GDPR Exclusion

It is declared that Naavi.org follows the principles of privacy protection under the Information Technology Act 2000, as amended from time to time, and that where there is a conflict with any other international law or guideline, the provisions of ITA 2000 shall prevail.

In particular, Naavi.org does not subject itself to the administrative jurisdiction of GDPR and any data subject who intends to be protected by GDPR and not ITA 2000 shall not use any of the services of this site or its networked sites.

Any claims made under non-ITA 2000 statutes or regulations regarding privacy protection or otherwise are unacceptable and may be deemed as maliciously intended.

Naavi


Tame the monster of GDPR

GDPR came into effect yesterday, along with the UK Data Protection Act 2018. Together these pieces of legislation are completely changing the IT business landscape in India.

Already, the Austrian data privacy activist Max Schrems has launched three complaints worth a total of Euro 3.9 billion against Facebook, WhatsApp and Instagram through regulators in Austria, Belgium and Germany.

More such insane legal action will follow.

These actions elsewhere in the globe will also have ripple effects in India, which is the back-end processing centre for a large part of personal data processing. To a corporate entity, they can be devastating. Defending such cases, particularly in foreign countries, could be expensive and would increase the cost of doing business.

Indian companies therefore need to be extremely concerned about the damage that motivated activists can do to their business, both to boost their own egos and as an instrument of blackmail.

While it is the legitimate right of any individual or an activist to seek legal recourse for any grievance real or imaginary, Courts and Regulatory authorities need to remember that law is there for the benefit of people in general and that “People” include “Legitimate Business”.

But we have to admit that when a prima facie case is made out, the Courts have no option but to launch a trial, and that itself is a burden on the business.

The first line of defence for companies is to present their case properly to the regulatory authorities so that unfair litigation is nipped in the bud.

Knowledge is the tool for such defence, and every company, its CEO and its Directors should themselves be reasonably aware of the provisions of data protection laws so that they can ensure that their legal teams find appropriate solutions to problems that may arise.

I therefore urge the top management team in business to go through an awareness program for themselves before acting on the recommendations of different consultants and being swayed by the media, which will sensationalize most of the issues.

In this direction, Naavi has launched a new online training program on GDPR through Apnacourse.com. I hope it will be of use to companies in first acquiring some basic understanding of GDPR as a regulation and then taking steps towards compliance.

This online program may not be an end in itself but can be the beginning of a journey in understanding the intricacies of data protection laws essential to protect the existential interest of business.

Naavi


Today is GDPR Day… Love it or hate it, you cannot ignore it

Today is 25th May 2018. EU is still waking up to this D Day while India is already awake. There is no doubt that today will be considered a historic day in the Data Protection industry since EU GDPR is coming into effect from today.

Two years back the regulations were announced and the deadline was set. But most companies continued to be complacent. Naavi started actively urging the Indian industry to respond by first opening the Privacy Knowledge Center in September 2016, and following it up with the GDPR Knowledge Center in February 2017.

Since then several articles have been published under www.privacy.ind.in as well as www.naavi.org highlighting the positive and negative features of GDPR.

However, the industry woke up only in the last six months, when it saw the potential impact of the huge penalty for non-compliance envisaged under the regulation and the perception that it may become applicable even to entities outside the EU.

During the past year, since India is itself discussing its own Data Protection law under the Expert Committee chaired by Justice Srikrishna, I have been urging the committee to ensure that the Indian data processing industry is provided a protective umbrella against the unreasonable penalties that may be imposed consequent to GDPR and against the contractual commitments that Indian companies may undertake in their anxiety to preserve their business. I have also raised the concern that Indian shareholders of such companies may be adversely impacted if they sign uncapped indemnity clauses that provide for the transfer of their business partners' liability.

I have also expressed my displeasure that the EU has drafted the regulation in such a manner that it can be misunderstood as a global law and create a sense of fear amongst data processors outside the EU.

To some extent this sense of fear may not be warranted, and I am sure that if challenged, the EU will defend itself and say that its law does not impose itself on other countries. But the fact is that perceptions sometimes cloud reality, and if we survey Indian companies, we find that most IT professionals think that GDPR is mandatory for them.

In the meantime, the UK has come up with its own DPA 2018, which is perhaps of greater concern to Indian companies, since most Indian companies have established a physical presence in the UK even to take up business in the EU, and hence DPA 2018 is applicable to a much larger number of Indian companies. By trying to extend GDPR as part of its own law, the UK law creates some additional burden that goes beyond GDPR.

All this means that the cost of IT business in India is going up, and Indian companies need to ensure that they do not take up GDPR compliance entirely at their own cost and try to load part of it on their international customers.

While I have indicated that, in order to effectively defend against the impact of GDPR (and now add UK DPA 2018), the industry needs to organize itself, and SME data processors as well as Data Protection Professionals need to create some sort of collective bargaining power by creating self-interest groups, I have also recognized that GDPR will also create business opportunities of different kinds for professionals.

In all such situations, the first industry to benefit is the education industry. In fact, the career of the undersigned itself took off with Cyber Law College when ITA 2000 was enacted, and consultancy was added later. Similarly, GDPR will also create opportunities for the training industry. Already we have seen people from the EU and some enterprising local professionals conducting training programs and charging a bomb. GDPR itself may give a further boost to some of them by creating a “Certification Mechanism” which will provide a false sense of privilege to some organizations established in the EU that can claim to be “Accredited with the Supervisory Authority of …”.

Naavi believes that what is important is “Education”, through which we become more knowledgeable. Certifications will follow. Certification without transfer of knowledge is not going to benefit professionals and could actually create traps where a professional may rise to his level of incompetence, as the Peter Principle suggests.

Naavi’s Cyber Law College, in association with Apnacourse.com, will be launching a training program on GDPR which goes online today to mark the formal coming into effect of GDPR.

(A Link to the course is available here)

The Course will contain about 7 hours of video lectures spread over around 18 modules. This will probably need to be updated from time to time, since this space is dynamic. Even the interpretations under GDPR itself will undergo some changes once the EU Data Protection Board becomes more active. Just as we have updated the Cyber Law Course on Apnacourse.com when major changes occurred, this course will also undergo updates from time to time. Presently the Course is being presented for knowledge enhancement. In due course Cyber Law College may introduce a certification of its own to provide recognition of “Course Completion” and of passing a “Basic Awareness Test”.

Cyber Law College and Naavi, in association with Apnacourse.com and otherwise, will also be conducting offline corporate training programs so that awareness of GDPR is not a deficiency in the Indian industry.

Implementation is of course a choice that industry players may have to make based on their own risk appetite. But I would like to caution the industry that they should not allow international competitors to use lack of awareness of or compliance with GDPR as an excuse to shift outsourcing business from India to elsewhere. For this purpose they need to incorporate a plan of action whereby they can give all their customers confidence that they are aware of and compliant with GDPR, even though we may assert our “Legitimate Interests” and “Application of Local Laws”.

So… interesting days are ahead of us. Whether we like it or dislike it, GDPR is here and we cannot ignore it.

…..So happy GDPR day to all…

Naavi


UK Data Protection Act 2018 comes into force…

Racing against time with the implementation of GDPR, UK authorities have completed the formalities of introducing the new version of their Data Protection legislation, effective from 25th May 2018, coterminous with the applicability of EU GDPR. This will continue even after Brexit.

UK DPA 2018 should be considered an extension of GDPR, and entities to whom UK DPA 2018 applies may have to read DPA 2018 and GDPR side by side.

The office of the ICO provides further information about the Act. (Refer here).

A copy of the Data Protection Act is available here.

The DPA 2018 copy as released on 23rd May 2018 contains 215 articles divided into 7 parts and 20 Schedules.

While data protection legislation advises companies to make their consents “Simple” and expressed in easily intelligible language, the UK’s DPA is as complicated as any legislation can be and alien to the principle of simplicity. It will take some time for the industry to fully digest the provisions and be confident of compliance.

As we have often highlighted, simple laws are more likely to be complied with, while a complex law will have a lower level of voluntary compliance and so will require rigid penalties and enforcement.

India is in the process of completing its Data Protection Act, and I wish that Indian legislators do not make the law as huge and as complicated as the UK DPA, and instead opt for a simpler piece of legislation which can be equally effective.

Law makers need to remember that laws are made not to show how knowledgeable the law maker is, but to ensure that the citizen understands it for compliance.

However, we shall continue to try to demystify the UK DPA 2018 over time.

The PDF version of the Act as made available is a 353 page document that requires a detailed study.

Some of the salient features for immediate consumption are given below:

Applicability:

Under Article 207, this Act is applicable to:

a) processing of personal data in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or not the processing takes place in the United Kingdom;

b) processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where—

(a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,
(b) the personal data relates to a data subject who is in the United Kingdom when the processing takes place, and
(c) the processing activities are related to—

(i) the offering of goods or services to data subjects in the United Kingdom, whether or not for payment, or
(ii) the monitoring of data subjects’ behaviour in the United Kingdom.

The Act is about “Processing of Personal Data”, and personal data is defined as “any information relating to an identified or identifiable living individual”. The Act does not say whether it is the personal data of a UK citizen or of a citizen of other countries.

Jurisdiction of Courts

The jurisdiction conferred on a Court under UK DPA 2018 is exercisable in England and Wales, Northern Ireland and Scotland.

This effectively recognizes the limitations of the law-making body, which derives its powers from the sovereign Government that it represents. The EU GDPR ignored this limitation and arrogated to itself the responsibility for protecting global citizens, as if it were a global legislative body.

However, as a humble servant of the EU which the majority of UK voters voted to exit, the legislators have vowed to legitimize GDPR within this legislation. Considering the detail into which this legislation goes, there was no need to make it subordinate to the GDPR, but it appears that the UK legislators were under something like a “Stockholm Syndrome” and could not stop themselves from expressing their past loyalties to the EU by importing GDPR into their own legislation. The UK seems to have lost its mental independence to stand up as an independent sovereign country and feels obliged to follow its EU masters.

Part 2 of the Act is devoted to supplementing GDPR

Chapter 2 of this Part applies to the types of processing of personal data to which GDPR applies by virtue of Article 2 of GDPR. Further, the Act confirms that Chapter 2 has to be read with the GDPR.

Chapter 3 of Part 2 has some provisions which are defined as the “Applied GDPR”.

Article 21 states:

This Chapter applies to the automated or structured processing of personal data in the course of—

(a) an activity which is outside the scope of European Union law, or
(b) an activity which falls within the scope of Article 2(2)(b) of the GDPR (coming under the Treaties of the EU).

The term “Outside the scope of European Union law” is a loose statement that is amenable to misinterpretation.

The applicability of UK DPA 2018 cannot extend beyond the jurisdiction of the Courts as defined under Article 180, and all other narrations represent legislative imperfections.

Penalties:

Penalties as specified in EU GDPR Article 83 are applicable under UK DPA 2018 as well.

More Codes to follow

The ICO has to develop certain codes of practice, such as a data sharing code, a direct marketing code, an age-appropriate design code, a data protection and journalism code, etc. These codes need to be approved by the British Parliament, and hence the industry needs to wait for the codes, which will be important from a compliance point of view.

DPO

UK DPA 2018 mandates the designation of a DPO by all organizations other than a Court or a judicial authority (Article 69).

Principles and Rights

UK DPA 2018 restates the principles of privacy and the data subject’s rights as in GDPR.

Cross Border Transfer of Data

Cross-border transfer of data is subject to requirements similar to those of the EU, which include an “Adequacy Decision” (Article 74) or Safeguards (Article 75). Adequacy is as decided by the EU, and Safeguards include a legal instrument that binds the recipient of the data to protect the personal data. Additionally, transfers may be permitted in special circumstances, such as where the vital interests of the data subject, the legitimate interests of the data subject (not the data controller… Ed: could be a drafting error), public security, law enforcement or legal requirements so demand.

Responsibilities of Controller and Processor

The Act restates the responsibilities of the Controller and Processor as in GDPR.

Offences

UK DPA 2018 defines the following offences related to personal data:

a) Unlawfully obtaining personal data, or selling personal data

b) Re-identification of de-identified personal data

c) Alteration to prevent disclosure

A person who commits an offence is liable on summary conviction to a fine. Prosecution may be instituted only by the Commissioner or with the consent of the Director of Public Prosecutions.

The directors of a company may be liable for offences committed by the body corporate if there is negligence on their part.

These are some preliminary observations and more discussions may follow in due course.

Naavi


The Role of DPOs under GDPR and the need for Indian Association of Data Protection Professionals

GDPR, which comes into full force on 25th May 2018, is aimed at protecting the privacy interests of EU citizens under the EU constitution. However, the EU Commission believes that it has a role in protecting the privacy of the global community and uses its commercial clout as a collective economic entity to project GDPR as if it were a global law. In pursuance of this belief, GDPR contains provisions stating that even Data Controllers and Data Processors not established in the EU are required to be compliant with GDPR and to appoint a representative in the EU if they

a) offer products and services to EU citizens, or

b) monitor the behaviour of natural persons in the EU.

While it is clear that the EU does not have jurisdiction to make laws for other sovereign countries, many data processors in India presume that GDPR is applicable to them. Further, the data vendors located outside the EU who give processing contracts to Indian companies, out of their own fear and concern about the penalty clause in GDPR, try to add a GDPR compliance clause to their contracts with the Indian processors.

As a result, many Indian companies are trying to be compliant with GDPR.

While it is fine if Indian companies try to provide privacy protection to a global standard, not only for EU citizens’ data but for others’ as well, in their enthusiasm to be called “GDPR Compliant” Indian companies may go out of their way to designate representatives in the EU and also Data Protection Officers in their establishments in India.

We would like to warn Indian companies that there are some risks they would invite if they unnecessarily and voluntarily subject themselves to GDPR. Further, some of the provisions of GDPR may be in conflict with ITA 2000/8. When the Indian Data Protection Act gets drafted, there is a possibility that it too could conflict with GDPR. In such cases, companies need to ensure that they are first compliant with Indian laws before worrying about compliance with other laws, unless that is essential for their business.

Similarly, executives would be excited to be designated as “Data Protection Officers” under GDPR. It would enhance their professional reputation and also expand their global employment opportunities. The first reaction of professionals in the information security domain or in similar roles is therefore to grab such opportunities.

In this connection, we need to take a second look at the provisions of GDPR relating to the Data Protection Officer (DPO) and his responsibilities.

Article 39 of GDPR defines the tasks of the DPO. It must be noted that the DPO under GDPR is not envisaged as an employee of the organization and is not burdened with “Implementation”. He is expected to be an “Adviser” to the Controller or Processor and an in-house representative of the supervisory authority, monitoring compliance and acting as a contact point for the supervisory authority.

Under Article 38, the DPO is also the contact point for data subjects. This means that he would be the grievance redressal official who receives complaints from data subjects, including requests for the exercise of data subjects’ rights, and ensures compliance.

Article 38 of GDPR further states that the DPO does not receive any instructions from the Controller/Processor regarding his tasks. This means that he would act independently.

Under Article 37, it is indicated that the DPO need not be “Staff”. He can be on a “Service Contract”. This means that the DPO may be an external consultant.

If he is “Staff”, then conflict of interest with other duties needs to be avoided (Article 38).

If we seriously analyze the tasks of the DPO, it is hard to identify any activity that a staff member could discharge which does not conflict with the DPO’s responsibilities. His position will report directly to the CEO, and hence he would be above the CISO and CTO in the current structure. His decisions will affect the interests of the company as a whole, and hence even as an adviser to the CEO he is in a conflict situation.

For example, if there is a data subject’s complaint, then it is the DPO who, based on his assessment, has to agree to the payment of any compensation and also report to the supervisory authority, which has the right to impose penalties. The DPO may therefore decide how much cash outgo occurs in any suspected non-compliance situation. This is certainly a conflict with the CEO’s own responsibility for revenue management.

Since the DPO cannot be a staff member senior to the CEO, it is practically impossible to avoid conflict of interest if an internal DPO is appointed. In most cases, therefore, the DPO has to be an external consultant with the necessary professional knowledge and also integrity. Most of the time, knowledge and integrity do not go together, and companies will have to struggle to find the right combination at the right price. If they compromise on pricing, there is certainly a possibility of loss of quality. Hence the DPO designation is a complex decision that management has to take.

According to Article 37, the designation of a DPO is not mandatory in all circumstances. The designation of a DPO would be mandatory only if the “Core Activity” of the Data Controller or Data Processor consists of processing that involves “Large scale”, “Regular and Systematic monitoring” of EU data subjects.

What amounts to “Large Scale” is a matter of interpretation. Consider an Indian BPO handling data processing for data subjects in different countries. In such a case, the core activity may not be the processing of GDPR-sensitive data. Even if there is a website accessible from the EU, the data collected about EU data subjects may relate only to non-sensitive data and may be considered not to be regular and systematic collection. Hence, unless there is an activity directed towards EU data subjects alone, or where the EU market share is significant, the need for a DPO may not be considered mandatory.

Though this is the view of the undersigned, it is possible that many organizations may feel that there is a need to designate a DPO and also an EU representative so that they may project their GDPR-ready profile to prospective EU business partners. Hence many Indian companies may start designating one of their employees who has undertaken some training and certification as the DPO.

Such DPOs will have to work in an environment of conflict, where they are paid by the company and are junior in the organizational hierarchy but are expected to act independently.

The fact that the DPO shall not be dismissed or penalized by the Controller/Processor for performing his tasks makes him a privileged person who may in due course become a thorn in the side of the IT and IS departments if he is honest to his duties. All CISOs and compliance officials have faced awkward experiences when they have to disagree with a powerful business manager who insists that some decision has to be taken in the business interest even if the CISO or the CCO has objections.

Some of these issues are also faced by Company Secretaries and Auditors, who have to manage statutory responsibilities which may go against the company that pays them. Recently many auditors have been criminally booked for negligence when they failed to discharge their duties to the shareholders and were responsible for frauds going unreported for a long time.

Similar developments can be expected in the case of DPOs.

Presently GDPR does not talk of any liabilities of the DPO. However, if the DPO is a trusted representative of the supervisory authority, then he would be liable for “Breach of Trust” if he does not discharge his duties to the satisfaction of the supervisory authority.

Hence DPOs should be ready for a situation where they are aware of some potential data breach scenario in their company but keep quiet while there is an attempt to brush the incident under the carpet, which then blows up at a later date. An investigation in such a situation may reveal that the DPO was aware of it but did not act diligently, and hence was guilty of breach of trust. Even the top management of the company itself may disown the DPO and insist that it was not kept informed of the accumulating risk. After all, management also wants a scapegoat, so as to negotiate lower penalties with the supervisory authority by blaming the DPO for all the problems.

Some of my readers may say that I am speculating about a scenario with a negative outlook. But any experienced person who has worked in an organization, particularly in an internal audit department, would easily recognize the truth of what I am saying above.

While these developments are bound to happen in such a scenario, and many would consider this part of the “Risk in the Profession” itself and negotiate remuneration packages, severance packages, insurance and indemnity covers to ensure that they will not be personally liable when an adverse situation arises, there would be many not so intelligent, smart or powerful persons who work hard and honestly only to be blamed one day for not having discharged their responsibilities properly.

I therefore think that there is a need for DPOs to ensure that their professional interests are protected. I propose that “Data Protection Professionals” (which may include DPOs, compliance officials and IS officials) should organize themselves by creating an “Indian Association of Data Protection Professionals” (IADPP) on the lines of ICAI, ICS or similar professional organizations.

I invite the views of other professionals in this respect.

Naavi


Closure of Bazee.com case: Sharat Digumarti gets relief amidst Intriguing precedents created

The Bazee.com case, which was one of the earliest criminal prosecutions to be launched under the Information Technology Act 2000, appears to have finally completed its journey with the quashing of the criminal prosecution against Mr Sharat Babu Digumarti. This case was filed in 2004 and lingered on in different courts until the current judgement of December 2016, which seems to have brought closure.

For some reason the judgement got re-circulated in some social media groups, and hence I was constrained to bring this up for debate on some academic considerations. Let me make it clear that this discussion is not meant to suggest that the relief granted was unjustified.

It was clear from the beginning that this was a case where the juveniles who committed the offence landed other adults in legal problems. First was Mr Raviraj, the IIT student whose career was killed because he chose to sell the DPS-MMS video. Second, Mr Avnish Bajaj, the CEO of baazee.com, had to fight his case in all the Courts until 2008 before he was acquitted. But the case against Mr Sharat Babu Digumarti lingered on further. All three accused, namely Raviraj, Avnish Bajaj and Sharat Babu, faced disproportionate punishment, intimidation and expenses, while the two juveniles went unpunished, thanks to the way the law works in such cases.

In the Nirbhaya case there was discussion on the need to amend the Juvenile Justice system; some changes did occur, and hopefully more changes may occur in future.

In the course of the journey of this Baazee.com case, several precedents were created. Firstly, the operation of “Vicarious Liability” under Section 85 of ITA 2000 was invoked, and that was what sustained the case until the Supreme Court in 2008 came to the conclusion that the case against Mr Avnish Bajaj did not stand because the company itself had not been arraigned as an accused.

The original case had been filed under Sections 292 and 294 of the IPC and Section 67 of ITA 2000, and each section was separately debated, with Mr Bajaj being acquitted under all the sections one by one. However, Mr Sharat Babu had not got relief under Section 67, and hence an appeal was preferred to the Supreme Court.

In the current judgement, the point of legal debate was:

“Whether proceedings under Section 292 can continue after being discharged under Section 67 of ITA 2008”

The final outcome of the case indicates that the Court agreed with the view that ITA 2000 is a special law and hence Section 67 of ITA 2000 prevails over Section 292 of the IPC. Since the Section 67 charge had been quashed for other reasons, the trial should not continue under Section 292 of the IPC.

However, what is surprising is that this judgement made references to the Shreya Singhal case as well as to the existence of Sections 67A and 67B in the Act. These were developments which were not present when the cause of action arose.

Even if the Section 66A judgement was an opinion and could perhaps be taken as guidance in other cases, Sections 67A and 67B, along with the diluted Section 67, are creations of ITA 2008, which did not have retrospective effect. They were effective from 27th October 2009. Hence it appears inappropriate that the Court should have quoted these two sections in this judgement.

Considering the content of this judgement, it appears that in future Double Jeopardy could be implied when both ITA 2000/8 and the IPC are invoked for the same offence, and in such cases ITA 2000/8 will prevail (in cases where electronic documents are involved). Hence the police should be careful while framing charges and ensure that only one section, of either the IPC or ITA 2000/8, is invoked for a particular offence or a step in the offence. Otherwise the charge may be quashed for double jeopardy, unless the ITA 2000/8 charge prevails.

Since the problem with ITA 2000/8 is mainly in terms of production of evidence, the police prefer to use IPC sections where possible. Further, during the investigation stage, IPC sections provide some flexibility to start investigations based on a section which is cognizable under the IPC, so the police prefer to add IPC sections. These practices need to change now that the primacy of ITA 2000/8 as the law to be applied to offences involving electronic documents has been established.

Further, this judgement is a further vindication of the “Special Law” status of ITA 2000/8, which was stressed in the Basheer judgement on Section 65B of the Indian Evidence Act.

P.S.: In the S V Shekar case discussed earlier, it may be noted that the section which is non-bailable was under the IPC. Further, the offence involved was “Forwarding of an electronic document in social media”. Hence it would be appropriate only if it is tried under ITA 2000/8 provisions and not under the IPC. Hence the entire FIR in the S V Shekar case may have to be reviewed.

Naavi
