National Health Stack Plan… This is the Digital Health Aadhaar Scheme…Available for Public Comment

The Press Release from PIB has called for public comments on the proposed National Health Stack (NHS).

NHS is the proposed scheme by NITI Aayog that envisages maintenance of a centralized health record for all citizens of the country to facilitate better management of health care. This would assist in the implementation of the ambitious “Modi Care” or “Ayushman Bharat” scheme which is planning to cover 5 lakh to 10 crore poor families under a health insurance program.

Obviously there will be privacy issues, data protection issues and Fraud management issues inherent in such a program and its implementation would be watched keenly by the community of experts.

The Consultation document is available here

The scheme envisages, besides creating a master registry of health data of citizens, a federated personal health records (PHR) framework, a National Health Analytics Platform and other components such as Digital Health IDs, Health Data Dictionaries, Supply Chain Management for Drugs, Payment Gateways etc.

Along with DISHA2018, this document will bring revolutionary changes in the way Health Care and Health Care Insurance are likely to be handled in the coming days.

What would be interesting for Data Protection professionals would be to study the proposed “Data Empowerment and Protection Architecture” (DEPA), which would interact with the ID systems like Aadhaar etc.

Apart from the Privacy Considerations, Data Protection Requirements, the possibility of “Frauds” has also been envisioned and some thoughts have been given in this direction.

We have the experience of HIPAA and Obama Care in US and hopefully the lessons learnt by the US authorities in administering those programs would come in handy in India when Modi Care is being planned and implemented.

The Political opponents and the supporting sections of the society will raise many questions and perhaps try to ensure the defeat of the program. But people who are interested in national welfare should welcome this massive project and provide assistance to the Government in implementing it successfully.

If we look at the Aadhaar scenario, there has been a competitive criticism by the professionals in the Privacy and Data Protection industry basically led by the political considerations.

Now NHS scheme could be a “Digital Health Aadhaar” scheme having wide ramifications.

I hope that the opposition that surfaced for Aadhaar does not resurface in respect of the NHS and Modi Care program.

I therefore urge all the Data Protection Professionals who were in the forefront of criticising the Aadhaar, and even went to the extent of submitting their own objections to the Supreme Court and collaborated with foreign agencies to find loopholes in the Aadhaar system, to take a deep look at the proposed consultation paper and record their views today instead of coming up with their objections later.

Send your comments if any by 1st August 2018 to healthstackniti@gmail.com

[Also refer to www.disha2018.in for information on the proposed Digital Information Security for Health Care Act and the EHR guidelines.]

Naavi


Data Processors may be able to create a Diamond out of Charcoal..if Indian Data Protection Act is innovatively drafted

In the Privacy and Data Protection circles, a debate has been going on for some time in India. Naavi.org had also suggested this to the Srikrishna Committee during the public consultations. (Refer: “Personal Data Should be Considered as Personal Property”). Subsequently, DISHA 2018 in its draft form has endorsed this view.

Now the TRAI Chairman also seems to have suggested “Ownership of telecom data must rest with users: Trai”. Detailed copy of the recommendations is available here.

Though GDPR does not speak the language of ownership, and stops at “Data Subject’s Rights”, the California Privacy Protection Act recognizes the Data Subject’s right to “opt-in” to a selling of personal data and also provides that

“A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.”

This provision also indicates that the personal data is considered a possession of value for the data subject which can be exchanged for financial benefits. This is essentially a character of “Property”.

The world therefore seems to be veering round to the view that personal data is the property of a data subject and when he gives a consent for collection, he is actually alienating his property to the Data Collector and providing permission for specific use of the property for which he has a right to charge a price.

This is precisely the nature of “Intellectual Property” when the right is “Licensed” to another person for a price and can be sub licensed with a royalty flowing into the original intellectual property owner as the value keeps building up with the super structures built over the original property.

A similar benefit can be assigned to Personal Data if it is accepted as a “Property”, an “Intangible, Virtual property” recognized as a class of property on its own.

I hope that the Indian Data Protection Act which is under the final drafting stage will recognize this view and ensure that a proper system is introduced to enable data subjects to value their personal data and negotiate with data collectors to get a good price.

The undersigned suggested that there is a need to recognize the role of a “Data Trust” (Refer: “Look beyond GDPR and Create Personal Data Trusts to manage Privacy of data subjects”) with whom the data subject can park their personal data and let them manage it so that the data subject gets a maximum value for his personal data.

Such Data trusts can anonymize, pseudonymize or otherwise re-package the data and create marketable packages and license it under different terms to interested data controllers and data processors. The Data controllers and Data processors can then innovatively aggregate the personal data and create value out of the raw data. 

The need for such a thought has also been explained in detail in the concept of “Theory of Dynamic Data”, which outlines the power of an innovative data processor to convert raw data, which is worthless in the hands of the individual, into valuable data, with part of the value shared with the data subject.

“Data Processors may be able to create a Diamond out of Charcoal” is the idea discussed in the above theory which requires the recognition that Data is a property of the data subject and he should have the right to sell it or license it for a consideration and the data processing businessmen can compete fairly with each other in giving the maximum value of the data for the data subject.

If the Government of India recognizes the potential of “Personal Data as a Valuable Personal Property”, billions of Indians can pool together their inherent data asset that is born with them and perhaps create a small fortune for themselves.

Will the authors who draft the Indian Data Protection laws be innovative enough to incorporate the “Theory of Dynamic Data”, “Licensing of Personal Data” and the role of “Data Trusts” in the eco-system, is the moot question. Let us wait and see how things shape up.

Naavi


How To Respond to Rogue elements on the Social Media?

Internet was a great invention. Social media running on the Internet was a great utilization of technology which gave the ordinary internet user, the power of being a journalist.

Unfortunately, the greed of mankind has taken over both the Internet and the Social Media today. The Internet has become the hunting ground of Cyber Criminals, which has made “Cyber Security” a critical requirement for any Internet user. Fortunately, the Windows operating system itself providing built-in anti-malware protection has made things much better for internet users, though criminals still work around it as well as other malware-fighting software. This is not the subject of our discussion today.

The other menace that we need to discuss today is that of the misuse of the Social Media both by criminals for phishing type of activities and also by politically motivated persons to gain political mileage like in the traditional media. Over and above these two, we are today finding Cyber terrorists using Social media to spread their sinister messages with “Fake News”.

There is a case for “Real News”, however bad it is, to be made known to the society, though it should be done with some responsibility. Sometimes even real news released at a wrong time creates more problems than it will solve. Journalists should therefore be responsible and filter the content to some extent and delay its release in some instances in order to see that the “Freedom of Expression” does not create an unintended backlash.

Unfortunately, the traditional media has today become aligned with different political forces to such an extent that no news can be believed implicitly. This applies to the so called “Respectable” newspapers and TV channels. The debates and news that are run every day in the media, which includes the once respected BBC, are all motivated expressions of different sections of people who have some axe to grind. It is very difficult to find unbiased content expressed in a manner in which it can be digested as knowledge by the public.

The problem of “Fake News” on Social media such as WhatsApp has introduced a new dimension since the media is inherently meant to be for consumption amongst known people and is meant to be an instant distributor of views and news. It is self regulated and cannot be filtered without changing the nature of the expression itself.

This has given rise to demands for some bizarre ad hoc regulations such as “Registering a WhatsApp Group” etc. WhatsApp itself is toying with the idea of tagging “Forwards” so that the recipient knows that the forwarded message is not the message which the sender has verified.

Recently the mistake committed by a Court in Tamil Nadu in the S.V.Shekar case gave a wrong impression to the community that “Forwarding of a message is endorsing”. This is the same argument under which the Palghar girl was charged for “Liking” a Facebook post against Bal Thackeray. Though this was not a judgement itself, the impression seems to have stuck.

In this context, I would like to recall that way back on December 8, 2000, I had written the following in my blog in response to the presence of a “Rogue Website” called hindustan.org. I am reproducing the article here to reiterate that this kind of problem has been existing since a long time and is not just a creation of the social media itself. (Link here)

How to Counter Rogue Sites

Recently there have been reports of a spate of Rogue Web sites carrying “Anti Indian” messages, the latest being the one from the Tamil Nationalist group interlinked with the Islamic fundamentalists.

It is certainly alarming for the E-Governance of the Country that such sites should come up to disturb the peaceful fabric of the country or a part of it. However it would be interesting to see how the Government reacts to this challenge. This is not the first time that such a web site has come up in India or elsewhere and neither will it be the last time. The Government will therefore have to take a policy decision on how to handle such sites.

The Information Technology Act 2000 (ITA-2000) has given the Controller some powers in this regard.

Section 69 of the Act, states as follows:

69 (1): If the controller is satisfied that it is necessary and expedient so to do in the interest of the sovereignty or integrity of India, the security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence, for reasons to be recorded in writing, by order, direct any agency of the Government to intercept any information transmitted through the computer resource.

(2) The subscriber or any person in charge of the Computer resource shall, when called upon by any agency which has been directed under subsection (1), extend all facilities and technical assistance to decrypt the information.

(3) The subscriber or any person who fails to assist the agency referred to in the sub section (2) shall be punished with imprisonment for a term which may extend to seven years.

Read with section 75 which extends the provisions of the ITA-2000 to persons outside India, the Controller will be in a position to take appropriate action under the Act to punish the owners of the site, the ISP that hosts the site and the content providers. He can conduct an enquiry with or without the assistance of an Adjudicating officer, pronounce his verdict (using the quasi judicial powers vested in him through the section 69) and request the enforcement authorities to take action invoking International Public law. Of course such action should be completed within a few days to be of any effect in the Cyber World.

One other easy option for the Indian Government is to block the site from being viewed from within India as they have done in the case of some of the Pakistani newspaper sites.

However, blocking of a site may not be the correct solution since surfers may still access such sites through anonymizer services. Then the Government may have to block these services as well. Moreover, “Blocking” is a negative way of regulation and only helps in distancing the Government from understanding the ground realities. It is a part of history now that Mrs Indira Gandhi suffered because of the Press Censorship during Emergency which gave her a wrong impression about the real situation in the Country. The Censorship by blocking those who access the Internet with Indian ISPs will create a situation where the sites will continue to build up international viewpoint against the country with no counter point being served.

I therefore suggest for consideration the following model for handling “Objectionable Sites”.

1. Sites which are said to contain “Politically Objectionable material” are reviewed by a virtual committee of experts and voted for or against being declared “Objectionable for Viewing by the Indian Government”.

2. Based on such a verdict delivered through digitally signed e-mail confirmations from the virtual committee members, the Controller can issue a notice to ISPs in India to do the following.

3. Whenever a request for an objectionable site is received from a surfer, an “Objection Notice” to the following effect is displayed in a pop up box.

“The site requested by you contains information considered “Objectionable” by the Government of the Republic of India vide GO No xxx of xx.xx.xx. The reasons for objection can be found here. (Hyperlinked Document) A List of sites presenting a counter view point can be found here (Hyperlink to list of “Counter view point sites”)

4. You can click here to enter the site. (Hyperlink to “continue”)

The moment a site is declared “objectionable”, the Government should notify the same on the internet and invite the public to register their site or Pages containing counter view points. These can be reviewed and if found suitable, added to the list of “Counter View Point Sites”.

This strategy will enable the Government to use the public resources to produce content which will neutralise the objectionable material. If these sites do an equally good job, all the persons who are targeted to be influenced by the “Objectionable site” may actually be converted to the counter view point. Imagine somebody like Mr Arun Shourie commenting on the Kashmir problem. The owners of the “Objectionable sites” would think twice about inviting their audience to see his reasoned views on many of the contentious issues in the market.

Once a system is established for the purpose, the Indian Government can take up a request to other friendly Governments to bring an International treaty on mandating such services through the ISPs of their countries. India can take international lead in setting up a new treaty for “International Cooperation in Cyber Space Governance”.

Naavi
December 8, 2000

The central theme of the suggestion made here was to use the power of the internet itself against the attempt to misuse the system by spreading fake news.

Perhaps this strategy can be used in the WhatsApp situation also.

For example, any forward can be sent to the receiver through a “Forward Server” with a comment from the sender similar to “I do not endorse this”, “I endorse this”, “I am neutral to this opinion” and even place a “Counter view” etc. The recipient can be encouraged to make comments and record “Counter views”, all of which should be available in a link that should go with the forward.

This will enable building up of the counter opinion against a fake news and the senders can be rated on the two criteria of “Forwarding a Fake message” and “Endorsing them”. Recipients can be provided a power to block such senders. Over a period of time the credibility of such endorsements will automatically fall and the receivers themselves will block such senders. When more than 50% of a group block a sender, he can be automatically removed.

There could be many more innovative ways of checking the menace of fake news if the instant messaging platforms address it. If they fail to address this issue, regulators will start arresting admins, admins will start withdrawing and eventually the platform will itself be banned or wither away. Facebook and WhatsApp are today on the verge of tripping over if they do not take suitable steps to control fake news. It is better if they start thinking of proactively introducing some means of checking the spreading of fake news so that they survive.

Naavi


Cyber Appellate Tribunal back in action through TDSAT

Information Technology Act 2000 (ITA 2000) had an ambitious thought of expediting justice in respect of civil disputes arising out of any contravention of ITA 2000. Accordingly it gave powers to Adjudicators to adjudicate on any claim (up to Rs 5 crores as per ITA 2008 amendment). It also suggested that the adjudication would be an enquiry process and should ideally be completed within a period of 4 months.

The process of Adjudication however remained on paper until Mr PWC Davidar, acting as the adjudicator in Tamil Nadu (by virtue of his position as the IT Secretary), delivered his landmark judgement in the case of S.Umashankar Vs ICICI Bank. Subsequently more cases were decided by him and more in Mumbai. However, most of these cases ended up in appeals in the Cyber Appellate Tribunal (CyAT) in Delhi. CyAT functioned up to June 30 2011 and did not give any relevant judgement apart from dismissing some wrongly referred cases. The Umashankar Vs ICICI Bank appeal filed by ICICI Bank had been tried, arguments completed and written arguments filed by the time the then Chairperson Mr Rajesh Tandon attained superannuation on June 30 2011. The judgement was due on 3rd of July but, due to the tenure of Mr Rajesh Tandon not being extended nor a new Chairperson appointed, all matters remained in suspended animation.

In the 2017 budget, CyAT was merged with TDSAT but TDSAT had not started hearing any of the pending cases.

Now it appears that the files have started moving in TDSAT and from the beginning of this month, TDSAT has started sending notices regarding pending cases for preliminary listing.

Let’s hope that the litigants who are waiting for a long time now will at last see justice.

During the last 7 years the scenario in Cyber Crimes in India has changed and this is likely to have its impact on the pending cases. We hope that TDSAT will interpret the provisions of ITA 2000/8 which were designed to make the judicial process simple in a manner that upholds the intention of those who framed ITA 2000/8. 

There are certain issues that still need to be sorted out to enable TDSAT to fulfill its expected role.

Naavi was representing several cyber crime victims in the CyAT at the time it closed its doors. Now at least one of those victims is no longer alive to continue the fight. Everybody else, including Naavi, has grown older by 7 long years before the files are being re-opened. All of us have seen the ugly side of how delay makes delivery of justice irrelevant. During this delay the Banks which enjoyed the fruits of the crime were the beneficiaries and the Cyber Crime victims who had lost their hard earned savings were suffering silently.

It would be good if TDSAT understands the pain behind most of these cyber crime victims who have lost much of their zeal in these intervening days.

But we cannot lose hope and I am reminded of Tolstoy’s story “God sees the Truth but Waits”. I therefore look forward to TDSAT ensuring that Justice and Truth prevail even if delayed by 7 years.

Naavi


BJP being blamed for a Mega Bitcoin scam is a good thing..

Bitcoin is the currency of criminals and is the digital black money. Now India’s most corrupt party called Congress is blaming BJP, which is making efforts to reduce black money through various measures such as Demonetization, Linking of Aadhaar to Government services, Bank accounts and hopefully to Property holdings, for a Bitcoin scam.

Naavi.org holds a view that Bitcoin is the darling of all blackmoney holders and corrupt persons whether they are politicians of X party or Y party or bureaucrats or businessmen. It is therefore possible that some politicians in the BJP may hold Bitcoins and may be sympathetic to the Bitcoin. But there is no doubt that many in the opposition parties have their own bitcoin wealth. I also suspect that most of the blackmoney in Swiss Banks has already been converted into Bitcoins or other altcoins. I would be surprised if the Congress as a party were not the leader in such money laundering activities given the expert economists who are in the party.

The reluctance of the Government of India, particularly the officials of the Finance Ministry, indicates that there is a lobby in the Ministry of Finance which is reluctant to take any action to ban Bitcoins and eliminate digital black money despite the pressure from the top brass of BJP. RBI is taking some steps within its own powers but it appears that it is not getting the support from the Finance Ministry. From time to time Mr Jaitley or somebody else comes up with a statement that something is being done, but soon there are some leaks from unknown ministry officials stating that Bitcoin would be legalized, regulated etc., creating confusion in the market.

Mr Modi and Mr Amit Shah may be worried that just like the Demonetization effort which yielded less than expected results (In general perception) because the Corrupt Gang including Bank officials frustrated its objectives to some extent, any attempt to strike at Bitcoin may generate a bigger backlash from the Corruption brigade.

After all it is so easy to receive bribes in the form of Crypto Coins that bureaucrats and politicians involved in big time corruption would love Bitcoins to continue their existence and they would like to oppose any move to eliminate bitcoins. Hence it is natural to expect the Corrupt politicians like the Congress leaders to do everything to oppose the move politically. Those media people who are hand in glove with such corrupt politicians will try to highlight such political moves and create noise in TV studios. Some politicians may also like to influence the Judiciary if possible that they will fight for Crypto Coins as a part of “Right to Privacy”!

Given this scenario, it is not surprising that RBI banning the use of Banking Channels for Crypto Exchanges has already been countered by some Exchanges offering alternative channels for conversion of Bitcoins to other Crypto currencies and foreign exchanges and luring the public to break more laws to preserve their black wealth.

In this confusion there are media houses and experts who are trying to teach the public how to circumvent the RBI’s limited ban on Crypto currencies and continue to break the law at the level of FEMA and PMLA through various articles.

For example, look at the articles “RBI Ban on Cryptocurrency Trade From Today: What Indian Bitcoin Holders can Do!” or “Bitcoin ban: How cryptocurrency exchanges are circumventing RBI’s circular”. Such articles are meant to guide people to raise an open revolt against the Indian regulation and such attempts need to be put down with an iron hand.

I do not see the rationale of RBI giving a long time for implementing their ban since any time given for implementation in such cases will only be used to circumvent the regulation. It is for this reason that Demonetization had to be announced with an element of surprise which itself was criticized by some who do not understand the mechanism of how such things work.

RBI took more than a few years to announce that “Bitcoin” is not a “Currency” and anybody dealing with a commodity as if it is a substitute for legacy currency was indulging in an illegal activity.

I presume it was because of the officials in the Finance Ministry who were not in favour of doing anything against Bitcoins even by RBI. The “Expert Committee” constituted for this purpose only dragged the issue further. This gave enough time for clever corrupt persons to convert their Bitcoin holdings to other alternate currencies. Just as the time given to bring back data of Swiss Banks was used by people to launder the black money into other currencies, the time given for announcing the Government view on Bitcoin has been used and will continue to be used by the corrupt to launder bitcoins into other forms of black money holding.

However, I still feel that it is better late than never and we need to ban Bitcoin completely from our eco system as soon as possible.

Time has come now for declaring that Bitcoin is a menace that has to be eliminated and any person or organization directly or indirectly dealing with Bitcoin or any other Crypto coin (since convertibility of Bitcoin into alt coins is always available without a problem), buying or selling, accepting or promoting the Bitcoin must be declared as an economic offender and proceeded against under laws including PMLA.

Since Bitcoin is the best currency for corruption, it is not surprising that some extortionists may be using it as the means to collect ransom and there could even be a link to a BJP MLA as alleged. If so, let it be exposed and the guilty punished.

I am not worried that Congress has taken up this issue politically  because some BJP MLA’s name has been involved in an incident. At least it will help the Central Government to shake off its lethargy and give more strength to Mr Modi and Amit Shah to be ruthless in coming down heavily against Bitcoin.

If Mr Modi and Shah dither even now, then the likes of Rahul Gandhi will keep talking about it as if Congress is a saint when it comes to the Bitcoin issue and it is BJP and BJP alone which is to be blamed for the Bitcoin menace.

As I have already written earlier, Mr Modi has to open his third eye to destroy Bitcoin. If he does so, all right thinking persons will support him. (Refer this article: Modi is yet to open his third eye on Bitcoin, the new alternative to Black Money.. Will he wake up in 2018?).

There will be the challenge to convince the voters in the 2019 elections but I feel that our so called illiterate voters are intelligent enough to understand the menace of corruption and accept  a campaign “Banning of Bitcoin is a global fight against Corruption”. Only Modi can take up this challenge and I hope he will do. 

I therefore hope that Mr Modi himself will come out and make a formal announcement to the nation at least in one of his Mann Ki Baat programs that

“Bhaayiyo and Beheno, We are committed to elimination of corruption and consider that all privately owned Crypto Currencies including Bitcoin are a global menace that feeds on corruption and I therefore launch a global fight against corruption starting with the banning of all private Crypto currencies first in the Indian economy and then try to persuade other countries to follow.”

I urge Mr Modi to also take up this issue in the UN and try to bring together all countries who have banned Bitcoins into  an “Anti Crypto Currency group of countries” to bring pressure on UN to declare support for banning private crypto currencies.

Naavi


Cyber Security is my Fundamental Right

After the Supreme Court ruling in the Puttaswamy case, it is clear that the intention of the Court is that Privacy is a Fundamental Right protected under the Indian Constitution. The Aadhaar judgement is still not announced and we are yet to find out whether use of Aadhaar as a citizen identity parameter linked to various services of the Government, Banking and financial data of individuals or property holdings to curb benami properties and blackmoney will be considered as acceptable or not.

The central debate on the acceptability of Aadhaar as an acceptable identity parameter will revolve around whether Privacy as a Right is paramount to whatever is the objective which Aadhaar linking is expected to achieve. Aadhaar is just one instance of an opposition to perceived erosion of the status of “Right to Privacy” as a supreme right of an individual. Beyond Aadhaar opposition lies the fundamental aspect of whether a citizen of a democratic country has any right that is more supreme than the Privacy Right.

We need to realize that in many instances of Cyber incidents, privacy activists often defend the Privacy Right so aggressively that we often forget that there is life beyond Privacy. In pursuing the “Right to Privacy”, we also discuss Data Protection Requirements and legislation like GDPR which adopts a policy of high penalty limits as “Administrative Fines” (as different from the wrongful loss suffered by a citizen data subject).

We however need to appreciate that  Right to Privacy is a fundamental right but is subject to reasonable restrictions which include

a) interests of the sovereignty and integrity of India,
b) the security of the State,
c) friendly relations with foreign States,
d) public order,
e) decency or morality, or
f) in relation to contempt of court,
g) defamation or
h) incitement to an offence

Since “Privacy” is a mental state of a data subject and differs from individual to individual, it is impossible for a law to mandate based on the law subject’s mental state of “Feeling of being left alone”. Hence out of necessity, Privacy Protection is currently restricted to “Protection of Information Privacy” and the objective is to enable a data subject to have full control on determining how his personal data is collected and used.

In this context of “Information Privacy” being considered as “Privacy” and “Protection of Personal Information” as “Protection of Privacy”, we often consider “Data Protection” as the same as “Privacy Protection”. When GDPR recognizes a role of a “Data Protection Officer” instead of a “Privacy Protection Officer”, it appears that GDPR considers that Privacy Protection and Data Protection are synonymous.

In India, until a new Data Protection Act comes into being, ITA2000/8 is the operative  “Information Privacy Protection Act”. It defines Personal information, Sensitive personal information, responsibilities of a Data Processor and an intermediary (who is also a limited data processor), consequences of non compliance in the form of civil and criminal liabilities, the means of grievance redressal etc. It also prescribes data retention norms, defines powers of interception or data demand by authorities in the national interest.

ITA 2000/8 may be considered weak in terms of its implementation mechanism, but the law itself does provide a comprehensive framework for data protection. It covers not only personal data protection as envisaged under the Information Privacy Protection objective but also the higher levels of data protection that go beyond Privacy Protection into the area of “Information Security” within an organization.

Information security within an organization is an attempt to protect the entire data environment which is under the control of an organization from unauthorized access, modification and deletion besides ensuring against denial of access.


We must recognize that “Data Protection” as envisaged under ITA 2000/8, which is the goal of an information security team in an organization, encompasses several types of data beyond the personal and sensitive personal data which is the subject matter of Privacy protection. For example, every organization possesses its own data, some of which could be business data and some of which may constitute trade secrets or intellectual property.

There may also be “Transaction data”, which is data such as log records that gets generated during any encounter with an outsider through the systems. Some of this transaction data, which may include the IP address from which a person has interacted, may be considered as “Personal Data”. But the transaction data itself indicates that IP address ‘X’ interacted with IP address ‘Y’, that the interaction lasted for ‘N’ minutes and that it resulted in an exchange of ‘P’ bytes in and ‘Q’ bytes out etc.

This transaction information is neither the sole right of the data subject nor that of the company but is a joint property of both.

ITA 2000/8 tries to protect all these types of data by imposing “Due Diligence” and “Reasonable Security Practice” obligations along with asserting Data Retention and Data Demand rights by designated authorities.

Hence “Data Protection obligations under ITA 2000/8” are more comprehensive than Privacy Protection Requirements.

Now looking at the data protection obligations from the view point of the industry, a Privacy Protection Officer is satisfied if “Personal” data under his control is secured by appropriate means to avoid unauthorized access etc. But a Data Protection Officer of a company should be interested in protecting not only the Personal data but other types of data also. Hence it is not appropriate to restrict the role of a designation such as “Data Protection Officer” to only as a protector of personal information as GDPR actually does.

“Data Protection Officer” as a designation looked at in the Indian context is therefore larger than the DPO as identified by GDPR.

If we go another level up in the Data Ecosystem, data of individual entities (individual and corporate), when aggregated, becomes “National Data”. The National Data set is therefore an aggregation of data of individuals and corporates working within the jurisdiction of India. For the same reason, when information security obligations of individual entities get aggregated, that becomes the “National Security”. Sometimes we call this “Cyber Security”.

If we adopt this convention, Privacy Protection is at the lower end and addresses security of personal data in electronic form, Information security addresses security of all data in information form within the control of one legal entity and Cyber Security is the security of all data in electronic form under the jurisdiction of the country.

When we make data protection laws, we have a choice of making a Privacy Protection law and providing exemptions/derogations with respect to Information Security and National Information Security. Alternatively, we can make a National Information Security law and create subordinate sectoral laws applicable to “Information within the control of a legal entity” and “Personal Information which is under the control of a legal entity”.

Laws such as GDPR adopt the first approach. It appears that ITA 2000/8 is closer to the second approach. If we do not properly prioritize our law making objective, there is a possibility of “Conflicts”.

For example, GDPR supports privacy according to which a recipient of an e-mail is not able to view the IP address of the sender, which should be his right to information. A victim of defamation is unable to view the Who-Is data of the defaming website. Though a work-around may be provided whereby information is released upon legal demand, it is a hurdle placed on a genuine victim of a data-related perceived crime in support of the privacy of an accused criminal. In many law enforcement situations, the golden hour of investigation has passed before the “Due Process” supported by a judicial order can be activated, permanently denying justice to the cyber crime victims.

There is an urgent need to correct this skewed prioritization of “Privacy of a Crime Accused” ahead of the “Security of a Crime Victim” and the “Efficacy of the law enforcement system”. We need technical and policy initiatives that ensure that once a simple prima facie check is made on the identity of the person claiming a “perceived victim” status, the “Privacy Veil” has to be dropped and the “Right to Information” should take over as the overriding right. For example, if a recipient of an e-mail demands the originating IP address of an e-mail he has received, it should be automatically provided, since the identity of the recipient is inherent in the origination of the request itself. Similarly, if a Who-Is resolution request is invoked by a person with an irrefutable national identity such as a “Legally acceptable Digital Signature”, the Privacy veil on the Who-Is information should be dropped automatically.

I hope and demand that these and similar issues be addressed by the Indian Data Protection Act when it is released.

It is in this context that I would like to raise a slogan for the attention of the Government of India and the Supreme Court that “Cyber Security is my Fundamental Right and should override other recognized fundamental rights such as Privacy Right as well as Right to Freedom of Speech.”

I look forward to the comments from the Data Security Community which includes Law Enforcement persons.

Naavi

 
