TDSAT confirms compensation for employee data theft

Complaints from an employer against an employee for data theft are a common occurrence in the corporate world, particularly when the employee has exited the company and started a competing business.

In the current business environment, where corporate work is carried on using e-mail and from home computers, it is natural that in most cases employees will have corporate data in their personal custody and on their personal computers.

Most companies will also have employee contracts which typically contain an NDA clause under which the employee is supposed to return corporate data in his hands in the event of his leaving the company. However, some of the provisions of the employee NDA contract are impractical and are ignored in practice.

Hence disputes do arise at every resignation of an employee. Quite often, when a critical employee leaves the organization, the organization may also be unreasonable in pursuing criminal cases against the employee on the basis of business practices to which both were parties during the employment, including the sharing of corporate data in the personal domain of the employee.

In resolving such cases, the Courts need to appreciate corporate practices, the “Data Protection/Information Security policies” of the Company, the intention of the parties etc., besides the provisions under law such as ITA 2000/8.

One such interesting case was recently decided by TDSAT: Dr Rishi Dixit & Ors Vs PreventiNe Life Care Pvt Ltd. PreventiNe Life Care is a genetics laboratory based in Mumbai (India), offering genetic screening and predictive testing services in association with various hospitals. It obviously handles “Sensitive Personal Data”, which is the subject of data protection obligations under ITA 2000/8, the upcoming PDPA and industry standards such as HIPAA. Dr Dixit was a medical professional employed in the organization, delivering his professional services as head of diagnostic services. He appears to have resigned in 2012 along with some of his research colleagues and later set up a rival company.

The Company had alleged that the accused had stolen software and also corporate data in the form of confidential algorithms, formulas, processes, client/customer lists, projects, research papers, diagnostic procedures and other important information, which were the property of the Company, through e-mails sent from the company network to their personal e-mail accounts. Using the said information, the accused are alleged to have started a rival company, Navigene Genetic Science Pvt Ltd, and adopted a similar business model.

The Adjudicator had therefore granted compensation of Rs 30 lakhs to be paid by the accused to the Complainant (PreventiNe Life Care). This was challenged in an appeal to TDSAT, which was disposed of recently on 31st May 2019.

This case has implications for study under ITA 2000/8, Data Protection regulations and also Copyright law. There are similar cases that may be under litigation in many courts, including the civil and criminal courts outside the Adjudication/TDSAT system, and the judgement could have an indirect influence on such cases.

A copy of the Judgement is available here.

Some observations on the judgement are recorded here for academic discussion.

  1. The rival company was set up while the accused were still in the service of the earlier company, and therefore in violation of one of the clauses of the employment contract. This was however a matter for the civil courts to adjudicate as regards compensation, and was rightly noted as not falling under Section 46 of ITA 2000/8.
  2. The Adjudicator also noted that he was not considering the IPR issues involved in the dispute. However, the possibility of some of the information having been “copied” from e-mails sent by the Company to the accused has been taken note of, and hence copyright violations have been recognized.
  3. The defense that the information was sent by the company to the personal e-mails of the employees, and that the company thereby relinquished its right to the confidentiality of the information, has been rejected.
  4. The use of such information for purposes other than those for which it was shared by the Company has been held to be a contravention of Section 43 of ITA 2000. Accordingly, contravention of Sections 43(b), 43(i) and 43(j) along with Section 66 of ITA 2000/8 was taken into account by the Adjudicating Officer.
  5. TDSAT has specifically commented that the complainant is free to pursue, in a separate action, the matters of employment contract and copyright which were not taken into account in this adjudication, and proceeded to look at the appeal in the context of the application of ITA 2000/8 both to the misuse of data in the form of software on which the company had rights and to the business data.
  6. TDSAT, after comparing the reports generated by the systems used by the two parties, came to the conclusion that there are significant differences between the two, which may not indicate that the software was stolen. (This is relevant for the copyright issue also.)
  7. It was recognized that if the software was stolen and modified, the person responsible was not a party to the dispute, and hence some of the charges regarding conspiracy to steal, modify and misuse the software cannot be validated.
  8. As a result of the observations recorded by TDSAT, the charge that the appellants had stolen, copied or misused the proprietary software developed by the respondent for generating the diagnostic reports is held not sustainable against the appellants. This substantially eliminates the “Copyright” aspect, and any remedies under copyright law may have been seriously dented by these observations.
  9. As regards the other allegation, some data has been provided as proof from the hard disk of the computer system used by the accused. It is not clear whether the electronic evidence produced in this respect was appropriately certified under Section 65B. The defense appears to have failed to challenge the evidence, and therefore the evidence might have been admitted by deemed mutual consent. Considering that the final outcome of the case depended very much on this evidence, the omission could be considered catastrophic. (Ed: This observation of Naavi is not to dispute whether the accused deserved to be punished, but to flag a common mistake that many litigants make which enables the accused to escape liability on technical grounds.)
  10. TDSAT has held that one of the accused, who was also the promoter of the rival company, cannot be held liable under Section 43, since there is no evidence against him of data being stolen from the victim company; he only used his domain knowledge to interpret whatever data was made available to him by the other co-accused.
  11. Since one of the two allegations (software theft) failed and one of the accused was also held not liable, the damages of Rs 30 lakhs granted by the Adjudicator were reduced to Rs 15 lakhs.

It is also noted that the judgement appears to have been written by the honourable Sri A.K. Bhargava, Member of TDSAT, since it involved significant technical issues besides the legality of the applicability of Sections 43(b), 43(i) and 43(j) of ITA 2000/8 to the dispute.

The advantage of a two-member TDSAT with a technical member has been highlighted in this case. The Cyber Appellate Tribunal, when first formed, was a single judicial-member body, and though a technical member was subsequently appointed, no hearing could be held by the two-member body until it was merged with TDSAT.

Naavi has also for a long time advocated that the Adjudication body under ITA 2000 should be fortified by adding the Law Secretary of the State to the panel. Hopefully this suggestion will be considered by the Government, and I request the IT Minister to consider this amendment to ITA 2008 when the next opportunity arises.

It must be noted that this case was a complicated techno-legal issue involving ITA 2000/8 as well as copyright issues, and TDSAT has shown dexterity and finesse in arriving at the final judgement. The judgement makes a good case study for academicians.

Naavi


“Consent” and “Explicit Consent” under PDPA

The time has come to analyze the draft PDPA 2018 bill in depth, so that when the final version of the bill is passed, contradictions can be minimized.

One aspect that needs discussion in this regard is the distinction between “Consent” and “Explicit Consent”.

“Consent” is defined under Section 12 of the Act and “Explicit Consent” is defined under Section 18.

Consent as per Section 12 is defined as under:

12. Processing of personal data on the basis of consent.—

(1) Personal data may be processed on the basis of the consent of the data principal, given no later than at the commencement of the processing.

(2) For the consent of the data principal to be valid, it must be

(a) free, having regard to whether it meets the standard under section 14 of the Indian Contract Act, 1872 (9 of 1872);

(b) informed, having regard to whether the data principal has been provided with the information required under section 8;

(c) specific, having regard to whether the data principal can determine the scope of consent in respect of the purposes of processing;

(d) clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and

(e) capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.

(3) The data fiduciary shall not make the provision of any goods or services or the quality thereof, the performance of any contract, or the enjoyment of any legal right or claim, conditional on consent to processing of any personal data not necessary for that purpose.

(4) The data fiduciary shall bear the burden of proof to establish that consent has been given by the data principal for processing of personal data in accordance with sub-section (2).

(5) Where the data principal withdraws consent for the processing of any personal data necessary for the performance of a contract to which the data principal is a party, all legal consequences for the effects of such withdrawal shall be borne by the data principal.

Under Section 18, Explicit Consent is defined as:

18. Processing of sensitive personal data based on explicit consent. —

(1) Sensitive personal data may be processed on the basis of explicit consent.

(2) For the purposes of sub-section (1), consent shall be considered explicit only if it is valid as per section 12 and is additionally:

(a) informed, having regard to whether the attention of the data principal has been drawn to purposes of or operations in processing that may have significant consequences for the data principal;

(b) clear, having regard to whether it is meaningful without recourse to inference from conduct in a context; and

(c) specific, having regard to whether the data principal is given the choice of separately consenting to the purposes of, operations in, and the use of different categories of sensitive personal data relevant to processing.

It appears that the sections make little distinction between “Consent” and “Explicit Consent”. Both need to be valid under the Indian Contract Act, and both have to be informed, clear and specific.

Further, Section 12 itself provides that the data fiduciary shall bear the burden of proof to establish that consent has been given by the data principal for processing. Hence the Data Fiduciary has to collect appropriate proof both for Section 12 and for Section 18. Additionally, the burden of proof under Section 18 for “Explicit” consent has to be stronger than what is necessary for Section 12.

Presently the business practice is to take consent through an electronic document presented online, to which the data subject expresses his approval by clicking the “I Agree” button.

This “Click Wrap” contract is only considered an “Implied Contract” under ITA 2000/8, since there is no “Signature” on the electronic document of a kind approved under ITA 2000/8. If such an implied contract is acceptable for Section 12, then the higher degree of authentication for Section 18 has to be through the application of an approved “Digital Signature”, such as an “eSign”. Unfortunately, due to the Supreme Court decision on Aadhaar, eSign cannot be used by private parties (unless the eKYC system is modified for the use of Virtual Aadhaar ID). Hence it is practically difficult or impossible to obtain an online digital signature to make an “Explicit Consent” an effective authentication under law.

There is also another problem that needs resolution. The “Consent” under Section 12 of PDPA makes a reference to Section 14 of the Indian Contract Act, making it look like a process that has to be compliant with the Indian Contract Act. At the same time, under Section 4 of PDPA 2018, it is stated that the “Data Fiduciary” “owes a duty” to the “data principal”. The use of the words “Fiduciary” and “Duty” indicates that what PDPA envisages as the role of the Data Fiduciary is that of a “Trustee” and not that of a “Contractor of the Data Subject”.

Hence the nature of the document that creates the Data Principal-Data Fiduciary relationship should be considered as one that creates a “Trustee relationship where the data subject/Principal is the beneficiary”.

If the online consent document has to be considered as a document equivalent to a “Trust deed”, there is a conflict with Section 1(4) of ITA 2000/8, according to which an electronic document purporting to be a Trust deed is not recognized under Section 4 of ITA 2000/8.

Hence the online consent, which is a purported click-wrap contract, is not valid, and even if considered as an “Implied Contract”, it cannot create the “Fiduciary” relationship as envisaged. Such a contract would also be treated as a standard form contract, and the onerous clauses need to be specially highlighted.

Considering the conflicts arising between PDPA 2018, ITA 2000/8 and the Indian Contract Act, special care needs to be taken when the PDPA bill is finalized.

Firstly, through PDPA 2018, an exception has to be provided to Section 1(4) specifically to state that Section 1(4) of ITA 2000/8 does not apply to a “Document Creating a Data Fiduciary Relationship” as per Section 12/18 of PDPA 2018.

Secondly, “Explicit Consent” should be defined as a “Consent” which is authenticated by a digital/electronic signature under Sections 3/3A of ITA 2000/8. Simultaneously, an exemption should be provided, by a reference to the Supreme Court if necessary, so that “Explicit Consent” can be provided with the use of eSign. If however the CCA re-notifies its eSign notification by substituting the use of Virtual Aadhaar ID or offline verification for eKYC, no reference is required to be made to the Supreme Court.

These issues need to be addressed when the PDPA Bill is discussed in the Parliament.

Naavi

With Ravishankar Prasad back in IT ministry, PDPA will be a reality soon

The allocation of portfolios to the ministers in the Modi cabinet was delayed but finally fell into place. It was good to see Mr Amit Shah as Home Minister rather than Finance Minister, and Mrs Nirmala Sitharaman as Finance Minister. The return of Mr Ravishankar Prasad as IT Minister provides much-needed continuity, so that the pending issues can be taken up without much of a break.

In particular, the return of Mr R S Prasad means that the Personal Data Protection Bill will be reintroduced at the earliest. It may still go to a standing committee, but at least the process will be set in motion. Similarly, in the last few months of the last Government, the opposition had created unnecessary hurdles on the Intermediary Guidelines under ITA 2008, Aadhaar and the Section 69 of ITA 2008 notifications. Now that Mr Prasad is back, there would be a commitment to resolve all these pending issues.

On Aadhaar, the amendment bill which the Srikrishna committee had suggested should be taken up on priority. If necessary, the Government should go for a review with the Supreme Court to enable the Aadhaar infrastructure to be used more productively. (Our views on the ordinance are available here.)

Hopefully, the Supreme Court will not keep interfering in the day-to-day administration of the Government at the behest of the political opponents.

Naavi

Sab ka Vishwas for the EVM and Election Process - Unfinished Agenda for Modi 2.0

During the final days running up to the 2019 elections, Congress and its Lutyens’ media created a controversy about EVMs that engaged the attention of the whole country, including the Supreme Court. But for the resolve of two of the Election Commission members, Chandrababu Naidu and Congress would have succeeded in disrupting the election process. By not accepting the demand for counting the VVPAT slips first, the EC perhaps saved the day.

Supreme Court set a wrong precedent

But it must be placed on record that the honourable Supreme Court failed to uphold the integrity of the Election Commission by acceding to the request of the opposition for counting VVPATs in 5 machines per constituency.

The question is not what harm there is in such counting, even if the result had to be delayed by 4 hours.

The net result of the Supreme Court agreeing to the count of 5 VVPATs instead of one was that VVPATs were given a presumptuous recognition, as if they were “Voting Slips” similar to the ballot papers of the old manual voting days. Had the scenario speculated by the undersigned materialized, there would have been a constitutional crisis, and the Supreme Court would have been solely responsible for creating it.

As long as the Supreme Court cannot rid itself of the influence of a few politically motivated senior counsels who can set the agenda for the Court, such incidents will keep recurring. The CJI is personally facing the wrath of such advocates and their supporting lobby in his personal case, which has eroded the reputation of the Court itself.

Hence the Government, the Election Commission and the Supreme Court have to work jointly for the restoration of faith in the electoral system, and ensure that politicians do not sully the image of the election process as it suits them.

I therefore call upon the Modi 2.0 government to take the necessary action to restore faith in the EVM system in particular and the election system in general.

I recently heard from a famous astrologer that the Government may introduce “Online Voting” in this term. This demand has existed primarily for enabling NRI voters and, further, to improve voting percentages. There is definitely merit in the demand, but it needs to be approached with caution.

The problems with our electoral system now include:

a) The electoral rolls are not up to date, and hence there could be genuine omissions of voters who move from one address to another, and also because political parties actually introduce bogus voters to rig the elections. There are many rogue state governments who would indulge in such practices, with the possible assistance of the local officers of the Election Commission, well before the election heat is generated. We therefore need to find measures to sanitize the electoral rolls.

b) The EVMs are not amenable to the kind of manipulation that Mr Kejriwal or Kapil Sibal are complaining about, because there are overriding physical security measures that are difficult to defeat. But it is still possible to capture booths and force voters to vote for a particular party, or for one party to simply create votes in the names of voters without the voter being present. When there are state governments like West Bengal, Kashmir or Kerala that cannot be easily disciplined even with the central security forces, “Booth Capturing” cannot be easily eliminated. We need to find measures to prevent such booth capturing.

c) The confusion created by the Supreme Court regarding the counting of VVPATs as a confirmation of the EVM count itself needs to be resolved legally and technically. This aspect has been discussed several times by the undersigned (refer to articles here). The legal position needs to be reiterated and clarified so that we end the arguments against EVMs once and for all.

To address all these issues, I request the Government to take the following actions.

  1. Updation of Electoral Rolls

Consider updating the electoral rolls at every booth level through an online, three-stage authentication process.

The first stage would be self-authentication by the voter himself, for which he can provide appropriate KYC documents. The second would be verification by the EC officials. Up to this point, the system would be similar to the present system.

The third stage (an addition to the current process) is approval by the other approved co-voters in the same constituency through a blockchain method. The approval blockchain in the third stage could fork if the voter’s entry is not approved by others. This should be recognized as a challenge and should be open to the voter producing the necessary confirmation, and also submitting himself to a penalty if his identity is proven to be wrong in a subsequent enquiry.

The three-level approved voter list should be considered for further use as the official revision of the voter list.

The “Challenged Voter List” may be published separately by the EC from time to time so that the affected voters may take steps to get their names removed from the list if necessary.

Votes cast by those in the “Challenged Voter List” should be considered as “Provisional Votes” which may be recognized only during an election petition.

2. Voting Surveillance

The present system of having Central forces in the booth has only a partial effect in ensuring fair polling. Since 100% of the booths cannot be secured by the CRPF, and polling officials are unable to prevent lumpen elements from taking over the process, every voting booth must be subject to electronic surveillance through CCTV that broadcasts the voting process to a public website which can be viewed by the voters.

The CCTV picture of every voter should be recorded so that it can be challenged later in an election petition. It goes without saying that a “Burqa” or “Helmet” may have to be removed during the voting process.

3. EVM modification

Every EVM must be modified to have a touch-sensitive screen on top, on which the ballot paper appears as an image. When the button is pressed on the screen, the state of the screen with the voting mark has to be captured as a screen image, hashed, and the hash value printed on the VVPAT. While the VVPAT will continue to show the image of the party etc. as is done now, to satisfy the voter, the printing of the hash of the image containing the copy of the ballot paper after voting, along with the time stamp, will provide electronic evidence of the ballot cast. This will provide legal validation of the VVPAT as a copy of the ballot paper.

It must however be clarified that, as long as electronic voting is recognized by the Representation of the People Act, the vote is complete when the electronic signal arising from the pressing of the button by the voter, as generated by the screen on the EVM, is stored in the memory of the EVM. The binary imprint in the EVM’s memory is the etching of the ballot cast.

After the casting of the vote, the generation of the VVPAT is an acknowledgement created as a secondary copy of the original binary-recorded ballot. There should technically be no mismatch between the votes recorded in the EVM and the counted number of VVPAT slips. If however a mismatch does arise, then the EVM count should be considered the more reliable and legally recognized vote, and the discrepancy, if any, should be subject to discussion in an election petition only. At the time of such an election petition, the booth official may be required to provide a Section 65B certificate for the batch of VVPAT slips relevant to the challenge.
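As an added illustration (not from the post or any Election Commission system), the following Python models the flow proposed above: the EVM stores the ballot record in memory as the operative vote, prints a VVPAT slip carrying the candidate label plus a SHA-256 hash of the screen image and time stamp, and a reconciliation step treats EVM memory as authoritative, listing slips that match no stored record and records for which no slip is present. The candidate names, time stamps and the text rendering that stands in for the screen image are constructed assumptions.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

# Constructed sample ballot; a real EVM would carry the notified candidate list.
CANDIDATES = ("Party A", "Party B", "Party C")


@dataclass(frozen=True)
class BallotRecord:
    """What the EVM writes to memory: the legally operative vote."""
    seq: int
    candidate: str
    timestamp: str
    screen_image: bytes


@dataclass(frozen=True)
class VvpatSlip:
    """The printed acknowledgement: candidate label, time stamp and image hash."""
    candidate: str
    timestamp: str
    image_hash: str


def render_ballot(candidate: str) -> bytes:
    """Stand-in for the captured screen image: a text ballot with [X] on the choice."""
    rows = [f"[{'X' if c == candidate else ' '}] {c}" for c in CANDIDATES]
    return "\n".join(rows).encode()


def ballot_hash(screen_image: bytes, timestamp: str) -> str:
    """SHA-256 over image || '|' || timestamp, so the printed hash binds both."""
    h = hashlib.sha256()
    h.update(screen_image)
    h.update(b"|")
    h.update(timestamp.encode())
    return h.hexdigest()


class Evm:
    def __init__(self) -> None:
        self.memory: list[BallotRecord] = []   # authoritative store
        self.printed: list[VvpatSlip] = []     # what the printer emitted

    def cast(self, candidate: str, timestamp: str) -> VvpatSlip:
        if candidate not in CANDIDATES:
            raise ValueError("unknown candidate")
        image = render_ballot(candidate)
        record = BallotRecord(len(self.memory) + 1, candidate, timestamp, image)
        self.memory.append(record)   # the vote is complete at this point
        slip = VvpatSlip(candidate, timestamp, ballot_hash(image, timestamp))
        self.printed.append(slip)    # secondary copy shown to the voter
        return slip


def slip_matches_record(slip: VvpatSlip, record: BallotRecord) -> bool:
    """A slip is genuine only if label, time stamp and recomputed hash all agree."""
    return (slip.candidate == record.candidate
            and slip.timestamp == record.timestamp
            and slip.image_hash == ballot_hash(record.screen_image, record.timestamp))


def reconcile(memory, slips) -> dict:
    """Compare EVM memory with a batch of VVPAT slips.

    The EVM tally is authoritative; every discrepancy is listed so it can be
    taken up in an election petition rather than silently overriding the count.
    """
    unmatched_records = list(memory)
    slips_without_record = []
    for slip in slips:
        hit = next((r for r in unmatched_records if slip_matches_record(slip, r)), None)
        if hit is None:
            slips_without_record.append(slip)   # altered, forged or duplicated slip
        else:
            unmatched_records.remove(hit)        # each record may vouch for one slip
    evm_tally = Counter(r.candidate for r in memory)
    vvpat_tally = Counter(s.candidate for s in slips)
    return {
        "evm_tally": dict(evm_tally),
        "vvpat_tally": dict(vvpat_tally),
        "consistent": evm_tally == vvpat_tally
                      and not slips_without_record and not unmatched_records,
        "slips_without_record": slips_without_record,
        "records_without_slip": [r.seq for r in unmatched_records],
    }


def demo():
    """Constructed run: a clean batch, then a batch with a lost slip and an altered label."""
    evm = Evm()
    slips = [evm.cast("Party A", "2019-05-19T07:01:05"),
             evm.cast("Party B", "2019-05-19T07:02:40"),
             evm.cast("Party A", "2019-05-19T07:03:12")]
    clean = reconcile(evm.memory, slips)
    altered = VvpatSlip("Party C", slips[1].timestamp, slips[1].image_hash)
    damaged = reconcile(evm.memory, [altered, slips[2]])   # slip 1 missing, slip 2 altered
    return clean, damaged


if __name__ == "__main__":
    for label, result in zip(("clean batch", "damaged batch"), demo()):
        print(label, result)
```

The hash alone does not make a slip trustworthy: the recomputation in `slip_matches_record` only works because the EVM still holds the original image and time stamp, which is why the post treats the memory record, not the slip, as the vote.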

I request that the Modi Government in its second term take up this issue seriously and take remedial action. The Election Commission itself may take up these suggestions and submit its recommendations to the Government. The Government should submit the same to the Supreme Court as a suo motu review, so that the Supreme Court also records its views, rather than hiding behind the arguments of motivated advocates during a PIL at a later date.

It is necessary that the Government, the Election Commission and the Supreme Court work as a single responsible team to bring credibility to our electoral system, rather than each blaming the other. We need each of these three bodies to express “Vishwas” in the others. “Vishwas” among these three will bring “Vishwas” for the citizens in the electoral process.


GDPR Penalties in the last one year

When GDPR came into effect on 25th May 2018, the most notable aspect of GDPR was the level of penalties for non-compliance, which could be as high as 4% of the global turnover of a company or Euro 20 million, whichever is higher. This was the single aspect of the regulation that most shook up the industry all over the world, including in India.

Now that one year has passed since GDPR became effective, we can review how this high penalty regime has worked in practice.

As per a report published at the end of February, in the first nine months there were 206,326 cases reported under the new law by the supervisory authorities in the 31 countries of the European Economic Area (refer to the Report). The total fines imposed amounted to Euro 56 million.

About 65,000 were initiated on the basis of a data breach report by a data controller, while about 95,000 were complaints. Some 52 per cent of the overall cases have already been closed, with 1 per cent facing a challenge in national courts. There were some GDPR cases in progress, but the past year had been mostly focused on legacy investigations, with fines handed to Uber, Facebook and Equifax. It may be noted that not all the fines were about data breaches. About half of the complaints related to the way subject access requests had been handled.

A list of penalties imposed by different Supervisory Authorities is available here.

During the last one year, German data protection authorities have issued 41 GDPR-related fines. Fines were levied for a variety of GDPR violations, such as inadequate technical and organizational security measures, non-compliance with information duties and sending unauthorized marketing e-mails.

Google was fined by France’s data regulator, which cited a lack of transparency and consent in advertising personalization, including a pre-checked option to personalize ads.

In Denmark, the taxi company Taxa 4X35 was fined 12 M DKK because, during a random audit, the company was found to have stored over 9M personal records that it did not need and had failed to delete.

In the UK, the Information Commissioner’s Office (ICO) has dished out numerous six-figure fines, but none has yet exceeded the £500,000 maximum penalty under the Data Protection Act 1998. The ICO slapped Facebook with that maximum possible fine of £500,000 for the social network’s role in the Cambridge Analytica scandal.

The Polish privacy regulator issued its first GDPR fine, penalizing an unnamed firm over £187,000 for scraping public data on individuals and reusing it commercially without notifying them.

It appears that many more of the complaints may be followed up during this year.

It remains to be seen if the fines would result in better compliance in the coming years.

One view in the industry is that, despite the media coverage of huge fines, the big companies seem to have actually grown their business in the post-GDPR era, while the smaller companies, unable to manage the cost of compliance, have lost market share.

The counter-productivity of a high-penalty regime has been recognized even by HHS in HIPAA implementation, which has recently reduced some penalty aspects under the HIPAA-HITECH Act.

This is an important observation that we in India need to keep in mind when we implement PDPA. The draft E-Commerce policy issued by the Government in February 2019 had indicated that small companies need to benefit from the policy, and even suggested that MNCs need to share data in the public interest with Indian companies.

The DPA should keep this public-good objective in mind and ensure that the high levels of fines and the criminal penalties under PDPA are not applied indiscriminately to SMEs.

For this purpose, it may be proposed in the Bill that a differential rate of penalty be applicable based on the nature of the organization, and more specifically on whether it is incorporated in India and owned and managed by Indian entrepreneurs.

The objective of data protection legislation is not to enable the DPA or the Supervisory Authorities to make undue profits out of fines, but to make the industry take the regulation a little more seriously than it otherwise would. I suppose this will not be lost sight of when the Indian PDPA is taken up for passing in the Parliament as an Act.

Naavi


Maximum penalties under HIPAA Revised

Under the HIPAA-HITECH Act, penalties for violation of the Privacy Rule were pegged at a maximum of US Dollars 1.5 million per type of violation. The caps apply to violations of each specific HIPAA requirement or prohibition in a given year, not to all HIPAA violations in a given year.

For example, if a covered entity violated more than one HIPAA requirement or prohibition, the cap could be multiplied by the number of different HIPAA provisions violated.

Now, as per a recent order, HHS has changed the rules relating to the application of maximum penalties. The cap will no longer be $1.5 million per violation type per year for every tier; it will differ for different types of violations.

Until further notice by HHS, the annual caps on penalties for a violation of a HIPAA requirement or prohibition will range from $25,000 for an unknowing HIPAA violation; $100,000 for a HIPAA violation due to reasonable cause but not willful neglect; $250,000 for willful neglect corrected within 30 days; to $1.5 million for willful neglect not corrected within 30 days.

Naavi
