The Role of DPOs under GDPR and the Need for an Indian Association of Data Protection Professionals

GDPR, which comes into full force on 25th May 2018, is aimed at protecting the privacy interests of natural persons in the EU as a fundamental right under the EU Charter. However, the EU Commission believes that it has a role in protecting the privacy of the global community and uses the commercial clout of the EU as a collective economic entity to project GDPR as if it were a global law. In pursuance of this belief, GDPR contains provisions (Article 3(2)) stating that even Data Controllers and Data Processors not established in the EU are required to be compliant with GDPR, and to appoint a representative in the EU (Article 27), if they

a) Offer goods or services to data subjects in the EU, or

b) Monitor the behaviour of data subjects in the EU, as far as that behaviour takes place within the EU.

While it is clear that the EU does not have jurisdiction to make laws for other sovereign countries, many data processors in India presume that GDPR is applicable to them. Further, the data vendors who award processing contracts to Indian companies located outside the EU, out of their own fear of the penalty clause in GDPR, try to add a GDPR compliance clause to their contracts with the Indian processors.

As a result, many Indian companies are trying to be compliant with GDPR.

While it is fine if Indian companies try to provide privacy protection as per a global standard, not only for EU data subjects' data but for everyone's, in their enthusiasm to be called "GDPR Compliant" Indian companies may go out of their way to designate representatives in the EU and also Data Protection Officers in their establishments in India.

We would like to warn Indian companies that there are some risks they would invite if they unnecessarily subject themselves voluntarily to GDPR. Further, some provisions of GDPR may be in conflict with ITA 2000/8. When the Indian Data Protection Act gets drafted, there is a possibility of conflicts with GDPR in that legislation as well. In such cases, companies need to ensure that they are first compliant with Indian laws before worrying about being compliant with other laws, unless it is essential for their business.

Similarly, executives would be excited to be designated as "Data Protection Officers" under GDPR. It would enhance their professional reputation and also expand their global employment opportunities. The first reaction of professionals in the information security domain, or in similar roles, is therefore to grab such opportunities.

In this connection, we need to take a second look at the provisions of GDPR relating to Data Protection Officers (DPOs) and their responsibilities.

Article 39 of GDPR defines the tasks of the DPO. It must be noted that the DPO under GDPR is not necessarily envisaged as an employee of the organization and is not burdened with "implementation". He is expected to be an "adviser" to the Controller or Processor, to monitor compliance, and to act as the contact point for the supervisory authority, in effect an in-house representative of the supervisory authority.

Under Article 38, the DPO is also the contact point for data subjects. This means that he would be the grievance redressal official who receives complaints from data subjects, including requests to exercise data subjects' rights, and ensures compliance.

Article 38 of GDPR further states that the DPO shall not receive any instructions from the Controller/Processor regarding the exercise of his tasks. This means that he would act independently.

Under Article 37, it is indicated that the DPO need not be a "staff member". He can be engaged on a "service contract". This means that the DPO may be an external consultant.

If he is a staff member, then conflict of interest with his other duties needs to be avoided (Article 38).

If we seriously analyze the tasks of the DPO, it is not easy to identify any activity that a staff member can discharge which does not have a conflict of interest with the DPO's responsibilities. His position will report directly to the CEO, and hence he would be above the CISO and CTO in the current structure. His decisions will affect the interests of the company as a whole, and hence even as an adviser to the CEO he is in a conflict situation.

For example, if there is a data subject's complaint, it is the DPO who, based on his assessment, has to agree to the payment of any compensation and also report to the supervisory authority, which has the right to impose penalties. The DPO may therefore decide how much cash outgo occurs in any suspected non-compliance situation. This is certainly in conflict with the CEO's own responsibility for revenue management.

Since the DPO cannot be a staff member senior to the CEO, it is practically not possible to avoid conflict of interest if an internal DPO is appointed. In most cases, therefore, the DPO has to be an external consultant with the necessary professional knowledge and also integrity. Most of the time, knowledge and integrity do not go together, and companies will have to struggle to find the right combination at the right price. If they compromise on pricing, there is certainly a possibility of loss of quality. Hence the DPO designation is a complex decision that the management has to take.

According to Article 37, the designation of a DPO is not mandatory in all circumstances. It is mandatory only for public authorities, or where the "core activities" of the Data Controller or Data Processor consist of processing which requires "regular and systematic monitoring" of data subjects on a "large scale", or of large-scale processing of special categories of data or data relating to criminal convictions.

What amounts to "large scale" is a matter of interpretation. Consider an Indian BPO handling data processing for different data subjects in different countries. In such a case, the core activity may not be the processing of GDPR-sensitive data. Even if there is a website accessible from the EU, the data collected about EU data subjects may relate only to non-sensitive data and may be considered not to amount to regular and systematic monitoring. Hence, unless there is an activity directed towards EU data subjects alone, or where the EU market share is significant, the designation of a DPO may not be considered mandatory.

Though this is the view of the undersigned, it is possible that many organizations may feel that there is a need to designate a DPO and also an EU representative so that they may project a "GDPR Ready" profile to prospective EU business partners. Hence many Indian companies may start designating as DPO one of their employees who has undertaken some training and certification.

Such DPOs will have to work in an environment of conflict, where they are paid by the company and are junior in terms of organizational hierarchy, but are expected to act independently.

The fact that the DPO shall not be dismissed or penalized by the Controller/Processor for performing his tasks makes him a privileged person who, in due course, may become a thorn in the side of the IT and IS departments if he is honest to his duties. All CISOs and compliance officials have faced awkward experiences when they have had to disagree with a powerful business manager who insists that some decision has to be taken in the business interest even over the CISO's or CCO's objections.

Some of these issues are also faced by company secretaries and auditors, who have to manage their statutory responsibilities which may go against the company which pays them. Recently, many auditors have been criminally booked for negligence when they have failed in their duties to shareholders and have been held responsible for frauds going unreported for a long time.

Similar developments can be expected in the case of DPOs.

Presently GDPR does not talk of any liabilities of the DPO. However, if the DPO is a trusted representative of the supervisory authority, then he would be liable for "breach of trust" if he does not discharge his duties to the satisfaction of the supervisory authority.

Hence DPOs should be ready for a situation where they are aware of some potential data breach scenario in their company but keep quiet while there is an attempt to brush the incident under the carpet, which blows up on a later day. An investigation in such a situation may reveal that the DPO was aware of it but did not act diligently and hence was guilty of breach of trust. Even the top management of the company may disown the DPO and insist that it was not kept informed of the accumulating risk. After all, the management also wants a scapegoat, so that it can negotiate with the supervisory authority for lower penalties by blaming the DPO for all the problems.

Some of my readers may say that I am speculating about a scenario with a negative outlook. But any experienced person who has worked in an organization, particularly in an internal audit department, would easily recognize the truth of what I am describing above.

While these are developments which are bound to happen in such a scenario, and many would consider this as part of the "risk of the profession" itself and negotiate remuneration packages, severance packages, and insurance and indemnity covers to ensure that they will not be personally liable when an adverse situation arises, there would be many not so intelligent, smart or powerful persons who may be working hard and honestly, only to be blamed one day for not having discharged their responsibilities properly.

I therefore think that there is a need for DPOs to ensure that their professional interests are protected. I therefore propose that "Data Protection Professionals" (which may include DPOs, compliance officials and IS officials) organize themselves by creating an "Indian Association of Data Protection Professionals" (IADPP) on the lines of ICAI, ICS or similar professional organizations.

I invite the views of other professionals in this respect.

Naavi


Closure of Bazee.com case: Sharat Digumarti gets relief amidst intriguing precedents created

The Bazee.com case, which was one of the earliest criminal prosecutions launched under the Information Technology Act 2000, appears to have finally completed its journey with the quashing of the criminal prosecution against Mr Sharat Babu Digumarti. The case was filed in 2004 and lingered on in different courts until the current judgement of December 2016, which seems to have brought closure.

For some reason the judgement got re-circulated in some social media groups, and hence I was constrained to bring it up for debate for academic consideration. Let me make it clear that this discussion is not to suggest that the relief granted was unjustified.

It was clear from the beginning that this was a case where juveniles who committed the offence landed other adults in legal trouble. First was Mr Raviraj, the IIT student whose career was destroyed because he chose to sell the DPS MMS video. Secondly, Mr Avnish Bajaj, the CEO of baazee.com, had to fight his case in all the courts until 2008 before he was acquitted. But the case against Mr Sharat Babu Digumarti lingered on further. All three accused, namely Raviraj, Avnish Bajaj and Sharat Babu, faced disproportionate punishment, intimidation and expense, while the two juveniles went unpunished thanks to the way the law stands in such cases.

In the Nirbhaya case there was discussion on the need to amend the juvenile justice system, and some changes did occur; hopefully more changes will occur in future.

In the course of the journey of this Baazee.com case, several precedents were created. Firstly, "vicarious liability" under Section 85 of ITA 2000 was invoked, and that was what sustained the case until the Supreme Court in 2008 came to the conclusion that the case against Mr Avnish Bajaj did not stand because the company itself had not been arraigned as an accused.

The original case had been filed under Sections 292 and 294 of the IPC and Section 67 of ITA 2000, and each section was separately debated, and Mr Bajaj was acquitted under all the sections one by one. However, Mr Sharat Babu, though discharged under Section 67, had not got relief under Section 292 of IPC, and hence the appeal was preferred to the Supreme Court.

In the current judgement, the point of legal debate was

“Whether proceedings under Section 292 can continue after being discharged under Section 67 of ITA 2008”

The final outcome of the case indicates that the Court agreed with the view that ITA 2000 is a special law and hence Section 67 of ITA 2000 prevails over Section 292 of IPC. Since the charge under Section 67 had been quashed for other reasons, the trial should not continue under Section 292 of IPC.

However, what is surprising is that this judgement made references to the Shreya Singhal case as well as to Sections 67A and 67B of the Act. These were developments which were not in existence when the cause of action arose.

Even if the Section 66A judgement was an opinion that could perhaps be taken as guidance in other cases, Sections 67A and 67B, along with the diluted Section 67, are creations of ITA 2008 which do not have retrospective effect. They were effective from 27th October 2009. Hence it appears inappropriate that the Court should have quoted these two sections in this judgement.

Considering the content of this judgement, it appears that in future double jeopardy could be implied when both ITA 2000/8 and IPC are invoked for the same offence, and in such cases ITA 2000/8 will prevail (in cases where electronic documents are involved). Hence the police should be careful while framing charges and ensure that only one section, of either IPC or ITA 2000/8, is invoked for a particular offence or a step in the offence. Otherwise the charge may be quashed for double jeopardy, unless the ITA 2000/8 charge prevails.

Since the problem with ITA 2000/8 is mainly in terms of production of evidence, the police prefer to use IPC sections where possible. Further, during the investigation stage, IPC sections provide some flexibility to start investigations based on some section which is cognizable under IPC, so the police prefer to add IPC sections. These practices need to change now that the primacy of ITA 2000/8 as the law to be applied in offences involving electronic documents has been established.

Further, this judgement is a further vindication of the "special law" status of ITA 2000/8, which was stressed in the Basheer judgement on Section 65B of the Indian Evidence Act.

P.S.: In the S Ve Shekar case discussed earlier, it may be noted that the section which is non-bailable was under IPC. Further, the offence involved was "forwarding of an electronic document in social media". Hence it would be appropriate only if it were tried under ITA 2000/8 provisions and not under IPC, and the entire FIR in the S Ve Shekar case may have to be reviewed.

Naavi


S Ve Shekar and forwarding of social media messages: Shreya Singhal judgement overlooked

I refer to the recent judgement of the High Court of Madras which was quoted in the media with headlines such as "Forwarding social media posts equals endorsement, says Madras HC".

The judgement was in relation to an "anticipatory bail application" by the well-known Tamil artist S.Ve. Shekar, against whom one Mithar Maideen A, State General Secretary, TN Journalist Protection and Welfare Association, Chennai, registered a complaint. The FIR was registered on 21st April 2018 at CCB-1, Chennai under Sections 504, 505(1)(c) and 509 of IPC and Section 4 of the Prohibition of Harassment of Woman Act 2002. The FIR was only against S.Ve. Shekar and there were no other respondents. However, in the judgement, the Court considered several other petitions (nine petitions), all of which named S Ve Shekar as the accused, as the main person who had committed the offences under IPC, and sought to have him jailed for up to 6 years.

To any unbiased observer, it was prima facie evident that the complaints were motivated by the fact that Mr S Ve Shekar was a BJP leader. The mention in the complaint of the old Shankar Raman murder case, which is considered one of the false cases instituted by some religious opponents of the Hindu faith, was a definite giveaway for anybody looking at the genuineness of the complaint.

The fact that the petitions were only against Mr S Ve Shekar and not against the others also indicated that the motive of the complainants was prompted by political considerations.

Despite these indications that the complainants had not come to the Court with clean hands, the Court did not dismiss the petitions forthwith and went ahead to pronounce a judgement against Mr S Ve Shekar. In the process the Court vindicated the complaints and gave them legitimacy.

The decision is now under appeal with the Supreme Court and we need to wait for further developments.

The political and religious issues involved in the case are a subject matter for debate in a different forum, in which the Court's failure to recognize the possible ulterior motives of the petitioners cannot be ignored.

However, it is necessary to point out that in the judgement the Court made some comments which have attracted the attention of social media observers. As one can observe from the various media reports, the net effect of the judgement has been to create a fear amongst social media users that "forwarding of messages would be considered as an endorsement". This will affect WhatsApp users besides Twitter and Facebook users.

In a bid to harass a person solely for his political affiliation, the petitioners sought to justify their case with an incorrect interpretation of the status of social media postings. These contentions should have been rejected by the Court if it had made an independent assessment of them.

On the other hand, it is unfortunate that the Madras High Court has played along with the petitioners and passed an order which incidentally directly confronts the Supreme Court judgement in the Shreya Singhal case (scrapping of Section 66A of ITA 2008).

We have earlier discussed the Shreya Singhal case in detail in these columns. We had indicated that the Shreya Singhal judgement was prompted by the right reasons but was technically incorrect, in that it considered "posting of messages on Facebook and liking a message on Facebook" as equivalent to "sending messages through a communication device".

At that time we had pointed out that the police had made a mistake in booking the Palghar case under Section 66A, whereas there was no cause of action under any section of ITA 2008; instead of dismissing the case forthwith, different Courts presumed that the filing of the case under Section 66A was correct but that the problem was with Section 66A itself.

The Supreme Court in its judgement stated that Section 66A had created a "chilling effect" on the freedom of expression and had no place in the statute. It was so angry that it did not even read down the section but went ahead and scrapped it.

Now this judgement of Justice (Mrs) Ramathilagam, essentially denying the anticipatory bail requested, has indirectly concurred with the view of the petitioners that "forwarding of a message is equivalent to endorsement".

The judgement neither independently analyzes the reasons for agreeing with such a contention nor clarifies that it does not agree with it, and thus allows the judgement to be interpreted wrongly. The judgement has simply reiterated the arguments of the petitioners and proceeded to give its decision, leading to the conclusion that it endorses those arguments in toto.

The instant case is one of "alleged defamation of the women journalist community" through the use of electronic documents. The causes of action under different sections of IPC are fine, but they have to be backed by admissible evidence and proof of mens rea. Under ITA 2000/8, Sections 67, 67A and 67B speak of offences involving the publishing and transmission of electronic documents. In the absence of Section 66A, sending messages through communication devices is outside the ITA 2008 list of offences.

If we go with the Shreya Singhal judgement, which is the current precedent, posting on Facebook or Twitter, liking, retweeting etc. form part of the constitutional right to freedom of expression and cannot be objected to on flimsy grounds.

Only in the instance of "child pornography" under Section 67B can offences be made out on issues such as forwarding.

The subject complaint is therefore completely outside ITA 2008 and completely against the spirit of the Supreme Court judgement on Section 66A.

If the complaint is sought to be sustained on the basis of IPC, then one has to ask whether there was any Section 65B certified copy of the electronic document as admissible evidence. If not, why did the Court proceed arbitrarily without admissible evidence?

If the Court wants to exercise its own discretion in the matter of evidence, questions should be asked about whether the Court considered the antecedents of the complainants.

It would have been appropriate if the case had been heard by a larger bench, taking into account the implications of allowing arguments such as "forwarding is equivalent to endorsement" to remain unchallenged.

It would have been prudent for the Judge to have pointed out that she had come to the conclusion of rejecting the anticipatory bail application for reasons other than that "forwarding of an electronic document on Facebook is equivalent to endorsement".

This statement made by the petitioners is short-sighted and mischievous and should have been categorically rejected.

Whatever the political and ideological affiliation of the petitioners, the Court should have avoided passing an erroneous judgement contrary to the Supreme Court's prevailing order.

If in the process S Ve Shekar had got the anticipatory bail, which the Court did not like, the Court could have satisfied its urge to express its feelings about the effect of the Facebook post/endorsement by passing strictures on him and warning him in severe terms.

I remember that in one of the past judgements, the Judge stated to the effect: "I know that the accused is guilty but the evidence unfortunately is not sufficient to declare him guilty. I therefore acquit him." The Judge in that case was clear in his conviction but stuck to the established system of criminal jurisprudence.

A similar approach could have been adopted by the Court in the case of S Ve Shekar's petition, chastising Mr Shekar in strong terms without endorsing arguments such as "forwarding is equivalent to endorsement".

I wish the Supreme Court would correct this erroneous judgement.

If the Supreme Court is committed to its judgement on Section 66A and freedom of expression, it should call this judgement out as having a "double chilling effect on society" and scrap it forthwith... unless it is also swayed by the political and religious undertones in the case.

Naavi

PS: The copy of the order is available here


Data Processors' Association of India needed for compliance without destruction

The earlier article on GDPR's entry into India being like Vasco Da Gama's discovery of India has attracted some interesting reactions from industry professionals.

While we may accept that the intention of GDPR is to protect the privacy of natural persons, and that there are therefore "data subject's rights" including the "right to erasure", "right of access", "right to data portability", "right to restriction of processing", "right to rectification" etc., we must point out that any attempt to impose the regulation unilaterally on Indian citizens is to be resisted because it is a question of the sovereignty of the country.

I consider that GDPR has provisions which recognize that other countries, including the EU member countries, may have overriding provisions in their national interests; it is the intermediary analysts who are confused and spreading the message that GDPR is applicable to all companies and to citizens of all countries.

We need to therefore fight against the "self-subjugation mentality" of some consultants who give larger-than-life importance to the EU legislation.

While laws can have extraterritorial jurisdiction built into them as an "enablement", their implementation is subject to the acceptance of other international governments by way of a treaty.

Hence, as long as there is no specific treaty between India and the EU to implement GDPR, Indian companies are not directly liable under GDPR.

However, ITA 2008 is a local law. DISHA 2018 would be another law of India, and the Data Protection Act of India, when passed (the Justice Srikrishna law), would be a law of India which needs to be implemented in India.

At the present juncture, the GDPR provisions can be extended to Indian data processors only through the data processing contracts signed between the Indian data processors and their international business partners. When Indian companies sign blank indemnity provisions without an upper limit on liability, they will be confronted with contractual disputes in due course if there is any claim by the international partners. Additionally, under the provisions of GDPR, data controllers are empowered to literally extract the trade secrets of the data processors, and if the data processors do not realize this and resist, they will be subject to business secret disclosures and searching technology audits by external agencies which will hurt their business interests in the long run.

Further, many of the provisions of GDPR are simply un-implementable, since they are not conceived correctly, though some provisions to bypass the un-implementable provisions are built in. However, when there is a conflict, EU supervisors and courts may take a partisan view against non-resident companies and disallow any attempt to use special provisions that may look like an attempt to bypass the popular perception of a privacy protection provision.

In such a situation, I would have expected industry bodies such as NASSCOM and DSCI to have come up with proper guidance for Indian companies, particularly the SMEs in the data processing segment.

However, by organizing a "Welcome GDPR" event in Delhi on 25th May 2018, the Government of India has indicated that it may fail to show the required concern for the welfare of Indian data processors, particularly those in the SME sector who do not have a voice in NASSCOM or DSCI.

There is a possibility, however remote, that GDPR will be used by EU-based businesses to squeeze the sweat out of Indian processors without commensurate reward. One notice from a business partner to show cause why it should not invoke an indemnity provision in the contract would make an Indian processor succumb to any pressure to reduce prices to levels where data processing for EU data will no longer be sustainable.

Slowly, the EU will impose its own certification bodies and approved codes, which Indian processors will be forced to buy and adopt, and the Indian data processing industry will be subjugated into a data processing colony of the EU.

The US will be in a similar situation but, because of its economic muscle, will wriggle out of the vice grip of the EU GDPR through a new version of Safe Harbor, Privacy Shield or Standard Contractual Clauses, supported by the strong US courts.

But in India we are unlikely to have similar support from the Government and the current industry associations. The only saviour I see is the Justice Srikrishna law, where some provisions can be incorporated which will not allow such international hegemony. Hence my earnest appeal to the Srikrishna Committee. I am aware that the committee is again dependent on DSCI and NASSCOM for advice, but Mr Srikrishna should have an independent mind of his own and can see through any attempt to dilute the sovereign rights of India in resisting international regulations that undermine the freedom of existence of Indian companies through unfair legislation and unfair implementation.

It is in this context that I urge the SMEs in the data processing industry in India to secure their interests by forming their own association and developing a collective strength to be heard in India and abroad.

In case the Justice Srikrishna Committee does not propose the necessary protective measures within the legislation, it would be necessary for the association to seek changes. Instead of waiting for the draft to be released before crying injustice, it is preferable that the industry moves now and, before the imposition of GDPR on 25th May 2018, develops a collective strategy to ensure that the Indian data processing industry is not unduly harassed. The association should move towards developing its own "privacy protection codes" for implementation in the data processing environment for Indian citizens and non-Indian citizens, and show the world that India can respect democratic norms without challenging the sovereignty of another country, as GDPR proposes to do.

If we do not act now, India will face the self-destruction of its data processing business segment, and it will happen with the help and assistance of many Indian industry establishments and associations who may think that they are globalizing the Indian data processing industry and cornering business opportunities.

I request Justice Srikrishna as well as Mr Ravi Shankar Prasad to respond to the concerns expressed here and assure the citizens of India that their interests will not be undermined.

Naavi


Calling attention of the Justice Srikrishna Committee on Data Protection: Don't let GDPR be the new Vasco Da Gama


We have many times through these columns urged the Justice Srikrishna Committee, which is drafting the new data protection law for India, to ensure that an "umbrella protection" is provided to Indian companies against being unfairly targeted under EU GDPR by EU companies and the EU data protection regime.

As we approach D-Day, 25th May 2018, when GDPR becomes operational, many companies in India are getting into panic mode about the impact of GDPR on their business. The indications are that companies think GDPR applies to all their activities, and this is leading them to believe that they need to take many actions which they are not bound to take. Partly this panic is being induced by US companies who engage Indian data processors for part of their processing activities. In the process, many Indian companies are revising their business contracts to meet the GDPR requirements as they perceive them, endangering their own and the country's business interests.

These contracts typically contain indemnity obligations which include compensation payable for any loss caused to the vendor. Since this is likely to include the administrative fines under GDPR, Indian companies may be forced to underwrite the GDPR obligations of international companies even though their revenue share is only a part of the entire industry's revenues.

There is a national interest involved in ensuring that unfair and unconscionable liabilities are not introduced into the data processing contracts that Indian Companies are forced to enter into.

These contracts are "dotted line contracts" and need to be fairly constructed. However, in practice, it is difficult to expect Indian companies to resist signing such contracts because of business relationship considerations.

It is therefore necessary that Indian legislation provides protection to such companies in the national interest.

One option available to us is that we are about to draft our own data protection law, and this provides an opportunity to define a grievance redressal mechanism, by which it should be made mandatory for international contracts for data protection to be pre-approved by the Indian Data Protection Authority, without which no liability may be imposed on Indian entities.

GDPR itself recognizes that some of the member states may not permit the imposition of administrative fines and has suggested that suitable alternate measures may be provided in the member state laws. [Refer Article 83(9)]

The Indian Data Protection Act should also incorporate equivalent protection so that any payment of fines under GDPR data processing contracts shall be considered void unless it is approved under Indian law.

Though the GDPR should be interpreted as a law applicable to “Activities in EU”, there is an attempt to interpret it as a “Global Law” and let the EU determine the law for other sovereign countries. I am not sure if the EU is really that arrogant as to assume that in the 21st century, other countries will tolerate the EU legislating the activities that take place outside the EU, even if the intention is laudable. But many in India are more loyal than the king and, when required to bend, are happy to crawl. This tendency should be resisted.

Though Article 2(2) clearly admits that

“this regulation does not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law”

many analysts are interpreting it as if, under Article 3(2), Controllers and Processors not established in the EU are also subject to the regulation without any restrictions.

Some non-EU companies are falling into the trap of Article 24(3) and thinking that they need to appoint representatives in the EU, without recognizing that the act of appointing a representative itself brings them under EU jurisdiction even if they are otherwise outside it.

Indian Companies need to avoid voluntarily jumping into the jurisdiction of the EU and dragging in liabilities which the EU law-making body has no authority to impose on them.

(Refer article here where the GDPR scope is discussed in detail by one analyst…. very informative and indicative of the perceptions of the global community)

Welcoming the Vasco Da Gama

Unfortunately, it appears that there is no adequate attempt made by NASSCOM or DSCI in advising the Indian Companies properly to ensure that their interests are protected.

On 25th May 2018, there is a high-profile event organized in New Delhi as if India wants to celebrate the GDPR. EU Commission representatives are expected to participate in this along with DSCI, NASSCOM and Government officials.

Even Justice Srikrishna is likely to attend this event and speak.

As a result of the participation of NASSCOM, DSCI, and Justice Srikrishna, it would appear as if India is endorsing GDPR.

To me this appears to be similar to the Indians who welcomed Vasco Da Gama to India without realizing that it was the beginning of the colonial rule which extended for centuries thereafter, with all kinds of economic pirates entering India, including the French and the British.

Now, a similar danger seems to be in front of us in the form of GDPR. Indian companies need to be protected against the unfair incidence of GDPR, and we must prevent it being used for building an economic colony in India by EU companies.

Even if at present GDPR appears to be only a Privacy protection legislation and a good “Standard” which can be adopted as an industry practice, we must realize that adoption of GDPR will be followed by GDPR Codes and Certifications approved by the Supervisory Authorities of EU countries.

This GDPR Certification process will replace ISO standards and create a huge business potential for GDPR-related security services and products.

I must disclose that I could be one of the beneficiaries of such a development, since I may be providing consultancy and educational programs in the area and am also working on a patent-pending software which should help Indian companies in compliance. However, in the interest of the community, it is necessary to raise a red flag against GDPR turning out to be an instrument of exploitation of Indian business interests.

I request that the EU should refrain from projecting itself as the Privacy saviour of the world community and avoid going overboard with the “Extra Territorial Jurisdiction” of its laws. If they desire to use GDPR for expanding their business network, then they need to enter into a business treaty with the Indian Government ensuring that there is a fair exchange of mutual benefits.

Since it appears that our IT Ministry might not have realized what the Indian data processing industry is walking into in the guise of GDPR, I urge Justice Srikrishna to step in and introduce suitable provisions in the proposed Data Protection Act so that our national interests are not undermined by the application of GDPR, directly or indirectly, to IT operations in India.

Naavi

Also Refer: Data Protection Law should provide a Jurisdictional umbrella

Posted in Cyber Law | 2 Comments

IRCTC fraud is an exhibition of Technology Intoxication

Recently, a case was reported from Lucknow where one person by the name of Hamid Ashraf, from a place called Basti in UP, was arrested for running a franchise chain of over 500 franchisees across the country who were indulging in cheating the IRCTC systems and the public in making Tatkal bookings through the IRCTC website.

I congratulate the Police in Bangalore who raised the alarm and took it to the CBI, and with the assistance of the UP Police, the criminal was nabbed.

I would like to see that the 500 franchisees are also arrested and proceeded against since all of them are guilty of the conspiracy.

I understand from the above video that Hamid had put more than Rs 50 lakhs in his account at ICICI Bank. I therefore consider that the officials of ICICI Bank were aware that this person had amassed wealth much beyond his known means, as it is stated that he is just 18 years old, studies in 12th class and lives in a shanty house. How did the Bank not recognize that there was some illegal activity going on in this house and that the money deposited was “Money laundered” as per the definition in the AML provisions?

How did the IRCTC miss the fact that the IP addresses from which the Tatkal bookings were made came from a single source day after day? I am sure that ultimately it was the log record at IRCTC that led to this person, but why not earlier?

I therefore cannot absolve IRCTC from its gross negligence in letting such frauds happen for a prolonged period.

I had some time back indicated that in the case of Abhinav Srivatsava, where the Aadhaar system was alleged to have been hacked, Naavi.org had highlighted the fraud possibility months in advance and UIDAI had not taken the hint. Earlier there was also the case of the fraudulent website cgtmse-govt.in, where the fraud thrived for nearly three years even after Naavi.org had pointed it out.

In all these cases several intermediaries may be faulted for not taking early preventive action which could have prevented the fraud. By the operation of Section 79 and Section 85 of ITA 2000/8, they may be held liable by the victims and the prosecution for civil and criminal penalties.

In the case of IRCTC also, there is a similar issue. It was on August 25, 2010, that is, eight years ago, that I had posted the following in my blog:

IRCTC to bar Online booking by Agents

Aug 25: After frequent complaints from individuals about the difficulties in Tatkal booking because of block bookings by agents, Railways appears to have taken steps to ban the agents from online booking for a period of one hour from 8.00 am to 9.00 am. Ref: report

In the light of the revelations about the use of “User end Scripts” to automate the bookings and break the Captcha, it has become evident that the system is being abused significantly. Common men were disillusioned of late with the online bookings, particularly for Tatkal booking, and would welcome this move wholeheartedly. At the same time IRCTC needs to tighten the security to disable user-end scripts and also blacklist the user accounts of those who use the automated scripts. They should also retain the option to cancel the booked tickets without refunds where they can record proper evidence of such wrongful use. Since technically any use of scripts such as those available at Vrarun Kumar’s blog is illegal (an offence under Section 66 of ITA 2008), the penalty of losing the booking is a necessary measure that IRCTC should take.

It is also reported that the Railways may start an alternate online booking site to remove the monopoly of IRCTC. Report. The additional booking facility is likely to be introduced through http://www.indianrail.gov.in/
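The two points above, that a single source booking day after day should have been visible in the IRCTC log record, and the 2010 recommendation to disable user-end scripts and blacklist the accounts that use them, amount to a plain detection rule over booking logs. The following Python is an added example and is not code from the original post or from IRCTC; the log format, the field names, the sample log lines and the thresholds are all constructed assumptions that an operator would replace with the real ones.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample booking log (not real IRCTC data). Assumed format:
#   <ISO timestamp> <client_ip> <user_id> BOOK <booking_ref> <status>
# 203.0.113.7 places a burst of bookings seconds after the Tatkal window
# opens on two consecutive days, spread across ten different user accounts.
SAMPLE_LOG = """\
2018-05-10T08:00:03 203.0.113.7 agent01 BOOK REF-0001 OK
2018-05-10T08:00:05 203.0.113.7 agent02 BOOK REF-0002 OK
2018-05-10T08:00:06 203.0.113.7 agent03 BOOK REF-0003 OK
2018-05-10T08:00:08 203.0.113.7 agent04 BOOK REF-0004 OK
2018-05-10T08:00:09 203.0.113.7 agent05 BOOK REF-0005 OK
2018-05-10T08:00:11 203.0.113.7 agent06 BOOK REF-0006 OK
2018-05-10T08:14:30 198.51.100.22 ravi BOOK REF-0007 OK
2018-05-10T10:30:00 198.51.100.23 anita BOOK REF-0008 OK
2018-05-11T08:00:02 203.0.113.7 agent01 BOOK REF-0009 OK
2018-05-11T08:00:04 203.0.113.7 agent02 BOOK REF-0010 OK
2018-05-11T08:00:05 203.0.113.7 agent07 BOOK REF-0011 OK
2018-05-11T08:00:07 203.0.113.7 agent08 BOOK REF-0012 OK
2018-05-11T08:00:08 203.0.113.7 agent09 BOOK REF-0013 OK
2018-05-11T08:00:10 203.0.113.7 agent10 BOOK REF-0014 OK
2018-05-11T08:20:00 198.51.100.22 ravi BOOK REF-0015 OK
2018-05-11T08:00:03 192.0.2.55 sunil BOOK REF-0016 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) BOOK (\S+) (\S+)$")
# Assumed Tatkal window; the 2010 post refers to 8.00 am to 9.00 am.
TATKAL_START, TATKAL_END = time(8, 0), time(9, 0)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append({"ts": ts, "ip": m.group(2), "user": m.group(3), "ref": m.group(4)})
    return events


def tatkal_bookings_by_ip(events):
    """Count bookings per (ip, date) that fall inside the Tatkal window,
    and remember which user accounts booked from that ip on that day."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for e in events:
        if TATKAL_START <= e["ts"].time() < TATKAL_END:
            key = (e["ip"], e["ts"].date())
            counts[key] += 1
            users[key].add(e["user"])
    return counts, users


def flag_sources(events, per_day_threshold=5, min_days=2):
    """Flag an ip that makes at least per_day_threshold Tatkal-window bookings
    on at least min_days distinct days (the 'same source day after day' pattern).
    Returns {ip: {"days": [iso dates], "accounts": [user ids]}} for review."""
    counts, users = tatkal_bookings_by_ip(events)
    days_over = defaultdict(list)
    for (ip, day), n in counts.items():
        if n >= per_day_threshold:
            days_over[ip].append(day)
    flagged = {}
    for ip, days in days_over.items():
        if len(days) >= min_days:
            accounts = set()
            for d in days:
                accounts |= users[(ip, d)]
            flagged[ip] = {"days": sorted(d.isoformat() for d in days),
                           "accounts": sorted(accounts)}
    return flagged


def fast_sequences(events, min_gap_seconds=3):
    """Count, per ip, consecutive bookings closer together than min_gap_seconds;
    a human filling a form and a Captcha cannot sustain such gaps, a script can."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    result = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        fast = sum(1 for a, b in zip(stamps, stamps[1:])
                   if (b - a).total_seconds() < min_gap_seconds)
        if fast:
            result[ip] = fast
    return result


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, info in flag_sources(evs).items():
        print(f"review {ip}: {len(info['days'])} days over threshold, accounts {info['accounts']}")
    print("machine-speed sequences:", fast_sequences(evs))
```

The two checks are deliberately separate: the per-day count catches the persistent source the author describes even when each booking is slow, while the gap check catches scripted bursts on a single day. Both return the accounts and dates rather than acting on them, so that the blacklisting the 2010 post recommends happens after an operator has looked at the evidence.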

In this article, I had also quoted a blog, shown below.

After I had pointed this out, and after one TOI reporter from Chennai contacted this techie, he removed the blog post. At that time no complaint had been filed, and it appeared that the techie had no malicious intentions and had taken reasonably prompt action to remove the content once the potential offence was brought to his notice. The TOI reporter was also responsible and did not sensationalize the issue. Otherwise it would have killed the career of a techie who was ignorant of Cyber Laws and acted just like other techies always do.

I have called this tendency to show off tech skills “Technology Intoxication”, and it needs to be controlled. We see a similar rebellious tendency when techies support Crypto Coins, post hacking tools in public or trade viruses in the underground.

The entire “Dark Web” is a compendium of such techies who, unmindful of the damage they are doing to society, try to display their vulgar tech skills for others to exploit.

In the present case of Hamid Ashraf, he may or may not be technically qualified to have developed the software. It is possible that he might have picked up this software from the dark web or other sources. We need to investigate this and try to eliminate the root.

I seriously urge the Police to take penal action against all the franchisees who made illegal money so that it would be a deterrent to others who use dark web tools to make money. Police should also question the Bank on why they allowed the money laundering and did not recognize that the balance in the account was far above the known resources of the customer. The Income Tax authorities need to ask themselves why they were not able to trace the anomaly of a Rs 50 lakh bank account held by a 12th standard boy living in a modest hut.

Unless, as a society, we raise ourselves up and act as watchdogs, we cannot make progress in the country.

Now I have raised this issue here today and brought it to the notice of many Police officials also.

But will this case be pursued further to its logical end? Or will it be buried?

Will the 500 franchisees just ensure that a portion of their loot goes to the right quarters so that the case does not proceed against them?

Will the Sicular politicians start saying that this is a vindictive action against a community?

As an honest citizen who keeps watching the degradation of our society through corruption, I keep my fingers crossed and hope that some honest police officials, some honest politicians and some honest media persons are still left in the society who will take this opportunity to take all steps that can be initiated to prevent such frauds in the future.

Naavi

Posted in Cyber Law