Social Media Hub… Was the Supreme Court misled by the political canvas?

The Supreme Court is the ultimate hope for justice in India and deserves to be respected and supported.

But in recent days, it appears that the Supreme Court is spending a disproportionate share of its time in resolving political and policy issues rather than addressing the citizen’s needs. The special treatment shown to the petition against the arrest of the Naxal sympathisers of the Bhima Koregaon agitation, who were allegedly plotting the assassination of the Prime Minister of India, has attracted criticism of a differential soft treatment of Naxal sympathisers, and unless this trend is checked, the Supreme Court is in danger of losing some of its respect in the eyes of the common citizens.

Sometimes, the comments made by judges during the hearings get blown up in the media and projected as if they were the final judgement. The Court does not seem to exercise proper control over such motivated reporting of the proceedings, which creates misconceptions in the public and poses a challenge to Governance.

After the unprecedented Press Conference by four senior judges commenting that “Democracy was in danger”, the judges have by their own actions painted themselves as having a political leaning of their own. Now, with the change in the Chief Justice, with one of these judges taking over as the Chief Justice just before the next election, there will be a higher level of public scrutiny of the actions of the Court. After all, the same judges justified the press conference stating that Citizens need to be aware of certain goings-on within the Supreme Court management in the interest of democracy, and now they should also be open to scrutiny of the fairness of their decisions.

If the Supreme Court has to retain its respect amongst the citizens, it is necessary that the judges display an extraordinary sense of restraint when admitting petitions against normal Government actions filed by political opponents, and also when passing adverse comments before hearing out the evidence.

The case of the “Social Media Hub” proposed by the Ministry of Information and Broadcasting, which was withdrawn by the Government, was an example of how the Supreme Court can interfere in the normal functioning of the Government by just passing strong adverse comments during preliminary hearings at the time of admission of a petition.

In the case of the proposal for setting up the Social Media Hub, which was challenged by a TMC MLA, the comment passed during the hearing by one of the Judges was reported to be “the proposal will be like creating a surveillance state”.

If we look at the Financial Express report, it clearly indicates that “Supreme Court Says..” and calls the proposal “E Spying”. Has the Supreme Court taken any objection to this type of reporting, which is more or less repeated in many other media publications also?

Should not the Supreme Court have asked the Journalist to clarify that it is not the statement of the Supreme Court but only an observation or a question put to one side, such as “Is it not amounting to surveillance?”, etc.? Has the Supreme Court at this stage gone through the RFP in detail and heard the explanation of the Government?

Without giving an opportunity to the Government to explain its stand, which the Court is bound to do, the Court should have avoided jumping to conclusions and should not have allowed the Press to report the matter as if the Court had made up its mind.

If this is allowed, why should there be any trial at all? And in what way is this “Expression through Comments” different from “Media Trial”?

It is necessary for the Supreme Court to seriously think about its own conduct in such cases, and if any journalist has mis-reported, it should be objected to by the Court itself.

However, this requires the Court to monitor what the media is saying about itself and on specific matters under trial. Such monitoring means scanning the public media vehicles to observe what comments have been made. This is not “Surveillance” of the Citizens of the country.

The Supreme Court failed to recognize that there is a difference between “Surveillance over people” and “Scanning of media” before arriving at the conclusions on the social media hub and its objectives.

The Social Media Hub proposal was nothing but the creation of a set-up which could scan the online media, including social media such as Twitter, to know what is being published. If such publications are subject to legal action in terms of defamation etc., then there is nothing wrong in the Government or any individual or a company monitoring them.

The business world calls it “Reputation Management”. It is necessary for the Supreme Court to understand the term “Reputation Management” and how it is done by the industry. If the means used are unethical or in violation of privacy, objection can be taken to the specific methods used. But it was not prudent on the part of the Supreme Court to flag the “Media Monitoring Exercise” as “E-Spying or Surveillance”.

The petitioner was Mahua Moitra of TMC, and neither the party nor the person has an immaculate reputation themselves, and the advocate representing them was a Congress leader, Mr A.M. Singhvi. The Supreme Court ought to have considered the background of the petitioner before making judgemental comments and allowing them to be carried by the media as if they were the final view of the Court.

It is possible that political persons make unsubstantiated allegations as part of their political agenda, but the Court should stick to evidence and not accept political allegations and pass comments to be reported in the media.

Going by the report of the Financial Express, the bench is quoted as saying “The Government wants to tap Citizen’s WhatsApp messages”. I wonder from where in the evidence available before it the bench got the idea that the Government wants to tap WhatsApp messages.

I suppose that the petition was filed on the basis of an RFP a copy of which is here.

If we look at the scope of work in the RFP, the following media vehicles have been indicated.

Twitter, YouTube, Google+, Instagram, LinkedIn, Flickr, Tumblr, Pinterest, Playstore, eMail, News, Blogs, Forums, Complaint Websites.

There is no “WhatsApp” in this RFP at all, and if the Supreme Court just took the petitioner’s word for it, then it has let itself be misled by the politically motivated petitioner.

Out of the social media vehicles indicated in the RFP, the only questionable inclusion is eMail. A clarification could have been asked on what it means, and the Court could have ordered its removal. Some of the other media mentioned here have “Private” and “Public” settings, and what a user indicates as “Public” is what a media monitoring agency can monitor.

If there is any attempt to break into “Private” messages or eMail, then it would amount to an offence under Section 66 of ITA 2000/8 as “Unauthorized Access”, and neither can the Government ask for it nor can the service provider give it. Any prudent service provider responding to the RFP would have pointed out that “eMail and Private messages are out of scope of the service provided”.

Once the information is in the public domain and is collected, what software is used to monitor it is left to the intelligence of the service provider. As long as the data analysis is restricted to “Profiling of the general trend of public response to various Government initiatives” and not “Profiling the behaviour of individuals”, the proposal would even pass muster under the current Personal Data Protection Act 2018 (Draft). Privacy infringement would arise if there is profiling of individuals, and not otherwise.

One disclaimer that “Monitoring would be restricted to only such circumstances where there is no violation of law or privacy of an individual” would have taken care of all the concerns which the Supreme Court could have on the matter.

Instead of showing patience to get the views of the Government, the members of the bench appeared to have been unduly influenced by the weight of the counsel representing the MLA and made harsh comments which were not warranted.

It is tragic that the Government did not want to contest the observations of the Court and yielded to the wishes of the political opponents by withdrawing the proposal. Perhaps the Government was not confident that a fair and unbiased view could be taken by the Court in a surcharged political atmosphere in which the judiciary had been threatened with an impeachment motion and softened.

In the process, the Government expressed its own no-confidence in the highest court of the land, and this should actually be considered an undesirable offshoot of this incident.

In many of the matters concerning Internet activities, even the senior counsels on either side are not necessarily well informed, and hence they are unable to take a principled stand. In this case also, as in the earlier incident of the scrapping of Section 66A, the Government Counsel did not have the self-confidence to argue with the Court that its observations were wrong and to contest the case to its logical end, with an assurance that if the Court wanted any modifications to meet some concerns, they could be accommodated.

Unless the Supreme Court as well as the Attorney General are able to have a reasoned debate based on the points of law, not get swayed by the media reports and the politically motivated advocates and petitioners, and come to practical solutions of Governance, the Citizens of the Country will consider that there is a fight going on between the Supreme Court and the Government.

When cases like National Herald take endless time, cases against Jayalalitha are shelved until the death of the accused, while cases against terrorists are taken up in the middle of the night, the general perception of the common man is that the Court has some concerns of its own in discharging its duties.

This is not a good perception for the Court to build.

We anticipate more such instances in future as the election day approaches. We appeal to the Supreme Court to take suitable steps to ensure that such a perception is avoided.

Naavi


PDPA 2018: Is Data Localization related to Privacy?

[This is in continuation of earlier articles on PDPA 2018]

There is a strong opposition to the proposal in PDPA 2018 about the Data Localization requirement which has already been discussed in the earlier articles.

There are a few specific questions that are coming up in the discussion about Data Localization, namely:

“Does Data Localization have any relation to Privacy?”

“If only a copy is being maintained in India and another copy is anyway going to be maintained elsewhere, how does it provide more security?”

“What is the meaning of a Serving Copy?”

I am sure that different viewpoints will prevail on some of these matters, but I would like to place my personal views on these.

“Does Data Localization have any relation to Privacy?”

According to the diktat of the Supreme Court in the Puttaswamy judgement, Privacy Right is a fundamental right in India. There is therefore an obligation for the Government to take all measures to ensure that the Privacy of an Indian Citizen is protected.

To repeat what we have said earlier, “Privacy” is an “Individual Preference” of a person on what makes him feel “left alone”. What is “Privacy” for one is “Not Privacy” for another. What is Privacy for a person at one time is not Privacy for the same person at another time. This being the nature of Privacy, and it being a matter of individual preference and choice, it is difficult to provide privacy protection by a law applicable to all.

What we are therefore doing is to focus only on “Information Privacy”, meaning that we give control to the data principal to determine how some information can be collected, processed and shared. The entire exercise is therefore only related to “Personal Data Protection” and nothing else. To call this exercise “Privacy Protection” is perhaps a misnomer, but we need to put up with the situation as there may not be an alternative.

In this “Personal Data Protection Approach” to “Privacy Protection”, we need to define what is “Personal Data” and “What kind of protection we should provide”.

In order to design a guideline for such data protection, the PDPA 2018 defines data in different categories namely “Personal Data”, “Sensitive Personal Data”, “Critical Personal Data” and also “Personal Data exempted from some restrictions” for reasons of “necessity” and “strategic interests of the State”.

Coming specifically to Data Localization, it is felt that if the Government of India needs to protect the personal data of an individual, then it should have control over that personal data. If I send my personal data to some unknown person in Timbuktu and expect the Government of India to take responsibility for its protection, it will be an unreasonable expectation.

Therefore it is reasonable for the Government to propose that “Data Shall Remain In My Control”, and this translates into the “Data Localization” in the Act. The industry, however, looks at only the commercial aspect of the requirement and thinks that any change from the current scenario may involve additional cost, and therefore they do not want Data Localization. If cost is the only criterion, let us appreciate that Privacy Protection itself imposes a cost, and if there were no PDPA 2018, there would be no cost.

The industry is behaving in a strange fashion by first fighting with the Government for the legislation and now trying to stall its implementation by irrelevant arguments on data localization.

Recognizing this opposition perhaps, the Government has actually diluted the Data Localization principle by providing that only “Sensitive Personal Information” is subject to strict data localization. “Critical Personal Information” will also be subject to similar strict data localization, but it will be restricted to some specific categories that the Government may have to notify. On the other hand, “Personal Information” which is not considered sensitive can continue to be processed and stored anywhere, except that one “Serving Copy” has to be kept within the boundaries of India.

This need for local storage is restricted to data that is originating in India or is being processed in India and should therefore first be stored here and then a copy forwarded outside.

The Government has also been considerate in not insisting that the entire processing has to take place in India since only a “Serving Copy” needs to be retained. The processing can still take place elsewhere.

Thus the Government is trying to yield to the industry pressure and allowing the cross-border outflow of personal information, for which it has prescribed under Section 41 various means such as standard contractual clauses, adequacy of protection in a given country or sector, specific consent, and also a “Situation of Necessity”.

The provisions are therefore very flexible, and perhaps too flexible for hard-core privacy activists.

The objections raised on this ground therefore lack conviction.

“If only a copy is being maintained in India and another copy is anyway going to be maintained elsewhere, how does it provide more security?”

This is the genuine grievance of a hard-core Privacy Activist and needs to be addressed through a proper system of approving countries on the “Adequacy” principle, incorporation of “Standard Clauses” and “Informed Explicit Consent”.

The Data Protection Authority should be expected to take necessary measures in this regard.

“What is the meaning of a Serving Copy?”

The meaning of “Serving Copy” can be interpreted in any manner based on our expectations. I feel that the intent is to ensure that it should mean a current live copy which is dynamically updated with every transaction, and not a backup copy.

Since the Act applies only to data which originates from India, the local server copy can be the first instance of the data, which can then be sent outside for backup storage.

Where there is a need for processing abroad, the local server should be the gateway through which the data goes out, and it should return to India after processing. The facility outside India should work like a “Processing System” and not a “Processing cum Storage System”. After the processing, the data can be received back in India and stored here. A backup of this stored copy can be sent outside for backup storage if required.

If any company adopts a different process, then it should satisfy the authorities on “Unfailing Synchronization”, so that the copy in India is always the latest copy from which further transactions have to take place. The Data Protection Officer should take care of this during his impact assessment.

(P.S. As said earlier, this is only one opinion, and it is possible that there may be alternate opinions also. I welcome sharing of any views and comments on the above.)

Naavi


PDPA 2018: Privacy Activists and RTI Activists fight with each other

[This is in continuation of the earlier article on PDPA 2018]

There were three major criticisms against the PDPA 2018 (draft) which was presented by the Srikrishna Committee. One was on whether the Aadhaar Act was to be amended. The second was on “Data Localization”. The third major objection was raised in respect of the proposed amendment to the RTI Act 2005.

According to this report in dnaindia.com, RTI Activists in Mumbai have started a campaign against “Amendments to the RTI Act through the proposed Data Protection Bill” because they believe that this will ensure that officials will not be held accountable and transparency will be affected. An RTI activist named Mr Bhaskar Prabhu has been quoted as stating: “As per data protection, it seems they have suggested changes to 8 (1) (j) or strike it off altogether. If they take that stand and data protection has an overriding effect, then all information will be termed as personal and will not be provided.”

Another activist, Mr Shailesh Gandhi, has reportedly started a campaign for people to call up law makers and states: “The more serious amendment to RTI Act has been proposed in the Data Protection Bill. It seeks to make Section 8 (1)(j) an omnibus exemption which could be used to deny most information where there is the name of an individual.”

PDPA 2018 proposes that in place of the current clause (j) of sub-section (1) of section 8 of the Right to Information Act, 2005, the following clause (j) of sub-section (1) of section 8 shall be substituted.

Coinciding with these views, comments made by the Central Information Commissioner Sridhar Acharyulu in a lecture in Hyderabad on the Right to Information (Amendment) Bill 2018, stating that it would weaken the Act, were superimposed by the media on the PDPA 2018 debate to project him as having a strong objection to the proposed amendment through the PDPA 2018.

However, if we observe the proposed amendment, it appears that this is propaganda launched by the motivated media to oppose the PDPA 2018.

The two versions, namely the present version and the proposed version, are provided below:

Present Version:

(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information: Provided that the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.

Proposed Version:

(j) information which relates to personal data which is likely to cause harm to a data principal, where such harm outweighs the public interest in accessing such information having due regard to the common good of promoting transparency and accountability in the functioning of the public authority;

Provided, disclosure of information under this clause shall be notwithstanding anything contained in the Personal Data Protection Act, 2018;

Provided further, that the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.

Explanation. — For the purpose of this section, the terms “personal data”, “data principal”, and “harm” shall have the meaning assigned to these terms in the Personal Data Protection Act, 2018.

If we study the two versions, it appears that the proposed amendment is cosmetic and tries to replace the words

“..cause unwarranted invasion of Privacy of an individual…unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, is satisfied that the larger public interest justifies the disclosure of such information”

with the words

“likely to cause harm to a data principal, where such harm outweighs the public interest”

There does not appear to be any ground to attribute all the motives that the Press reports to have assigned in their reports.

I request Mr Sridhar to clarify if he has any view on this specific amendment proposed by the Justice Srikrishna Committee. It is possible that the other RTI activists quoted in the DNA report might not have studied the bill and might have made an off-the-cuff remark based on what the journalist might have told them about the proposed bill. If so, they also need to clarify.

It is regrettable that certain sections of the media appear to be hitting out at PDPA 2018 without specific reason. It appears that they have an objection to whatever the Modi Government does or does not do. First they said there is no Privacy Act in India, and now they do not want the Act to be passed. I wish that these Pseudo Data Protectionists be stopped from spreading misinformation about the PDPA 2018, and that the Press Council seek an explanation from these journalists on the basis on which they are writing such motivated articles.

It is because of such unscrupulous journalists that Social Media is being relied upon more than the traditional media, a situation which is being exploited by malicious individuals to spread fake news and further blame the Government for its inability to control fake information.

There appears to be a fair amount of “Fake” information in the traditional media itself working under the cover of “Freedom of Press”. This needs to be checked by “Ethical Journalists” who should come together to weed out the bad elements.

If these fake journalists are not stopped, they will prevent the PDPA 2018 from being passed in the next session of the Parliament, and then they will lobby with the Supreme Court to release the Aadhaar judgement to strike it down since the Government has failed to pass the Privacy Bill, and further attack Mr Modi during the next election for his inability.

Thus we are seeing the playing out of the 2019 election politics in the criticisms of PDPA 2018 that are surfacing now.

Naavi


Personal Data Protection and Data Localization-2

[This is a continuation of the earlier article]

Having debated the need to “Restrict” the operation of the word “Indirectly identify” in the definition of “Personal Data”, we can now look at Section 40 once again.

We know that PDPA 2018 is a law that has been framed under the Indian Constitution (just like the GDPR, which is a law under the EU Constitution), and its basic jurisdiction is over the citizens and activities that fall within its geographical boundaries. If “Privacy Protection” is the basic objective of the law, then the mandate for the Government is to protect the privacy of Indian citizens. India cannot assume the responsibility to protect the Privacy of global citizens, just as the EU cannot assume responsibility for protecting the privacy of an Indian citizen.

However, law makers arrogate to themselves the right to frame laws with universal jurisdiction, as if they are protectors of the whole world. GDPR did it, and PDPA 2018 had no option but to follow suit.

Hence PDPA 2018 has stated that the law will have extra-territorial jurisdiction in some respects, though it is more humble than GDPR.

Basically PDPA 2018 applies under Section 2, to the following:

(a) processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India; and
(b) processing of personal data by the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law.

Under Section 2(1)(b), processing of data by an Indian company, even of a foreign national, is subject to this Act.

I consider this a needless responsibility that the law could have avoided.

Under Section 2(2):

(2) Notwithstanding anything contained in sub-section (1), the Act shall apply to the processing of personal data by data fiduciaries or data processors not present within the territory of India, only if such processing is —

(a) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
(b) in connection with any activity which involves profiling of data principals within the territory of India.

This is better worded than the similar regulation under GDPR and brings foreign companies within the ambit of the Act, which is only reasonable if they are doing business in India or carrying out profiling activities in India.

Obviously some of the industry giants appear to be miffed at the courage shown by the legislators in bringing them under Indian law. While the US meekly surrenders to the EU GDPR and the EU GDPR tries to lord over the global IT systems, there seems to be objection only when India tries to assert its rights equal to other countries. It is in this context that the need to defend the sovereignty of India arises, even in defining the provisions of the data protection law.

Unfortunately our industry is dominated by vested interests, and we find that this provision is being opposed as part of the opposition to “Data Localization”.

The arguments presented in this opposition are:

  1. Restricting cross border data flow is against the basic philosophy of Internet
  2. Imposes Additional cost
  3. A balanced view is required between Safety and Security of India and flow of global data into and from India
  4. Approach is against the fundamental tenets of our liberal economy
  5. Localization may become a trade barrier and unlikely to benefit local industry

Additionally, recognizing that the key to escaping data localization lies in the definition of data, there is an industry viewpoint, presented as a dissenting note, which wants “Financial Data” and “Password” not to be classified as “Sensitive Data”.

It is not possible to give any credence to any of the objections raised above. It is like the usual arguments we see from the Pseudo Liberals in our country, who plot the assassination of the Prime Minister on the one hand but want to be protected under free speech on the other hand.

The Pseudo Data Protectionists want the law to be tuned to the advantage of other countries rather than India. They have a skewed interest in data protection from the point of view of what helps their commercial interests rather than what helps the country and its citizens. This attitude needs to be countered for a healthy development of “Privacy in harmony with Security”.

I am sure that, as in many other instances, Naavi.org will be a contrarian thought leader, and industry professionals may have discomfort in accepting the “Nation First” viewpoint even ahead of “Privacy”.

After all, I consider that “Cyber Security is a Fundamental Right”, and the Privacy right has to be balanced with the Security of the State without any excuse.

However, there will be many debates on this concept, and this is only the beginning of a long-drawn data colonisation war which India has to fight with the world data business leaders.

Let’s watch the developments as they unfold.

Naavi


Personal Data Protection and Data Localization-1

(This is in continuation of the earlier article on PDPA 2018)

After the discussions on Aadhaar the other hotly debated aspect of Srikrishna Committee’s report and the draft PDPA 2018 is the “Data Localization” recommendation.

The PDPA 2018 has recommended, under Sections 40 and 41, the regulations on cross-border movement of data, and there is strong opposition from industry circles to the proposed requirement that at least one serving copy of personal data generated in India has to be retained in India.

The Data Localization debate has also triggered the concept of “Data Sovereignty”, under which it is argued that the nation has the right to expect control over data that belongs to it.

We can refer to a well-articulated opinion expressed in the Economic Times today titled “Data Sovereignty-Economic Implications for the country”.

The Indian IT industry, represented by NASSCOM, which was represented in the Srikrishna Committee as DSCI, has, through a dissent note submitted as part of the report, expressed its reservations on the recommendations of the Committee. The industry is continuing to lobby for a change so that the proposed recommendation is scrapped.

As long as there was no specific data protection law in India, the IT industry lobbied for the law, stating that it is important under the EU data protection guidelines. The EU guidelines, even before GDPR, threatened that no data would be transferred to the Indian data processing industry unless there was a strong data protection law in India. The industry failed to recognize that ITA 2000/8 was itself a strong data protection law in India and was sufficient to claim the status of an “Adequate Data Protected Nation” under EU regulations. What was lacking was perhaps effective implementation, which could have been corrected administratively without another law.

However, after the Supreme Court jumped into the fray with the Puttaswamy judgement, essentially to rein in the use of Aadhaar, there was no option for the Government but to develop a separate Personal Data Protection Law, and the result is the PDPA 2018. While the industry was earlier crying that data inflow had been curtailed because of the lack of a law in India, now they are raising an objection that the law is restricting the data outflow. The stand taken by the industry therefore lacks conviction and looks like lobbying by vested interests.

Let us first see what PDPA 2018 has proposed and what the objections of the industry are.

Section 40 of the proposed PDPA 2018 reads:

40: Restrictions on Cross Border Transfer of Personal Data

(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.

(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.

(3) Notwithstanding anything contained in sub-section (1), the Central Government may notify certain categories of personal data as exempt from the requirement under sub- section (1) on the grounds of necessity or strategic interests of the State.

(4) Nothing contained in sub-section (3) shall apply to sensitive personal data.

For the purpose of this section, data has to be considered as belonging to four types namely

a) Personal data to which Section 40(1) applies

b) Critical Personal data to which Section 40(2) applies

c) Exempted categories of data to which Section 40(3) applies

d) Sensitive Personal data to which Section 40(4) applies.

Of these, Personal data and Sensitive personal data is defined in the law and the Critical and Exempted data categories need to be notified by the rules or the Data Protection Authority of India (DPAI) when established.

Essentially, the restrictions under Section 40 state that “Sensitive Personal Data” has to be compulsorily retained within India. As regards Personal Data, only a copy needs to be compulsorily retained in India; otherwise the data can move freely outside. Additionally, the Government has kept the power to notify any other type of data that can be mandated for processing in India as “Critical Information”, and also those categories which can be exempted from local retention (of even a copy) on grounds of necessity or strategic State interests.

We should also observe the section carefully and note that Section 40(1) applies only to personal data to which this Act applies.
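As an added illustration (not part of the original post or the draft Act), the precedence among the four sub-sections and the “to which this Act applies” gate can be written as a data-residency check. The categories notified under 40(2) and 40(3) are placeholders, since nothing has been notified yet.

```python
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    NON_PERSONAL = "non-personal"   # outside "data to which this Act applies"
    PERSONAL = "personal"           # Section 40(1)
    SENSITIVE = "sensitive"         # Section 40(4)


@dataclass
class Notified:
    # Assumed placeholders for categories the Central Government may notify.
    critical: set = field(default_factory=set)   # Section 40(2)
    exempt: set = field(default_factory=set)     # Section 40(3)


@dataclass(frozen=True)
class Rule:
    india_only: bool      # may only be processed in India (40(2))
    copy_in_india: bool   # at least one serving copy must stay in India (40(1))
    basis: str


def residency_rule(category: Category, kind: str, notified: Notified) -> Rule:
    """Apply Section 40 in precedence order: applicability gate, 40(2), 40(4), 40(3), 40(1)."""
    if category is Category.NON_PERSONAL:
        return Rule(False, False, "not personal data; Act does not apply")
    if kind in notified.critical:
        return Rule(True, True, "critical personal data, s.40(2)")
    if category is Category.SENSITIVE:
        # s.40(4): an exemption notified under s.40(3) cannot reach sensitive data
        return Rule(False, True, "sensitive personal data, s.40(4): copy mandatory, no exemption")
    if kind in notified.exempt:
        return Rule(False, False, "exempted category, s.40(3)")
    return Rule(False, True, "personal data, s.40(1)")


def transfer_permitted(rule: Rule, keeps_serving_copy_in_india: bool) -> bool:
    """Can the fiduciary process this data on a server outside India?"""
    if rule.india_only:
        return False
    return keeps_serving_copy_in_india or not rule.copy_in_india
```

The constructed case of a category notified as exempt that also happens to be sensitive shows why 40(4) matters: the exemption is ignored and the copy requirement stands.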

To understand Section 40(1) we need to therefore visit the definition of Personal Data and the Applicability of PDPA 2018.

The definition of “Personal Data” under Section 3(29) follows the global standards of defining anything and everything as “Personal” and if we raise objection to this, the very foundation of all personal data protection laws including GDPR would be threatened.

The definition given is

“Personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.”

The definition is clearly omnibus with the use of the words “relating to”, “Indirectly identifiable” and “any combination”.

Data exists for a purpose, and law basically exists for the protection of a “Natural Person”. Hence almost all “Data” is indirectly related to a natural person. In the days of “Artificial Intelligence” supported by “Quantum Computing Power”, it is impossible to find data that is not related to a natural person. Take for example a “Google Glass”. If I am wearing a Google Glass, everything I see around me can be tagged to an identity through face recognition. A place can be identified with the people who have visited it, and it becomes “related to an individual”.

To expect any data to be “not related to a natural person, directly or indirectly, even in combination with the information surrounding it and the use of technology” is a figment of the imagination and living in a fool’s paradise.

I therefore consider that the law whether PDPA 2018 or GDPR has to recognize its own limitations and provide for a less than universal definition of “Data to which this Act applies”.

If we do not recognize this, there will be endless litigation and the Supreme Court of India will have nothing to do except interpret how a particular piece of data is related to an individual.

This article which you are reading on the internet is non-personal data, but it is related to a person whose nickname is Naavi and who has a real name and identity associated with an e-mail address, a mobile number, Aadhaar etc. Can we then say that this article is subject to Section 40(1) of PDPA 2018? A strict interpretation would essentially say yes.

We should therefore recognize that if we do not confine the meaning of “Personal Data”, remove the word “indirectly” and stick to specifically defined identifiers (as in HIPAA), we are in for a chaotic time. This is not just for PDPA 2018 but also for all other legislation such as GDPR.

For the time being, however, we shall not stir this hornet’s nest; we shall accept the word “indirect” as part of the definition and move on.

(To Be continued)

Naavi

Posted in Cyber Law | 1 Comment

PDPA 2018 and Aadhaar-2

Continuing our discussion on the draft PDPA 2018 (proposed by the Srikrishna Panel) and the proposed amendments to the Aadhaar Act embedded in the report under the Appendix, the following observations can be made.

1. Offline Verification

One of the proposed changes is the introduction of the concept of “offline verification” which is defined as

“a process of verifying the identity of the Aadhaar number holder without authentication through such offline modes as may be specified by the regulations”.

We had a brief discussion on the possibilities of how an “Offline Verification System” could be used as a substitute for the present system, where authentication is based on the provision of biometrics (fingerprints and/or face recognition) at the service provider’s end and a direct connection to the CIDR for real-time verification.

More discussion on the way the offline verification system can be designed will be required, and hopefully UIDAI will come up with some innovative ideas of its own. For the time being we shall take this as a suggestion of the Srikrishna Committee to be further explored and developed. But this should be an alternative to the current system of authentication (both through global AUAs and local AUAs, using the real Aadhaar number or the virtual Aadhaar number) and reduce the risk of leakage of biometrics during the billions of authentications that will be happening on the system on a daily basis.

2. Consent before Verification

Srikrishna Committee has proposed introduction of Section 8A to the Aadhaar Act which specifies that

(1) Any offline verification of Aadhaar number holder shall take place on the basis of consent provided to such verification by the Aadhaar number holder

(2) Any offline verification-seeking entity shall,

(a) obtain the consent of an individual before verifying him offline, in such manner as may be specified by regulations; and
(b) ensure that the demographic information or any other information collected from the individual for offline verification, if any, is only used for the purpose of such verification.

(3) An offline verification-seeking entity shall inform the individual undergoing offline verification the following details with respect to offline verification, in such manner as may be specified by the regulations, namely: —

(a) the nature of information that may be shared upon offline verification;
(b) the uses to which the information received during offline verification may be put by the offline verification requesting entity;
(c) alternatives to submission of information requested for, if any.

(4) An offline verification-seeking entity shall not:

(a) subject an Aadhaar number holder to authentication;
(b) collect, use or store an Aadhaar number or biometric information of any individual for any purpose;
(c) take any action contrary to any obligations on it, specified by regulations.

It can therefore be observed that the entity seeking verification through the offline process has been mandated to obtain an informed consent. This is anyway covered under the PDPA 2018 also, since the person receiving the information would be a data fiduciary even before he tries to verify the data.

There is a need to recognize one anomaly here. Aadhaar comes into the picture only for “Verification” of the “Data already provided by the data principal to the service provider” (e.g. a SIM card provider). It is at the time of collecting personal information from the data principal that the service provider is obligated under PDPA 2018 to obtain the necessary consent. The subsequent interaction with UIDAI is not “Collection of Information”; it is only “Verification” of information already collected. So we may argue that no consent would be required from the data principal for the service provider to verify the data with UIDAI. As long as the verification is a binary answer, “Correct” or “Incorrect”, to the parameters submitted, there is no information collection beyond what the data principal has already given.

The consent suggested may therefore be considered a measure of abundant caution. It may be relevant when the service provider just provides an Aadhaar number and UIDAI sends out the demographic data. This is being followed now but should perhaps be discouraged. The proposed amendment to the Aadhaar Act will perhaps provide legal backing to this system, where data is pushed out of UIDAI to the service provider and a form is populated automatically with the data to be used by the service provider.

3. Purpose Limitation

Aadhaar service providers would be bound by the terms of the consent to use the data only for a specified purpose. This is also reiterated under the amended Section 29(4), which states:

“No Aadhaar number, demographic information or photograph collected or created under this Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly, except for purposes, if any, as may be specified: Provided, nothing in this sub-section shall apply to core biometric information which shall only be governed by sub-section (1).”

The amendment under 29(4) restricting the sharing of information addresses the many cases of Aadhaar leakage that we have observed in the past.

4. Civil Penalties

It is proposed that an entirely new Chapter VIA on Civil Penalties, along with Chapter VIB on Appeals, be added. The civil penalty can extend up to Rs 1 crore and, in the case of continued failure, can extend to Rs 10 lakhs for each day of failure. Civil Courts will not have jurisdiction; the appeal from the Adjudicating Authority (to be appointed) goes to the Appellate Tribunal and then directly to the Supreme Court.

5. Criminal Penalties

Under Sections 38 and 39 it is suggested that the term of imprisonment be increased from 3 years to 10 years.

Not obtaining proper consent, unauthorized publication of data or unauthorized use of biometrics is considered a criminal offence that can attract imprisonment of 3 to 10 years with a fine of up to fifty lakhs (Sections 40, 41A, 41B, 41C and 41D).

The punishment under Section 42 (residual penalty) has also been increased from 1 year to 3 years, possibly making it a cognizable offence.

In view of the above, it can be stated that the Srikrishna Committee has suggested a substantial hardening of the Aadhaar Act, which should be welcomed.

However, it is strange that we see some objections to the propositions, including the dissent note from one of the members that suggestions on Aadhaar were beyond the scope of the committee’s terms.

While we are open to further suggestions and refinements regarding the controls that can be suggested for preventing misuse of the Aadhaar system, it is necessary to record that the recommendations are welcome.

Naavi

Posted in Cyber Law | 2 Comments