GDPR Compliance Checklist for Indian Companies

[This guest post was published at the request of badal@myadvo.in. An objection has been received on 29th June 2020 stating that the article was originally written by Ms Jiss Joy for publication in myadvo.in and that there is a copyright infringement. A request has been sent to Ms Badal Patel for confirmation before taking down the article. If no counter objection is received from Ms Badal Patel within a reasonable time, this article will be taken down. Naavi, 29th June 2020]

[P.S: This is a guest post from Ms Badal Patel, Gurugram.]

Privacy rights have come to the forefront in recent years because of the ever-growing role played by the internet and social media in our everyday life. The question of how the privacy of a person is affected by the internet cannot be answered in a few words. Data is collected from even the most basic search a person makes, and such collection has huge implications for the privacy of a person; hence personal data has to be protected.

The General Data Protection Regulation (GDPR) is one such regulation, introduced by the EU to protect the data of its member states and their citizens. The Regulation is not region-specific and has extraterritorial application (Article 3 of the GDPR). Any third parties who intend to enter into agreements with EU entities have to strictly comply with these regulations; non-adherence would result in penalties.

Moreover, Article 44 of the Regulation states that the flow of personal information from the EU to a non-EU country can only take place if that country is in compliance with the GDPR standards. Under Article 45, the Regulation lays down certain standards that a non-EU country shall meet for the flow of information to take place without any additional authorization. The circumstances looked into are whether that country has provided a safe environment for the protection of personal data and information. The data privacy rules are reviewed and their effectiveness assessed. The international conventions or treaties that the non-EU nation has entered into shall also be looked into.

In India, with the recent decision given in Justice Puttaswamy v. Union of India, the Supreme Court, for the very first time, explicitly recognized the right to privacy of a person. With this landmark decision, the prevailing conditions of privacy and data protection came under scrutiny. The introduction of the Data Protection Bill of 2019 is a huge step in this direction and was a direct result of the historic judgment. This Bill was put forward by the Justice B.N. Srikrishna Committee, which was appointed to analyze the current laws regarding data protection and also to suggest more contemporary regulations to be put in place. The Bill specifically focuses on the data protection regulations for protecting the personal data of Indian citizens. The EU has given GDPR adequacy approval to only thirteen countries. India has not received this approval, but the new Bill has the potential to pave the way for the grant of EU approval. Receiving this approval would both boost the IT sector in the country and make the GDPR compliance requirements much simpler for Indian companies.

Indian companies are required to comply with the GDPR for conducting transactions with the EU. Before understanding the compliance requirements, it is necessary to look into two terms used under the GDPR for a better understanding of the requirements: controller and processor.

Article 4 of the GDPR defines both these terms as given below:

“(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;”

Both these terms are used extensively throughout the Regulation. The controller acts as the principal and the processor acts as the agent of the controller, acting on its instructions. It is important to understand what they are, as the responsibilities placed on each of them are quite different.

The requirements that Indian Companies need to comply with can be put into a checklist.

1. Records of Processing Personal Data Activities

Article 30 of the Regulation elaborates on the details to be recorded when it comes to the processing of personal data. Paragraphs 1 and 2 of the Article enumerate the information to be recorded by the controller and the processor respectively. Both these lists are very specific and impose specific recording obligations on both the controller and the processor. As per paragraph 3, these records shall be in writing. Both are also under an obligation to make the record available to their supervisory authority on request.
The information to be recorded under paragraphs 1 and 2 specifically requires disclosures to be made when personal data is transferred to third countries or international organisations; such third countries and international organisations should be identified, along with the safeguards taken to ensure the safety of personal data in such cases.

The definition of ‘personal data’ is wide but must be ascertained in order to inform individuals about what type of personal data is being collected. ‘Personal data’ means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

2. Determine if the company is a data processor or a Data controller

The determination of whether a company is a data processor or a data controller is very important, both for absolving the company of liability and for imposing liability on it. The definitions of both these terms have been given earlier in this article. The definition is not an elaborate one. It differentiates the controller and the processor only on the basis of who is in charge of the data and who has the responsibility to process it. But the Regulation itself is very elaborate and places specific responsibilities and liabilities on both the controller and the processor. Hence, it is important to understand whether you are a controller company or a processor company in order to understand the responsibilities that fall on you and to fulfil them, so that no liability arises on your part.

Article 24 of the Regulation deals with the “Responsibility of the Controller”. Paragraph 1 of the Article lays an obligation on the controller company to implement appropriate technical and organisational measures to ensure compliance with the Regulation. Article 28 elaborates on the processor and its obligations, both towards the controller and towards the data subject.

In order to understand which category you fall under, in simple terms, the power you have over the data is to be looked at. More precisely, the controller will have the following powers:

● To determine what is to be collected from the data subject.
● To decide how the collected data is stored.
● To decide to what end the collected data is used and what portion of the data is to be used.
● To set guidelines for the data processor to follow while processing the data.

The data processor will have only the power to process the data as per the contract between it and the data controller. It will not have any power to augment the data in any way, and the actions it takes have to be in compliance with the Regulation.

3. Updating the privacy policy with privacy notices and consent

Indian companies have to update their internal procedures to be GDPR compliant. One of the procedures they have to adhere to is issuing notices to, and taking consent from, the data subjects. These provisions are given under Articles 12-14 and 19.
Article 12 lays down the manner in which data is to be collected and the relevant disclosures that are necessary when data is collected from different categories of data subjects by the controller. This provision also enables the controller to request additional information when there is a need to confirm the identity of the data subject. Article 13 lays down the information disclosure requirements when the personal data is collected from the data subject. Paragraph 1 of this Article gives a specific list of information that the controller has to disclose. Paragraph 2 provides additional disclosure requirements that the controller has to meet to ensure fair and transparent processing. Paragraph 3 adds that if the controller intends to further process the data for a purpose other than the one it was collected for, it has to give notice to the data subject prior to such processing. Article 14 lays down the information to be provided when personal data is collected, but not from the data subject.

Under Article 19, the controller has the obligation to communicate any rectification or erasure of personal data to each recipient the data has been disclosed to and to inform the data subject about the recipients of the data.

4. Rights of Data subjects

Under the GDPR, an entire chapter (Chapter 3) is dedicated to setting forth the rights of the data subjects. There are 11 Articles (Articles 12-23) under this chapter. For an Indian company to be compliant with the GDPR, it has to ensure that these rights are safeguarded. Articles 12, 13, 14 and 19 have been elaborated on under the previous sub-topic. Article 15 provides for the right to access any information as to the data obtained by the controller from the data subject. Under this Article, the data subject also has the right to be notified if his personal data is being transferred to a third country or international organisation. Article 16 guarantees the data subject a right to rectify personal data. Under Article 17, the data subject has the right to request the controller to erase any personal data pertaining to him, and the controller is liable to oblige without undue delay. As per Article 18, the data subject has the right to place restrictions on the processing of data by the controller. Article 20 enumerates the rights the data subject has in relation to portability of the data provided by him to the controller, and how he can obtain it from the controller and transfer it to another person. Another right available to the data subject is the right to object to the processing of his personal data under Article 21. Under Article 22, the data subject has the right to not be subject to profiling resulting from the processing of his data; paragraph 2, however, provides certain exceptions to this right. If the Indian company succeeds in incorporating all these rights into its framework, it will be GDPR compliant.

5. Update the security incident management processes

Ensuring the security of the personal data of natural persons belonging to the EU is at the core of the GDPR guidelines. Article 33 lays down that in case of a personal data breach the controller shall without delay (not more than 72 hours) notify the personal data breach to the supervisory authority. The controller has an obligation to document the data breaches, their effects and the remedial action taken. Under Article 34, when there is a personal data breach, the controller has the responsibility to communicate this breach to the data subjects without undue delay. There are also certain exceptions provided under paragraph 3 of the Article.

6. Working of the Data Protection Impact Assessment (DPIA)

A data protection impact assessment is done by the controller to assess the impact of the processing of data, especially if a new processing technique is used and the risk to the rights and freedoms of natural persons is high. Article 35 of the Regulation contains the provisions regarding data protection impact assessments. Paragraph 3 of the Article lists the cases where such an assessment will be mandatorily required. Paragraph 7 points out what the assessment should contain. Article 36 lays down an obligation on the controller to consult the supervisory authority prior to the processing in case a higher risk is present. Under paragraph 3 of the Article, the controller is liable to provide certain information to the supervisory authority regarding the same.

7. Appointment of a Data Protection Officer

Articles 37, 38 and 39 are the provisions which deal with the appointment of the data protection officer. Under Article 37, a data protection officer needs to be appointed by the controller and the processor in the circumstances given under paragraph 1 of the Article. As per Article 38, the controller and the processor shall facilitate the performance of the tasks of the Data Protection Officer given under Article 39. The tasks that the Data Protection Officer is responsible for are listed in paragraph 1 of that Article. So, an Indian company, be it a controller or a processor, will have to appoint a Data Protection Officer if it falls under the criteria given under Article 37.

8. Displaying legitimate interest as to why the Personal Data is being collected and how the company intends on using it.

Under Article 6(1), there is a list of criteria given to determine the lawfulness of the processing of the data. At least one of the given criteria has to be fulfilled for the processing to be lawful. One of the criteria given is the legitimate interests pursued by the controller. But sadly, what constitutes legitimate interest is not defined in the Regulation. Recital 47 of the GDPR explains that a legitimate interest could exist:

● Where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
● The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.
● The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

So showing a legitimate interest is essential in the collection of data from the data subject.

The GDPR is extremely relevant in today’s world, where the personal data of persons is collected for various purposes. The implementation of the GDPR ensures that there is transparency and that personal data is safeguarded. Hence the Regulation mandates that disclosures are made to the data subject as to the purpose of collecting the data.

9. Transferring personal data outside the European Economic Area (‘EEA’)

If personal data transfers take place outside the EEA, the data controller must inform individuals in the privacy policy and specify the mechanisms which will be used to protect the data (for instance, the third party may have Privacy Shield certification).

10. Policy language

Privacy policies should be clear and easy to understand for individuals who have no knowledge of privacy law. A translation of the policy into the relevant local language should be made available if the website targets users of different countries.

Conclusion

The compliance requirements will be significantly simpler and easier if the Data Protection Bill (2019) is passed and the provisions in the Bill are accepted by the EU as adequate for the protection of personal data. In the event of this acceptance, India stands to gain a lot of benefits. It will have a positive impact on the IT sector and it will also ensure that the personal data of her citizens is protected.

Badal Patel
MyAdvo.in

P.S: This is a guest post. Views expressed herein are the views of the author.

Posted in Cyber Law

Bitcoin Community gives a Terrorist like warning to RBI.. We will destroy You…

In a surprisingly abrasive article, the bitcoin community has given a warning to RBI, which looks more like an ISIS warning.

An article has appeared in nasdaq.com titled “Institutional Crypto Opponents to Fight Supreme Court Decision in India”. The article is credited to one Landon Manning.

This article refers to the possibility that RBI is likely to apply for a review and puts out a dire warning, more like an ISIS diktat, stating

“In other words, the message to the RBI is quite clear: This industry is going to open up all over India, it may very well directly and specifically disrupt your way of running business and that is not going to change any time soon.”

The audacity with which the author has published this threat is worth noting.

It is time that we Indians, who consider Bitcoin and other private Crypto Currencies as “Digital Black Money”, “Currency of the Criminals” and “Currency of the Terrorists”, oppose the legalization of Bitcoin in India. Even any facilitation of money laundering through Crypto currencies that this decision of the Supreme Court could have enabled will be fought against.

Let the review be undertaken by a larger bench and let’s debate how this decision of the Supreme Court is a facilitation of money laundering.

In the meantime, Naavi.org will continue to urge the Central Government to issue an ordinance to Ban Crypto Currencies. Let this also be heard by the Supreme Court and we will know if the Judiciary is on the side of honest citizens of India or the black money vendors of India.

Naavi

[Views expressed here are the personal views of Naavi]

Posted in Cyber Law

Workshop on PDPA at Chennai

FDPPI and CySi successfully conducted a workshop in Chennai to discuss the forthcoming Personal Data Protection Bill 2019.

Honourable Justice K.N. Basha, retired judge of the Madras High Court, and the honourable P. Wilson, sitting MP, graced the occasion.

Naavi made a presentation on the salient features of the Bill and the need for the Bill to be passed into an Act. He also discussed some of the controversies surrounding the Bill.

A detailed question and answer session followed in which the participants sought and obtained various clarifications.

Mr Wilson, who is also an advocate himself, spoke and highlighted the need to create awareness among the stakeholders even before the Bill is passed, so that any modifications can be accommodated.

Justice K.N. Basha congratulated CySi and FDPPI for taking up the initiative and suggested that the points arising out of the discussion may be shared with the Government.

During the occasion, the certificates of Mr Durai Kannaiyan and Mr Nikhil Ranjan Nayak, members of FDPPI who were recently conferred the recognition of “Certified Data Protection Professionals” by FDPPI after a course and evaluation examination, were handed over by Justice K.N. Basha and Mr P. Wilson.

Naavi

Posted in Cyber Law

Stock Market Fall in India is influenced by the Bitcoin decision of the Supreme Court

The Indian stock markets have had a free fall in the last few weeks, from around an index level of 12000 to 9000. While most people consider this a reaction to the impact of business slowing down due to the Coronavirus, it cannot be denied that there could be another reason why the fall in India is accelerated and appears disproportionate to the economic impact of the Corona.

One of the reasons could be the Supreme Court decision which quashed the RBI circular that Banks should not engage themselves with the Bitcoin exchanges. This decision has been interpreted by the markets as an endorsement of Bitcoin by the Supreme Court.

Though the Supreme Court has been clever in its judgement and has only struck down the RBI circular and not its power to regulate in the matter, it has had a chilling effect on RBI officials and encouraged those officials in SEBI and the Ministry of Finance to silently support transactions in Bitcoins.

It is possible that a large amount of investments are being moved from the Indian stock markets to Bitcoins and other Crypto currencies.

This doubt is strengthened by the fact that the Ministry of Finance and SEBI have been very lethargic in controlling the bearish trend in the market and have failed to intervene in time by suspending market operations for a few days. This should have been the normal response of a prudent regulator. But we know that SEBI has earlier been supportive of the Bitcoin exchange, and MCX even submitted a recommendation to the Government to regularize Bitcoins. It cannot therefore be ruled out that the inaction of SEBI and the Ministry of Finance could be deliberate.

Mrs Nirmala Sitharaman needs to understand that the Supreme Court judgement was an encouragement for money laundering, and if this is not checked immediately there will be a further drain of funds from not only the stock markets but also the Banking system.

Now the action is required from three ends.

  1. RBI should file a review petition on the Supreme Court order and seek an immediate stay on its operation.
  2. The Ministry of Finance should immediately release an ordinance to pass the “Banning of Crypto Currencies” legislation.
  3. The CJI of India should recognize the link between black money, money laundering and the Crypto Currency exchanges and suo moto order a review of the Supreme Court’s judgement by a larger bench.

I suppose the saner, non-corrupt elements in the Government should recognize the link between Bitcoins and money laundering and urge the Ministry of Finance to act immediately.

Further, now that the stock markets are disproportionately low, the Government agencies should start buying out some valued companies in the private sector, both for better control of the Government in private sector companies as well as for short term commercial benefit, which should be better than the bond yields.

Naavi

Posted in Cyber Law

Workshop on PDPA at Chennai

Cyber Society of India (CySi) and Foundation of Data Protection Professionals in India (FDPPI) have organized a half day workshop on the Personal Data Protection Act (proposed law in India, presently with the Parliamentary committee) on 14th March 2020.

The program is meant to provide basic information on the proposed law and how it impacts the industry.

Honourable Justice K.N. Basha, former judge of the Madras High Court, and Mr P. Wilson, Honourable Member of Parliament (RS), are expected to grace the occasion.

FDPPI is also distributing the certificates to the successful candidates from Chennai who passed the recent “Certified Data Protection Professional” course conducted by FDPPI, marking the beginning of a new era of trained Data Protection Professionals in India.

Naavi

Posted in Cyber Law

Proportionality Test Clarified by Supreme Court

In recent days a lot of discussion is centered around “Proportionality” when it comes to use of Government powers to either make laws or make regulations under the specific laws.

It has become a tendency for politically motivated litigants to oppose a law first when it is being passed in the Parliament and then in the Supreme Court on the basis that it violates some aspect of Constitutional Right. The Supreme Court is also most obliging in taking up such cases and investing its time and energy in meeting the political goals in such litigation against the Government.

When the law can no longer be challenged under the Constitution, the next challenge is mounted on the basis of “Yes.. the Law is Constitutional,… But the implementation is not proportional”. The recent judgement in the case of Crypto Currencies is one such instance, where a bench of the Supreme Court consisting of Judges V. Ramasubramanian, Aniruddha Bose and Rohinton Fali Nariman held that RBI has powers to regulate Virtual Currencies, but that its circular stating that Banks should keep away from Crypto Exchanges was a disproportionate use of this power.

These “Yes..But” judgements are a reflection of the power some advocates have to persuade the Courts to give temporary reliefs even when it is not in the interest of society. The Nirbhaya case, in which the accused are filing curative petitions one after another even after the final judgement and yet getting favourable orders from the Courts, is a case in point of how the law is being twisted to suit the criminals.

To put an end to these “Yes…But” judgements, it is necessary for the Courts to establish the limits to which certain principles can be applied. One such principle that needs clarification is the test of “Proportionality”, which is amenable to misuse by influential litigants and obliging judges. Not every law passed by the Parliament and held constitutional can continue to be frustrated whenever the operating notifications are issued.

The PDPA is in danger of such a “Yes..But” attack. After the Act is passed by the Parliament, it is possible that it is challenged on the ground that Section 35 is unconstitutional or, even if constitutional, fails the proportionality test. Similar objections can be made on Section 42(2) on the constitution of the DPA. Then similar challenges can be mounted on the definition of Sensitive Personal Information or Significant Data Fiduciary, Social Media Intermediary and so on… The possible challenges would be endless and, as in the Nirbhaya case, the challenges can come one after the other so that the law as passed may be stayed at its execution stage.

If this situation unfolds, then it would be the Supreme Court itself which will be responsible for not allowing the Government to bring legislation on Privacy Protection and for preventing the Puttaswamy judgement from being implemented. It could even be a blessing in disguise for the Government, since it can continue to do what it does in the absence of the Privacy law.

Unfortunately, even Justice B N Srikrishna himself has gone public with a statement that the law can be challenged and that he could be the prime witness in the case or could be the petitioner himself challenging the law.

In this depressing scenario, it is necessary for us to feel refreshed by the judgement of another bench of the Supreme Court delivered on 2nd August 2019, exactly 2 years after the Privacy Judgement, in the case of Ritesh Sinha Vs State of Uttar Pradesh, which makes some key observations on the sense of proportionality.

The case related to an accusation that Mr Ritesh Sinha collected money from the public in 2009, promising jobs in the Police. The investigating authority wanted a voice sample to be matched with the recorded calls and an application was made. The magistrate issued summons to appear before the investigating officer and provide the voice sample.

This was challenged first in the High Court of Allahabad, which negatived it in 2010. Then the appeal came to the Supreme Court. Now, after 10 years, the Supreme Court has rejected the appeal. Though the voice sample of 2009 may now be compared with a voice sample of 2019 and the time lapse itself would be an advantage to the accused, the judgement is noteworthy from the point of view of the clarification it has provided on deciding the “Proportionality” aspect and the “Privacy Right”.

There were two issues that came up for the consideration of the Court. The first was whether a person can be compelled to provide a voice sample, as it may be evidence against himself. The second was whether, in the absence of a provision in the Cr.P.C., the Court is competent to interpret the provision as the legislative intent.

The Court made the following observations on whether the Right to Privacy is absolute:

“Would a judicial order compelling a person to give a sample of his voice violate the fundamental right to privacy under Article 20(3) of the Constitution, is the next question.

“The issue is interesting and debatable but not having been argued before us it will suffice to note that in view of the opinion rendered by this Court in Modern Dental College and Research Centre and others vs. State of Madhya Pradesh and others, Gobind vs. State of Madhya Pradesh and another and the Nine Judge’s Bench of this Court in K.S. Puttaswamy and another vs. Union of India and others the fundamental right to privacy cannot be construed as absolute and but must bow down to compelling public interest.”

As regards the Court trying to interpret the intentions of the law, the judgement stated:

“what may appear to be legislative inaction to fill in the gaps in the Statute could be on account of justified legislative concern and exercise of care and caution.”

“The exercise of jurisdiction by Constitutional Courts must be guided by contemporaneous realities/existing realities on the ground. Judicial power should not be allowed to be entrapped within inflexible parameters or guided by rigid principles.”

Though the judgement does uphold the right of the Court to fill in the words of the legislature, it is pertinent to note that it has indicated a cautious approach when a written law is to be re-written by the Court through its interpretations.

It opined:

“the judicial function is not to legislate but in a situation where the call of justice …, demands expression of an opinion on a silent aspect of the Statute, such void must be filled up not only on the principle of ejusdem generis but on the principle of imminent necessity with a call to the Legislature to act promptly in the matter.”

The Court also observed:

“when a yawning gap in the Statute, in the considered view of the Court, calls for temporary patchwork of filling up to make the Statute effective and workable and to sub-serve societal interests a process of judicial interpretation would become inevitable.”

Thus the judgement states that there has to be an imminent necessity, with a call to the legislature to act promptly, for the Court to interpret a law as enacted. Thus the “Proportionality test” applied by the Court to override a written law or an order (as in the Bitcoin case) has to meet the requirement of “Imminent necessity”.

In the Bitcoin case, when the Government was ready with the law, it would have been prudent for the Court not to express its view on the “Circular” of the RBI and to let the Government and the regulatory authority do their function.

Similarly, in the PDPA case, if there is a challenge on Section 35 or Section 42, the Court has to wait for the emergence of an imminent need, such as when the Government comes out with a blatantly unfair notification, and not otherwise.

In the case of Ritesh Sinha, if the Court had ordered the voice sample to be provided immediately and deferred the analysis to a later day, it would have been possible for the sample of 2009/2010 to be collected instead of one of the current date. The Court failed to provide such a solution.

But presently there have been instances when the Courts have allowed the law to run pending the decision on the challenge (e.g. Article 370), and similarly, if the PDPA is challenged, the Court should allow the law to be enforced while the debate continues on the nitty gritty. The other option, granting the stay and continuing the debate, if followed, would indicate that the Court is not interested in Privacy protection being legislated.

Let’s see how the scene unfolds…

Naavi

Posted in Cyber Law