Cyber Security & Privacy – Technical and Legal Compliance: Seminar at Mysore on 27th Sept

CII Mysore has organized a one day seminar on “Cyber Security & Privacy – Technical and Legal Compliance”.

Venue: ILI Building, at the Infosys Campus (Entry through Gate 2)

Sri Shailendra Kumar Tyagi, Director, STPI, Dr Subramanyewara Rao, IPS, Commissioner of Police and several prominent industrialists from Mysore are expected to participate.

Naavi will be speaking on the “Indian Privacy Law” in the event.

Contact Mr T.U. Augistine, CII Mysore for more information.

Naavi


Privacy laws forcing “Blind Advertising” instead of Targeted advertising

The Privacy laws as they are emerging led by GDPR are conspicuous by the huge penalties that may be imposed as “Administrative Fines” even when the data subjects have not suffered measurable financial losses.

These laws in general prescribe that personal data of target subjects should be collected only on the basis of an informed consent where the data collector has disclosed all the purposes for which the data may be used along with other information which may include the details of downstream processing that may occur.

One of the uses of personal data collected is for the purpose of marketing products online. Since Advertising, whether online or offline, is a communication exercise in which the Advertiser uses his communication skills to design creative messages that will have the maximum impact, market segmentation based on the likely profile of the audience is an age-old practice.

The Advertising industry cannot do an effective job if it does not know the audience. If a Chocolate advertisement is directed at an audience of senior citizens and diabetics, the advertiser would be wasting his client’s advertising spend. If a Banker tries to advertise his products meant for high networth individuals to an audience which may consist of farmers and villagers, obviously he would be considered a fool.

But the Privacy laws are driving the advertisers to resort to “Blind Advertising” rather than “Targeted Advertising”.

The law makers will immediately say that if you want to collect personal data and use it for advertising, then say so in the consent form and it will be fine with law. This would mean that every time any “Personal Data” is collected, the collector should be aware of all situations in which the data could be used in future and take an omnibus consent. Such consent has to also have a legal validity as a “Written Consent” and in countries where a “Click Wrap” contract is nothing more than an “Implied and Standard Form of Contract”, the consent will always be deficient.

The recent news report that the first notice under the UK Data Protection Law has been issued on a Canadian Analytics firm named Aggregate IQ (AIQ) that worked for “Vote Leave” campaign has brought to focus the plight of the advertising industry in this regard.

It is reported that, though the firm had collected the data before 25th May 2018 when the GDPR came into existence, the UK’s Information Commissioner was concerned with the continued retention and processing of the data after the said date.

The firm was used for a “Pro Brexit” campaign successfully and therefore the political reasons behind the complaint are clearly visible.

Leaving the technicalities aside, there is a need for the public to debate whether the Privacy laws are being used unfairly to target genuine business needs and this has to be stopped forthwith for the industry to survive.

If the Advertising industry is not allowed to be creative with creative and targeted advertising campaigns, the damage is to the “marketing” activity and indirectly to the productivity of the industry.

It is time for the Marketing and Advertising industry to justify their existence and relevance if the Privacy Laws are not to destroy each of the marketing and advertising firms one by one with litigation by all and sundry.

Naavi


Admissions open for Cyber Law Course from National Law School, Bangalore

National Law School University of India (NLSUI) has released the admission notice for the PG Diploma Course in Cyber Law and Cyber Forensics (PGDCLCF).

This is a distance learning course with contact classes which will be held in Bangalore.

Details are available  here: 

The last date for admission is September 30, 2018. Extended date with late fee of Rs 500/- is October 15, 2018.

As a premier law education entity in the country, the course attracts senior IT professionals, Lawyers, Administrators and Law Enforcement persons each year.

Persons interested may avail the opportunity.

Naavi


Data is the New Oil, Attempt to create Economic Colonies using Data Mining is a reality

I draw the attention of readers to an interesting article titled “American Data Miners are modern avatars of British East India Company”.

This article also has relevance to the lobbying that many International companies are presently attempting to change some of the provisions of the PDPA 2018 (Proposed Personal Data Protection Act).  Many vested interests have been even organizing seminars with the ulterior intention of mobilizing public opinion against the move of the Government which only says “One Serving Copy of personal data collected from India should be held in India”.

It is however noted that there are many experts who are vocally opposing the moves of these companies and we see heated debates in the seminar halls and WhatsApp groups supporting the Government’s move.

Naavi.org considers that the provisions of PDPA 2018 have taken into consideration the views of the industry and accommodated the international players sufficiently. It has at the same time tried to safeguard the Indian interests both from the national security perspective as well as a need to give a boost to the Indian data storage eco system.

Just as the Y2K gave a boost to the Indian IT industry, the move of the Government has substantial economic significance and hence has to be pursued. It has the potential to create more data centers in India with associated activities including development of the professional work force with specialization in Data Protection.

Referring to the “East India Company” reference made in the article in mynation.com, we need to highlight that Naavi.org has several times in the past during discussions on Copyright and IPR indicated that the IPR regulatory regime is being used to create economic powers to ride over India. Now we see a similar attempt through the International Data Protection Regulations.

In our earlier article “Data Processors in India should avoid entering into unenforceable contracts which may be termed “Fraudulent”” we had highlighted how the “Standard Contractual Clauses” used in EU recommendations are an attempt to override Indian law. Sensing such attempts, we had recommended during the deliberations of the Srikrishna Committee that Indian Companies should be protected from international assault through data protection laws by creating an “Umbrella of Protection” so that no penal action be launched against Indian Companies under GDPR or similar laws except through the Indian Data Protection Authority. (Refer: “Data Protection Law in India… Three Big Ideas …. Data Trust, Jurisdictional Umbrella and Reciprocal Enforcement Rights“).

It is unfortunate that even during the East India Company days, India has been exploited by foreign agencies through obliging locals who could be bribed by various means to support the long term exploitation goals of the foreign interests ignoring the interests of the nation.

Even today, the same threat continues to haunt us and is also reflecting in the commercial aspects related to data localization or data protection in general.

Recognizing the need for Indian Data Protection Professionals to keep the interests of the nation on top of their minds, the Foundation of Data Protection Professionals in India (FDPPI) has adopted as its objective the building of an empowered community of Data Protection Professionals who contribute to the development of a Secure Information Society in India taking the national interests into consideration.

I hope the long term benefit of having an organization that focuses on Data Protection without neglecting the national interests would be appreciated by the community and translate into an active participation in the activities of the Foundation.

Naavi

Also refer:

India: The Debate – Data Localization And Its Efficacy

How localization of data will affect firms, consumers

Controller of Certifying Authorities can improve security of Digital Signatures

Digital Signatures are the legally recognized means of authentication of electronic documents in India. Though Password is not the legally acceptable means of authentication, many companies including Banks ignore this, and it is being widely used for many authentications including financial transactions. While some Banks have started offering digital signing options for Banking transactions, most of them are banking only on the OTP system to secure the authentication.

The e-KYC system used by Banks is also dependent completely on the security of the OTP system and even though e-KYC can be used for e-Signing, which is legally equivalent to digital signature, it is still not secure enough beyond what OTP provides.

Most Banks use OTP only on mobiles and the OTP message is sent through an unencrypted SMS message. In such cases, if there is a compromise of mobile through SMS reading apps, or when the customer is subjected to a Voice based phishing, the OTP will be compromised and could lead to frauds.

While it is necessary that Banks anticipate such risks of compromise at the user device level and initiate the security measures which overcome OTP compromise risks or bear the responsibility for the fraud losses, we can independently look at one measure which the Controller of Certifying Authorities (CCA) can initiate to improve the reliability of the Digital Signature system.

The CCA should take a leaf out of UIDAI in this regard where some measures have been initiated which appear to be also good for the CCA to introduce.

Firstly, just as UIDAI uses a system of biometric lock, CCA can through the Certifying Authorities provide an option to the digital signature user to lock and unlock his digital signature through the repository maintained by the parent Certifying Authority (CA).

Secondly the usage of every digital signing incident where a verification call is made on the repository could be logged with useful meta data and made available to the digital certificate subscriber. This also has been done by UIDAI though the information logged is sketchy and could be improved.

If such a facility is available, the application developers may also use a “Verification Call” as a mandatory requirement before a digital signature is applied in any usage scenario.

Probably in the case of offline digital signing there could be an issue but such situations can still be logged with a post signing verification whenever the digital signatory is connected to the internet.

When such verification calls are made, there could be practical issues including privacy issues to be considered but the concerns can be handled since we are verifying through a secure connection between the digital signer and the CA.
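An added sketch of the lock, verification-call and usage-log proposal described above (not code from this site, the CCA, any CA or UIDAI). `Repository`, `verification_call` and the outcome labels are hypothetical names, the serial and documents are constructed samples, and the actual creation of the signature is left out.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CertRecord:
    locked: bool = False                      # subscriber opts in to locking
    log: list = field(default_factory=list)   # usage log shown to the subscriber


class Repository:
    """Hypothetical CA repository: lock state plus a per-certificate usage log."""

    def __init__(self):
        self._certs = {}

    def enroll(self, serial):
        self._certs[serial] = CertRecord()

    def set_lock(self, serial, locked):
        self._certs[serial].locked = locked

    def verification_call(self, serial, application, document, offline=False):
        """Log one signing event; return True if signing is permitted."""
        rec = self._certs[serial]
        if offline:
            # The signature already exists: record it after the fact and flag
            # it if the certificate is locked at the time of reporting.
            outcome = "offline-while-locked" if rec.locked else "offline-reported"
        else:
            outcome = "denied-locked" if rec.locked else "allowed"
        rec.log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "application": application,
            "sha256": hashlib.sha256(document).hexdigest(),
            "outcome": outcome,
        })
        return not rec.locked

    def usage_log(self, serial):
        return list(self._certs[serial].log)


def demo():
    serial = "CONSTRUCTED-SERIAL-01"          # constructed sample value
    repo = Repository()
    repo.enroll(serial)
    results = [repo.verification_call(serial, "bank-portal", b"transfer order 1")]
    repo.set_lock(serial, True)               # subscriber locks the signature
    results.append(repo.verification_call(serial, "unknown-app", b"transfer order 2"))
    results.append(repo.verification_call(serial, "desktop-signer", b"contract",
                                          offline=True))
    return results, [entry["outcome"] for entry in repo.usage_log(serial)]


if __name__ == "__main__":
    print(demo())
```

The log stores only a digest of the document, not its content, which is one way the privacy concern mentioned above could be limited.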

I hope the CCA would consider some of these measures as a part of its rule making power until such time that the ITA 2008 itself can incorporate such measures as part of the law.

I look forward to suggestions from security experts in this regard. The request has already been made on the CCA and I am awaiting the response.

P.S: This suggestion arose due to a query from Mr Uday Gupta, one of the readers of an article on this site on digital signatures and I thank him for raising this issue.

Naavi

Section 498A: Why Supreme Court cannot be consistent?

[P.S: This may not be a Cyber Law Issue but is a matter of concern to the youth in the IT industry and reflects the personal experience of the undersigned in interacting with several young persons in the IT industry with whom the author interacts as a part of his Cyber law activities.  This should also not be considered as  anti women …. Naavi]

The recent decision of the three member bench of the Supreme Court holding that there is no need for a Family welfare committee to advise the Police before an arrest can be made under Section 498A may be technically justifiable. But the view of the Supreme Court overturning the earlier decision of a two member bench, meant to prevent abuse of the provisions of Section 498A and introduce some safety measures, is not consistent with the aggressive view taken in respect of other issues such as in the case of Section 377, or even Section 66A of ITA 2000/8.

In the cases of Sec 377 (IPC) or Sec 66A (ITA 2000/8) the Court went ahead with striking down earlier legal provisions and changing the law in the Court without waiting for the legislature alone to do it. But when it comes to 498A, it tries to make the Government responsible to change the law. If it can change IPC or ITA 2000/8 in other cases, it is not clear why it cannot change the law in the case of 498A.

Merely making a lofty  statement that the Court is aware of the abuse  does not suffice to show the concern for justice and fairness which should be the hallmark of the Apex Court.

Making such statements for records but following them with measures to remove the safeguards introduced by another bench of the Supreme Court itself and enhancing the scope of misuse of law is not a welcome development.

Section 498A has been so much abused that it has already dented the confidence of the Indian male on the Indian marriage system. Many young males are refusing to get married because of the “Risk of Marriage”. There are many professional extortionist young girls who use dowry harassment and domestic violence to extract unreasonable damages in cases of normal domestic differences of opinion.

This argument against 498A is not a bias against women because in all the cases of 498A, along with the husbands and the father in law, it is the women in the house like the mother in law or the sister in law who get dragged into being accused as accomplices. The cases are often propped up not by the wife who may actually want to compromise but by her parents who for their ego try to show their power.

This objection to the supreme court decision should not be confused as reflecting any intention to deny that there is a need to protect women in genuine cases of dowry harassment. There is definitely a need to prevent such harassment and victims do need protection of law.

But there is a need for the law to learn from the past experience and ensure that there is a balance which prevents misuse. Also, it is agreed that divorce may be the preferred solution in cases where the boy and the girl have an irretrievable break down of relationship often because of their relationships outside marriage. Hence a forced compromise is not a solution to broken marriages. It can only lead to further domestic violence. Hence divorce requests are to be handled realistically and facilitated. But when it comes to settlement, the Courts should recognize that one of the strong motives for divorce could be the ability of the girl to extract a large compensation. Hence many girls who are financially better than the husband often end up claiming damages to which they should not be eligible.

The divorces become acrimonious  because the girls have the practice of invoking  Domestic Violence case complaints as part of every divorce. This  should be seriously discouraged.

The Supreme Court bench does not seem to have considered the plight of innocent senior citizens who have been dragged to jail by violent daughters-in-law.

If the Supreme Court does not show consistency and uphold justice to common man in every aspect of law whether it is 498A or 66A or 377, it is the reputation of the Court which is in jeopardy.

It is unfortunate that in the Section 498A issue, the Supreme Court has already declared its intention that it prefers to follow its own whimsical ways of deciding on different issues, sometimes being logical and humane and sometimes adopting a completely irrational approach to problems.

Now the current ruling will only increase corruption in the Police but the damage has already been done. The solution to the problem now lies either with the Government at the Center or in the States.

First and foremost the higher officials of the Police in the States should themselves initiate a proper process to ensure that Section 498A is not used to harass innocents. It should not allow arrests without the intervention of a higher level officer preferably beyond the Station level.

Probably the State Police should create a special committee of police officers to replace the Family welfare committee which was proposed by the earlier Supreme Court which should direct the station level investigating officer if arrest is required or not. I suppose this will be permitted within this judgement.

This could be within the administrative powers of the State police and the political sanction of the State Government. Since the issue is not political, I suppose there should be no problem in the State Governments taking a quick stand in this respect.

The second solution is for the Central Government to move in quickly if required through an ordinance to ensure that the imprisonment provision in Section 498A is softened by reducing the maximum imprisonment to some thing like 3 months and allowing quick bail. It should only be for deterrence.

In case of exceptional cases where there is real harassment leading to a dowry death there are other provisions under which the accused can be punished for life or with death sentence.

While the Supreme Court conveniently says that there are alternate provisions of getting a bail and hence there is no need of the safety clause, the same logic applies to the fact that there are alternative measures to punish the really guilty and there is no need to arrest the poor husband when his newly wed wife runs away to her parents’ place and launches litigation alleging all kinds of torture on every known relative of the husband when there is no real threat to her. It appears that the judges had not made a proper assessment of such cases before arriving at their current decision.

I hope that the Central Government of Mr Modi and the different State Governments try to address the issue with necessary changes in law to prevent abuse of Section 498A.

Naavi
