Will GDPR convert the entire Internet to Deepweb?… NIXI Has to wake up

The difficulties GDPR has created for global business have now escalated into a legal battle between ICANN and a German registrar over the implications of GDPR.

A German court has recently rejected an application by ICANN against the domain registrar EPAG for an injunction that would have compelled the registrar to continue collecting the full set of contact information from domain registrants. (Refer details here).

The dispute was over whether the details ICANN requires a registrar to collect from a domain registrant are “excessive” and therefore contrary to the “data minimisation” principle. EPAG is owned by Tucows, reportedly the second largest domain registrar in the world.

It is reported that ICANN had earlier represented before the European data protection authorities that collection of Admin and Technical Contact details was necessary in addition to the Registrant’s details, a position the authorities considered unnecessary. The German court appears to have agreed with the authorities’ view.

Now the ball is in ICANN’s court. Will it simply accept the ruling against its own rules, or will it fight on by asserting its “legitimate interests” and terminate the registrar’s accreditation, which rests on the registrar’s present contractual obligations to ICANN?

The domain names could then be transferred by ICANN to other registrars who bid for them under a “transfer mechanism”, which could include the explicit consent of the data subjects to continue under the current ICANN regime.

How GDPR may convert entire Internet into Deepweb

Already, “privacy” concerns have led most registrars to suppress WHOIS information behind a veil of secrecy. This has made it easier for criminals to use short-lived domain names to commit crimes, while law enforcement struggles to identify who manages a domain name.

Now GDPR complicates the matter further, first through the “Right to Erasure”. “Right to Erasure” means that a domain name registrant who has used a domain name can demand that all information about the domain name be deleted from the registrar’s records. To comply with this requirement, EU-based registrars would introduce a system whereby such requests are diligently handled. The right is not absolute: Article 17(3) of GDPR excludes processing that is necessary to comply with a legal obligation under Union or Member State law, or to establish, exercise or defend legal claims, so a registrar with a statutory retention duty can refuse erasure of that data. Whether registrars will rely on those exceptions or simply delete on request is the practical question.

As a result, “deletion on request” would become standard procedure, first for registrars in the EU, then for others in respect of “registrants from the EU”, then for multinational companies with an office in the EU, and perhaps as standard practice for everyone else.

When such developments take root, criminals will have a field day. Domain name data will first be shielded under the “privacy” clause and then vanish.

As a result, the internet will become as secretive as the deep web in respect of domain ownership.

This could be a serious law enforcement issue and could turn Europe into a haven for cyber criminals.

Recently a demonstration was reported from London misusing “freedom of expression” and demanding the introduction of “Shariat law” in the UK. Privacy law through GDPR will create another instrument by which terrorists can spread their tentacles worldwide while sitting in the safe havens of the EU. It is unfortunate that EU authorities are either naive enough to disregard this threat or are themselves compromised and are letting privacy be used as a shield for criminal activity.

I hope that Indian authorities, including NIXI which is in charge of the .in domain, will not let this misapplication of privacy law create a safe haven for cyber criminals. When India introduced .in domain name registrations, many German registrants registered .in domain names for squatting or with future criminal intent. Many of these will now start questioning NIXI about whether it is GDPR compliant.

NIXI should understand that there are data retention provisions in India under ITA 2000/8 (Section 67C) which require intermediaries to retain certain data for a reasonable period. Though MeitY has not yet designated domain name registration data as data to be retained for a particular period, it is presently a permanent record, and any change would need modification of the terms of the registration agreement.

NIXI should reiterate that GDPR is not applicable in this instance, since our “legitimate interests” and “local laws” are not in agreement with GDPR and prevail over it.

Justice Srikrishna also needs to take note of these developments and ensure that our own data protection law does not endorse GDPR blindly.

I request MeitY to respond to this concern.

Naavi


Territorial Scope of GDPR and UK DPA 2018

There is a misperception in some sections of the IT industry in India that “GDPR is applicable to India”, without recognising that its applicability is subject to certain conditions. This needs to be dispelled at the earliest.

One of the frequent questions asked is:

If we encounter an EU citizen in India in the course of our business, are we liable under GDPR?

If so, should we appoint a representative in the EU?

These questions can only be answered with reference to the context, not in the absolute.

For example, GDPR applies to an EU citizen in the context of his or her activities while in the EU. In the case of an EU citizen’s activities in India, GDPR is not applicable.

If a company in India monitors the behaviour of an EU citizen in respect of activity that takes place in the EU, or offers goods or services to EU citizens in the EU, then GDPR may apply. Note that an “occasional” interaction does not by itself take the processing outside GDPR: Article 27(2)(a) only exempts occasional, low-risk processing from the obligation to appoint a representative in the EU. If the Article 3(2) conditions are met, the Regulation itself still applies.

Therefore, if an EU citizen walks into a mall in Bangalore and pays for a product with his credit card, that is not a case under GDPR. If an Indian maintains a website and a person from the EU visits it, that also should not ordinarily fall under GDPR: Recital 23 states that mere accessibility of a website in the Union is insufficient to show an intention to offer goods or services to data subjects there. Only when a service is specifically targeted at persons in the EU does GDPR become relevant.

The above inference can be drawn from the following articles:

Article 2(2)(a): This Regulation does not apply to the processing of personal data… in the course of an activity which falls outside the scope of Union law;

Article 3(1) :  This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

Article 3(2):

This Regulation applies to the processing of personal data of

data subjects who are in the Union

by a controller or processor not established in the Union,

where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

In the case of data processors in India who process data sent to them by an entity established in the EU, that entity is the data controller and is liable for GDPR compliance. The Indian entity is liable under its contract with the data supplier (the processor contract that Article 28 requires the controller to put in place, together with whatever transfer safeguards the controller relies on).

GDPR uses the words “data subjects who are in the Union” rather than “EU citizens”, and Recital 14 adds that the protection applies “whatever their nationality or place of residence”. Read literally, the trigger in the text is the data subject’s location at the time of processing, not citizenship, which is wider than many readers in India assume.

However, a person who is not a “resident” of the EU will typically have only an “occasional” encounter with the data collector. Since the EU’s mandate is to make laws for EU citizens, it is unclear how it can extend to the citizens of other countries. Similarly, when an EU citizen is travelling in another country under a visa and is bound by the laws of that country, it is unclear how GDPR can extend to his activities outside the EU.

UK DPA 2018

UK DPA 2018 adopts GDPR wholesale and therefore inherits its unclear aspects. But when defining the direct scope of DPA 2018, the UK Act is a little clearer.

Section 207 of UK DPA 2018 states as follows:

207 Territorial application of this Act

(1) This Act applies only to processing of personal data described in subsections (2) and (3).

(2) It applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or
not the processing takes place in the United Kingdom.

(3) It also applies to the processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where—

(a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,
(b) the personal data relates to a data subject who is in the United Kingdom when the processing takes place, and
(c) the processing activities are related to—

(i) the offering of goods or services to data subjects in the United Kingdom, whether or not for payment, or
(ii) the monitoring of data subjects’ behaviour in the United Kingdom.

(4) Subsections (1) to (3) have effect subject to any provision in or made under section 120 providing for the Commissioner to carry out functions in relation to other processing of personal data.

(5) Section 3(14)(c) does not apply to the reference to the processing of personal data in subsection (2).

(6) The reference in subsection (3) to Chapter 2 of Part 2 (the GDPR) does not include that Chapter as applied by Chapter 3 of Part 2 (the applied GDPR).

(7) In this section, references to a person who has an establishment in the United Kingdom include the following—

(a) an individual who is ordinarily resident in the United Kingdom,

(b) a body incorporated under the law of the United Kingdom or a part of the United Kingdom,

(c) a partnership or other unincorporated association formed under the law of the United Kingdom or a part of the United Kingdom, and

(d) a person not within paragraph (a), (b) or (c) who maintains, and carries on activities through, an office, branch or agency or other stable arrangements in the United Kingdom, and references to a person who has an establishment in another country or territory have a corresponding meaning.

In the above section, subsection (3)(a) states as follows:

(3) It also applies to the processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where—(a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,

Read on its own, paragraph (a) looks ambiguous, but read with paragraphs (b) and (c) it describes the same situation as GDPR Article 3(2): a controller or processor established outside the EU (for example in India) whose processing is directed at, or monitors, data subjects who are in the UK. It is not a provision about an EU-established controller having its data processed elsewhere; that case is covered by subsection (2). Whether the UK can in practice enforce the Act against a company established in another country under a different law is a separate question, and this has to be kept in mind while reading this section.

Subsection (7) is however welcome, as it explains which persons are treated as “established in the United Kingdom”.

Subsection (3)(b) also clarifies that “in the United Kingdom” is tested at the time the processing takes place.

It is unfortunate that both GDPR and the UK DPA are drafted in a way that puts needless doubts in the minds of technical people not well versed in the legal aspects. It is not clear whether this is deliberate.

I presume that the Indian DPA will provide the necessary clarification when it is drafted and establish the sovereignty of the Indian Government to make laws for its own companies, rather than allowing the EU and UK to think that India is still their colony.

Naavi


Are Privacy Laws Getting bigger than Cyber Crime Laws?.. Is Profiteering replacing deterrence principle in law making?

GDPR has changed the landscape of cyber laws by redefining their priorities. So far the concern of society was mostly “preventing damage to a citizen” through cyber crime laws. This was achieved by defining certain actions as “contraventions” and/or “offences” and either imposing civil liability to pay compensation or treating the act as a criminal offence in which the perpetrator pays a penalty to the government and faces imprisonment.

“Unauthorised access” to data was therefore treated as a cyber crime: a person who caused wrongful loss through an act contravening the law could be asked to pay compensation, for which the victim had to prove the extent of damage suffered. If the unauthorised access was intentional and had malicious intent, it was treated as a crime punishable with imprisonment and fine. Criminal action was a state action intended as a deterrent; civil action was meant to recover the loss suffered by the victim.

When unauthorised access was accompanied by data theft, data deletion, data modification, impersonation, cheating, profit making etc., the crime was treated as a higher order crime and the punishment could be harsher. But civil damages were always based on the actual loss suffered by the victim, which he was expected to prove at trial.

The cyber crime laws focused on providing deterrent punishments commensurate with the gravity of the crime, together with easy grievance redressal through fast-track forums, simplified procedures and the like.

India provided such measures through ITA 2000, in which “adjudication” was provided as a fast-track forum to compensate victims of cyber crimes. ITA 2000 was representative of the first generation of cyber crime laws, whose target was to protect the victim of a cyber crime.

Out of necessity, the first generation cyber crime laws also addressed the responsibilities of an “intermediary” and the need for it to take suitable “due diligence” steps to make it harder for criminals to benefit and, if they do, to provide suitable evidence to law enforcement to bring the culprits to book. Sections 85 and 79 of ITA 2000 were meant for this purpose.

The second generation of cyber crime laws, represented by ITA 2008 (the amended version of ITA 2000), apart from defining more cyber crimes, was fundamentally different from ITA 2000 because of its greater emphasis on the role of information/cyber security. For example, ITA 2008 introduced data protection clauses such as Sections 43A and 72A, providing civil and criminal penalties if personal/sensitive personal data is not adequately protected by a data processor, a term which included the data controller, data consumer or data collecting agent. There were also data retention provisions under Section 67C, and regulatory powers for different authorities under Sections 69, 69A, 69B and 70B, which reflected national security and law enforcement requirements.

ITA 2008 was stringent enough on “non-compliance”, but its penalties took the form of long imprisonment terms rather than huge financial penalties collected by a regulator.

GDPR and UK DPA 2018 represent the third generation of cyber laws, in which prevention is treated as a greater responsibility than the crime itself, and intermediaries are subject to penalties that could be crippling.

GDPR raises a concern about the power of a “supervisory authority” to impose administrative fines for non-compliance of up to 4% of the global annual turnover of an undertaking (or EUR 20 million, whichever is higher), an amount that bears no relation to the actual damage the data subjects might have suffered due to the non-compliance.

ITA 2008, on the other hand, provides up to 7 years’ imprisonment under Sections 69 and 69A, 3 years under Section 69B and 1 year under Section 70B. The fines range up to Rs 1 lakh or are left unstated.

Though the criminal punishments under ITA 2008 are severe, the courts evaluate the crime and arrive at the actual punishment, both imprisonment and fine. Indian courts give the accused enough opportunity to seek justice based on the actual facts of a case.

However, GDPR has now placed in the hands of an executive body, the supervisory authority, the power to impose fines that could run into billions of dollars, even in cases where the non-compliance is technical and may not result in significant damage to the citizens whose privacy the Regulation is meant to protect.

It appears as if “non-compliance” with a regulatory provision is a greater offence than an actual cyber crime in which somebody is cheated of a million dollars.

This is a wrong prioritisation in the justice system, where “failure to implement crime prevention” is treated as a bigger crime than what the criminal has committed.

An analogy would be to impose a life term on a security guard who forgot to lock the gates of the godown from which a thief stole some valuables, while the thief himself is punishable with two or three years’ imprisonment.

EU authorities may justify their position by saying that the penalty provision is just an enabling provision and would not be applied unfairly.

But was there any need to place such a stringent provision without adequate checks and balances? (Article 83(2) does list factors the authority must weigh, and Article 78 allows a fine to be challenged in court, but the first-instance decision on the amount remains with the regulator.) It would have been better to leave the larger penalties to the courts instead of the executive. In this regard GDPR has failed to be a fair legislation.

We may recall that ITA 2008 placed a Rs 5 crore cap on the jurisdiction of the Adjudicator and left higher claims to the discretion of the courts. The EU did not provide such checks and balances before indicating threatening levels of penalties.

It appears that regulators have started treating penalty provisions as an opportunity for “profiteering” rather than as a deterrent.

This could well be the tendency of the new generation of privacy protection laws, which are really one part of cyber crime law, applicable only to the misuse of one type of data called “personal data”. Every data theft is also a cyber crime and there is already a legal penalty for it. Administrative fines are just one of the penalties that may be imposed on an intermediary in respect of a cyber crime, and should not ideally be more damaging than the punishment meant for the cyber crime itself.

Let us set aside the European laws, since the EU is unmindful of the damage such crazy penalties do to its own business fabric. India is now considering its own data protection law, which Justice Srikrishna is in charge of drafting.

We need to watch whether the Justice Srikrishna Committee falls into the trap set by GDPR and UK DPA 2018 and lets data protection legislation overpower the cyber crime laws, or keeps it as a law subordinate to the cyber crime law, as it normally should be.

Many suggestions have been made to the Committee in this regard, and we need to watch developments so that India can show the world how to frame data protection laws that are fair to all stakeholders.

India should also remember that GDPR is a terrorist-friendly and criminal-friendly regulation and India cannot afford to toe its line. Hence the right to erasure must be avoided, and the rights to restriction and correction should be moderated with appropriate data retention protections. These are required in the interest of national security, which GDPR has ignored but we cannot.

Naavi


GDPR Exclusion


It is declared that Naavi.org follows the principles of privacy protection under the Information Technology Act 2000 as amended from time to time, and where there is a conflict with any other international law or guideline, the provisions of ITA 2000 shall prevail.

In particular, Naavi.org does not subject itself to the administrative jurisdiction of GDPR, and any data subject who intends to be protected by GDPR rather than ITA 2000 shall not use any of the services of this site or its networked sites.

Any claims made under non-ITA 2000 statutes or regulations regarding privacy protection or otherwise are unacceptable and may be deemed as maliciously intended.

Naavi


Tame the monster of GDPR

GDPR came into effect yesterday, along with the UK Data Protection Act 2018. Together these pieces of legislation are completely changing the IT business landscape in India.

Already the Austrian data privacy activist Max Schrems has launched three complaints, seeking a total of EUR 3.9 billion, against Facebook, WhatsApp and Instagram through regulators in Austria, Belgium and Germany.

More such insane legal action will follow.

These actions elsewhere in the globe will also have ripple effects in India, which is the back-end processing centre for a large part of personal data processing. To a corporate entity they can be devastating: defending such cases, particularly in foreign countries, is expensive and increases the cost of doing business.

Indian companies therefore need to be extremely concerned about the damage that motivated activists can do to their business, whether to boost their own ego or as an instrument of blackmail.

While it is the legitimate right of any individual or activist to seek legal recourse for any grievance, real or imaginary, courts and regulatory authorities need to remember that the law exists for the benefit of people in general, and that “people” includes “legitimate business”.

But we have to admit that when a prima facie case is made out, the courts have no option but to begin a trial, and that in itself is a burden on the business.

The first line of defence for companies is to present their case properly to the regulatory authorities so that unfair litigation is nipped in the bud.

Knowledge is the tool for such defence, and every company, its CEO and its directors should themselves be reasonably aware of the provisions of data protection laws so that they can ensure their legal teams find appropriate solutions to problems that may arise.

I therefore urge the top management of businesses to go through an awareness programme themselves before acting on the recommendations of different consultants, and before being swayed by a media that will sensationalise most of the issues.

In this direction, Naavi has launched a new online training programme on GDPR through Apnacourse.com. I hope it will be of use to companies in first acquiring a basic understanding of GDPR as a regulation and then taking steps towards compliance.

This online programme is not an end in itself, but it can be the beginning of a journey into the intricacies of data protection laws, which is essential to protect the existential interests of business.

Naavi


Today is GDPR Day… Love it or hate it, you cannot ignore it

Today is 25th May 2018. The EU is still waking up to this D-Day while India is already awake. There is no doubt that today will be regarded as a historic day in the data protection industry, since EU GDPR comes into effect from today.

Two years ago the Regulation was adopted and the deadline was set, but most companies remained complacent. Naavi started actively urging the Indian industry to respond by first opening the Privacy Knowledge Center in September 2016, and following it up with the GDPR Knowledge Center in February 2017.

Since then several articles have been published under www.privacy.ind.in as well as www.naavi.org highlighting the positive and negative features of GDPR.

However, the industry woke up only in the last six months, when it saw the potential impact of the huge penalty for non-compliance envisaged under the Regulation and the perception that it may apply even to entities outside the EU.

During the past year, since India is itself discussing its own data protection law under the Expert Committee chaired by Justice Srikrishna, I have been urging the Committee to ensure that the Indian data processing industry is given a protective umbrella against the unreasonable penalties that may follow from GDPR and from the contractual commitments Indian companies may undertake in their anxiety to preserve their business. I have also raised the concern that Indian shareholders of such companies may be adversely affected if the companies sign uncapped indemnity clauses that transfer the liability of their business partners to them.

I have also expressed my displeasure that the EU has drafted the Regulation in such a manner that it can be misunderstood as a global law and create a sense of fear among data processors outside the EU.

To some extent this fear may not be warranted, and I am sure that if challenged, the EU will defend itself by saying that its law does not impose itself on other countries. But perceptions sometimes cloud reality, and if we survey Indian companies we find that most IT professionals think GDPR is mandatory for them.

In the meantime, the UK has come up with its own DPA 2018, which is perhaps of greater concern to Indian companies, since most Indian companies have established a physical presence in the UK, even to take up business in the EU, and hence DPA 2018 applies to a much larger number of Indian companies. By extending GDPR as part of its own law, the UK Act creates some additional burden beyond GDPR.

All this means that the cost of IT business in India is going up, and Indian companies need to ensure that they do not take on GDPR compliance entirely at their own cost but load part of it onto their international customers.

While I have indicated that, in order to defend effectively against the impact of GDPR (and now UK DPA 2018), the industry needs to organise itself, and SME data processors as well as data protection professionals need to create some collective bargaining power through self-interest groups, I have also recognised that GDPR will create business opportunities of different kinds for professionals.

In all such situations, the first industry to benefit is the education industry. In fact, the career of the undersigned itself took off with Cyber Law College when ITA 2000 was enacted, with consultancy added later. Similarly, GDPR will create opportunities for the training industry. Already we have seen people from the EU and some enterprising local professionals conducting training programmes and charging a bomb. GDPR itself may give a further boost to some of them by creating a “certification mechanism” which will provide a false sense of privilege to some organisations established in the EU that can claim to be “accredited with the Supervisory Authority of …”.

Naavi believes that what matters is “education”, through which we become more knowledgeable. Certifications will follow. Certification without transfer of knowledge is not going to benefit professionals and could actually create traps in which a professional rises to his level of incompetence, as the Peter Principle suggests.

Naavi’s Cyber Law College, in association with Apnacourse.com, is launching a training programme on GDPR which goes online today to mark the formal coming into effect of GDPR.

(A Link to the course is available here)

The course contains about 7 hours of video lectures spread over around 18 modules. It will probably need to be updated from time to time, since this space is dynamic; even the interpretations of GDPR will change once the European Data Protection Board becomes more active. Just as we updated the Cyber Law course on Apnacourse.com when major changes occurred, this course will also be updated from time to time. Presently the course is offered for knowledge enhancement. In due course Cyber Law College may introduce a certification of its own to recognise “course completion” and the passing of a “basic awareness test”.

Cyber Law College and Naavi, in association with Apnacourse.com and otherwise, will also conduct offline corporate training programmes so that awareness of GDPR is not a deficiency in the Indian industry.

Implementation is of course a choice that industry players will have to make based on their own risk appetite. But I would caution the industry not to allow international competitors to use lack of GDPR awareness or compliance as an excuse to shift outsourcing business from India elsewhere. For this purpose they need a plan of action whereby they can give all their customers confidence that they are aware of and compliant with GDPR, even while we assert our “legitimate interests” and the “application of local laws”.

So… interesting days are ahead of us. Whether we like it or dislike it, GDPR is here and we cannot ignore it.

…..So happy GDPR day to all…

Naavi
