GDPR Penalties in the last one year

When GDPR came into effect on 25 May 2018, its most talked-about feature was the level of penalties for non-compliance: up to 4% of a company's worldwide annual turnover or Euro 20 million, whichever is higher. This single aspect of the regulation shook up the industry all over the world, including in India.

Now that one year has passed since GDPR became effective, we can review how this high-penalty regime has worked in practice.

According to a report published by the European Data Protection Board at the end of February 2019, 206,326 cases were reported in the first nine months by the supervisory authorities of the 31 countries in the European Economic Area (Refer Report). The total fines imposed amounted to about Euro 56 million.

About 65,000 of these cases were initiated on the basis of a data breach notification by a data controller, while about 95,000 were complaints from data subjects. Some 52 per cent of the cases have already been closed, and 1 per cent are facing a challenge in national courts. Some GDPR cases were in progress, but the past year was mostly focused on legacy investigations under the earlier laws, with fines handed to Uber, Facebook and Equifax. It may be noted that not all the fines were about data breaches; about half of the complaints related to the way subject access requests had been handled.

A list of penalties imposed by the different supervisory authorities is available here.

In the first year, German data protection authorities issued 41 GDPR-related fines, for violations such as inadequate technical and organizational security measures, non-compliance with information duties, and sending unsolicited marketing e-mails.

Google was fined Euro 50 million by France's data regulator, CNIL, which cited a lack of transparency and valid consent in advertising personalization, including a pre-checked option to personalize ads.

In Denmark, the taxi company Taxa 4x35 was fined DKK 1.2 million after a random audit found that the company had retained nearly 9 million customer trip records which it no longer needed and had failed to delete.

In the UK, the Information Commissioner's Office (ICO) has issued numerous six-figure fines, but none has yet exceeded £500,000, the maximum penalty under the Data Protection Act 1998 that governed these legacy cases. The ICO fined Facebook the maximum possible £500,000 for the social network's role in the Cambridge Analytica scandal.

The Polish privacy regulator issued its first GDPR fine, penalizing a company over £187,000 for scraping publicly available data on individuals and reusing it commercially without notifying them.

It appears likely that many more of the pending complaints will be followed up during the coming year.

It remains to be seen whether the fines will result in better compliance in the coming years.

One view in the industry is that, despite the media coverage of huge fines, the big companies have actually grown their business in the post-GDPR era, while smaller companies unable to bear the cost of compliance have lost market share.

The counter-productive effect of a high-penalty regime has been recognized even by the US Department of Health and Human Services (HHS), which has recently reduced some of the penalty caps under the HIPAA-HITECH Act.

This is an important observation that we in India need to keep in mind when we implement the PDPA. The draft e-commerce policy issued by the Government in February 2019 had indicated that small companies should benefit from the policy, and even suggested that MNCs should share data in the public interest with Indian companies.

The DPA should keep this public-good objective in mind and ensure that the high fines and criminal penalties under the PDPA are not applied indiscriminately to SMEs.

For this purpose, it may be proposed in the Bill that a differential rate of penalty apply based on the nature of the organization, and more specifically on whether it is incorporated in India and owned and managed by Indian entrepreneurs.

The objective of data protection legislation is not to enable the DPA or the supervisory authorities to make undue profits out of fines, but to make the industry take the regulation more seriously than it otherwise would. I suppose this will not be lost sight of when the Indian PDPA is taken up for passing in Parliament as an Act.

Naavi

Posted in Cyber Law

Maximum penalties under HIPAA Revised

Under the HIPAA-HITECH Act, civil penalties for violations of the HIPAA rules were capped at a maximum of US $1.5 million per year for each type of violation. The cap applied to violations of each specific HIPAA requirement or prohibition in a given year, not to all HIPAA violations together.

For example, if a covered entity violated more than one HIPAA requirement or prohibition, the cap could be multiplied by the number of different HIPAA provisions violated.

Now, under a recent Notice of Enforcement Discretion, HHS has changed how the annual maximum penalties are applied. The cap will no longer be $1.5 million per violation type per year across the board; it will differ according to the level of culpability.

Until further notice from HHS, the annual caps on penalties for violations of an identical HIPAA requirement or prohibition will be: $25,000 where the entity did not know, and could not reasonably have known, of the violation; $100,000 where the violation was due to reasonable cause but not wilful neglect; $250,000 for wilful neglect corrected within 30 days; and $1.5 million for wilful neglect not corrected within 30 days.

Naavi

Posted in Cyber Law

Bitcoin Ban-Unfinished Agenda of Modi 1.0

On December 31, 2017, we posed a question to Mr Modi: "Modi is yet to open his third eye on Bitcoin, the new alternative to Black Money… Will he wake up in 2018?"

Now that Mr Modi has the mandate for Modi 2.0, will he at least now open his eyes? That is the question we need to ask.

In October 2018, the Nasscom chief said Bitcoin is illegal. In November 2018, we called upon the Supreme Court to declare Bitcoin illegal.

But the Supreme Court has not so far displayed the courage to declare Bitcoin illegal. It has hidden behind technicalities, asking the RBI or the Government to give their views. It clearly appears that the Supreme Court is reluctant to say the obvious. We can speculate why.

We have written scores of articles on this site on how Bitcoin is a currency of criminals and terrorists and needs to be declared illegal and banned. We have discussed how legalizing Bitcoin would destroy the Indian economy and give China a handle to manipulate India. We have also highlighted that banning Bitcoin (along with other privately held crypto currencies) is essential for choking the Dark Web. We have teased Mr Arun Jaitley and Mr Modi for not taking a decision.

But the decision to ban Bitcoin is yet to come…

We now have to start questioning whether the Government understands that "Bitcoin is the black money of the digital world" and that "demonetization of physical currency was partly thwarted by the availability of crypto currencies", or whether there are other reasons for the policy paralysis in this regard.

Now, even before Modi 2.0 takes over, I see the Bitcoin lobby at work. An article was circulated today under the title "Supreme Court Advocate suggests how to regulate Crypto in India". The article appears on bitcoin.com, and the vested interest of the publisher is easy to note.

As per the article, some comments have been made in support of continuing the monster called Bitcoin, and I would like to counter these points.

Comment 1 : “The right regulatory framework would ensure transparency, oversight and accountability”

Counter: Regulation presupposes recognition of Bitcoin as a currency. We cannot regulate something which is not recognized.

Under Indian law, Bitcoin is an electronic document; since it is not included in Schedule I of ITA 2000/8, it is not de-recognized as an electronic document under Section 1(4).

But the use of Bitcoin as a "currency" is ultra vires the RBI Act.

Anybody referring to this electronic document as a "currency", exchanging it for rupees or other currencies, or using it to barter for goods with Bitcoin described as a currency, is violating the RBI Act.

Any promotion of Bitcoin as a "currency" and legal tender should also attract penalties under the IPC for "cheating", among other things. Any person assisting in the exploitation of the concept "Bitcoin is a currency" and its promotion is liable for criminal conspiracy to cheat.

These penal provisions apply even to the publications and authors who promote the idea that Bitcoin is legal tender.

Since the concept of "Bitcoin as a currency and legal tender" is ultra vires Indian law, any regulation can only clarify and state that "Bitcoin is illegal". There can be no regulation of narcotic drugs or the arms trade by private persons except to say that they are illegal. The same applies to Bitcoin.

This can be done by simply adding an explanation in Schedule I of ITA 2000/8.

MeitY need not wait for July 23, when the Supreme Court takes up the case. It can act even now under its administrative powers and get the action ratified once Parliament is convened. If the department has any other view, it is just an excuse.

Comment 2: “Explicit terms of functioning for such exchanges can regulate the kinds of virtual currencies that may be traded, the modes and methods of reporting, the restrictions on trading (including on valuation spurts etc.,) and also investor protection provisions can be incorporated,”

Counter: Since the commodity which is the subject matter of the exchange is illegal, the exchange activity is also illegal. No further discussion is warranted.

Comment 3: There is also debate on whether cryptocurrency can be banned at all. After all, how would the government enforce a ban without infringing on the privacy of all? Any form of electronic device may be used to store crypto currency.

Counter: The defence of "privacy" for illegal activity is untenable. Privacy is the right of a law-abiding citizen; if there is prima facie reason to believe that a person may be holding or trading in an illegal currency, the argument of privacy cannot save him. No privacy law recognizes such a right.

Enforcement is the responsibility of the Government. The argument that it is difficult is not a valid excuse. Any form of electronic device can be used to commit phishing or online fraud. Can we therefore regularize phishing?

Comment 4: "Unless we hear something concrete from our finance department I don't think it's going to affect existing traders." … "By closing out the banking route, the Indian government merely pushed the entire market into the cash system, thereby making it more opaque and impossible to track or trace."

Counter: This is an admission that Bitcoin exchanges in India are continuing to do business even though it is prima facie evident that the business is not legal. We even saw one company put up a Bitcoin ATM in Bangalore to run a hawala-style operation exchanging rupees for Bitcoin. The Government needs to take deterrent penal action to curb such illegal activities.

Comment 5: It is likely the bill will take some time to become law, even if the government decides to introduce it in the Lok Sabha, and certainly not before the next Supreme Court hearing on the issue in July, which might provide some clarity.

Counter: It is clear that the Bitcoin lobby is counting on a favourable judgement from the Supreme Court. This gives room for the speculation that the Bitcoin lobby may try to fix the judges.

We need to watch out especially for any irrational judgement that may come out and confirm this suspicion.

People are watching, and the Supreme Court should recognize whether it is coming under duress from parts of the industry or under the influence of any illegal gratification or promise thereof.

Since the future of many political parties may be tied to the legalization of Bitcoin, the highest level of influence would be brought to bear on the Court; the Court has to treat this as a sensitive case and handle it with a commitment to the national interest.

Comment 6: Many countries such as the U.S. have chosen to regulate crypto assets instead of banning them. With every change that the USA has brought about, other countries including Singapore and Japan have followed suit.

Counter: We are aware that many countries have legalized the drug trade or the arms trade. That need not guide our drive to eliminate black money from the system.

If we need to remove black money, we need to remove it from the digital space as well. We are not concerned with what other countries do.

In fact, it is my sincere desire that Mr Modi extends his fight against black money to the global arena and takes up the issue of outlawing privately held crypto currencies across the globe. A consortium of like-minded countries needs to be formed. This should help several countries in Africa and elsewhere where terrorism and insurgency depend on the drug trade and arms trade going unhindered.

Comment 7: India's population, of which the young demographic is a substantial part, is reason enough for the government to take a definitive stance, the advocate told the news outlet. "Else a large young risk-intensive population may have already entered the crypto-asset market and may then be left adrift with no remedies or solutions."

Counter: A definitive stance, yes. But only one that criminalizes the holding and use of Bitcoins.

Otherwise the argument is similar to that of Mehbooba Mufti that "stone pelters of Kashmir are misguided youth only and should not be punished."

If the misguided youth or others have already committed a crime, there is no need to protect them with a favourable law now.

They can always be given an opportunity to declare their holdings, account for them, surrender them, and thereby escape criminal penalties.

Comment 8: The National Association of Software and Services Companies (Nasscom), a non-profit trade association of the Indian information technology and business process outsourcing industries, is among those that have urged the central bank to consider allowing crypto companies to participate in its regulatory sandbox.

Counter: This is a misleading statement. The Nasscom chief has admitted that Bitcoin is illegal. There is no need for any experimentation in the regulatory sandbox. This would be a strategy like the proverbial Arab's camel in the tent.

Comment 9: Since cryptocoins and tokens are an important component of blockchain technology, the draft regulations appear to exclude testing of smart contracts and other approved blockchain technology under the sandbox.

Counter: This is another fallacy being spread by the lobby. Blockchain technology as used in Bitcoin has no use in any regulated activity. Private blockchains are a fancy name for something which is already known and already in use. Hence there is nothing to be gained by shielding Bitcoins under the garb of testing blockchain technology.

Comment 10: Payments Council of India (PCI), the payments industry lobby group, has also urged the RBI to include cryptocurrency businesses in its regulatory sandbox, according to the Economic Times. Naveen Surya, chairman emeritus of PCI, believes that "since there is no outright ban on cryptocurrency technology, it should form part of the sandbox."

Counter: The article quotes the Chairman Emeritus of PCI. I look forward to the view of the current management of NPCI.

I will be raising this issue with both NPCI and the PMO to confirm NPCI's view. If there is any support for Bitcoin, I will have no hesitation in calling it wrong.

Comment 11: India should really look clinically at formulating simple regulations to meet its unique socio-economic milieu and lend support for developing the technology.

Counter: All these fancy words only mean support for criminals to run their domain with a currency which cannot be traced by legacy governments. This currency supports the Dark Web, the exchange of crimeware and the collection of ransom in ransomware attacks. It can be, and perhaps is being, used by our enemies across the border to pay terrorist sympathizers in India, including political parties.

What Needs to be done

Hence there is no need to show any mercy to Bitcoin. It must be banned. Any person holding Bitcoin should be treated as "attempting to commit a money laundering offence" and booked accordingly. A small window may be given for voluntary disclosure, during which crypto currency balances are surrendered to the Government for confiscation in convertible legacy currency, and such persons can be exempted from criminal punishment.

I list the "banning of (privately managed) crypto currencies" as the unfinished agenda of Modi 1.0 and urge Mr Modi, Mr Amit Shah and whoever becomes the Ministers of Home, Finance, Law and IT to take appropriate steps to ban Bitcoins forthwith.

I will forward this article to my MP, besides the officials of NPCI and the PMO, and seek their comments. If NPCI does not counter what is stated in the article, it can be presumed that they endorse the view mentioned. Let us put their commitment to removing black money to the test.

I am sure that this article will not be liked by many of my friends. I have explained elaborately in my previous article exactly this possibility and given my reasons why I still express such a view in the interest of the nation.

I hope a majority would share my view. What matters however is…

Will Modi 2.0 share the same view?

Naavi

Posted in Cyber Law

Unfinished Agenda of Modi 1.0

There is a big relief for people like us that Mr Modi is back. The relief is all the greater because the alternative was a sure recipe for disaster.

But we the people of India are not content with relief alone. We look forward to accelerated positive developments that can take our country forward. During the last few months of Modi 1.0, it appeared that Mr Modi was getting exhausted. After all, the vicious campaign of the opposition was taking its toll on his self-confidence. As a result, the Government slowed down on many fronts during the last quarter of 2018 and up to now.

The Tukde Tukde Gang, led by advocates who were only interested in disrupting society, was well supported by the highest court of the land and led the country into a "temporary policy paralysis".

This created a fear that if Mr Modi did not come back, the country would be destroyed by opposition politicians supported by PIL advocates who could make the Supreme Court dance to their tune. Now, with the renewed support of 353+1 members of the Lok Sabha, Modi 2.0 is stronger than ever before, and hence there is a temporary feeling of relief that the worst is over.

But whether Mr Modi himself has recovered from his exhaustion and retained his vigour for an immediate return to fighting the anti-national forces, or has been softened by the bombardment of the opposition over the last year, needs to be watched.

During the last few months, I am aware that my professional image was a little dented by my open expression of support for Mr Modi, to the extent that on social media I was branded by trolls as a "Modi Bhakt".

But in the interest of the nation, it was felt necessary for professionals like me to take a position openly and oppose the pseudo-seculars spread all over, unmindful of the criticism that might come. It is possible that this has also adversely affected some of my professional work.

Now it appears that the difficult period is over and the Indian electorate has silently brought Mr Modi back to power with a higher majority than before. Presently, we are waiting for the next step of cabinet formation and subsequently the roll-out of the Modi 2.0 promise.

Like the Justice Srikrishna concept of a "Data Fiduciary", where we can expect the data controller to do more than what is contained in the consent because he is a trustee, Mr Modi is the "Citizen's Aspiration Fiduciary". What this means is that, irrespective of what is stated in the manifesto, we the citizens expect Mr Modi to act in such a manner that the Indian citizen benefits from his governance in every aspect. The world is dynamic, and hence the aspirations of people may also change.

As a Citizen's Aspiration Fiduciary, we expect Mr Modi to keep doing things that are good for the citizens of India as we go forward. Hence we need to keep presenting our thoughts and ideas to the Government, and Naavi.org will continue to do this in the domains of data protection, cyber laws, information security and related areas.

I thought I should wait to comment on the agenda for Modi 2.0 until cabinet formation is over, but some media elements appear to have already got their act together and started their campaign. In the cyber crime domain we know that whenever technology moves, it is the criminals who first make use of the new developments, and the security professionals have to catch up.

Similarly, those who were opposed to many of the policies of Mr Modi in the earlier regime are the first off the block to start lobbying in the new regime, even before it is formally in place. I already see planted stories and comments in the media and social media on certain policy aspects as well as on who should be in the cabinet and what the portfolio allocations should be.

Therefore we also need to jump in and not allow the narrative to be one-sided. As followers of this blog will have recognized from my last post on the EVM, I have a tendency sometimes to express my views in advance to pre-empt a counter viewpoint gaining ground. Some of my apprehensions may therefore be considered speculation, but I feel it is better to err on the safer side and start the counter-discussion before it is too late.

I have been drawn into political discussions since around the days of the Emergency in 1975. Though these were suppressed during my career as a banker in the public sector, they obviously came back when I was free from employment obligations.

People who have followed my other site www.aifon.org.in are aware that I have followed electoral politics from time to time and expressed support for Modi and his predecessors in the BJP. Though I consider that Mr Modi is the best thing to happen to Indian politics, as predicted by Nostradamus, I will continue to be the Chowkidar whether or not the prefix is still on my Twitter handle.

In pursuance of this national responsibility within my chosen professional domain, I will try to highlight some of the policy decisions that I consider as needing the special attention of the Modi 2.0 government. In this series we will discuss the need for a Bitcoin ban, the PDPA Bill, the Intermediary Guidelines, etc., though it may be slightly uncomfortable to some professionals.

This is a disclosure before I publish some of my viewpoints on the unfinished agenda.

Naavi


Posted in Cyber Law

Dark Web… The Need to Regulate

The Dark Web is an aberration in the world of technology. It is a tragedy that the Dark Web has spoiled the beauty of the concept called the Internet. Most security people talk of the impossibility of regulating the dark web. But just because a bad thing is difficult to remove, civil society cannot remain a mute spectator.

Naavi discusses the world of the Dark Web for India Legal magazine in this article.

Read the article here: the article is titled "Mafioso of the wired world".

Naavi

Posted in Cyber Law

First Anniversary of GDPR. What is the task ahead for the second year?

Today is 25th May 2019, a year after GDPR came into effect. During this one year, Indian companies and professionals in the data protection domain have discussed the impact of GDPR in great detail.

When the year started, GDPR had in principle been known for two years, but companies had not taken any action on implementation. There was an expectation that the date would be extended. When it dawned on the industry that no extension was in the offing, there was panic all round.

Indian companies were pushed to a higher level of panic by their US vendors who, out of general concern over the huge stakes involved, demanded compliance from their Indian data processing contractors without fulfilling their own responsibilities as data controllers.

It has taken a full year for this panic to subside. Now Indian companies are aware that in most cases they are not data controllers. They are data processors, and from a different legal jurisdiction. Their liabilities therefore arise mainly out of the contract with the vendors from the US or EU, who are the data controllers and have to clearly indicate what "Privacy by Design" means in the specific context of the data processing contract between the two.

Indian companies have also now realized that EU supervisory authorities have no direct enforcement reach over Indian companies that have no establishment in EU countries; their exposure arises mainly out of the indemnity and processing contracts they have signed. One caveat a practitioner should keep in mind: Article 3(2) of GDPR extends the Regulation to controllers and processors outside the EU where the processing relates to offering goods or services to, or monitoring the behaviour of, data subjects in the EU, and Articles 28 to 32 place obligations directly on processors, so the purely contractual view is not the complete picture in every case.

In many cases, Indian companies had engaged sub-contractors who were actually discharging the functions of a "data controller", whereas the Indian company which was the principal in the contract was itself only a data processor to another data controller, who appeared to be merely a customer of the Indian data processor.

I suppose some of this role clarification has occurred by now, and people are aware who is the data controller, who is the joint data controller, who is the data processor, who is a sub-contractor (sub-processor) and who is the data recipient.

Secondly, there was initially confusion about what data is subject to GDPR. Many companies did not have a mechanism to identify data of data subjects in the EU (GDPR is triggered by the data subject being in the EU, not by citizenship) relating to their activities in the EU, or to identify the activity in the EU region that they were profiling. Classifying the data at stake was therefore a difficult hurdle to pass through.

I hope companies have made some progress in this direction by now.

Once the roles are clarified and the data at stake is identified, companies have the technical wherewithal to implement compliance measures such as "pseudonymization", "encryption", "access control" and the other measures that would be required for compliance.

This part of the compliance was perhaps the easier aspect since some tools were available and more could be acquired and created.
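Pseudonymization is easy to get wrong in practice: replacing an identifier with a plain hash looks like pseudonymization but is trivially reversible for small input spaces such as phone numbers. The following is an added example written for this post, not code from the original page or from any product mentioned on it. It assumes a processor receives trip records keyed by customer phone number (constructed sample data below) and must stop holding the raw number, while the controller keeps the HMAC key and the re-identification table separately, which is the "additional information" that GDPR Art. 4(5) requires to be held apart from the dataset.

```python
"""Added example (not from the original post): keyed pseudonymization of a
direct identifier, with re-identification data kept separately, and a
demonstration of why an unkeyed hash is not pseudonymization.

Assumptions (not from the page): a processor receives trip records keyed by
customer phone number (constructed sample data below) and must stop holding
the raw number; the controller keeps the HMAC key and the lookup table.
"""
import hashlib
import hmac
import itertools
import secrets

# Constructed sample input: three taxi-style trip records, two of them for
# the same (fictional) phone number.
SAMPLE_RECORDS = [
    {"trip_id": 1, "phone": "+4520123456", "fare_dkk": 180},
    {"trip_id": 2, "phone": "+4520123456", "fare_dkk": 95},
    {"trip_id": 3, "phone": "+4531987654", "fare_dkk": 240},
]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic, but anyone who can guess the input can
    recompute it, so attributability is not removed (see brute_force_naive)."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def pseudonymize(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym truncated to 128 bits. Same key => same pseudonym,
    so records stay linkable for analytics; without the key the value cannot
    be recomputed from a guessed identifier."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:32]


def pseudonymize_records(records, key):
    """Replace the direct identifier with its pseudonym. Returns the
    pseudonymized dataset and the re-identification table (pseudonym ->
    identifier), which the controller must store apart from the dataset."""
    dataset, lookup = [], {}
    for rec in records:
        token = pseudonymize(rec["phone"], key)
        lookup[token] = rec["phone"]
        dataset.append({"trip_id": rec["trip_id"],
                        "fare_dkk": rec["fare_dkk"],
                        "subject": token})
    return dataset, lookup


def reidentify(token: str, lookup: dict):
    """Controller-side reversal, e.g. to answer a subject access request."""
    return lookup.get(token)


def brute_force_naive(target: str, prefix: str = "+45201234", digits: int = 2):
    """Dictionary attack on the unkeyed hash: enumerate the small space of
    unknown digits and compare. Phone numbers, e-mail addresses and customer
    IDs all have input spaces small enough for this to succeed."""
    for combo in itertools.product("0123456789", repeat=digits):
        candidate = prefix + "".join(combo)
        if naive_hash(candidate) == target:
            return candidate
    return None


def brute_force_keyed(target: str, guessed_key: bytes,
                      prefix: str = "+45201234", digits: int = 2):
    """The same attack against the keyed pseudonym. It only succeeds if the
    attacker has the real key; with any other key it returns None."""
    for combo in itertools.product("0123456789", repeat=digits):
        candidate = prefix + "".join(combo)
        if pseudonymize(candidate, guessed_key) == target:
            return candidate
    return None


def demo():
    """Run the whole flow with a fresh controller key and an attacker who
    does not have it."""
    key = secrets.token_bytes(32)                 # held by the controller only
    dataset, lookup = pseudonymize_records(SAMPLE_RECORDS, key)
    return {
        "linked": dataset[0]["subject"] == dataset[1]["subject"],   # True
        "naive_recovered": brute_force_naive(naive_hash("+4520123456")),
        "keyed_recovered": brute_force_keyed(dataset[0]["subject"],
                                             secrets.token_bytes(32)),  # None
        "reidentified": reidentify(dataset[2]["subject"], lookup),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the dataset alone, with the key and lookup table held elsewhere, no longer lets a recipient attribute a row to a person, while the controller can still honour an access or erasure request through the lookup table; a retention policy then has to delete both the rows and the lookup entries, since keeping the lookup table indefinitely recreates the very problem the example is meant to avoid.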

The last hurdle was creating an organizational culture conducive to compliance. Typically, in the initial days, the hype was sufficient to make every employee aware that GDPR is big and that there would be huge penalties.

But this awareness does not automatically convert itself into a compliance culture. Further, the enthusiasm is likely to wane as the days go by.

Hence, at the end of the first year, what Indian companies need to review is whether their employees are sufficiently attuned to a compliance culture.

This should be the task before every Indian company exposed to GDPR risk in the coming year.

As regards Indian companies, the coming year would be even more complicated from the point of view of privacy compliance. With the return of Mr Modi as PM, the unfinished jobs of the previous regime will move forward without much of a hurdle. One task that remained unfinished in the previous regime was the passage of the Personal Data Protection Act.

We can now expect that the Bill will be reintroduced, and perhaps taken up by a Standing Committee for finalization, in the very first session of Parliament. I expect that the Data Protection Authority will be set up in the next six months and things will start rolling fast.

Indian companies therefore need to incorporate Indian PDPA compliance into their GDPR compliance plan at the earliest. Otherwise they will have to face a restructuring exercise a little later.

Naavi’s initiatives for the coming year

Naavi has tried to make the industry realize that the time for action is now, before the PDPA becomes law.

FDPPI (Foundation of Data Protection Professionals in India) was formed by Naavi and his friends to address this issue of spreading the relevant knowledge and creating a knowledgeable, skilled and ethical ecosystem for data protection in India.

Now, in 2019, FDPPI is likely to develop as the main representative of the data protection industry in India and undertake activities that will enable the smooth implementation of the PDPA, of which GDPR compliance would be a part.

Naavi, on his own, is in the process of developing PDPSI (Personal Data Protection Standard of India), which will incorporate the best global industry standards within the framework of Indian data protection compliance requirements.

Further, Cyber Law College, the education wing of Naavi, will start a new division on data protection education and training.

Ujvala Consultants Pvt Ltd, the consultancy wing of Naavi, will focus on developing data protection related consultancy with greater vigour.

During 2018, Naavi was working on a system of pseudonymization and anonymization for which a provisional patent had also been applied. Now Naavi intends to integrate it as part of the PDPSI implementation structure and throw the idea open for implementation.

In the meantime, Naavi.org, along with the Privacy Education Center (www.privacy.ind.in) and other associate websites, will continue to spread knowledge through the web.

The coming months therefore appear exciting, as we look forward to a new Government, new initiatives and a new hope.

Naavi

Posted in Cyber Law