Challenging the GDPR Fines - Jurisdictional issue

(Continued from the previous article: Challenging the GDPR Fine-Decision of Greek DPA on Employee data)

The second case on GDPR fine which needs discussion is the decision by the UK ICO on a Canadian Firm Aggregate IQ Data Services Ltd (AIQ). On 24th October 2018, the UK data protection enforcement body, the ICO issued a notice specifying several breaches and a possible fine under GDPR provisions.

The charges made included

  1. AIQ breached Articles 5(1)(a)-(c) and Article 6 by processing “personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing.” Moreover, “the processing was incompatible with the purposes for which the data was originally collected.”
  2. AIQ also breached Article 14 in that it failed to provide “data subjects with the information set out in Articles 14(1) and (2), and none of the exceptions set out in Article 14(5) apply.” (Article 14 deals with the situation in which a company obtains the personal data from one or more third parties rather than from the data subjects directly. If Article 14 applies, the controller of the data must communicate to the data subject, among other things, the category of the data collected, the purpose(s) of the data processing, and its legal basis.)
  3. Although it is not alleged in the Enforcement Notice, AIQ was also probably in breach of Article 27 in that non-EU companies that process the personal data of EU residents must designate an EU representative, which is obviously intended to provide regulators with an easy means of imposing jurisdiction. The failure to comply with Article 27 alone can result in a fine of €10 million or 2% of a company’s global group turnover, whichever is higher.

The notice to the Canadian firm has also evoked a question on the extraterritorial jurisdiction under GDPR. This breach has come out of the investigation related to the Cambridge Analytica case about the use of UK citizens’ data for analysis without the knowledge of the data subjects.

The claim of ICO is that AIQ processed UK personal data in a manner that did not include the consent of the data subjects concerned, and that (notice the date) it continued to hold this personal data after the date at which GDPR came into force (May 25, 2018).

The notice stated “The Commissioner takes the view that damage or distress is likely as a result of data subjects being denied the opportunity of properly understanding what personal data may be processed about them by the controller [which is AIQ], or being able to effectively exercise the various other rights in respect of that data afforded to a data subject.”

It is important to note that the “Damage” is speculative and not “Real”.

AIQ has objected to the jurisdiction of ICO in the matter and the matter now rests with the General Regulatory Chamber (GRC) of HM Courts & Tribunals Service.

More details will be known in due course but the case indicates how GDPR may be used to target data processing companies outside the jurisdiction of EU.

The global corporate sector needs to think seriously about how this threat could be factored into their business strategies. (Refer to the article on securityweek.com for more information)

Indian companies need to take appropriate precautions to safeguard their interests by ensuring that their liability if any comes only out of the processing contract with the Data Controller and not directly.

Naavi

Also Refer:

Enforcement and Remedies under GDPR

Why was AIQ targeted?

Over 2 lakh incidents in one year

More enforcement action by ICO

Posted in Cyber Law | Leave a comment

Challenging the GDPR Fine-Decision of Greek DPA on Employee data

With a year of GDPR enforcement behind us, companies are now exposed to different interpretations of the law by different Supervisory Authorities imposing fines on various counts.

Two recent decisions that attract special attention are

a) The Hellenic (Greek) DPA decision imposing a fine of EUR 150,000 on PricewaterhouseCoopers Business Solutions SA (PWC)

b) The UK ICO order against Aggregate IQ Data Services Ltd (AIQ)

The Hellenic decision focuses on the GDPR issues related to employee data while the UK ICO order relates to the jurisdiction aspect of the UK DPA on a Canadian Company.

In the Hellenic order, the DPA imposed the fine based on a complaint and an ex-officio investigation on the “lawfulness” of the processing of personal data of the employees.

According to the order it appears that the DPA objected to the company demanding consent to the processing of the personal data. The DPA considered that for the data to be considered as processed “lawfully”, all the conditions mentioned in Article 5(1) should be met.

Article 5(1) is reproduced below and states:

1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

The DPA further held that “The identification and choice of the appropriate legal basis under Article 6(1) should be informed to the data subject since the choice of the legal basis has an effect on the application of the rights of the Data subjects.”

Article 6(1) states that:

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child…..

While Article 6(1) states that processing would be lawful if “at least one” of the conditions stated here is satisfied, the DPA made an observation as follows.

“The principles of lawful, fair and transparent processing of personal data pursuant to Article 5(1)(a) of the GDPR require that consent be used as the legal basis in accordance with Article 6(1) of the GDPR only where the other legal bases do not apply so that once the initial choice has been made it is impossible to swap to a different legal basis”. Consent of data subjects in the context of employment relations cannot be regarded as freely given due to the clear imbalance between the parties.

It further held “In this case, the choice of consent as the legal basis was inappropriate, as the processing of personal data was intended to carry out acts directly linked to the performance of employment contracts, compliance with a legal obligation to which the controller is subject and the smooth and effective operation of the company, as its legitimate interest”.

The decision of the DPA appears too harsh, since an employer-employee relationship is bound by a contract and the alleged violations were too technical in nature.

Organizations therefore need to ensure that their legitimate interest is properly defined and bound to the employment contracts.

The GDPR itself does not seem to indicate the need for such a harsh treatment of the issue since Article 88 leaves it to the individual states to provide more specific rules for protecting the employee’s personal data.

The employer-employee relationship is a contract in which the employer should have the right to make background checks before employment, profile the employee’s behaviour during employment and also conduct an appropriate exit interview to document the reasons for exit etc. GDPR interpretation should therefore not interfere in the management of the company.

The decision should therefore be challenged in an appeal to ensure that wrong precedents are not set by over-enthusiastic DPAs. Every organization will have a set of employees who are disgruntled and they are likely to raise any issue of this nature just to put the employer into a legal tangle.

GDPR is not clear about the appeal process and it is to be interpreted under Article 79(1) that any legal person aggrieved by the order of a supervisory authority shall have recourse to the normal judicial remedies in the member state.

….Continued

Naavi


Welcome Kashmir to India

We welcome the historic decision to integrate Kashmir with India.

This removes the 70 year old blot on India as a country.

Incidentally, PDPA (Personal Data Protection Act) will now apply to J&K as well as Ladakh also.

It is time to rejoice.

Hope the Supreme Court will not come in the way of the Citizens of India rejoicing with this historic development.

Naavi

Also Refer: Article here

 


Why Naavi thinks that Bitcoins should be banned in India?

Recently, I was posed a question by an aggrieved Bitcoin professional on why I was such a strong critic of Bitcoins. Several questions were posed to me in this regard. My strong views on Bitcoins have estranged me from many of my friends in the technology domain. Some may think I am anti-development. In order to put my views in the right perspective, I want to clarify to the public why I sincerely feel that Bitcoin cannot be legitimized in India.

For the record, I may also state that I am fully supportive of the leaked version of the Bill which is allegedly being drafted by the Government which provides for stringent punishment for Bitcoin usage while retaining the option for the Government to use Block chain technology for its own Crypto Currency if required. This is fully in line with my views expressed in the past through various articles on this blog.

My views on the questions raised by my critics recently are reproduced here. I am willing to debate this further if any of the readers want to debate. (Following is a reply sent by me to a query of a journal dedicated to Bitcoin promotion)

Before you read further, I suppose you have read my very first post on Bitcoin. Published on December 22, 2013, it was titled “Why RBI Cannot/need not/should not ban Bitcoins?”. This was immediately after the Bitcoin conference in Bangalore where I spoke on the legal status of Bitcoins in India. An article was also carried in Times of India titled “RBI has no legal right to ban use of bitcoin”. This article still figures on my blog with a note about why my view has changed since.

No doubt I was also initially attracted by the innovative idea of the “Bitcoin Mining” and how the blockchain system worked. At that time, I had looked at the issue purely from the legality under Indian law and opined that “Bitcoin” is an “Electronic Document” and since it has not been excluded under Section 1(4) of Information Technology Act 2000 (ITA 2000), it carried a “Recognition” as a “Commodity”.

Even at that time, I have been clear in my perception that “Mining” of bitcoin is different from “Trading”. I said “Mining” is legal and buying from a known miner is also not bad. But when a commodity is bought, the title to the property changes over to the buyer but along with the defects in the title to the commodity. The exception to this rule are the “Negotiable Instruments” and Bitcoin is not a “Negotiable Instrument”. Since a major portion of Bitcoin that is under circulation in a trading house comes from an earlier transaction which may involve drug trade or other illegal activities, the commodity is “Tainted” with the past defective title. This taint gets transferred whenever the bitcoin is sold to another, broken down to smaller denominations etc. Hence if the buyer does not know that the previous owner bought it from another clean previous owner etc and the chain of transaction is known to be clean till the miner of that particular Bitcoin, it is risky to buy Bitcoin.

Secondly, I was also clear that Bitcoin should not be called a “Currency” since any buying, selling or otherwise dealing with a commodity as a “Currency” is interfering with the right of the RBI to be the sole issuer of “Currency”.

For this reason, I stated that Bitcoin cannot be banned by RBI since it is an issue that has to be dealt with by an amendment of ITA 2000. However, in the domain of “Currency”, RBI is the sole issuer of currency and nobody else can term their commodity as “Currency”.

I have also given example where a “Club” may use plastic chips as currency within its four walls but if it tries to promote it as currency in the transactions outside its premises, there could be interference with the RBI’s powers.

This view of mine has not changed and has got strengthened over a period of time since Bitcoin managers have steadfastly stuck to their right to let the system be considered as a “Currency” and without any intrusion of the central bank like RBI.

It is true that the popularity of Bitcoin with the public did not wane despite my opposition and the perception that “Bitcoin” is “Currency” got boost because of the various developments including some online merchants accepting it for payment of purchases in lieu of legit currencies etc.

With this background, let me try to address the specific questions raised.

    1. Why do you think Bitcoin should be banned in India?

Comments: The way Bitcoin has been promoted as an alternative to “Currency” and without the supervision of RBI and Tax authorities because of the anonymity of its ownership, has rendered Bitcoin as the most ideal form for storing “Black Money”. Since Bitcoin can be converted to many other Crypto currencies and in some cases the legit currency also, a holding in Bitcoin becomes convertible to other anonymous currency holdings without the need to even go through the normal havala operator for conversion of Indian Rupees to a foreign currency.

This sort of status is attractive in general to any person who wants to hold assets in the form of benami properties without the Government coming to know of its existence.

Though some of the exchanges later introduced KYC and said that they can now trace the buyer and seller, the “Bitcoin Wallets” continue to be managed by international operators without any obligation to share the data about its owners to a Government agency and the KYC system itself can be abused because there are already fake PAN cards and fake Aadhaar IDs in circulation.

Hence Bitcoin is considered a haven for black money holders.

Add to this the convenience for criminals who can easily collect ransom in the form of Bitcoins and convert them into legit currency as a smooth money laundering operation and the possible use of Bitcoin for payment to terror sympathizers in India by enemy nations, it is clear that there is a need to treat Bitcoin as the “Currency of Criminals” and “Digital Black Money” and to curb it.

While there are always arguments that even currency can be hoarded as black money and used for criminal activities etc., if there is an unrestricted conversion of Bitcoin into INR, then Black Money will become impossible to be controlled.

I have also highlighted that if Bitcoin is made convertible to INR, then the floating currency in India will go up by a value equivalent to the sum of the market capitalization of all Crypto currencies to which Bitcoin is convertible. Hence economically the inflation will go through the roof. Since a large part of the holding of Bitcoin is in the hands of China and may also be with Pakistan, if Bitcoin becomes fungible with INR, then China can meddle with the Indian economy by simply infusing and withdrawing Bitcoin stocks from the Indian market.

In view of these considerations, I am of the strong opinion that it would be suicidal for the country to provide any type of recognition to Bitcoin. It has to be kept out of the system along with all other Private Crypto currencies.

    2. In many of your posts, the common argument is that Bitcoin should not be a legal tender. Understandable. Why should Bitcoin not be treated like a commodity?

Comments: I have explained earlier that legally Bitcoin is a “Commodity in electronic form”. But being an asset of a certain value and the ownership being anonymous, it is a perfect “Benami Asset”.  Hence it would continue to be used as a “Black Money Substitute” if allowed to exist as a “Commodity”.

    3. Regarding Unocoin’s Bitcoin ATM. You pointed out that they are running a hawala system. You gave an example of how someone can put 4 lakh rupees cash and get a bitcoin. But in reality that wasn’t the case. Unocoin’s machine had a limit of 10000 INR per day cash deposit. That abides by the current CBDT laws. Moreover, that money was going to be deposited into your Unocoin account, where on the mobile or the website you can buy crypto. Each user was KYC verified. How was this a hawala system?

Comments: My comments on the Bitcoin ATM were based on the media reports and involved my perception about how it could be misused. There could be some speculation on my part but it was based on the likelihood of it being mis-represented. I think I explained this in my article “Who is lying? Unocoin advocates? Or the Press?” We also know how similar ATMs may be functioning in Singapore or Canada. Hence there was a specific possibility of the ATM being used for havala type of conversion even if it was done in small amounts. Mr Satvik was quoted to admit that the Bangalore ATM was a trial machine and they would expand it all over India. Hence the possibility of a network being built for such conversion of INR to Bitcoin or other currencies in a basket and vice versa was very real.

The KYC was easy to abuse and hence not a reliable safeguard to allow such inherently dangerous practice.

    4. Regarding Facebook’s Libra. You mentioned it is doing an ICO and they will not launch in India that means it will not come via Indian banks. But that’s really not the case. Facebook’s Libra is not taking money from retail traders to launch Libra. It is supposed to have multiple partners with a minimum investment of 10 Million USD. If anyone would invest 10 Million USD into something, they are not really doing it with black money. It was never an ICO, why did you paint a picture that Libra was an investment token?

Comments: Facebook’s Libra is a recent development. Again any comment can be made only on publicly available information. From the initial indications, it appears that some private investors would make the first investments and therefore they may be allocated Libra directly like a promoter’s initial issue of shares. Then this along with additional issues may come into the market through trading or additional issues. Even if an investor makes an investment of US$ 10 million plus, it will create that much stock of Libra which when circulated in the public may merge with Bitcoins and other cryptos.

Additionally, Facebook has its own eco-system where it can promote e-commerce on its platform and therefore become a bigger threat to sovereign Governments than a Bitcoin or any other individual crypto currency.

There is no reason why we should trust Facebook or any of the investors who may have their own vested interests to promote this private enterprise of generating a currency.

    5. You keep pointing out and use it as an argument that Bitcoin is not legal. But the fact is that Bitcoin hasn’t been deemed illegal yet. You are literally choosing the best answer that suits your narrative and then accusing other media sites and Supreme Court advocates of doing so.

Comments: Bitcoin promoted as “Currency” is illegal as I have tried to explain earlier. Even if we try to cover up the status as if it is only a commodity and not currency, the reality is different. I have once pointed out how an advertisement was released in Times of India to promote Bitcoin as a Diwali investment instead of Gold. If such attempts went unchecked, common people would be misled into investing their hard earned money into a scam much bigger than the IMA scam in Karnataka.

What is important for media and advocates is to be honest in what they say to the public. If they want to be diplomatically stating a falsehood as if it is true, it is the responsibility of people like us to clarify.

    6. You have frequently associated Black money with bitcoin. We have reports that say the biggest investment of black money is in benami properties, followed by gold, followed by cash and the government has gone on record in parliament saying there is no conclusive data on illegal activities using bitcoin. What are your comments on that?

Comments: I have no disagreement on your report. But it does not mean that we should create one more instrument of black money which we all know is easier to hold, and easier to transact anonymously compared to currency, Gold or property. Government is trying to curb benami property holding by trying to link Aadhaar to property registration, trying to reduce black money in currency form through demonetization etc. These efforts may continue and we cannot allow a substitute that can even allow money to fly out of the country easily unlike currency or gold or immovable property.

    7. The NASSCOM chief’s statement that bitcoin is illegal was published by a media portal. Nasscom later clarified its stance but you did not correct it on the website. In July 2019, Nasscom has put a statement opposing a complete ban on Cryptocurrencies, you haven’t mentioned that either. Once again, you have chosen an answer that best fits your narrative.

Comments: If there was any clarification, it could be that the view was personal and not that of Nasscom. It was not intentional that I did not comment on this because it was not brought to my attention. Even if it had been, my general views would not have changed. There have already been people in MCX and SEBI as well as in the Ministry of Finance who were sympathetic to Bitcoin. Even if somebody in Nasscom would be in favour of Bitcoin, it does not surprise me.

I suppose I have tried to provide my honest views. As an Indian just think one thing. If Bitcoin and other Cryptos become legal, then why would I and you need to keep any of our money in rupees? We all will convert it into Cryptos because it gives us the flexibility to convert it into dollars today and Japanese Yens or Swiss Francs tomorrow. Rupee is not the first choice of the currency in the world and hence the rupee holding would come down to the barest minimum. This would seriously destabilize the economy and in fact destroy it completely.

I am an ex-Banker and firmly believe that Bitcoin would be detrimental to the economic interests of the country and hence neither RBI nor the Supreme Court nor the Government can take a decision to legitimize Bitcoin. I am sure that RBI understands this and Mr Modi also is fully committed to not recognize Bitcoin. I am not so confident about the Supreme Court however but hope they also realize that they cannot be seen to be supporting the “Digital Black Money” under any circumstance.

If you can try to visualize the impact of Bitcoin legitimization beyond the individual commercial benefits that you may get, then you yourself would realize why my view is in the interest of the country in general.

I hope you would publish my views faithfully.

Regards

Naavi

P.S: One more question was added subsequently and answered as follows:

  • There is one more question I would like to ask. What is your opinion on an official digital currency?

    Answer: As regards the launch of an “Official” crypto currency by the Government, at this time, I consider this only as an enabling provision in the proposed bill. The Government may not go through with the proposal. Since the “Official” version is one where every Crypto currency mined and transacted is tagged and the Government would be able to track it, it will not have the status of the private Cryptos like Bitcoin. Hence, it may not acquire floating value higher than the official value of INR. Excepting the saving of printing of currency in the future, it may not have any specific value to the economy.

    Naavi


Shafi Mohammad order referred to larger bench

When the media cried out “Courts can rely on electronic records without certificate: SC”, based on the order of a two member bench of the Supreme Court, Naavi.org clearly stated that the order was incorrect and required to be corrected. (Refer here)

This order was issued on January 30, 2018 and in a way negated an order of a larger bench in the case of PV Anvar Vs P.K Basheer.

Naavi.org has advanced its reasons why this order was both incorrect and also dangerous since it sought to remove an important safeguard provided in law for preventing false electronic evidence to be produced in litigation.

It is now good to know that the matter has been referred to a higher bench in the Civil Appeal nos 2407 of 2018 and 3696 of 2018 for clarification.

We presume that the decision in the P V Anvar case will be reiterated by the larger bench.

Refer:

SC order of 26th July 2019

The tragedy of Shafi Mohammad

Naavi


Improving the Cyber Crime Prevention, Detection, Investigation and Prosecution

With the new BJP Government having taken over and Mr Amit Shah having become the Home Minister, an effort is being launched to examine the improvements that are required to be made for better Cyber Crime control.

Essentially, the following questions have been raised:

  1. What is the existing legal framework to deal with cybercrime?
  2. What are the difficulties being faced in prevention, detection, investigation & prosecution of cybercrime?
  3. What specific problems/Gaps being faced in the legal framework to deal with cybercrime?
  4. What changes are required in the legal framework to deal with cybercrime more effectively?
  5. Whether there is need to provide a legal definition for “cybercrime”?
  6. Whether any amendments are required in CrPC, IPC, IT Act, 2000 or any other law to improve effectiveness of LEA’s in dealing with cybercrimes?
  7. Whether any amendment is required in any Law/Rules that will enhance Awareness/Capability of police personnel about the cybercrimes?

While the intention of the Government is good, it is necessary that the exercise does not end up with just the tinkering of a few legal sections in different laws.

Already, there is a Section 69 ITA 2000/8 notification which is being challenged in the Supreme Court, and the Intermediary guidelines under Section 79 are also being debated and will eventually reach the Supreme Court. The PDPA with whatever revisions the Government may do (diluting the Data Localization and penal provisions) will also find itself in the Supreme Court eventually.

Tinkering with the laws will only have marginal impact on improving the situation. It will take a long time for the change of law to come into effect as we know how Section 66A continues to be invoked despite its removal.

While certain changes in law could be helpful, the Government needs to look beyond the tinkering with laws and change the fundamental structure of Cyber Policing. A brief suggestion therefore is as follows.

Create a National Cyber Police Force

Today, law enforcement is the State Subject and hence the state Governments have a say in the laws that affect Cyber Crime prevention, investigation and prosecution.

ITA 2000 itself is a central law for the “Cyber Space” and the State Government has powers only to make follow up laws to implement the law as it is and cannot enact new laws for the Cyber Space. If “ITA 2000” had been considered as the “Law of Cyber Space within the jurisdictional control of India”, then the entire responsibility to manage Cyber Crimes from Cyber Intelligence to Prosecution should be the responsibility of the Central Government. This makes sense because Cyber Space is known to be borderless and crimes occur across national boundaries. If therefore we do not recognize that it can also occur across the State Boundaries and needs to be managed as a concept of “Crime in Indian Cyber Space”, we will not see substantial improvement in the way we prevent Cyber Crimes.

Despite the fact that ITA 2000 is a central law and States have no power to superimpose local laws, some states have enacted laws separately for Cyber Cafes assuming the right to make law for “Cyber Operations in a State”. Some have attacked Social Media in the State with guidelines from the local police etc. The Cyber Crime police stations are also set up locally with police transferred from the regular cadre and shifted back after a brief stint. This structure is not conducive to efficient Cyber Crime policing.

We therefore need to break out of this constraint and redefine the legal framework for Cyber Crimes by starting with creating a National/Indian Cyber Crime Police Force (ICCPF).

We presently have the CBI and NIA or CRPF which act across the State Boundaries. Even these organizations have often been frustrated by the States not giving permissions for investigation due to political reasons.

As we go forward, similar obstructions will be placed on Cyber Crime investigations also when the investigation, arrest etc has to occur beyond a state boundary.

Unless we remove this hurdle, we will not make any substantial progress.

Skill Development and Career Opportunities

We often blame “ignorance” as a reason for inefficient Cyber Crime management. While the need for knowledge and upgradation of knowledge is eternal, it cannot be an excuse for every problem in Cyber Crime management.

The reason why skilled Cyber Crime investigators may not be around is that the current force of Cyber Crime police get transferred before they acquire sufficient skill and expertise and get replaced with others who have to again go through the learning cycle.

Creation of the Special Cyber Crime Police force will enable a long-term stint for the police in the division and the acquisition and use of their skills.

The availability of such a national Cyber Crime police force will enable a career path for the technically minded police who prefer to work with the computers rather than with the lathis.

The T.K. Vishwanathan Committee, which gave a few suggestions for amending ITA 2000, also suggested changes to the CrPC, which included creation of district-level expert committees to assist the police and a state-level DGP-Cyber Crimes. The States, however, did not take the hint and implement the suggestions. Now the National Force for Cyber Crimes can create such a State-level apex police officer, who is the single apex authority for any Cyber Crime issue in the State, supporting a national-level structure all the way up to the National Head of the Cyber Crime Police Force.

Judicial Support

The ITA 2000 created a separate adjudication forum to settle Civil Disputes but left the handling of Cyber Crimes with the legacy criminal justice system.

This legacy system is not suitable for handling Cyber Crime prosecutions since, just as with the Police, there is a need to build expertise in the Judicial officers also to understand the nuances of Cyber Crime, Data Protection related issues etc.

It is therefore necessary for the Government to consider special Magistrate Courts for Cyber Crimes, at least for a cluster of a few districts in each state.

Naturally this requires the cooperation of the Judiciary which I hope should be available.

Defining Cyber Crime

It is not necessary that there should be a legal definition for “Cyber Crime”. Any offence where the electronic document is either a target or a tool automatically qualifies to be called a Cyber Crime. Depending on the cause of action, it may be handled under ITA 2000 or IPC etc.

However, if a definition is really required, we need to define “Cyber Crime” as a “Crime in Cyber Space”.

Cyber Space is the “Imaginary space created by binary expressions”.

Cyber Crimes first affect a Cyber identity or a virtual person or property. The definition should recognize this. Later the adverse impact on the Virtual victim is felt by a physical entity.

Most of the problems we encounter today arise because we try to jump directly from a Cyber Crime to a Physical victim.

Proving damage to a Virtual Victim by a Virtual offender (John Doe) is often easier. But identifying who is the victim and who is the perpetrator in terms of their physical identities and bringing them under the Criminal Procedure Code often creates a problem.

We therefore need to find a solution to separate the two issues.

While proving a Crime is a judicial requirement, identifying and mapping a virtual identity to a physical identity is more a technical requirement.

I have suggested earlier that this “Mapping of physical identity to virtual identity”, which requires IP resolution and breaking the anonymization of criminals by intermediaries, needs to be tackled with stronger implementation of regulations of the intermediaries.

The Golden Hour Principle

It is well known that the failure of Cyber Crime investigation is often because the police delay the investigation for various reasons, including indecision on whether a reported incident is after all a crime or not and, if so, how serious it is.

In most cases, by the time they initiate investigative action, the horses would have bolted.

It is therefore necessary to remove the “Discretion” of the police on whether to investigate or not by making online registration of complaints mandatory.

Along with this, an enforceable notice to the intermediaries such as Gmail to reveal the privacy masks on IP address in respect of registered complaints without the need for a formal police intervention needs to be considered.

This will remove part of the corruption in the Police force that makes the Cyber Crime Police Station keep arguing with the complainant about why the complaint cannot be registered and why it should be registered by another Police Station and not by itself.

I hope some of these changes are considered by the Government.

I invite the public to send their comments either here or directly to the Secretary Ministry of Home (E Mail: hshso @nic.in) on any of the matters discussed above.

Naavi
