Is TransUnion-CIBIL guilty of Accessing Critical Personal Data through surreptitious means?

Posted on August 31, 2019 by 98410spice

Indian consumers of Credit Card services have been frequently expressing their dissatisfaction against the role of CIBIL as a credit rating agency.

It is often accused of cheating the public by not providing the free credit report which they are supposed to provide once a year, are accused of inefficiency in not updating the customer data and on occasions receiving false data from the Banks due to error or design.

The travails of the credit subjects have been well captured in the article “How CIBIL Can mess-up your credit score” in moneylife.in.

I would not go into discussion of this more except to say that this happens fairly regularly and reflects the callous manner in which the service is managed.

But I would like to point out that the life for CIBIL will not remain as comfortable as it is now in the coming days where PDPA (Personal Data Protection Act) will become a law and a Data Protection Authority would be set up in India. Then CIBIL and the other Personal Credit rating agencies in India will be answerable to the Data Protection regulations which will include civil and criminal liabilities.

CIBIL  or Credit Information Bureau (India) Limited) came into existence on August 2000, entered consumer operations in 2004 and into commercial credit operations in 2006.

Initially, CIBIL was perceived to be a Company started by RBI with equity contributions from different Banks as indicated in the above share holding pattern. (Reference taxguru.com)

However, current information indicates that 92.1% of its shares are now held by TransUnion. Transunion is a US based Company. The ownership of TransUnion CIBIL is therefore in the hands of a foreign company. This company now holds about 550 million India’s credit data which is “Sensitive Personal Information” under ITA 2000 and will be “Critical Personal Information” under the PDPA. Hence this company will come under the Data Localization rules.

Further, this company has so far collected personal data not from the data subjects but from the Banks. There was initially no consent from the data subject. Subsequently since the Credit Information Companies (Regulation) Act, 2005, was notified on 23rd June 2005, the presumption is that Banks are sharing the personal data under permission from RBI. But this is not the correct legal position. TransUnion is a commercial entity which has about 2400 members from the Banking and FinTech companies in India and collecting a fat fee from them for every credit score reference they receive.

TransUnion CIBIL is therefore an entity that is a MNC which has taken over an Indian company along with a highly valuable critical personal data worth billions of rupees and is making a huge profit.

The manner in which the TransUnion has acquired access to the critical personal data of Indian citizens is through a clever manipulation of take over of a company along with its data assets. This is “Data Laundering”

How was this allowed to happen is a matter which needs investigation. Who gave the permission? Was it the Finance Ministry headed by Mr P Chidambaram? Who was the RBI Governor who allowed this set up? all needs to be verified.

Is there a scent of a scam?… I request Dr Subramanyam Swamy/Pgurus to take a look.

From the case referred to above, it is clear that TU-CIBIL is guilty of

a) Not keeping the personal data properly updated and accurate

b) Using  an automated decision making process to make profiling decisions about the individuals

c) Not obtaining explicit consent from the data subjects for the profiling

d) Not informing the data subjects that their personal data is being collected from third parties for profiling and generating the Credit Score

e) Sharing the credit score which may be incorrect and adversely affect the reputation of the individuals.

f) Transferring the critical personal data across the border for processing without explicit consent…etc

The apparent violations of the company are extremely serious and need immediate action from the Government of India first under Information Technology Act to check if they are practicing “Reasonable Security Practice” and “Due Diligence”. An immediate audit from CERT-IN is warranted.

RBI has powers under the Credit Information Companies (eRegulation) Act, 2005, was notified on 23rd June 2005, to regulate such credit rating agencies. It would be interesting to note if RBI has ever conducted an audit of CIBIL or like PNB, left it to the God’s wish that the security of information takes care of itself. Perhaps the current RBI administration may answer this.

When PDPA becomes effective, the data collected prior to the implementation date will become illegal and has to be destroyed. This means that unless TransUnion CIBIL obtains “Explicit Consent” on or after the date of PDPA notification, it cannot be allowed to continue in business.

I warn the CIBIL users to take note that if the Government takes action against CIBIL as they should do their business continuity may be adversely affected. They need to therefore secure themselves against such contingent event.

I am looking forward to receiving a counter from CIBIL regarding the above and if received, would be happy to publish it here. If no response comes from them, it would be presumed that the inference drawn here are perhaps true.

Those in Nasscom and DSCI who have been championing the opposition to the Data Localization also need to comment on whether TransUnion should be allowed to transfer the data outside India and what action is to be taken to ensure that the data already transferred out is erased in the servers in US or elsewhere.

Naavi

Comments Welcome

Posted in Cyber Law | Tagged , , , | 1 Comment

The petition for Data Sovereignty

Posted on August 30, 2019 by 98410spice

Mr Vinit Goenka, of the Center of Knowledge sovereignty has floated a petition on Data Sovereignty at change.org.

The link to sign the petition can be found here:

For immediate reference some of the salient features of the petition are reproduced here along with my comments.

The petition is in the context of the PDPA Bill which is to be introduced in the next session of the parliament.

Petition and comments: 

“Government of India cannot be a mere silent spectator here when data of millions of people in India (common man) is been compromised by tech gaints and foreign entities. The common man gets lured by Free Apps and doesn’t understand the terms and conditions drafted by these tech companies and social media giants.

The social media platforms carrying such Apps/advertisements on their channels as well as new apps making entry into Indian cyberspace have to clearly be monitored.

This is not censorship but the right over our data, maintain our privacy, respect our individuality and to ensure we are not made DIGITAL SLAVES. Its high time, the Government of India takes some strong steps as each day’s delay is a ticking timebomb and we are losing the Digital race.

1) It is the need of the hour to bring in strong laws to monitor and check the social media channels and also revisit the laws every year in the ever-changing cyberspace.

Comment: PDPA read along with ITA 2000 would be reasonably strong to address the requirement if it is passed quickly by the Parliament. 

2)It must be made mandatory for these companies to store data inside India and take the permission of the Government of India to take the data overseas.

Comment: Already available under PDPA

3) It must also be mandatory for the parent company of the apps or social media company to have an office in India, registered business address in India and occupier in India. This responsible officer must cooperate with law enforcement agencies.

Comment:. Social Media companies spreading fake news require a different treatment. Some cases may come under right to free speech. Hence this aspect must be handled with finesse. ITA 2000 and the intermediary guidelines are good enough to handle this if the provisions are enforced properly. The data localization is a means of such enforcement.

4)It should also be made compulsory for the social media companies to highlight in the agreements any clauses that infringe the data privacy of the users .

Comments: Already incorporated under PDPA. 

5) The agreement should also be in drafted in at least 5 more Indian languages so that the people of India can understand the terms and conditions before using the application and platform.

Comments: The question of taking consent is not an efficient way of privacy protection. There are other means which are out of scope for discussion here. Anyway the suggestion is a step in the right direction. But the problem is why five? which five? etc…

6)The laws must define clearly the provisions for violation of privacy and the said officer and organisation must cooperate with the law enforcement agencies.

Comment: PDPA with ITA 2000 ensures this

7)The minimum age limit of the user of the applications must be defined clearly . Minors should not be allowed to use / register on platforms without parental vigilance.

Comment: PDPA with ITA 2000 ensures this.

8)The Social Media App must be linked to some Government Id or Any verifiable identity to make traceability, stop children from accessing Social media before the stipulated age and curb fake news.

Comment: PDPA with ITA 2000 can be applied to ensure this. Already discussions have taken place with WhatsApp. There was also a discussion in Madras High Court in which the IIT professor Dr Kamakoti also provided some technical solutions.

9) The laws must provide the user with the right to delete his/ her data from common view or access if they later find it inappropriately posted on such platform or application. This data must be wiped out from the servers for common commercial or other use except for law enforcement reasons.

Comment: This has some issues… ITA 2000, Sec 79 has some provisions. PDPA also will have some provisions. Removal from public view is necessary in case of objectionable fake news. But truth cannot be suppressed except in emergencies for which specific provisions in ITA 2000 are available.

10) Social media companies must not use any data without the explicit consent each time while sharing, using, reproducing our content, images, data .

Comment: We need to work with PDPA with ITA 2000 to ensures this

11) These social media companies must pay legitimate taxes in India as per the provisions of law.

Comment: This is outside the purview of the Privacy discussion.

Other Views

We are aware that the industry lobby is strongly opposing the provisions of the PDPA bill under clause 40 which states as under:

(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.

(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.

(3) Notwithstanding anything contained in sub-section (1), the Central Government may notify certain categories of personal data as exempt from the requirement under sub- section (1) on the grounds of necessity or strategic interests of the State.

(4) Nothing contained in sub-section (3) shall apply to sensitive personal data.

The above restriction applies to only non sensitive and non critical personal data. Besides only one serving copy is required to be kept and transfer is available on various conditions including adequacy, standard contractual clause, explicit  consent, medical emergency etc. These are not different from GDPR which says that Cross border transfer is permissible under similar conditions which indirectly means that it is not transferable otherwise.

The social media companies are making an unnecessary issue out of this provision and their objections are not justified.

We also know how these companies like Twitter are helping anti India activities and spreading fake news. When called upon to correct as per the provisions of ITA 2000, they donot respond. These companies who are  subservient to FBI and allow backdoors only have problems with Indian requests. Hence their arguments are not to be considered genuine.

Apart from this, some of the points mentioned by Mr Vinit Goenka may require further discussion. One such point is point no 10 on deletion of the data. This has to be subjected to provisions of Section 79 of ITA 2000 and the data erasure provisions under PDPA. There is a proposal to amend a rule notified under Section 79 which also has been placed in the background due to the opposition raised by the vested interests in the industry who donot want fake news in social media to be strongly regulated. MeitY should go ahead with the notification without further delay.

I have proposed other mitigation efforts under PDPA which may be discussed on a different occasion. Subject to these, PDPA is a strong enough law and when implemented along with ITA 2000, can force the intermediaries to cooperate with the law enforcement authorities.

From the petition it appears that there is a lobby in the Government which is interested in yielding to the pressure from the industry  which Mr Vinit Goenka is trying to counter. We know that this lobby includes the NASSCOM which is working through DSCI. DSCI submitted a dissent note to the Srikrishna Committee but the Committee went ahead with its proposal for data localization. It is this lobby which has delayed the presentation of the bill so far and may still be fighting for dilution of the PDPA Bill.

I strongly object to the MeitY if it wants to succumb to the pressures of vested interests and hope the Government will be firm in implementing the PDPA provision on data localization.

I therefore  support the petition and I feel that Data Localization will give a big boost to the local data industry and must be implemented.

Naavi

Posted in Cyber Law | 1 Comment

IDBI Bank held liable in Phishing Case a-la Umashankar Vs ICICI Bank

Posted on August 29, 2019 by 98410spice

The adjudication complaint of S Umashankar Vs ICICI Bank was a historic case in which the Adjudicator of Tamil Nadu, Mr PWC Davidar held that ICICI Bank is liable for negligence despite the phishing mail having been answered by the innocent victim.

This decision of the Adjudicator was challenged by ICICI Bank in the Cyber Appellate Tribunal and on 10th January 2019, the TDSAT to which the Cyber Appellate Tribunal was merged into in 2017 delivered it’s judgement upholding the Adjudicator’s verdict and rejecting the appeal of ICICI Bank.

Now in yet another case, TDSAT has upheld the Gujarat Adjudicator’s decision to hold the Bank responsible to pay compensation.

Refer the judgement here: Cyber Appeal 7 of 2013 IDBI Bank Vs Sudhir S Dhupia

This was an ex-parte order

It was interesting to note that the hearing was ex-parte and the victim got justice despite his inability to be present during the hearings . The TDSAT must be specially commended for this decision since justice was upheld without the necessity for the victim to explain to the Court that he was a victim and needs justice. If all Courts adopt this sort of stand, the Judicial system in India will come to be respected far more than at present.

Some Courts which swear on formalities need to take a fresh look at their procedures and make justice more easily accessible to the common man.

The Judgement quotes the precedence of Umashankar Vs ICICI Bank

It was interesting to note that the judgement made a reference to the Umashankar Vs ICICI Bank case both the adjudication verdict and the TDSAT’s own verdict. (Cyber Appeal 1/2010).

Other Banks should take note of such judgements and withdraw their cases against the hapless customers who cannot pursue expensive litigation to fight for their justice. Banks have public money and they are wasting their money on continuing the litigation. Banks are also ignoring the RBI guideline that RBI has given that they need to  have Cyber Insurance cover and use it such cases of third party frauds.

While looking at the negligence under Section 43 and 43A, we need to also draw the attention of the public on the Kerala High Court judgement in the case of SBI vs P V George which has been discussed earlier here where the Court has held that even not responding to the SMS alert cannot be held against the customer for denying reimbursement for such frauds.

We can also draw the attention to the following news report which reports a fraud in

Mangalore, Karnataka, where the customer has lost money even without sharing OTP or answering the Phishing mail. This highlights the fact that such frauds occur because of an inherent security flaw in the Banking system which includes the insider involvement in the frauds.

Hence Courts should take note of the increased level of security expectation on the Banks and ensure that customers who are victims of the insecure banking practices are not made to suffer the loss.

I request the Finance Minister Mrs Nirmala Sitharaman and the RBI Governor to advice the Banks to withdraw all cases of similar nature in which they are continuing to litigate with the use of public funds.

I also request shareholders of these Banks such as ICICI Bank, SBI, HDFC Bank, PNB, IDBI Bank etc., to question the boards as to why they are continuing the litigation and not settling the victim’s claims immediately.

Naavi

Posted in Cyber Law | Leave a comment

Bitcoin can create a nuclear holocaust

Posted on August 24, 2019 by 98410spice

The Supreme Court of India is now debating on the “Legality” of the “Powers of the RBI to bar the Banks from dealing with Bitcoins and other Crypto Currencies” vis a vis the freedom of Crypto Currency exchanges and miners to mine, trade in and exchange legacy currency of INR into the anonymous currency which is Bitcoin and nearly 2000 other crypto currencies with which it is fungible.

If we go by what Bitcoin supporters are saying, the Judges during the hearing have already decided to rule the case against RBI.

In one of the publications, it is highlighted that the Judge asked RBI, “How are you concerned with Consumer Protection? It is the concern of the Government not yours”.

I am not sure if this is a correct representation of what the Judge said or intended to say. “Consumer Protection” is a matter of public interest. It is not only the Government which should be concerned, but I, you, the Supreme Court judge and all.

Can the Supreme Court say that “Fundamental rights” or “Cyber Crimes” is the concern of the Government and not that of a responsible regulator who is supposed to regulate the finances of the country?

I therefore consider that the publication has either mis-quoted the judge or misrepresented what the Judge wanted to know.

This criminal way of thinking comes naturally to the Bitcoin eco system because the Bitcoin system itself is a system by criminals, for criminals and of criminals.  It is born for the purpose of tax avoidance.

Tax avoidance is cheating the honest citizens who pay tax because we all live in a society governed by some accepted principles of Governance.

The dangers that the addiction to Bitcoin can bring to the world recently surfaced in a more dangerous form in Ukraine where there was a radiation leak from a nuclear reactor. It is now revealed in an investigation that the radiation leak was caused by “Crypto Miners” in the nuclear plant who tried to use the computing facilities in the plant to mine crypto currencies. Several employees have been arrested in this connection. Crypto mining equipments have been seized

The incident also indicates a massive Information Security failure as computers not required for the plant entered the system and were connected to the network. Basically it is the failure of the “Human Element of Information Security” caused by the fundamental attitude of Bitcoin miners who are “Anti-Establishment” in their basic attitude.

I wish the Supreme Court examines this angle of what is the  psychological profile of a Crypto supporter ( in the current context where the debate is whether a private Crypto currency is a currency of criminals and has to be banned or not) and whether he is more friendly with anti national forces or is loyal to the country.

We the people of India will keep watching even the  Supreme Court and how loyal is our judiciary to the principles of natural justice to the country.  There should be no attempt to  hide behind some technicalities and give an ambiguous ruling to oblige the petitioners of this case which we know has the ability to shower their appreciation on the Judges in many forms if they are made happy.

I also hope the media does not twist the statements of Judges during the trial and spread speculative views to mislead the public.

Naavi

Posted in Cyber Law | Leave a comment

73rd Indian Independence Day with the participation of Kashmir

Posted on August 15, 2019 by 98410spice

India celebrates for the first time Independence day  with the participation of Kashmir. Let us look forward to better days for India with Kashmir.

Naavi

Posted in Cyber Law | Leave a comment

How Do I harass a company with GDPR?

Posted on August 13, 2019 by 98410spice

GDPR is a regulation meant to protect the privacy rights of an individual. Principally it is meant to protect the right of a citizen of EU and tries to exercise control over the personal data collection activities in the jurisdictional boundaries of  EU. UK as a faithful servant of the EU and reeling under the repentance of Brexit wants to be more loyal than the King and has pursued the UP Data Protection Act 2018 to extend GDPR to its jurisdiction.

The objectives of GDPR are laudable and extends the concern the EU legislators always had on the protection of human rights.

Having dealt with dictators like Hitler, Mussolini and Napoleon and lived a life of pirates and conquerors for generations, (of which we the Indians have centuries of experience), the population of EU has developed a culture which appear to have made them suspicious with every body else and over sensitive to some issues related to Privacy. 

This is indicative in an interesting case reported below, details of which are available here.

This article “My GDPR Complaint Against Tinder (MTCH Technology Services)” is an interesting case study of how one person has painstakingly pursued his complaint with the company over a long period using the good intentions of GDPR to his advantage and in the process consuming days of effort and money of the company.

This is a typical indication of how the law can be misused by some persons for their own reasons. 

To briefly explain the incident, immediately after the GDPR came into operation on 25th May 2018, on 2nd June 2018, a website PersonalData.IO submitted a request on behalf of a customer requesting the company MTCH Technology Services Ltd, to provide “all of the information collected on me”. Since then, the complainant is pursuing the complaint expressing his dis-satisfaction about the information that has been provided. The complaint has been originated with ICO in UK and later transferred to the supervisory authority in Ireland. The matter appears to be resting with the detailed reply given by the company on 29th May 2019 but the complainant is still not satisfied and is following up.

During this entire exercise, the company has patiently been replying to the complainant and it is evident that it has spent enormous corporate time with its technical team, compliance team, the legal advisors etc to draft a satisfactory reply.

We must pause at this stage and reflect whether the cost forced by the complainant on the company has been productive and whether the complainant has been  inflicting unjustified losses on the shareholders of the company who are also individuals like the complainant himself.

GDPR has provided a “Right” to the data subject to request for information from a company whether personal data of himself is being processed and if so how is it being processed. The purpose of Articles 13 and related Articles of GDPR is to enable a data subject to ensure that the company adheres to the principle of collecting an informed consent and using the data only as agreed upon and not make a fraudulent or unethical and dishonest use of the personal data.

The complainant in this case on the other hand appears to have pursued his complaint dishonestly with the sole purpose of harassing the company through a series of e-mails and making a “Disproportionate request”. There is no “Data Breach” reported in this instance and the request is a fishing exercise of the complainant to find out a cause for further harassment of the company.

This complaint reflects a sadistic tendency on the part of the complaint who seem to have lot of time at his disposal to keep sending request after request and not be satisfied with any reply received.

There is a need to put an end to the development of such trend which will be detrimental to the industry. If this goes unchecked, any body and everybody may keep sending out e-mails just to make the life of the companies difficult. It may provide a sense of satisfaction to the complainant that he has achieved something great in his life by dragging the company into an endless conversation.

The responsibility to put an end to such an attempt lies with the supervisory authority which has to exercise a judicial discretion to separate a real complaint from a complaint designed as a fishing exercise where the complainant has no prima facie case of having been adversely affected.

The supervisory authorities in such cases should politely refuse the complaint and close the case so that the company can go ahead and attend it its other activities. This requires a sense of maturity for the officers who have the responsibility to uphold the real values reflected by GDPR.

Unfortunately the drafting of GDPR and more so the UK Data Protection Act 2018 is not good enough to avoid dishonest complaints being made against companies without valid and prima facie reasons. It is also not possible to avoid all inconsistencies when a law is drafted and it is the duty of the judiciary and other authorities implementing the law to read down the different provisions and ensure that the real spirit of the law is upheld.

If the supervisory authorities fail to respond properly to prevent such harassment, the Companies will also start disrespecting the authorities and we will end up with litigations all round. This will impose an unreasonable cost on the society and render the regulation an unproductive burden.

I therefore advise the complainant to be satisfied with whatever information has been provided. She has made not only this company but many others realize how GDPR can be make the life of the DPO miserable and tighten up their compliance. I suppose her genuine purpose of making Companies more responsible has been served. 

She deserves a pat on the back.

But if the complainant  pursues the complaint further, her intentions would be suspect and  it would be proper for the Company to demand payment of costs for providing the information. Let this incident not be a lesson on how people can harass a company using the provisions of GDPR.

According to Article 12(5),

...Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

It appears that this is a fit case to test the provisions of this Article and how the supervisory authority of Ireland interprets this complaint.

Naavi

Posted in Cyber Law | Leave a comment