Aadhaar Revisited

The ordinance promulgated by the government on March 2, 2019, has once again brought the focus back on the use of Aadhaar and a possible challenge to it in the Supreme Court.

Aadhaar has become an “Instrument of Identity” similar to the “Social Security Number” and similar national identity instruments prevailing in other countries. Even the Supreme Court has conceded that Aadhaar can play a significant role in efficient and transparent governance, and more importantly, in the prevention of corruption. However, the use of Aadhaar is being repeatedly challenged by privacy activists, alleging that its widespread use could lead to infringement of privacy—a fundamental right of all citizens.

It would, therefore, not be surprising if some privacy activists again knock at the doors of the Supreme Court with a plea to get the ordinance scrapped, perhaps alleging that it is an attempt to violate the principles of privacy laid out in the Supreme Court judgment of September 2018 on Aadhaar (KS Puttaswamy vs Union of India case).

The Puttaswamy judgment raised serious concerns about the use of Aadhaar by private sector companies which had been permitted under Section 57 of the Aadhaar Act. The majority judgment struck down that part of Section 57. Consequently, Section 57 of the Aadhaar Act stood read down with the following effect:

57. Act not to prevent use of Aadhaar number for other purposes under law.

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force. Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

It must be recognised that the Puttaswamy judgment did not impose a blanket ban on the use of Aadhaar, either by the government or other entities. It only prohibited the use of Aadhaar under any contract not pursuant to a law. The Court therefore suggested that a proper law should be passed to enable the use of Aadhaar.

The citizens of the country are well aware of the fact that Aadhaar is an “Identity Infrastructure” created by two successive governments at enormous cost to the people of the country. Therefore, it is illogical to block this infrastructure from being harnessed fully for the benefit of the citizens.

However, after the Puttaswamy judgment, the private sector stopped using Aadhaar as an identity management tool since the widely used Aadhaar authentication-based e-KYC system was not part of the Aadhaar Act.

The e-KYC system used for Aadhaar was part of the notified rules of the Controller of Certifying Authorities for e-Sign as an electronic signature under Section 3A of the Information Technology Act, which may be considered as an extension of a statutory base for its use in that context. But KYC which was part of many other regulations such as the RBI guidelines was more of an administrative guideline or a best practice adopted by the industry.

Hence, the government was under an obligation to clarify the use of Aadhaar by private sector companies by enacting suitable legislation, so that such use became part of Section 57 after its partial striking down by the Supreme Court.

Further, the Justice Srikrishna Committee on Data Protection had recommended a full set of amendments to the Aadhaar Act in an appendix to its report. While the government had introduced the Personal Data Protection Bill as recommended by the Srikrishna Committee, it had to introduce the Aadhaar-related amendments recommended by the committee as a separate amendment bill.

The government was therefore correct in introducing the Aadhaar (Amendment) Bill on January 2, 2019. Though this Bill was passed by the Lok Sabha, it could not be passed in the Rajya Sabha during the current tenure and hence lapsed. In order to ensure that the private sector is not inconvenienced due to the lack of a lawful process of using Aadhaar, the government came up with the Aadhaar ordinance.

Hence, sufficient justification can be provided for the need for the ordinance and its promulgation by the government at this point of time.

Key Provisions of the Ordinance

Some of the key provisions of the ordinance which we can take note of are as follows:

  • The ordinance completely removes Section 57 of the Aadhaar Act though only a part of it had been struck down by the Supreme Court. The other changes are meant to offset the adverse effect of the removal of Section 57.

This was an unwarranted overreaction by the government.

  • A distinction is sought to be made between the use of Aadhaar for “Authentication” and “Verification” and the concepts of “Offline Verification” and “Voluntary Permission to use Aadhaar based on an Informed Consent”. However, the distinction made between “Authentication” and “Verification” is very fragile and may require reconsideration.

“Offline Verification” is defined as a “process of verifying the identity of the Aadhaar number holder without authentication, through such offline modes as may be specified by regulations” [Proposed amended section 2(pa)]. On the other hand, “Authentication” is defined as “a process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it” [current section 2(c)]. The distinction made out appears to be merely a play of words and would be difficult to justify.

  • A fairly large civil penalty of up to Rs 1 crore has been introduced for each violation in case any entity in the Aadhaar ecosystem fails to comply with the provisions of the ordinance.

The imposition of the penalty is supported by the proposal for appointment of one of the officers of the UIDAI as an adjudicator and TDSAT as the appellate authority. After a matter is decided by the TDSAT, further appeals would lie directly before the Supreme Court, thus completely eliminating the role of the high courts.

In the case of Cyber Appeals, further appeals from TDSAT go to the respective state high courts. A similar provision could have been made in the Aadhaar Act also, since many of the members of the Aadhaar ecosystem could be small entities across the country, and a TDSAT with a presence only in Delhi, without sittings and benches elsewhere, would create a huge financial burden on the litigants.

This provision has been made to make the work of UIDAI easy at the cost of inconveniencing the litigants.

  • The criminal penalty prescribed under Sections 38 and 39 of the Act has been enhanced from imprisonment of 3 years to 10 years and the imprisonment term under other sections has also been enhanced, thus making the law more stringent.

This should please the privacy activists.

  • In a consequential amendment to the Indian Telegraph Act, telecom companies have been permitted to use Aadhaar for identification with options being made available to the public to use alternative modes of identity verification.

This provision comes as a big relief to telecom operators.

  • In a consequential amendment to the Prevention of Money Laundering Act, 2002 (PMLA 2002), the use of Aadhaar has been permitted for banking companies while others may use Offline Verification and other alternatives.

The Fintech industry is not happy with their exclusion. Perhaps those Fintech companies which are not “Banking Companies” but are registered in some regulatory category with RBI or SEBI could be provided the use of Aadhaar.

  • The ordinance includes “Virtual Identity” also as an “Aadhaar number” [Proposed amended section 2(a)].

This has defeated the very purpose of introduction of the Virtual Aadhaar ID, and the government has missed an opportunity to declare it as a derivative service which does not violate the privacy of the Aadhaar holder particularly when it is used without the use of biometrics.

In summary, it can be stated that the “Ordinance” was perhaps justified but some of the provisions of the ordinance must be revisited when the Bill is finally taken up for discussion when the next Parliament meets.

It can also be stated that there is no need for any immediate judicial challenge to the ordinance since its life span is short and it will come up for automatic reconsideration within the next six months.

Naavi

[This is a reproduction of an article earlier published in India Legal magazine]


Don’t look at PDPA 2018 under the coloured glasses of GDPR

Ever since GDPR came into circulation, it has become a trend setter in Data Protection Regulation. When PDPA 2018 followed, it was natural that several concepts which were part of GDPR also became a part of PDPA.

Since GDPR had a legacy of EU Data Protection and the WP 29 documents behind it, was given a two-year lead time for implementation, and has now been in force for nearly a year, a huge knowledge base has already been created on GDPR. Most Indian practitioners are also familiar with its provisions, as they have had multiple rounds of discussions with their foreign counterparts.

It is therefore natural that any aspect of PDPA 2018 will quickly be interpreted as per the learning under GDPR. In this process there is a danger of misinterpreting PDPA 2018, and this should be avoided. We need to explore PDPA 2018 without being prejudiced by our perceptions of GDPR. If necessary, we need to unlearn some of the dogmas, if any, that GDPR has created in us before we learn PDPA.

Naavi therefore advocates a clean interpretation approach to PDPA without the overhang of our GDPR baggage. The PDPSI (Personal Data Protection Standard of India) is one such approach advocated in this context, because PDPA holds some innovative differences with GDPR which need to be recognized.

There is no doubt that the first and most critical difference between GDPR and PDPA is the re-defining of the Data Subject-Data Controller relationship as a Data Principal-Data Fiduciary relationship. This has been discussed several times in the past through these columns and remains the fundamental difference between GDPR and PDPA; any comparison without taking this into consideration would be like comparing apples and oranges.

I am not sure that the full implications of this innovative master stroke have sunk into the minds of the Indian Data Protection Professionals as they try to look into PDPA with the coloured glasses of GDPR. There is a danger of this being missed by legal pundits also as we move towards the formalization of the PDPA Bill into an Act in the coming days. Even the DPA, when it comes through, may not find it easy to remember that PDPA is not an Indian GDPR, and they need to be reminded again and again that “It is different”.

But in addition to this fundamental redefinition of the role of the so-called “Data Controller” as a “Data Fiduciary”, there are some more differences which we need to recognize so that we realize that PDPA 2018 is not a copycat of GDPR. It does incorporate many of the provisions of GDPR but tries to add its own spice in between.

Let us try to capture some of these minor differences before we get back to the analysis of the Data Fiduciary master stroke.

1. Classes of Data Fiduciaries

GDPR recognizes Controllers, Joint Controllers, Processors and Recipients as different entities who handle the personal data and sensitive personal data which is the subject matter of protection.

On the other hand, PDPA recognizes Data Fiduciaries, Significant Data Fiduciaries and Guardian Data Fiduciaries as different classes of Fiduciaries, in addition to the Processor. Significant and Guardian Data Fiduciaries may be required to register themselves with the DPA.

2. Criminal Penalties

PDPA includes criminal punishments for data breach while GDPR does not.

3. Right to Forget

Under PDPA, right to erasure requests are subject to adjudication by an external authority. In GDPR it is the decision of the company.

4. Dispute Resolution Mechanism

Instituting a dispute resolution mechanism is mandatory under PDPA and is a recommended good practice under GDPR.

5. Mandatory Annual third party Data Audit

PDPA requires a mandatory data audit by an external auditor on an annual basis besides DPIA. No such requirement is there in GDPR.

6. DPO as a Service

GDPR provides that an external consultant can work as a DPO. PDPA has no such provision.

7. Harm Audit

PDPA includes a concept of “Harm Audit” to be conducted which is an assessment of the gravity of a data breach incident. This may also be required when there is a conflict between RTI Act and disclosure under PDPA. Under GDPR no such mention has been made though the concept is inherent in every data breach notification policy.

8. Data Trust Score

PDPA requires Data Auditors to compute a Data Trust Score for every organization they audit. This is not part of GDPR.

9. Data Breach Notification

Under PDPA, data breach notification to the data principals is determined by the DPA. There is no such requirement under GDPR, where the company has to decide.

10. Official Identifier

An official identifier such as Aadhaar is declared as Sensitive Personal Information under PDPA. GDPR leaves it to the member countries to determine how national identifiers would be processed.

11. Codes and Practices

PDPA has left it to the DPA to define the codes and practices, besides an enabling provision for industry bodies to come up with their own codes to be approved by the DPA. GDPR also has a similar provision, where the member states will encourage development of codes and practices and certification bodies will be accredited by the supervisory authorities.

12. Secular Status

GDPR provides some exemptions to churches, whereby they can apply for their own regulation to be brought into the legislation. The Indian PDPA has no such recognition of any religious rights and is therefore more secular than GDPR.

13. Employment

GDPR leaves it to the member states to frame laws regarding information processed in the course of employment. PDPA has a specific reference under Section 16 providing permissions to process data for employment purposes.

14. Data Localization

PDPA has a direct provision that a copy of personal data shall be kept in India and that sensitive data shall not be transferred out, but provides several exemptions. GDPR addresses the same issue indirectly by allowing data transfer only to such countries where the EU considers that there are adequate laws, and also provides other exemptions. In effect there does not seem to be much difference.

Thus there are many differences between the PDPA and GDPR, and as we go forward, even more differences can be spotted.

It is therefore unfair to call PDPA a copycat of GDPR. In fact, leading with the Data Fiduciary, criminal penalties, adjudication etc., there are several unique differences that make PDPA far more practical than GDPR.

More on this should come up for discussion in the March 15 seminar in Mumbai.

Naavi


Seminar in Mumbai on Privacy

Legal Era (www.legaleraonline.com), known for its informative legal periodical by the same name, is organizing its flagship annual event “GEN-NExt 2019” between March 14 and 16 in Mumbai.

Many eminent speakers from India and abroad, as well as judicial luminaries, will be participating in the event to discuss some of the most critical aspects that are of interest to the legal community in India.

One of the scheduled discussions is on “Privacy” and is happening on the 15th. Naavi will be moderating a panel consisting of eminent lawyers and technical professionals from the industry, which will analyze different aspects of Privacy regulation as they are emerging in India.

We can look forward to some interesting discussions, which will be covered subsequently in these columns.

Naavi


Deepfake further erodes credibility of the Internet

We have been discussing the problem of “Fake News” in India, particularly in the context of the forthcoming Indian elections. The political party in opposition has made it its policy to try and win the election only by brazen lies, spoken without any hesitation under the assumption that some of the mud thrown will stick on their political opponents. To support such a world of lies, the Internet is being used freely, and this needs to be recognized and checked before the entire Internet becomes completely untrustworthy.

Planting articles in the media by bribing journalists is an old trick. Today, the political parties manage a laboratory to create fake news and spread it across social media through the millions of fake Twitter or Facebook accounts that are created only for this purpose. One of the tools they use is “Artificial Intelligence”, to create news stories that suit their own narrative without any reference to the truth.

Today, even the illiterate rural person knows that TV news is like a reality show: take it if you like and reject it if you don’t. Over a course of time, people have developed an instinct to create their own filter to believe or reject news stories, even if the news anchors think that they are successfully brainwashing the public.

Use of “Morphed pictures” was the next tool that fake news creators started using to prove their point. Then they started manipulating the audio stream in a video to change what the video was supposed to show, as in the case of the JNU campus incident.

Just as we thought we had reached the end of the technology of fake news creation, comes the alarming news about “Deepfake videos”. (Refer here).

Deepfake videos are created by the advanced use of Artificial Intelligence (AI), where fake videos of persons are generated by machine learning that takes place by observing some real videos. The improvement of the algorithms is achieved by pitching two AI machines one against the other, to identify the flaws and improve upon the earlier creations. This iterative process creates continuously improving fakes until it reaches a stage where the fake becomes indistinguishable from the real video, when it can get published.

The authentic data set used for learning may consist of hundreds or thousands of still photographs of a person’s face, so the algorithm has a wide selection of images showing the face from different angles and with different facial expressions to choose from.

Tomorrow, if you receive a video call from your wife asking you to immediately transfer some money to some account, it is quite possible that the video call may actually be that of a fraudster who was earlier trying to fool you with a phishing e-mail or a voice call. The risk to the reliability of the Internet system is therefore extremely high.

Naturally, there is thinking about how such deepfakes can be prevented. In the US, it is said that a new law to criminalize deepfakes is being considered.

In India we have so many anti-nationals in the guise of journalists and activists that if we attempt to pass any law, even one that merely imposes responsibilities on intermediaries to check the spread of fake news, people immediately rush to the Supreme Court alleging infringement of constitutional rights.

It is therefore time for us to take a realistic assessment of the situation and ensure that, irrespective of what the fake activists think, there is a strong internet regulation that preserves the trust in the system. Otherwise the entire edifice of E Commerce and E Governance is in danger of falling apart.

Presently, the amendments to the Intermediary Guidelines under Section 79 of ITA 2000 are under consideration, and it is time for the Government to take a tough stand on the intermediaries and make them responsible for fake news and liable for the consequences.

Naavi


Conference on Section 65B at Chennai

Cyber Society of India (CySi) and the Foundation of Data Protection Professionals in India (FDPPI) are jointly organizing a one-day seminar on Section 65B of the Indian Evidence Act at Chennai.

Venue: Hotel RainTree, Anna Salai, Teynampet, Chennai 600035

Time: 10.00 am to 5.30 pm

Date: 16th March 2019, Saturday

Naavi


New Updated book on Section 65B in Print

Naavi has updated the E Book on Section 65B, titled “Section 65B of Indian Evidence Act Clarified”, with an additional chapter on “Section 65B for Data Protection Professionals”.

A print copy of the above book is scheduled to be released in Chennai on March 16, along with the launch of the Chennai Chapter of FDPPI and a day-long workshop on Section 65B organized jointly by Cyber Society of India (CySi) and FDPPI.

Naavi was the founder secretary of CySi and is a continuing life member, as also the Founder Chairman of FDPPI. Mr S. Balu, the current president of CySi, is also a member of FDPPI.

The E Book is currently priced at Rs 150/-. The printed version, of which limited copies would be available, is priced at Rs 200/-. (It will be available at the conference at a concessional price of Rs 100/-.)


Naavi
