crypto currency in any manner including as medium of exchange, and/or a store of value and/or a unit of account, nor as a legal tender or currency in any place in India.

P.S: Cryptocurrency, by whatever name called, means any information or code or number or token not being part of any Official Digital Currency, generated through cryptographic means or otherwise, providing a digital representation of value which is exchanged with or without consideration, with the promise or representation of having inherent value in any business activity which may involve risk of loss or an expectation of profits or income, or functions as a store of value or a unit of account and includes its use in any financial transaction or investment, but not limited to, investment  schemes;

2. Mining, holding, trading etc will be offences punishable with one to 10 years of imprisonment and fine.

3. Advertising and promotion of crypto currencies is punishable with fine and/or imprisonment up to 7 years.

4. Even an attempt to commit any offences under the Act shall be punishable with half the term meant for the offence.

5. A separate investigating authority will investigate and prosecute offences under the act and actions in Courts can be initiated only by the Government.

6. Offences will be non cognizable and bailable.

7. Companies will have liability on the Officer in charge for offences attributable to them subject to usual defenses of due diligence.

8. Fines under the Act can range from Rs 1 lakh to Rs 50 crores under different sections.

Naavi


How much of Crypto currency transactions are illegal?

According to Zebpay, which has shifted its business out of India, it still has more than 2 million Bitcoin holders in India who have more than 40000 bitcoins in their possession. According to their estimate there are about another 15000 bitcoins in the hands of Indians in other exchanges and maybe a further 20,000 in dark pools which Zebpay itself calls the “Black Market”. The other Crypto currencies could add up to a further 50% of the Bitcoin holding.

The total estimated value of the Crypto currencies in the hands of Indians, which we term “Digital Black Money”, could therefore be around 100,000 bitcoins. At around Rs 8.5 lakhs per Bitcoin, the total value is around Rs 8500 crores. It must be recognized that this is only an estimate of the holding by Indians and the rest of the market capitalization (nearly 300 billion US dollars) is held by non-Indians.

According to the industry’s own estimate, only 21% of Bitcoin transactions are deemed “Lawful”, as revealed by the research of MIT and IBM. The research said that billions of dollars are laundered through Crypto currencies every year.

The honourable Supreme Court cannot ignore these facts when it hears the arguments of the industry on legitimization of Cryptos in India.

Naavi

Articles on Bitcoin on naavi.org


Who constitutes a “Person” under Section 43 of ITA 2000? A Survey

Here is a simple survey I am conducting on a question of law. I request all legal professionals to send me your personal view on this matter through e-mail or otherwise.

This may look simple and a waste of time to most legal professionals. But believe me, your view may be important in defining the law of Cyber Crimes in India. Hence I request you to take a few minutes to send me your views.

Naavi

Section 43 of ITA 2000 states as follows:

Penalty and Compensation for damage to computer, computer system, etc 

If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network –

(a) accesses or secures access to such computer, computer system or computer network or computer resource 

(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;

(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;

(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;

(e) disrupts or causes disruption of any computer, computer system or computer network;

(f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;

(g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder,

(h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network,

(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means 

(j) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage,

he shall be liable to pay damages by way of compensation to the person so affected.

This section uses the term “Person” many times, most importantly for the entity that has suffered damage and the entity that has caused the damage.

This section is linked to Section 66, and any of these acts committed dishonestly or fraudulently constitutes an offence under Section 66. The two sections cover most of the so-called Cyber Crimes which all of us are fighting against.

In law the word “Person” is applicable both to an individual living person as well as a company. The General Clauses Act also specifies the same.

In this context please let me know your view as to whether the word “Person” used in Section 43 of ITA 2000 is restricted to only an “Individual”.

Thanking you in advance.

Naavi
