Personal Data Protection Act 2018…1….Section 43A goes

The much awaited Data Protection Act of India has finally come to the open with a copy of the draft now being available. This appears as a text of the Bill and needs to be passed by the Parliament, approved by the President and notified in the Gazette before it becomes a law. This is part of a series of articles on the new Bill which when it becomes an Act will bring several changes to the Privacy and Data Protection scenario in India.

[This is the first of a series of articles that will be published on this topic…Naavi]

The first important thing we notice is that Section 43A of ITA 2008 has been omitted completely.  The “Reasonable Security Practice” mentioned under Section 87 of the principal Act in sub-section 2(ob) has also been omitted.

It may be noted that in the Intermediary Guidelines under Section 79, it had been mentioned that

“the intermediaries shall take all reasonable measures to secure its computer resource and information contained therein following the reasonable security practices and procedures as prescribed in the Information Technology (Reasonable security practices and procedures and sensitive personal Information) Rules, 2011.”

As a result we need a modification in these rules and removal of the words “as prescribed in the Information Technology (Reasonable security practices and procedures and sensitive personal Information) Rules, 2011”.

Since PDPA 2018 is anyway covering the requirements of Sensitive Personal Data Protection in greater detail, this may be an attempt to avoid overlapping provisions.

We shall go through the draft bill in greater detail and continue our discussions.

Naavi

A Copy of the Proposed Bill is available here (67 pages)

A more detailed Report of the Srikrishna Committee is available here (213 pages)


An Unprecedented Technical Revolution in Health Sector is in the offing in India…

The Ayushman Bharat scheme, also referred to as the Modi Care program, is an ambitious welfare scheme which Mr Modi is implementing. Under this scheme it is expected that 1.5 lakh health and wellness centers offering preventive and primary care would be operating on the supply side and over 10 crore plus households would be provided a health insurance of Rs 5 lakhs per family. The idea is to promote both the supply and demand side of health care service.

The ambitious plan, which could transform the country in terms of public welfare, is likely to also provide an unprecedented boost to the technology suppliers who specialize in the health care sector, as the Government is unleashing a visionary digital framework usable by all stakeholders in the Ayushman Bharat scheme in the form of the proposed “National Health Stack” (NHS).

NHS is envisaged to be a holistic platform that supports multiple health verticals and integrates future IT solutions so that by 2022, digital health records of all citizens would be available on the platform.

It is clear that the challenge in terms of the sheer size of the required digital network along with the support features of connectivity, security etc would be providing an opportunity of unprecedented scale to the IT industry in India.

It is time for our businessmen to sit up and take notice of this development and start planning ahead for harnessing the opportunities that may be unleashed under NHS. It is expected that the grand announcement would be made about the roll out of the scheme on August 15 when Mr Modi makes his Independence Day speech which could be the last such occasion before the next election.

The occasion and opportunity is big enough to think that the 2019 Loksabha election could be actually a vote for and against Modi Care program.

While the political minds may keep scratching their heads on the pros and cons of NHS in the political environment, it is time for Cyber Security and Privacy Professionals to focus on the NHS document, which has been placed for public comments and for which the last date for submission is August 1, 2018.

In case you are yet to take a look at the document, kindly refer to “National Health Stack Plan… This is the Digital Health Aadhaar Scheme…Available for Public Comment” and ensure that your comments, if any, are sent by e-mail to healthstackniti@gmail.com

Indian Academy of Data Protection Professionals (Proposed National Conglomerate of  Data Protection Professionals promoted by Naavi) is planning to conduct a Webinar on NHS on this Sunday, the 29th July 2018. Contact Naavi for details.

Naavi


Offline verification of Aadhaar data.. Is it feasible?

According to the Caravan report about the proposed new Data Protection Act /Privacy Protection Act which the Srikrishna Panel has tabled, a suggestion has been made for amendment of the Aadhaar Act to introduce what is called “Offline Authentication”.

A discussion has already ensued in the professional circles on how the “Offline” authentication can be done without a copy of the Aadhaar data being kept outside the CIDR and whether it will introduce new data breach risks.

However, I feel that just like the introduction of the Virtual Aadhaar ID which stepped up the security of the Aadhaar data by several notches and took the wind out of the anti-Aadhaar lobby, it is likely that this “Offline Authentication” system may also turn out to be a good practical suggestion that can ensure that Aadhaar system survives the critical scrutiny of the Supreme Court.

Just to think of one of the measures by which this system can be introduced, we can envisage that UIDAI may authorize “Identity Certification Agencies”.

This could be  part of the Digi Locker scheme and Digital Certificate Scheme run under the CCA. In such a scheme certain agencies may be licensed to make verification based on “Virtual Aadhaar ID” submitted by the Aadhaar user (Global KYC agents can perhaps use the real Aadhaar ID itself) and maintain a mirror identification data base of “Members of its service”.

These agencies could be similar to the “Data Trusts” which Naavi had proposed earlier. Individuals could deposit their ID information with these agencies, who may be private sector agencies with access to technology which they claim is better than that of UIDAI. Their data base may be maintained on the basis of their membership and the linked Virtual Aadhaar ID.

If there is any data breach at these “Trusted Intermediaries”, then UIDAI cannot be blamed. Also the loss can be recouped with the change of the Virtual Aadhaar ID.

Hence this move will both address the issue of insulating the CIDR from too much of access by public and also silence the critics by challenging them to be the secure repositories of the data if they are capable rather than blaming the Government all the time.

For the positively minded, this is an additional opportunity to create a business out of the need to secure personal data.

It is therefore time for the Critics of Aadhaar to accept the challenge thrown at them by the Srikrishna panel and find solutions to make offline Aadhaar authentication feasible without the fear of personal data breach.

Naavi


Another leak of the Srikrishna Committee Report on Data Protection

Even while the Srikrishna Panel has expressed dissatisfaction at TRAI coming up with its own Privacy Protection regulation and a consequential need for revision by the Panel of its draft, Caravan has released a report about a draft copy of the proposed act containing 15 chapters which it has gained access to and released some of its views.

The Caravan article is here

Also see: Economic Times

This article  focusses on  some suggestions reported to have been made by the committee on Aadhaar Act and RTI Act.

It would be appropriate for us to wait for the official release of the draft to make serious comments.

However for the sake of records we can recount the remarks of Caravan.

  1. It is said that the draft proposes amendment to Aadhaar act and an “Offline Verification” for Aadhaar.
  2. It is also said that the RTI Act is proposed to be amended, with the following three conditions needing to be fulfilled for the release of personal data:

    (a) the personal data relates to a function, action or any other activity of the public authority in which transparency is required to be maintained having regard to larger public interest in the accountability of the working of the public authority;

    (b) if such disclosure is necessary to achieve the object of transparency referred to in clause (a); and

    (c) any harm likely to be caused to data principal by the disclosure is outweighed by the interest of the citizen in obtaining such personal data having regard to the object of transparency referred to in clause (a).

We shall wait for further information to come forth instead of speculating on the above measures as there are more fundamental aspects of the law which may need attention rather than these peripheral issues.

Naavi


Ethical E- Expression Consortium

The media has been reporting many incidents of lynchings in India apparently caused by spread of rumours through the WhatsApp messaging system. Some of these may be “Fake” news and some may even be “Genuine” information which has evoked violent reactions due to the emotional content of the messages.

There was also a recent confusion created by a news report that “Forwarding of a Message is equivalent to endorsing of a message”, arising due to a wrong interpretation of a Court decision.

In the light of the above, there have been some indications that WhatsApp itself may be introducing some changes into its system such as “Restricting forwards” or “Flagging a Forward” etc.  Such measures are welcome.

However, the solution to the problem may not lie in merely restricting the forwards to five or indicating that a “forward is actually a forward”.

It is clear from the developments that many of the lynchings that occurred in recent days had a political overtone meant to discredit the current regime and build up a narrative for the forthcoming elections. Media which is biased in favour of the opposition is hand in glove with building of such a narrative. Hence in many instances, the forwarding of a message or publishing of a message is only an “Excuse” for a “Crime already contemplated”.

Since in many cases, the investigations are also biased, truth might not have come out.

While WhatsApp or Bolo may try to find their own methods to improve reliability of messages it is necessary for persons using different means of expression on the Electronic media to ensure that they follow certain ethical principles.

While every person who originates a message can take care at his personal level to be ethical and avoid deliberate false messages, we cannot rule out the need for forwarding of messages of doubtful veracity either to check if it is true or to fore-warn if there is a potential risk if the message is ignored. Hence some “Conditional Forwarding” should be possible without attracting the wrath of the law.

Flagging a forward as “Forwarded as Received, Authenticity not Checked or Guaranteed” could be a good disclaimer that can protect a person in law.

But over and above this, I propose that a voluntary “Ethical E Expression Consortium” (EEE Consortium) be formed which provides a “Virtual Editor” service to the individual publishers. The members should be able to load their expressions, which may be blog articles or twitter messages or Facebook posts, into the forum repository in the form of a link and let somebody else review the comment and suggest their removal if it is necessary. The authors may either post their message and then seek a review or wait for a while before publishing their messages so that some reviewer can alert them if they are going overboard.

This would be a self regulation for bloggers before the Government comes up with its own regulation which all of us may later criticise as “An Assault on Free Expression”.

Naavi

 


Will TDSAT hold its hearings through Video conferencing?

Telecom Disputes and Settlement Appellate Tribunal (TDSAT) is a body created initially for settling the disputes in the Telecom sector. However the Finance Bill  2017 has changed the character of TDSAT by merging the Cyber Appellate Tribunal (CyAT) which was set up under ITA 2000 to hear appeals from the Adjudicating officers all over India and the CCA.

TDSAT was set up under TRAI Act 1997 (as amended) and exercises both original and appellate jurisdiction. CyAT on the other hand exercised only an appellate jurisdiction and not original jurisdiction.

TDSAT does not seem to have issued separate rules for handling Cases transferred from CyAT and probably it may do so some time in future. In the meantime the existing law and the rules regarding TDSAT may be considered as continuing.

In CyAT, the appeal filing fee was Rs 2000/- and no fee was fixed for miscellaneous applications. TDSAT presently prescribes a fee of Rs 5000/- for the petitions and Rs 1000/- for Miscellaneous applications. CyAT required 6 copies of petitions to be submitted while in TDSAT, 5 copies may be sufficient but one additional copy is required to be given to the counter party.

TDSAT procedures include a specific “Mediation Procedure” which may be referred to the mediation center of the tribunal. The Mediation Center charges a nominal fee of Rs 1000/-. The fees of the Mediator and the Office expenses are borne by TDSAT. This is definitely a huge advantage for the small petitioners.

Naavi.org had raised two other points in its previous article which we would like to re-iterate.

First is the possibility of TDSAT holding its hearings outside Delhi in cities like Bangalore, or Chennai or Mumbai or any other place where the petitioners are located.

Second was the possibility of using online interactions through Video conferencing. If this is acceptable, the first requirement of holding sittings outside Delhi may not be that important.

The online hearings can also be extended to the Mediation process so that the need for travel of the petitioners and respondents to Delhi can be reduced.

Naavi.org has already drawn attention to the fact that it is ready to provide the services of ODRGLOBAL.IN where a facility is already available for conducting online arbitration supported by evidentiary capture of proceedings under Section 65B of Indian Evidence Act. (More details are available at www.odrglobal.in). TDSAT may either use this facility itself or create a similar facility for its own use. If this suggestion is accepted, there would be a revolutionary change in the way justice is rendered to the petitioners.

Naavi would be happy to provide any assistance to TDSAT in implementing such technology innovations if required.

We look forward to how TDSAT approaches its new responsibilities for the cases transferred from CyAT.

Naavi

 
