We need Insurance against Traffic Fines…Mr Gadkari, are you listening?

Mr Nitin Gadkari is set to lose all the popularity he had gained in the last few years for his work as a minister, over his quixotic decision to raise traffic fines to astronomical levels.

While creating deterrence against drunken driving, rash driving etc. is necessary, an across-the-board increase of fines, such as for not wearing a helmet or a seat belt, was unwarranted.

Traffic offences should ideally be classified into two important categories: offences that endanger third parties, and offences which affect only the individual vehicle user's own safety. Helmets and seat belts fall in the second category. Penalties have to be less for the second category since it is only to promote own safety and has no impact on others.

The non-maintenance of roads leading to potholes and consequential accidents should be held as traffic offences by the civic bodies, and they should be fined at a larger level because their negligence affects the community as a whole. Similarly, invisible no-parking signs, non-working traffic lights etc. also cause problems to those who are essentially followers of law.

In the last two days there have been reports of one fine of Rs 87500/- on a truck driver and Rs 47500/- on an auto driver. Notwithstanding the crime, these fines are insane. Mr Gadkari should bear the direct responsibility for such a situation and be answerable to the voters in Maharashtra. Shiv Sena should have a cakewalk in the elections if they make this MV Act an election issue.

I have always held that such crazy levels of fine will only increase the corruption level in the Police. It is early days, and the Police may now be accounting for the fines, with the department increasing its revenue by a few lakhs each day in major towns. Soon the fine collection will start stagnating and getting converted into bribes to the Police. The Police will pass on a part of their loot to the politicians also, and therefore the corrupt system will grow with political patronage.

Instead of targeting the consumers by increasing the fines, I want Mr Nitin Gadkari to do something that is beneficial to the road users. One such requirement is to check the toll booth contracts, many of which should have ended over time but are continuing without any maintenance of the roads. Recently, I had occasion to travel on the Nice Road in Bangalore towards Magadi and found the road full of potholes, just like the city roads. One wonders why we need to pay any fees for such roads. Is not the Transport ministry responsible for these?

Some time back some ill-informed politicians in Karnataka went against Uber and Ola and taxed them as taxi operators, which resulted in an increase of the rentals for the consumer. Similarly, these fines will also increase the Uber/Ola rates, since the companies have to factor this fine in as part of the regular expense. The truck operators would also factor some fines into their cost, and the cost of goods transport will also go up.

Mr Nitin Gadkari will be solely responsible for this increase in transport related costs.

Vehicle Insurance should include Traffic Fines

While these criticisms are well known and understood by all except the egoistic politicians who do not want to correct their mistakes, the main purpose of writing this article is to bring to the notice of Mr Gadkari and others, including Mr Modi, that there is an urgent need to introduce a component of “Insurance against Traffic fines” as part of vehicle insurance.

Since the new fines have the effect of “Deterrence”, accidents will come down (should come down). This should reduce vehicle insurance claims. Insurance companies should therefore be persuaded to reduce the insurance premium on all existing policies.

Additionally the Traffic Fine endorsement should be provided at an extra premium.

Insurance companies today provide such cover for administrative fines under, say, GDPR, or even for extortion under ransomware. If these are acceptable as insurable risks, why not traffic fines?

I would like IRDAI to engage in discussions with the Insurance companies to quickly introduce the coverage on such fines.

If Mr Gadkari is still walking on the ground, he should push the insurance companies into providing such insurance coverage besides reducing the fines on “Non Third Party Risk Creating offences” to a reasonable level.

I wish a petition were raised in this regard by some public-interested person.

Naavi

Posted in Cyber Law

List of Nodal Officer Contacts

Many times disputes that arise with service providers of various agencies are resolved easily when we are able to reach out to the right persons in the organization.

ITA 2000/8 mandates that every online service organization that is an intermediary must provide the name and contact details of the Grievance Redressal officer on its website.

Unfortunately, most websites not only hide their contacts for receiving complaints but also hide their physical address to which any notice can be sent by a consumer.

Though this is a violation in itself that can be penalized by either an Adjudicator or perhaps by a criminal Court too, most organizations, out of ignorance, do not provide the contact details.

I am happy to provide a compilation of nodal officers' contacts which has been put together by one diligent law enforcement professional. While care has been taken to update the list, errors and omissions could be present. I hope the public will consider this useful.

List of Nodal Officers of different e commerce agencies in India.

I request these and other organizations to point out if any corrections are required. We welcome other intermediaries to share their contact addresses.

We may also bring to the attention of readers that our associate service center at ODRGLOBAL.IN provides an online dispute resolution service which can be effectively used to resolve consumer disputes. We invite these agencies to use the services of ODR Global. It should be economical and also convenient.

CDMAC (Cyber Disputes Mediation and Arbitration Center) is one ADR center whose services may be invoked if a more serious arbitration of a dispute is required. First level disputes can be mediated by Naavi. For the time being, in the interest of the e-Consumers, such mediation would be provided free of charge.

Any collaboration in developing the ODR platform and CDMAC is welcome.

Any enquiries in this regard may be sent to Naavi.

Naavi

P.S: The following address in the list was corrected on 8th September 2019:

Yahoo India Pvt Ltd, Unit No 304, A wing, 3rd Floor, Satellite Gazebo East Wing, Guru Hargobindji Marg, Andheri (East),Mumbai 400093.
E Mail: in-legalpoc@verizonmedia.com

 


New Cyber Crime Act on the anvil?

Recently, Mr Amit Shah, the honourable Home Minister of India, collected information from across the country on the amendments that are required to the law to effectively counter Cyber crimes. Information coming out of the ministry seems to suggest that a new “Cyber Crime Act” may be on the anvil to supplement and partially replace the provisions of Information Technology Act 2000 as amended in 2008 (ITA 2000/8).

According to this report in Times of India, the new approach would be to amend the ITA 2000/8 to keep most of the civil offences under the present act and create a new Cyber Crime Act to address the issue of Cyber Crimes.

One of the features being considered is to ensure that there will be no inter-state jurisdictional barrier for Cyber Crime investigations. This would be a good move if it is extended to the full extent, including the creation of the National Cyber Crime Police cadre, which is a long-term necessity in India.

Other than this, provisions of Chapter XI of ITA 2000/8 may be shifted into the new Act. In the earlier act there was no recognition of “Cyber Squatting” as an offence, and this is due. Section 66A, which covered Cyber harassment, was wrongly scrapped by the Supreme Court and requires to be reinstated in some form.

The Intermediary guidelines which were sought to be amended and were opposed by some activists may now find a place in the new Act.

Hopefully some of the evidentiary issues including Section 65B of IEA that affect prosecution may get tampered with.

Let us wait and watch what more changes are going to be proposed. We hope the law will be stringent and at the same time fairly implemented, with checks and balances to prevent misuse by the Police and clever criminals and harassment of honest Netizens.

We need to specially watch out for lobbyists, especially from the Banking sector, who will try to influence the changes in their favour.

Hopefully the draft would be available for public comments during the winter session along with the revised Data Protection Bill.

Naavi


Will Fintech Steering Committee report bring changes to PDPA?

The Subhash Garg Committee’s report on Fintech has touched on several aspects of the industry. It has, inter alia, made recommendations on two aspects which are immediately relevant for us as observers of ITA 2000 and PDPA.

Firstly, it has recommended changes to ITA 2000 to bring in the documents kept out of ITA 2000 under Section 1(4).

The recommendation is as under:

Para 2.4.6: Re-engineering Legal Processes for the Digital world

The Committee recommends review by Department of Legal Affairs of all such legal processes that have a bearing on financial services and consider amendments permitting digital alternatives in cases such as power-of-attorney, trust deeds, wills, negotiable instrument, other than a cheque, any other testamentary disposition, any contract for the sale or conveyance of immovable property or any interest in such property, etc., (where IT Act is not applicable), compatible with electronic service delivery by financial service providers.

These exemptions had come in due to some specific thoughts which were relevant in 1998-2000 when the law was drafted. There are certain changes that have occurred in technology that may warrant a rethink on some of the aspects. However, the steering committee was neither tasked to think about changes in ITA 2000 nor had the necessary expertise.

Hence the suggestions can only be taken as nothing more than an indication to the Government and should be handled with care.

Secondly, the committee has also made suggestions regarding the powers of the Data Protection Authority proposed under PDPA, as under.

Para 4.4.3: Coordination with Financial Regulators:

The Committee is of the view that in some cases, data privacy requirements in existing legislation may need to be reviewed in order to tailor them to the emerging data privacy legislation. The Committee also considers that given the fact that sectoral regulators are already taking steps to maintain the security and confidentiality of consumer data in their respective jurisdictions, some obligations the Data Protection Bill seeks to place on the DPA may be given to the sectoral regulators to discharge. Regulators must therefore carefully review their existing regulatory framework and identify any changes or modifications that may be required to the current regulatory framework.

It appears that the committee was apprehensive of the loss of power of some of the other authorities who may have to work as per the directions of the DPA. It is obvious that the DPA will respect the sectoral regulators and accommodate their views in the implementation of the Data Protection regulations. But there has been a tendency by different departments of the Government to come up with their own Privacy related regulations that could overlap with the PDPA and confuse the market players.

This should be avoided. Let the DPA come into existence as per law with suitable flexibility in defining the codes and practices in different sectors and then discussions can be had with individual sectoral regulators so that their views can be accommodated.

Naavi


FINTECH Steering Committee Report

On 5th March 2018, GOI constituted a Steering Committee on Fintech related issues, which has now come up with its recommendations. It comprised Secretaries of different ministries and was headed by the Secretary of Economic Affairs (DEA), Mr Subhash Chandra Garg.

Refer copy of Report here

The objective of the committee was to “Consider various issues relating to development of Fintech space in India with a view to make Fintech related regulations more flexible and generate enhanced entrepreneurship in an area where India has distinctive comparative strengths vis-a-vis emerging economies”.

We look at the salient features of the recommendations as briefly indicated below.

  1. The committee recommends the use of fintech, especially by PSE financial service companies to bolster cybersecurity, fraud control and anti-money laundering. The Committee also recommends that fintech firms specialising in this field should be encouraged to set up their businesses in India and provided necessary regulatory approvals for expanding their services in the country.
  2. The Committee recommends that the Ministry of Finance may develop a marketplace model of debt financing in India by reforming the present model of P2P lending platforms. Potential hindrance in terms of restrictions on overall and individual exposure limits may be reviewed and options like allowing Mudra Bank to directly fund or co-fund SMEs and MSMEs through P2P platforms may also be examined as an alternative credit delivery channel.
  3. The Committee recommends that DFS and RBI may examine the suitability of ‘virtual banking system’ in the Indian context, costs and benefits regarding allowing virtual banks and prepare for a possible future scenario where banks do not need to set up branches and yet deliver the full scale retail banking services ranging from extending loans, savings accounts, issuing cards and offering payment services through their app or website.
  4. For facilitating KYC by Fintech industry, the Committee recommends that various options, including possibility of Video-based KYC, making available validated electronic versions of KYC related documents through DigiLocker, making these available for verification by service providers with prior customer consent, etc., may be considered early.
  5. In order to increase access to credit and to stabilise the growth of such practices and keeping in view recommendations of the Justice Srikrishna
  6. A Taskforce has been recommended to be set up with the participation of the regulators and make suitable recommendations to safeguard the interests of Consumers, while also enabling a positive climate for innovation.
  7. The Committee notes that the poor and the unbanked are often unable to access credit due to the lack of formal credit history and non-availability of other relevant documents. Fintech companies focus on a number of unconventional sources of data and advanced data analytics to create better credit profiles of such individuals. These fintech companies collect information pertaining to social media behaviour, financial transaction behaviour, product purchase behaviour etc. These kinds of information are not captured by CICs. Fintech companies collect these kinds of information from the mobile phones of consumers with prior consent. Banks are being encouraged to explore the possibility of establishing new alliances with players like fintech companies for ease of loan sanctioning process enabled by new technologies. In order to increase access to credit and to stabilise the growth of such practices and keeping in view recommendations of the Justice Srikrishna Committee, this Committee recommends that MeitY and TRAI may formulate a policy to enable such practices through a formal, consent-based mechanism.
  8. Centers of Excellence for FINTECH are recommended to be set up in 2 or 3 premier National institutions like IITs/NITs and Government Financial sector institutions like IDRBT/NIBM/NIFM
  9. The Committee recommends that the Ministry of MSME should work with DFS and RBI for testing and implementing block-chain solutions in trade finance for MSMEs in public sector banks as well.
  10. The Committee recommends that the Government takes up modernisation and standardisation of land records in the country on a war footing with a deadline to complete such a system in the country in a period of three years. For this purpose, a steering committee comprising of Department of Economic Affairs, Department of Financial Services, Ministry of Agriculture, Ministry of Rural Development, Department of Land Resources and MEITY with involvement of State Land and Registration departments should be constituted to draw up a blueprint for doing so.
  11. The Committee recommends review by Department of Legal Affairs of all such legal processes that have a bearing on financial services and consider amendments permitting digital alternatives in cases such as power-of-attorney, trust deeds, wills, negotiable instrument, other than a cheque, any other testamentary disposition, any contract for the sale or conveyance of immovable property or any interest in such property, etc., (where IT Act is not applicable), compatible with electronic service delivery by financial service providers.
  12. The Committee recommends that MEITY coordinate the process of identification of the datasets that can be shared through open APIs, setting targets for the creation of such APIs by the relevant Ministries while enabling and supporting Central, State and Local governments to create relevant open APIs. The Committee also recommends that greater nudge from all regulators combined with development of open API eco system will enable account aggregator services to take off.
  13. Regulators should establish prudential regulations for fintech to enable the moderate and high impact scenarios of fintech development to emerge.
  14. The Committee recommends that RBI may consider making available banking data (such as transaction and account history data) for use by the financial sector, including fintech firms, (based on consumer consent and with other appropriate safeguards) through APIs. It also recommends that all financial sector regulators study the potential of open data access among their respective regulated entities, for enhancing competition in the provision of financial services.
  15. It therefore recommends that all financial sector regulators fix deadlines for on-boarding existing KYC data to the Central KYC registry and make C-KYC (central KYC) fully operational and make KYC a digital and paperless process. At least the KYC data from the time the concept of Officially Valid Documents was introduced vide PML rules should be uploaded. In respect of legacy accounts, data may be uploaded by banks during the process of re-KYC.
  16. The Committee recommends that a legal framework for consumer protection be put in place early, keeping in mind the rise of fintech and digital services. It further recommends enacting such a law early, keeping the rise of financial technologies in view.
  17. The Committee recommends creating a common digital platform for all micro-pension schemes and Government pension schemes, including EPF, through which pension subscribers can subscribe to specific schemes seamlessly and reduce access barriers by allowing payments through various modes such as Jan Dhan Yojana accounts, debit card, credit card, internet banking, mobile wallets etc.
  18. In order to expand the reach of small savings schemes, provide ease of access and transactions to consumers, reduce risk of frauds, enable trading in secondary markets, etc., the Committee also recommends that all Small Savings Products, which are neither accessible online nor available in demat form, should be brought on a common online platform in demat form. For vulnerable groups and weaker sections who are neither digitally nor financially literate, a combination of both human interface and technological application may be effective.
  19. The Committee recommends use of fintech by Public sector commercial banks to enhance credit scoring, follow up of repayments, predictive analytics, etc., so as to enable reduction of NPAs in this space.

A rough glance at the above shows that the recommendations indicate several new business opportunities which can be explored by the industry. However, most recommendations need to be carefully evaluated for their risks before they are actually implemented.

A lot more discussion is required on the recommendations.

Naavi


Data Laundering ..is it covered under PDPA?

In continuation of yesterday's discussion regarding TransUnion CIBIL, further thoughts on the data protection regulatory aspects are set out below to draw the attention of RBI, CERT-In, MeitY, Ministry of Commerce etc.

Data Protection laws try to protect personal data handling by insisting that:

    1. The first collector of personal data from the data subject provides a clear Privacy notice and obtains an informed consent, which shall be an “Explicit Consent” in the case of sensitive personal information. GDPR considers the collector as the “Data Controller” or a Data processor working under a contractual direction of another Data Controller.
    2. Subsequently, every transfer of the personal data is subject to consent and a contract that binds the downstream receiver to the same level of protection that the consent expects.
    3. There are also clear “Cross border transfer” restrictions that need to be adhered to.

In the case of CIBIL, data subjects do not have any direct communication from CIBIL that it has collected the personal data which is being processed in a specific manner etc. CIBIL has silently collected the data from the Banks and is using it to influence the new loan applications of the data subjects without informing them of the reasons why their rating has gone up or down.

In the case of CIBIL, which was initially promoted by a consortium of Indian Banks and regulated under RBI regulations, the personal data of millions of Indian citizens was aggregated. The objective of this was to prevent bad borrowers from taking the Banks for a ride by borrowing from multiple Banks and defaulting in the repayment.

However, contrary to this original objective, the Credit Information Companies (CICs) used the data to “Profile” the borrowers and assign a “Credit Rating”. Initially, this was meant to assist new lenders with an indication of the creditworthiness of the borrowers.

As days passed, many lenders took the easy way out and did not conduct their own credit check on the borrowers and depended entirely on the credit rating of the CICs. The borrowing limits were fixed on the basis of the “Credit Score”. The lower the score, the lower would be the limit. In a way, this resulted in “Automated Decision Making” by the lenders on the basis of the credit rating.

At the back end, the CICs used parameters such as length of credit history, number of defaults, overdues, loan enquiries made etc. to arrive at the credit rating using some kind of an algorithm. Considering the way technology is used today, it can be presumed that the final credit score is the outcome of processing the chosen set of parameters in the chosen algorithm. There is most likely no human element in assessing the credit risk, and the decision is “Automatic”.

Thus the decision to lend or not to lend taken by the lender is directly influenced by the credit rating which is a result of an automated decision making in itself.

Hence the credit score determination falls into the category of profiling with automated decision making under the data protection laws. This therefore requires an “Explicit Consent” from the data subject.

When the credit scores are incorrectly computed, either because the algorithm is imperfect or the input data is inaccurate, the data subject suffers a loss of reputation and denial of credit. This is therefore a serious legal issue that creates a liability on the credit rating agencies.

In this case the CICs need to be subjected to the rigorous privacy protection measures contemplated under the privacy regulations.

Data Laundering

One of the data protection requirements is the data transfer regulations. In India there is now a debate on “Data Sovereignty” and “Data Localization”. In this context, the data collected for profiling borrowers and developing the Credit scores becomes “Sensitive Personal Data” that should be subject to the Data Localization requirements.

To overcome the regulatory controls, some companies may use devious means to access the sensitive personal data and indulge in “Data Laundering” by taking over companies that already possess such data. In such cases a foreign company that takes over an Indian company will have access to the data, and once access is availed, it is not difficult for the company to transfer it out.

Hence in the case of “Critical Personal Data Processing companies”, it may be necessary to prevent the takeover in order to prevent cross border transfer, or to have increased oversight or conditions imposed on the takeover.

The TransUnion takeover of CIBIL appears to be one such transaction, where TransUnion took over CIBIL by acquiring equity and thereby got control of a huge amount of data of 550 million citizens of India. Whether this was “Data laundering” and whether there was suitable oversight from RBI is a matter to be investigated.

TransUnion-CIBIL takeover

When CIBIL was initially in operation, it was controlled by Indian Banks and we could presume that the data was held in India. Probably some time later the data could have been hosted on cloud servers belonging to non-Indian companies and stored abroad.

Presently we understand that TransUnion CIBIL is owned by TransUnion to the extent of 92.1%. According to the website of TransUnion in 2017, TransUnion acquired the 92.1% stake in 2017, during the first Modi Government.

Initially, CIBIL’s shareholding was held by State Bank of India, Housing Development Finance Corporation Limited, Dun & Bradstreet Information Services India Private Limited and Trans Union International Inc. The shareholding pattern was in the proportion of 40:40:10:10 respectively.

This changed in 2009 to what is indicated (reference: taxguru.com) in the following diagram, which shows that as of 15th September 2009, the shareholding of CIBIL was as follows.

State Bank of India 10%
HDFC 10%
ICICI Bank 10%
Dun & Bradstreet 10%
TransUnion 10%
Bank of Baroda 5%
Bank of India 5%
Indian Overseas Bank 5%
Punjab National Bank 5%
Union Bank of India 5%
Central Bank of India 5%
Citicorp Finance (India) Ltd 5%
The Hongkong and Shanghai Banking Corporation Ltd 5%
Standard Chartered Bank 5%
Sundaram Finance Ltd 2.5%
GE Strategic Investment India 2.5%

It is clear therefore that the initial shareholders had diluted their shareholding mostly in favour of the other Indian Banks. TransUnion also maintained its shareholding at 10%.

From this stage to the current level of 92.1%, TransUnion must have grabbed the shareholding of most of the other shareholders.

It is intriguing that RBI allowed this, and that each of the Banks got its shareholders’ approval to divest its holdings in favour of one US company as a coordinated approach. If the shareholding of one foreign entity rose to 92.1%, then it was a matter that should be the concern of Direct Foreign Investment in a Banking related activity.

How this FDI was permitted in 2017 is intriguing.

How were all the Banks made to agree to sell their stakes to one foreign entity?

What was the price?

What were the board decisions at that time?

Did any board member object to this sell-out? … etc.

These are issues that need investigation from the CBI itself.

Modi Government needs to Clarify

A deal of this nature provides a definite scent of corruption and members of the Modi Government including Mrs Nirmala Sitharaman and Suresh Prabhu who were the commerce ministers in 2017 need to clear their positions.

Going forward, action should be initiated to disallow the majority share transfers to TransUnion and the shareholding has to be reverted back to the Indian Banks.

The heads of the Indian Banks in 2017, who must be aware of the reasons why they agreed to divest their shares, also need to clear their position, as otherwise it would be presumed that all the Banks were forced to sell their shares, probably by the RBI, and that they did not raise any objections either because they were naive enough not to see anything wrong in the deal or were silenced otherwise.

It is interesting to note that Mr Raghuram Rajan was the RBI Governor of that time and he was a close associate of Mr P Chidambaram. Did he have a hand in these deals? is a doubt which naturally arises.

Mr Modi and Mr Amit Shah may be busy with other things and would like to let this pass and go un-investigated. But this will explode into a scam sooner or later, and at that time questions will be asked why Mr Modi and Mr Amit Shah decided not to pursue this. Was it because Mr Arun Jaitley was the finance minister of the time and they do not want any discredit to come to him?

Now that this issue has come to public notice, the public will be awaiting a clarification from the RBI, the Ministry of Finance and the Ministry of Commerce.

I have not at present obtained any direct information from TransUnion or the ministries. It is possible that the entire transaction is above board. But it needs to be clarified by the right persons.

I look forward to the clarifications from any of the parties who have been indicated here, including the 16+ shareholders of CIBIL.

Academically, we need to check if PDPA provides sufficient cover to recognize and punish Data Laundering.

Naavi
