How much of Crypto currency transactions are illegal?

According to Zebpay, which has shifted its business out of India, it still has more than 2 million Bitcoin holders in India, who have more than 40000 bitcoins in their possession. According to its estimate, there are about another 15000 bitcoins in the hands of Indians in other exchanges and maybe a further 20,000 in dark pools, which Zebpay itself calls the “Black Market”. The other Crypto currencies could add up to a further 50% of the Bitcoin holding.

The total estimated value of the Crypto currencies in the hands of Indians, which we term “Digital Black Money”, could therefore be around 100,000 Bitcoins. At around Rs 8.5 lakhs per Bitcoin, the total value is around Rs 8500 crores. It must be recognized that this is only an estimate of the holding by Indians and the rest of the market capitalization (nearly 300 billion US dollars) is held by non-Indians.

According to the industry’s own estimate, only 21% of Bitcoin transactions are deemed “Lawful”, as revealed by the research of MIT and IBM. The research said that billions of dollars are laundered through Crypto currencies every year.

The honourable Supreme Court cannot ignore these facts when it hears the arguments of the industry on legitimization of Cryptos in India.

Naavi

Articles on Bitcoin on naavi.org

Posted in Cyber Law | Leave a comment

Who constitutes a “Person” under Section 43 of ITA 2000?.. A Survey

Here is a simple survey I am conducting on a question of law. I request all legal professionals to send me your personal view on this matter through e-mail or otherwise.

This looks simple and a waste of time for most of the legal professionals. But believe me, your view may be important in defining the law of Cyber Crimes in India. Hence I request you to take a few minutes to send me your views.

Naavi

Section 43 of ITA 2000 states as follows:

Penalty and Compensation for damage to computer, computer system, etc 

If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network –

(a) accesses or secures access to such computer, computer system or computer network or computer resource 

(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;

(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;

(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;

(e) disrupts or causes disruption of any computer, computer system or computer network;

(f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;

(g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder,

(h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network,

(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means 

(j) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage,

he shall be liable to pay damages by way of compensation to the person so affected.

This section uses the term “Person” many times and most importantly for the entity that has suffered a damage and the entity that has caused the damage.

This section is linked to Section 66, and any of these acts committed dishonestly or fraudulently constitutes an offence under Section 66. The two sections cover most of the so-called Cyber Crimes against which all of us are fighting.

In law the word “Person” is applicable both to an individual living person as well as a company. The General Clauses Act also specifies the same.

In this context please let me know your view as to whether the word “Person” used in Section 43 of ITA 2000 is restricted to only an “Individual”.

Thanking you in advance.

Naavi


Is IAMAI acting beyond its objectives?

IAMAI, the Internet and Mobile Association of India, is a body registered under the Societies Act with a self-declared mandate to expand and enhance the online and mobile value added services sectors. Considering the growth of the mobile industry in India and its reach among the common people, IAMAI represents a very important segment of the communications industry. It therefore holds a very important obligation to the people of India.

While promotion of the commercial interests of the members is a legitimate activity of the association, I would like to ask the Governing Council members to take a fresh look at their objectives and whether the objectives include promotion of commercial interests irrespective of the impact of their decisions on the society at large.

In short, we need to question whether the objective of promoting business means promotion of “Ethical and Legal Business” and not business that is detrimental to the very survival of India as a sovereign country. (This is no reflection on many good causes for which IAMAI might have devoted its energies in the past.)

There are many actions of the IAMAI, such as its opposition to Data Localization, that have betrayed the lack of national interest in the pursuance of its objectives, but I would like to focus now on the specific stand that IAMAI has taken to support the legitimization of Crypto Currencies in India and oppose the stand of RBI in banning the Bankers’ involvement in the Crypto exchanges.

In the petition being heard in the Supreme Court IAMAI has taken a stand to oppose the RBI ban on Crypto transactions.

The IAMAI counsel has argued

“RBI restricting banks from providing services to crypto [businesses] is a colorable exercise in the guise of consumer interest. It can exercise power in public interest only to the extent as provided under law such as interest of depositors, borrowers etc,”

“cryptocurrency must not be equated to sovereign currency i.e., rupee etc,”

“RBI is only a delegatee of power which cannot exercise [the] same powers as Parliament which has a direct impact on legitimate businesses,”

since “Blockchain technology” is not disputed, the blanket ban on Virtual currencies built on this technology is “arbitrary, unfair and unconstitutional”.

The counsel has also shown that certain businesses have suffered losses or closed down because of the RBI ban and has therefore drawn attention to Article 19(1) of the Constitution.

We draw the attention of the honourable Supreme Court to the counter views that it must consider before taking any view on these arguments.

    1. Bitcoin and other private crypto currencies form one set of mutually interchangeable assets. Hence a holder of one of the currencies can convert it to another. Some of these currencies are convertible to legacy currencies such as Swiss Francs and Japanese yen. There are ATMs operating in several places abroad where cryptocurrencies can be deposited or withdrawn against legit currencies. Hence any holding of a crypto currency is equivalent to the holding of foreign currency and violates the FEMA regulations.
    2. Crypto currencies are called “Currencies” because they are dealt with as “Currencies”. They are not dealt with in the market as “Commodities”. Hence the only discussion that is relevant is for “Crypto” as a “Currency” and not as a “Commodity”.
    3. In actual usage Cryptos are used as “Currency of the criminals” and “Currency of terrorists”. More than 90% of the Cryptos like Bitcoins have in the past been used for financing some illegal drug activity or arms trading or for collecting ransom and hence most of the current stock, if considered as “commodity”, is tainted as “used in money laundering”.
    4. Cryptos arise out of three channels, namely “Mining”, “Trading” and “ICOs”. Mining is an activity which consumes huge quantities of resources in terms of power and computing resources and will encourage unproductive use, crypto mining offences etc. Trading will enable the currencies to be used for money laundering. ICOs are a fraud since they are like a private placement of self-created wealth. As long as the identity of Bitcoin wallet owners and Bitcoin transactions remain anonymous, we have to treat the holdings of Cryptos as “Digital Black Money”.
    5. If Supreme Court is even thinking of legitimizing private cryptos, it would mean that the Court has gone back on its commitment to root out black money.

IAMAI should refrain from promoting business that supports “Digital Black Money” and “Money laundering”, however beneficial it is to its members. If some of these Crypto exchange companies close down, it is a natural consequence of pursuing the business of money laundering. It cannot be a fundamental right that the Court should protect.

I request members of IAMAI to discuss whether the organisation has to involve itself in promoting Crypto currencies as it amounts to promoting unethical business.

Naavi

Also see:

The leaked copy of the Bill


Supreme Court hearing on Bitcoin

Bitcoin.com and livelaw.in have reported that the hearing at Supreme Court took place on 8th August 2019 and certain points were presented. The petitions are being heard by a bench consisting of justices Mr R F Nariman and Surya Kant.

The main points indicated as discussed in these reports are summarized below. More details are available here and here. Our comments are also interspersed.

There were two issues that were specifically discussed. One was the RBI circular of April 6 2018 prohibiting the Banks from providing any Banking facilities to the Crypto exchanges and the second is the action the Government of India is contemplating on regulating the Crypto currencies in India.

Comment 1: It is unfortunate that IAMAI (Internet and Mobile Association of India) is a party promoting the Crypto currencies. Its involvement in this case is like a CII or FICCI arguing that narcotics trade or arms trade should be legalized in India because the traders and industries can benefit from such trade. The industry body is exceeding its mandate and bringing pressure on the Government and RBI to introduce policies that are illegal and detrimental to the interests of the citizens of India rather than focus on business interests within the framework of what the policy makers allow.

The counsel for IAMAI argued that since “Blockchain technology” is not disputed, the blanket ban on Virtual currencies built on this technology is “arbitrary, unfair and unconstitutional”.

Comment 2: The argument that if Blockchain technology is acceptable, any product or service built on that technology should be accepted exposes abject ignorance or dishonesty of the argument. This is like arguing that if Windows as a computing platform is acceptable, a virus created to run on Windows or a crime using a Windows vulnerability is constitutional and cannot be banned or punished.

The Court has to recognize that a technology platform is different from how the platform is put to use for a particular product or service. Acceptance of Blockchain technology cannot be termed as acceptance of all criminal activities that are conducted using the technology.

The counsel also argued that “No Study” was conducted by RBI before the decision was taken.

Comment 3: A “Study” or a “Committee” is not a precondition for the RBI to take any policy decision. The internal expertise available with the executives and the publicly available information on the damage that crypto currencies may create to the monetary system in any country is adequate for the RBI to take the decision. The Supreme Court cannot be forced to lay down a principle that before any operative decision, RBI should mandatorily constitute a committee or conduct a study. This will be an interference in the day to day activities of RBI, which is a statutory body regulating the monetary health of the country.

The Government has submitted the draft regulation on Crypto currency which it has prepared and expressed its intention to introduce it as a bill in the next session of the Parliament. It appears that this did not come up for discussion today.

The hearing has now been adjourned to August 14th.

The report in Bitcoin.com makes a false and misleading contention that the Secretary of the Ministry of Finance was removed immediately after the submission of the report on Crypto currency, as if the two are connected. The Bitcoin community is now trying to influence Mrs Nirmala Sitharaman for a favourable view. It is also trying to mislead the public that “Crypto currency is not prohibited in India”, quoting a parliamentary answer given by Mr Anurag Thakur. This is a fraudulent misrepresentation aimed at cheating the public into entering into fresh transactions.

I urge the Government to ensure that “Promotion of Private Crypto currencies” as an alternative to legit currencies is also considered a punishable crime in the proposed bill.

The Government must take note of the attitude of the industry to challenge the sovereignty of the national currency system. One example of this attitude is revealed in the following statement (Refer livemint.com)

“Sathvik Vishwanath, CEO co-founder, Unocoin, said he doesn’t think the bill will be able to stop the dealings in cryptocurrencies even if it does come into effect. “Transactions are completely online,” he said. “It’s impossible to tell where it’s happening from…..it would be a bad idea for the government to ban cryptocurrency in India, because it might drive transactions underground…..a lot of people had moved their cryptocurrencies out of the country..”

“Ashish Singh, CEO of bZird, a digital marketing firm, said many cryptocurrency users in India keep their money abroad…..many Indian users don’t actually hold cryptocurrency accounts in their own name. Instead, they have friends in other countries who buy and sell currencies for them, and send the money through platforms such as PayPal”

The above are admissions of illegality and havala operations by Bitcoin businesses in India. I wish the honourable Supreme Court would take note of these views and the Government would initiate further inquiries with these executives to stop such illegal activities that they are referring to in these statements.

Naavi


Challenging the GDPR Fines- Jurisdictional issue

(Continued from the previous article: Challenging the GDPR Fine-Decision of Greek DPA on Employee data)

The second case on GDPR fine which needs discussion is the decision by the UK ICO on a Canadian firm, Aggregate IQ Data Services Ltd (AIQ). On 24th October 2018, the UK data protection enforcement body, the ICO, issued a notice specifying several breaches and a possible fine under GDPR provisions.

The charges made included

  1. AIQ breached Articles 5(1)(a)-(c) and Article 6 by processing “personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing.” Moreover, “the processing was incompatible with the purposes for which the data was originally collected.”
  2. AIQ also breached Article 14 in that it failed to provide “data subjects with the information set out in Articles 14(1) and (2), and none of the exceptions set out in Article 14(5) apply.” (Article 14 deals with the situation in which a company obtains the personal data from one or more third parties rather than from the data subjects directly. If Article 14 applies, the controller of the data must communicate to the data subject, among other things, the category of the data collected, the purpose(s) of the data processing, and its legal basis.)
  3. Although it is not alleged in the Enforcement Notice, AIQ was also probably in breach of Article 27 in that non-EU companies that process the personal data of EU residents must designate an EU representative, which is obviously intended to provide regulators with an easy means of imposing jurisdiction. The failure to comply with Article 27 alone can result in a fine of €10 million or 2% of a company’s global group turnover, whichever is higher.

The notice to the Canadian firm has also evoked a question on the extraterritorial jurisdiction under GDPR. This breach has come out of the investigation related to the Cambridge Analytica case about the use of UK citizens’ data for analysis without the knowledge of the data subjects.

The claim of ICO is that AIQ processed UK personal data in a manner that did not include the consent of the data subjects concerned, and that (notice the date) it continued to hold this personal data after the date at which GDPR came into force (May 25, 2018).

The notice stated “The Commissioner takes the view that damage or distress is likely as a result of data subjects being denied the opportunity of properly understanding what personal data may be processed about them by the controller [which is AIQ], or being able to effectively exercise the various other rights in respect of that data afforded to a data subject.”

It is important to note that the “Damage” is speculative and not “Real”.

AIQ has objected to the jurisdiction of ICO in the matter and the matter now rests with the General Regulatory Chamber (GRC) of HM Courts & Tribunals Service.

More details will be known in due course but the case indicates how GDPR may be used to target data processing companies outside the jurisdiction of EU.

The global corporate sector needs to think seriously about how this threat could be factored into their business strategies. (Refer the article in securityweek.com for more information)

Indian companies need to take appropriate precautions to safeguard their interests by ensuring that their liability if any comes only out of the processing contract with the Data Controller and not directly.

Naavi

Also Refer:

Enforcement and Remedies under GDPR

Why was AIQ targeted?

Over 2 lakh incidents in one year

More enforcement action by ICO


Challenging the GDPR Fine-Decision of Greek DPA on Employee data

With a year of GDPR enforcement behind us, companies are now exposed to different interpretations of the law by different Supervisory authorities imposing fines on various counts.

Two recent decisions that attract special attention are

a) The Hellenic (Greek) DPA decision imposing a fine of EUR 150,000 on PricewaterhouseCoopers Business Solutions SA (PWC)

b) The UK ICO order against Aggregate IQ Data Services Ltd (AIQ)

The Hellenic decision focuses on the GDPR issues related to employee data while the UK ICO order relates to the jurisdiction aspect of the UK DPA on a Canadian Company.

In the Hellenic order, the DPA imposed the fine based on a complaint and an ex-officio investigation on the “lawfulness” of the processing of personal data of the employees.

According to the order it appears that the DPA objected to the company demanding consent to the processing of the personal data. The DPA considered that for the data to be considered as processed “lawfully”, all the conditions mentioned in Article 5(1) should be met.

Article 5(1) is reproduced below and states:

1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

The DPA further held that “The identification and choice of the appropriate legal basis under Article 6(1) should be informed to the data subject since the choice of the legal basis has an effect on the application of the rights of the Data subjects.”

Article 6(1) states that

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child…..

While Article 6(1) states that processing would be lawful if “at least one” of the conditions stated here is satisfied, the DPA made an observation as follows.

“The principles of lawful, fair and transparent processing of personal data pursuant to Article 5(1)(a) of the GDPR require that consent be used as the legal basis in accordance with Article 6(1) of the GDPR only where the other legal bases do not apply so that once the initial choice has been made it is impossible to swap to a different legal basis”. Consent of data subjects in the context of employment relations cannot be regarded as freely given due to the clear imbalance between the parties.

It further held “In this case, the choice of consent as the legal basis was inappropriate, as the processing of personal data was intended to carry out acts directly linked to the performance of employment contracts, compliance with a legal obligation to which the controller is subject and the smooth and effective operation of the company, as its legitimate interest”.

The decision of the DPA appears too harsh, since an employer-employee relationship is bound by a contract and the alleged violations were too technical in nature.

Organizations therefore need to ensure that their legitimate interest is properly defined and bound to the employment contracts.

The GDPR itself does not seem to indicate the need for such a harsh treatment of the issue, since Article 88 leaves it to the individual states to provide more specific rules for protecting the employee’s personal data.

The employer-employee relationship is a contract in which the employer should have the right to make background checks before employment, profile the employee’s behaviour during employment and also conduct an appropriate exit interview to document the reasons for exit etc. GDPR interpretation should therefore not interfere in the management of the company.

The decision should therefore be challenged in an appeal to ensure that wrong precedents are not set by over-enthusiastic DPAs. Every organization will have a set of employees who are disgruntled and they are likely to raise any issue of this nature just to put the employer into a legal tangle.

GDPR is not clear about the appeal process and it is to be interpreted under Article 79(1) that any legal person aggrieved by the order of a supervisory authority shall have a recourse to the normal judicial remedies in the member state.

….Continued

Naavi
