Supreme Court cannot ignore the Virtual ID development regarding Aadhaar

Supreme Court has now come to the end of hearing the PIL on the Aadhaar. Whatever be the actual petition it is clear that the opposition to Aadhaar stems mainly from the Black Money holders and Benami property holders who are threatened out of their existence with the identification of their misdeeds and Black wealth accumulated over time.

India having been corrupted systemically by the ruling Congress Party since the days of Mrs Indira Gandhi (as people of our generation know of), there is corruption in every aspect of our life. Our politicians, Bureaucrats, Police and even the Judiciary are exposed to the menace of corruption though different segments have absorbed it to different extent.

Businessmen also have accumulated black wealth but their accumulation is because of tax evasion. Otherwise the black money of businessmen is generated out of their hard work  or business. The Black wealth accumulated by the officials and politicians on the other hand is of a different nature. It has originated out of corruption and additionally continued with tax evasion.

Now all these persons who are threatened with the loss of their ill gotten wealth have come together to petition to the Supreme Court that mandatory linking of Aadhaar to Bank accounts and the proposed property registrations is opposed to “Privacy” and hence it should be scrapped.

Privacy is not a shield for Corruption

Without any doubt, “Privacy” is being used as an excuse to cover up illegal accumulation of Black wealth and the Supreme Court cannot be seen as supporting this cause.

All Privacy regulations provide an exception that “Privacy” is not a right that can be used by a citizen when the State has to consider “Public Interest” and “National Security”.

We are not sure if the lawyers who will be arguing for the Government will not collude with the opposition and put up a weak argument to enable the Judiciary to scrap Aadhaar linkage to basic services.

A Citizen has no right to claim immunity from being punished for the larger good of the society. The judiciary has its role in checking the misuse of any law including the Aadhaar law just as the SC/ST atrocities Act.

Hence the Supreme Court Bench has to place the national interest paramount and not be swayed by the arguments of the Aadhaar opponents. I have some faith that the current CJI will ensure it. It should be done before the “Dissenting” judges take over our system and politicize the judiciary.

Virtual ID eliminates most of the concerns against Aadhaar

In this context, the much awaited Virtual Aadhaar ID scheme of UIDAI has now become operational. Under this scheme all services which require Aadhaar number will now use the “Pseudonymized ID” which is the 16 digit Virtual ID which the Aadhaar holder picks up on the Aadhaar website. The original Aadhaar number remains confidential with the user. The intermediary who uses the virtual ID will not have the demographic data mapped to the original Aadhaar ID and hence the kind of data breaches that happened at the intermediary end in the past for which UIDAI is being blamed cannot happen in the future.

This Virtual ID is not a permanent ID and can be regenerated randomly every time the Aadhaar holder wants to use it. He can use it as a single purpose ID and ensure that no two intermediaries have his data mapped to the same Aadhaar ID.

This system therefore addresses the concern on Aadhaar security at the intermediary end for all future transactions.
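The unlinkability property described above can be shown with a small model. This is an added example, not UIDAI's implementation: the class names, the constructed 12-digit sample number and the assumption that regenerating a Virtual ID invalidates the previous one are all illustrative.

```python
"""Simplified model of a regenerable 16-digit virtual ID (illustrative only)."""
import secrets


class IdentityAuthority:
    """Hypothetical central authority: the only place the VID-to-real-ID map lives."""

    def __init__(self):
        self._active = {}    # real ID -> currently active VID
        self._reverse = {}   # active VID -> real ID (never leaves the authority)

    def generate_vid(self, real_id: str) -> str:
        # Assumption: regenerating a VID revokes the previous one.
        old = self._active.pop(real_id, None)
        if old is not None:
            del self._reverse[old]
        while True:
            vid = "".join(secrets.choice("0123456789") for _ in range(16))
            if vid not in self._reverse and vid != old:
                break
        self._active[real_id] = vid
        self._reverse[vid] = real_id
        return vid

    def authenticate(self, vid: str) -> bool:
        # Answers yes/no only; the real ID is never returned to the caller.
        return vid in self._reverse


class Intermediary:
    """A service provider that keys its customer records by the ID presented."""

    def __init__(self, name: str, authority: IdentityAuthority):
        self.name = name
        self._authority = authority
        self.records = {}    # presented identifier -> service data

    def enroll(self, presented_id: str, data: dict) -> bool:
        if not self._authority.authenticate(presented_id):
            return False
        self.records[presented_id] = data
        return True


def linkable_ids(records_a: dict, records_b: dict) -> set:
    """Identifiers that let someone holding both datasets join them."""
    return set(records_a) & set(records_b)


def demo() -> dict:
    authority = IdentityAuthority()
    real_id = "999900001111"   # constructed sample number, not a real ID

    bank = Intermediary("bank", authority)
    telecom = Intermediary("telecom", authority)

    # The holder generates a fresh VID for each intermediary (single-purpose use).
    vid_bank = authority.generate_vid(real_id)
    bank_ok = bank.enroll(vid_bank, {"account": "savings"})
    vid_telecom = authority.generate_vid(real_id)
    telecom_ok = telecom.enroll(vid_telecom, {"plan": "prepaid"})

    # Baseline: both intermediaries stored the real number directly.
    legacy_bank = {real_id: {"account": "savings"}}
    legacy_telecom = {real_id: {"plan": "prepaid"}}

    return {
        "enrolled": bank_ok and telecom_ok,
        "vid_bank": vid_bank,
        "linkable_with_real_id": linkable_ids(legacy_bank, legacy_telecom),
        "linkable_with_vid": linkable_ids(bank.records, telecom.records),
        # A VID taken from the bank's records no longer authenticates elsewhere.
        "old_vid_still_valid": authority.authenticate(vid_bank),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

If both intermediaries' datasets are exposed, the baseline records join on the shared number, while the VID-keyed records share no common identifier.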

Of course, some critics may still ask: what about the past? There could be solutions for the same which could be considered in future.

Critics will also ask what is the guarantee that the data may not be leaked from the UIDAI itself. There will of course be security at the UIDAI so that no single person will be able to leak Aadhaar information since multiple levels of authentication would be required.

If the critics still ask whether it is not possible for multiple persons to collude and commit a fraud, I would say if a day comes to that then we the Indians do not deserve the Aadhaar.

We know that when the previous Congress regime was in place,  the country was run in the name of PM by a coterie which was Pro Pakistan and Anti India. It can be speculated that several of the national secrets could have then been shared with the enemy during this time. Conspiracies could have been  hatched to put our Military to shame and create a bogey of Hindu terrorism. In future also, if those who want to destroy our country come to power, we are not sure if they will rule in the interest of the country.

The opposition political parties in India which are behind the Anti Aadhaar discussion in Supreme Court had once given Supari to eliminate Mr Modi much before he became PM. Now they are trying to use the Supreme Court as the weapon to kill the ambition of Mr Modi to eliminate corruption in India.

Hence the Aadhaar case has become a symbol of a fight between those who despise corruption and those who worship it.

If the opposition comes to power, there is the danger that they may themselves access Aadhaar data and hand it over to Cambridge Analytica so that they will never lose the election again.

Supreme Court has to show its character

I hope the final decision of the Supreme Court will prove that India still retains the ability to stand up to all divisive forces and show character that has made this country survive against the onslaught of foreign invasions time and again.

Naavi

Also Refer:

It is Y2K Moment again in India with Virtual Aadhaar ID

How Aadhaar Security reaches a new dimension with Virtual Aadhaar ID

Three days to go for mandatory use of Virtual Aadhaar ID Who is ready?

Is Private Sector ignoring Virtual Aadhaar ID?

Virtual Aadhaar ID; More breathing time for laggards


Data Portability under GDPR… Is it Your Data to be ported or My Data?

Data Portability is one of the contentious issues of the GDPR from the compliance angle. We had discussed the “Theory of Dynamic Personal Data” in one of our previous articles. That concept would be relevant to address the issue of Data Portability as envisaged in GDPR.

Article 20 of GDPR states as follows:

Article 20: Right to data portability

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
(b) the processing is carried out by automated means.

2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. (Ed: Right to Erasure). That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

The industry is struggling to understand how it can possibly tune up its processing system so as to keep the “Personal Data of the Data Subject” in one compact identifiable package so that when necessary it can be “Ported” or “Erased”.

If a Data Processor is setting up a new system for processing the data, it would be perhaps easier to design the system to meet this objective. But if he is already processing data and is now trying to implement GDPR over the existing set up which includes past stored data and the processing system, it would be a challenge to comply with the provision.

One of the key aspects of implementing Data Portability and Data Erasure is to ensure that a data subject’s personal data is always identifiable in a package and can be dealt with together when required.

In practice however, the complete set of personal data about a data subject gets acquired over a  period of time and in bits and pieces. In this kind of “Data Aggregation”, there is one part of personal data which the data subject has handed over after an informed consent. This is a “Property” of the data subject and he has every right to deal with it as he likes.

But once this raw data is received by the data processor, it may be mixed with other data, analyzed, filtered, processed using intelligent data mining and analytical algorithms and another set of data which has a link to the raw data supplied by the data subject emerges. In course of time, the data subject also adds further data about himself which is another set of raw data that gets added.

At this point of time, the data with the data processor has two components namely raw data supplied by the data subject from time to time and the value added secondary data  in which the raw data is embedded but there is much more value because of what has happened to the raw data with the processing. It is like the data subject has given the data processor, water, fruit juice concentrate and sugar in separate packets and the data processor has created a bottle full of juice with it.

Now the data subject comes and says, please “Port” my data to another “Data Processor”. Now the problem is for the data processor to separate the water, juice concentrate and sugar from the Bottle of juice and return the “Data of the Data Subject”. Anything else is a different data and if that has to be transferred to another data processor, it will go along with the technical know-how used by the first data processor to add value to the data. Obviously this is not acceptable to the data processor since it would dilute his IPR.

The key to GDPR data portability management is to develop a data processing model which keeps a tag on the “Raw data supplied by the data subject” even when it is being churned into a value added data by the data processor, so that when required, we can pull out the raw data and return it to the data subject.

If the system is designed intelligently, the data processor may still keep the value added data with himself but return the raw data components to the data subject. It will be like having the Cake and eating it too.
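One way such tagging could look in practice is sketched below. This is an added example, not a design from this article: the `TaggedStore` class, the field names and the sample subject data are constructed for illustration. Every item carries an origin tag, derived items record which raw items they were computed from, and the portability export returns only what the data subject supplied, in a machine-readable format.

```python
"""Origin-tagged personal data store (illustrative sketch, constructed data)."""
import json
from dataclasses import dataclass

SUBJECT_PROVIDED = "subject_provided"   # the raw "ingredients"
DERIVED = "derived"                     # the processor's value-added output


@dataclass(frozen=True)
class DataItem:
    subject_id: str
    name: str
    value: object
    origin: str
    sources: tuple = ()   # names of the raw items a derived value came from


class TaggedStore:
    def __init__(self):
        self._items = []

    def ingest(self, subject_id, name, value):
        """Record data handed over by the data subject, tagged at the point of entry."""
        self._items.append(DataItem(subject_id, name, value, SUBJECT_PROVIDED))

    def _latest(self, subject_id, name):
        for item in reversed(self._items):
            if item.subject_id == subject_id and item.name == name:
                return item
        raise KeyError(f"{name!r} not held for subject {subject_id!r}")

    def derive(self, subject_id, name, func, source_names):
        """Store a processed value together with its lineage back to the raw items."""
        inputs = [self._latest(subject_id, n).value for n in source_names]
        item = DataItem(subject_id, name, func(*inputs), DERIVED, tuple(source_names))
        self._items.append(item)
        return item.value

    def export_portable(self, subject_id):
        """Structured, machine-readable export of subject-provided data only."""
        raw = {}
        for item in self._items:
            if item.subject_id == subject_id and item.origin == SUBJECT_PROVIDED:
                raw[item.name] = item.value   # a later submission replaces an earlier one
        return json.dumps({"subject_id": subject_id, "data": raw}, sort_keys=True)

    def retained_derived(self, subject_id):
        """Value-added items the processor keeps, with the raw items they depend on."""
        return {
            item.name: {"value": item.value, "derived_from": list(item.sources)}
            for item in self._items
            if item.subject_id == subject_id and item.origin == DERIVED
        }


def spend_segment(purchases):
    # Hypothetical analytic standing in for the processor's own algorithm.
    return "high" if sum(purchases) > 1000 else "standard"


def demo():
    store = TaggedStore()
    store.ingest("ds-001", "email", "subject@example.com")
    store.ingest("ds-001", "purchases", [400, 750])
    store.ingest("ds-002", "email", "other@example.com")
    store.derive("ds-001", "spend_segment", spend_segment, ["purchases"])
    store.ingest("ds-001", "city", "Bengaluru")   # raw data added at a later time
    return store.export_portable("ds-001"), store.retained_derived("ds-001")


if __name__ == "__main__":
    exported, kept = demo()
    print(exported)
    print(kept)
```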

In order to design such a magic system, we may have to develop a suitable system on a case to case basis. But as indicated earlier, it is easier to introduce such systems prospectively and not retrospectively.

Hence it is better if GDPR liability is accepted only for the future personal data inflow and existing system which was in place is retained for Data Protection in respect of the past data.

It does not appear that GDPR has been conceived taking this “Prospective” or “Retrospective” implementation into account, since the authorities seem to be oblivious to the practical issues involved in implementing some of the recommendations which appear good to read but impossible to comply with.

In this discussion, we have assumed that the Data Subject does not lay claim for the value added part of the processed data and would be satisfied if his own raw data is returned to him. Hence in future we may have to differentiate data as “My Data” and “Your Data” and apply different privacy and security rules for them.

The technical implementation of this concept needs development of a middleware data processing strategy which is out of scope of this article and also involves IPR in the design.

Naavi


Definition of Undertaking under GDPR and its impact

GDPR is liked by some as a good law to protect privacy of individuals and is often looked upon as an “Emerging Standard”. Many companies are working towards calling themselves “GDPR Compliant” since it makes good marketing sense though GDPR does not apply to them. Even the Whitepaper on Data Protection Law of the Justice Srikrishna Committee made references to GDPR frequently, giving a perception that Indian Data Protection law will be a reflection of GDPR in some way.

At the same time GDPR is hated by the IT Companies because it increases their cost of Privacy compliance and also holds the Damocles sword on their head with the obnoxious penalty clause of Administrative Fines.

In most privacy laws, the emphasis is to provide direct protection to the data subject by giving him compensation for adverse consequences of data breach. In order to reduce the possibility of privacy breach, the law also provides certain standards of compliance and to goad the companies to take compliance seriously, imposes fines and penalties for non compliance. The fine is meant to act as deterrence against neglect of “Due Diligence” requirements.

GDPR has used Administrative fines as a means of causing a “Chilling Effect” on the industry that they are at the mercy of the “Supervisory Authorities” who have been given powers to impose unreasonably large penalties.

Article 83 (4) and 83 (5) prescribe the penalties.

Under Article 83(4), certain infringements will be subject to administrative fines up to 10 million Euros (1 Euro=Rs 80) or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year whichever is higher.

Under Article 83(5) certain infringements will be subject to administrative fines up to 20 million Euros (approx Rs 160 crores) or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year whichever is higher.

The lower fine is in respect of  the following articles

Article 8: Child’s Consent

Article 11: Processing which does not require identification

Articles 25 to 39: Various obligations such as privacy by default, impact assessment, data breach notification failure etc

Articles 42 and 43: Certification related

The Higher fine is in respect of the following articles

Articles 5,6,7 and 9: violation of basic principles for processing including consent

Articles 12 to 22: Infringement of Data Subject’s Rights

Articles 44 to 49: Transfer of personal data to third countries

and non compliance of member state laws and order of a supervisory authority

In the penalty clause what strikes the eye is that in case of an “Undertaking” the penalty may be 2% or 4% of the total worldwide turnover.

To understand the impact of this clause, we need to understand what constitutes an “Undertaking” under the law applicable in this context.

The meaning of “Undertaking” is defined under Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU).

One obvious way of determining the scope of this word is to consider that where one company exercises “Control” over another company, they form a single economic entity and hence are part of the same undertaking.

This means that if a company is a holding company and the subsidiary company is the one subject to penalty, the holding company may become part of the global undertaking. If the holding company is in EU and the subsidiary companies are in one or more other countries, then all of them will become part of the “Undertaking”.  Beyond this, it would be the specific ruling that any Court may give or which the supervisory authority may imply.

If therefore, Infosys (an example only) is an Indian company and has subsidiaries in EU where it is a Data Controller and is subject to some fine, then the turnover of Infosys becomes part of the turnover of the undertaking. Now if Infosys subsidiaries in other countries also hold cross holdings in the EU entity, then some crazy EU court may add the global turnover of Infosys as the turnover of the undertaking to determine the fine.

This may mean that the revenue generated by the employees of the Company in India out of their operations here which have no relevance to EU operations will be taxed in EU.

The legality of such a measure is considered debatable.

Also, when Infosys-EU signs a Data Controller contract and creates a charge on the earnings in India which are enforceable against the EU subsidiary, the shareholders of the Indian Company may have reasons to ask if their wealth gets eroded.

At first glance, the addition of “Global Turnover” in the computation of the penalty appears to be an over reach in law and may not sustain a proper scrutiny. But this is something which NASSCOM has to address and consult international law experts such as Harish Salve and clarify.

In the meantime, Indian companies having some operations through EU subsidiaries need to ensure that the “Holding Company Turnover” does not become a factor that increases the potential liability of the EU subsidiary. This can be done through shedding the “Holding Company Status” and ensuring that the EU subsidiary and the Indian parent (hitherto) company maintain an arm's length relationship without any director level control or shareholder level control.

When companies who do not require to follow GDPR want to adopt GDPR as a “Standard” they should ensure through proper disclosures that “The adoption of GDPR compliance as a business strategy across all the global units of the undertaking” is not treated as a prima facie admission that there exists a global networking relationship across all such companies exposing the aggregate turnover of all such companies to the risk of being considered for fine computation.

I look forward to a response from NASSCOM on this matter.

Naavi


In the wonderland of Quantum Cyber Law, Physics is part of Law specialization

Ever since Law entered Cyber space and the term “Cyber Law” was coined, the field of law has been shaken up.

When ITA 2000 (Information Technology Act 2000) was notified and conventional lawyers started reading it they soon encountered right under Section 3, terms such as “Asymmetric Crypto system” and “Hashing”. Immediately it was clear that their years of study of LLB and experience in the Bar was of little relevance in the new emerging world of “Cyber Law”.

At this point of time, a breed of “Cyber Law Specialists” was born who studied ITA 2000 from its birth and had no prior in depth knowledge on Civil or Criminal law. Gradually, many of the “Computer Savvy Lawyers” who could understand some computer terms such as hard disk, memory, hacking, denial of service etc graduated as “Cyber Law Specialists” with different degrees of specialization in civil or criminal law along with an awareness of computer technology.

Simultaneously, pure technology specialists working in the area of “Cyber Forensics” also graduated into a multi discipline specialization by acquiring awareness of ITA 2000 or Cyber Laws.

With this convergence of technology knowledge/specialization with law specialization/awareness was born a new breed of specialists who could describe themselves as “Techno Legal Specialists”.

In the Information Security domain, these specialists became “Techno Legal (TL)  Information Security Specialists”.

Some of these specialists like the undersigned recognized the importance of “Behaviour Science” in Information Security area just like in the case of “Criminology” and added the “Behaviour Science Specialization” to their forte to create a “Techno Legal Behavioural Science Specialization” to be used both for Cyber Criminology and Information Security.

We may recognize these developments as different generations of Cyber Law specializations that are developing not only in India but also elsewhere.

When we look at some of the emerging problems such as Section 65B of Indian Evidence Act and the struggle of the community to handle the Cyber Crimes emanating from the deep web, it is clear that we are still a long way off from mastering the art of “Techno Legal Behavioural Science (TLBS) Specialization” either in the Information Security area or in the Cyber Law area.

Failure to acquire this TLBS specialization in the Information Security domain results in increasing Cyber Crimes, data thefts etc including the Cyber Analytica kind of issues.

Failure to acquire this TLBS specialization in the Cyber Law domain results in increasing cases of bad Judgements such as the Section 66A and Shafhi Mohammad judgement by the Supreme Court of India or the Shapoorji Pallonji case judgement by Mumbai High Court.

Emerging Cyber Law Scenario

While there is a need to continue our work on creating better awareness and better understanding of the TL and TLBS concepts through our education system both in Law Education and in Engineering education and let it percolate through the practicing lawyers to the Judiciary, the environment has moved further with the advent of Artificial Intelligence and Quantum Computing making further changes to the interpretation of Cyber Law principles.

Just as Digital Signature concepts, which included Asymmetric Crypto System and Hashing, brought mathematical concepts into the domain of Cyber Law, the development of Quantum Computing has now brought “Physics” directly into the domain of Cyber Law.

Now a full rounded Cyber Lawyer needs to not only know law, computer technology and behavioural science, but also Physics.

We must remember that what we were calling as “Computer Technology” so far already incorporated “Physics” because every “Bit” that held the data in a computer device was actually a “Transistor” in miniature form and every processing on a computer happened with “Electronics” in the back end.

But just as “Classical Physics” was disrupted by “Quantum Physics” and the laws of Classical physics including the famous laws of Newton had to be re-written in the Quantum world and even the geniuses like Albert Einstein were proved wrong in parts in the Quantum Physics domain, all the current laws which we codify as “Cyber Laws” may need a complete re-look in the Quantum computing environment.

We must therefore recognize that the next generation of Cyber Law specialization is now here. I will call this the “Quantum Cyber Law Specialization”.

The Quantum Cyber Law (QuCL/QCL) specialists need to not only understand the depths of Law along with “Transistor based Classical Computers” but the emerging “Qubit based Quantum Computers” where the “Qubit” is not a transistor but a Nucleus or an Electron.

Just as the Classical Computer works on a transistor representing a “Bit” which can be either with a charge or no charge representing the binary states of one or zero, the Qubit represents an electron or a nucleus which is spinning either in the clockwise or anti clockwise direction representing the two states Zero or One.

The enigma of Quantum Computing however is the “Principle of Uncertainty” that a spin state of an electron can be one and zero at the same time but collapses into one of the two states at the time of measurement.

The readers of this blog consist mainly of Classical Cyber Law Followers. Some of them may find the concept of Quantum Computing a bundle of scientific fiction. They may have to choose to ignore some of the articles that may appear here on these “Emerging Technology” concepts and focus on improving their understanding of the “Transistor Based classical technology” and how it affects Section 65B etc.

But for those crazy technology buffs who would like to explore the computer world of the future, it is necessary to slowly start grasping some of the new concepts to stay relevant in the post 2030 Cyber law world.

The undersigned is also in the process of exploring the Quantum Computing principles and is experimenting with some thoughts not all of which may be considered “Definitive”. Errors and mis-interpretation could be expected since this is considered as a learning process.

Readers may therefore treat some of these articles more as hypotheses to be tested and tuned. The presented hypotheses may be debunked and improved by Quantum Cyber Law (QuCL) watchers.

Understanding QuCL requires even more depth of technical knowledge than what is required for understanding Cyber Law as we know today.

Further the technical knowledge required for understanding QuCL would include the knowledge of Quantum Physics and its application to the creation of logic gateways and data store techniques which is more than what most computer science specialists possess in the natural course of their development.

I am yet to find a term to describe this “Multiple Domain Experts who know Computer Technology, Law and Physics”.

Probably they should be called “Techno Legal Physicists” or “Quantum Physics Technology Law Specialists” (QPTLS) and this specialization should be termed as Quantum Physics Technology Law (QPTL) specialization.

Like many things in the life of Naavi, perhaps Naavi will be the first to describe himself as a Techno Legal Physicist or Quantum Physics Technology Law Specialist  (now in the process of graduation).

Even today, many of the lawyers ask me in a cross examination in a Court  “Where did you get your Cyber Law Degree” to make you an “Expert”. I normally reply that “In 1998 when I started studying Cyber Law and in 2000 when I started Cyber Law College, there was no other university or college which was qualified to give Cyber Law degrees (at least in India) and hence my Cyber Law specialization had to be and is self acquired”.

Similarly, now I have to say that the new specialization of “Techno Legal Physicist” or “Quantum Physics Technology Law Expert”  will have to be a self acquired skill which I will endeavour to acquire through self study.

With this, I have a message to the Cross examining lawyers who try to embarrass me on a witness box with questions that I do not have a law degree or a computer science degree and cannot call myself as eligible to give evidence on computer aspects. They must remember that I have a Master’s degree in Physics with a specialization in nuclear physics itself that makes me eligible to talk on law that depends on transistors and quantum mechanics, as an expert.

However, I humbly submit that “Expertise” is a “Relative expression”. Knowledge is so huge that no person can call himself an “Expert”. One can be more an expert than the other in a given niche area and may be a novice at the same time in another aspect.

The description of an “Expert” under Section 45/45A of Indian Evidence Act has to absorb the “Quantum Principle” that a witness may be an “Expert” or a “Novice” at the same time and it is only when his knowledge is measured against a specific question that his “State” will collapse into either “Expert” or “Not an Expert”.

Next time when a cross examining lawyer asks me, “Are you an Expert?” “Do you know technology?” etc., I may answer, “I am an expert or a novice at the same time like a Qubit being in the state of one or zero at the same time. You try to pose a question and I may collapse into either being an expert or not”.

Problem however is that the Judge may immediately say.. Please do not argue with the counsel and put counter questions… answer Yes or No not Both…..

Practicing lawyers specialized with court procedures may kindly advise me what would be the correct answer to the question that witnesses cannot be in quantum state and say “Yes and No” but  have to be always in either “Yes” or “No” state.

In the wonderland of Quantum Cyber Law , a new specialization of Techno Legal Physics needs to be recognized to answer such questions.

Naavi


Theory of Dynamic Personal Data

“Personal Data” is the object of data protection regulations such as the upcoming Data Protection Act of India, the DISHA 2018, as well as other laws such as GDPR and ITA 2008. “Protecting Personal Data” is considered “Information Privacy” by the Indian judiciary which declared “Privacy as a fundamental Right”. In all the data protection regulations, Data is classified as “Personal Data” and “Sensitive Personal Data (or special category personal data)” and different responsibilities are prescribed to the Data Controllers and Data Processors.

The current global controversy on Facebook being responsible for its customers’ profiles being used for influencing US elections is an interesting case study for examining the efficacy of the current data protection laws and where the laws have failed to capture the real nature of data and are therefore failing in the implementation of the data protection laws. If laws are failing in the current scenario, they will be failing more often when we consider the emerging era of Big Data Analytics, Artificial Intelligence and Quantum Computing.

While ITA 2008 and GDPR are already frozen, India has two data protection regulations in the pipeline namely the DISHA 2018 (Digital Information Security for Health Care Act) and Data Protection Act of India as being drafted by the Justice Srikrishna Committee. It is therefore a great opportunity for the Indian legislators to incorporate certain new provisions of data protection that other legislation including GDPR might have missed. Naavi has already provided some inputs on the proposed laws in earlier articles.

Theory of Dynamic Personal Data

This article will however introduce a new “Theory of Dynamic Personal Data” which if recognized and brought into our regulations may resolve some of the anomalies which we are presently facing.

The basic concept of this theory is that “Personal Data” is dynamic. It is not a static concept where one entity collects it under a “Consent” and uses it for a stated purpose and just destroys it afterwards.

Data once created cannot be easily destroyed. It can only be converted into another form where it looks different. It is therefore like “Energy” that cannot be destroyed in the universe but can only be converted from one state to another.

Energy can even be converted from being a “Particle” or a “Wave”. Similarly Data can be converted into a tangible “Document” or seen as “binary impressions on a magnetic or optical media”.

In the Quantum computing theory, “Data” can be in the form of Qubits with an uncertain state of being either a Zero or One but assuming a probabilistically determinable value when measured. The same “Uncertainty” can be there in the state of “Personal data” also even in the classical computing environment.

Data has a life cycle in which it is generated, re-generated, processed into a value added form, fused and fissioned, deleted and undeleted, forgotten and remembered, used and misused, de-identified or anonymized or pseudonymized and re-identified.

Hence any data protection law which assumes that an “Informed Consent” from the data subject to the first data collector will solve all the problems of “Information Privacy” is a complete myth.

What is required is for the law to recognize that “Personal Data is dynamic in nature” and at any given point of time it exists in a certain state of uncertainty. It can however be measured at a specific point of time when it shows up in a certain form. This is exactly similar to the “Uncertainty Principle” embedded in the “Superpositioning” concept of the Quantum computing.

Three Fundamental Rules of Dynamic Data Theory

We can define three fundamental rules of Dynamic Data Theory for further discussions

The first rule is that

“Personal Data does not exist in isolation but exists in the Data Universe”.

Such data universe consists of

- the data subject’s data in different forms with different data controllers, collected at different times, along with
- many versions of the personal data processed by different processors for different purposes and
- combined with the data of other data subjects.

The second rule is that

“Personal Data exists in an uncertain state where it may be personal or non personal, sensitive or otherwise and assumes a certain state at the time of its measurement.”

The third rule is that

“Personal Data is not “Absolute” in truth and accuracy and always exists in a form dependent on the context of its collection and use.”

How these rules should be integrated to law making

Let us now elaborate on these three rules and discuss why a data protection law that does not consider these rules is defective ab-initio. 

We define “Personal Data” as that information that is identifiable with a living person. Obviously, Name is the primary identifier for an individual in the physical world. In the Cyber world, it is the e-mail ID or an Avatar ID that substitutes the name as the real identity of a Netizen.

Address in the physical world, the IP address in the cyber world are also identifiers.

Additionally, there could be other parameters such as the Mobile Number, the Aadhaar number, PAN number, the Voter’s ID etc which are all different identity parameters.

There are also additional parameters such as the age, sex, political affiliation, sexual preference, the health information, the financial information etc that are also considered “Personal information” when they are identifiable with a living individual.

The basic or “Primary” personal information is not the health or financial information but the physical identity information such as the name and address or the cyber identity parameters such as the biometric or password. Other information may be important but they are “Secondary Personal Information”.

So far, no law has defined “Primary Personal Information” and “Secondary Personal Information”. We have jumped from “Personal Information” to “Sensitive personal information” without clearly defining which is “Primary” and which is “Secondary”.

In the personal data cycle, “Personal Information” starts with the “Birth Certificate” which defines the name of an individual along with that of his parents, place of birth, date and time of birth. This is the “Primary Personal Information” at the atomic state. Within this, it is difficult to determine which comes first and which comes later.

In olden days, birth certificates used to be issued as “Son/daughter of X, the father and Y the mother”. The name actually came later as an assignment by the parents in the naming ceremony. However, the convention today is to issue a “Birth Certificate” incorporating the assigned name. Hence the parameters of the birth certificate, namely the Name, date of birth, place of birth, and name of father and mother, are the atomic level personal information that needs to be defined as “Primary Personal Information”.

Subsequently other information about the data subject gets added including the record of the DNA profile or blood group etc. Further the education, employment particulars, bank particulars, other health parameters all get added to the “Personal Information”.

What we need to recognize here is that “Personal data changes its state on a continuous basis” though it may appear from time to time in the form of a snap shot which is the electronic document such as PAN card or Aadhaar card, Medical report, Bank statement etc.

Hence law has to define “Personal Information” as an “Evolving set of data that gets tagged to the Primary personal information created with the birth certificate parameters”. It is only the birth certificate parameters that can be frozen as an “Electronic Document defining the personal Information of an individual” and this gets extinguished with the “Death Certificate”.

In between, even the name of the person may change if the person so desires. His age ticks every second, his health data and financial data changes every moment. If therefore we want “Personal Data to be accurate” as a legal requirement, the personal data record has to be updated every moment which is not feasible.

It is in this context that I say that “Personal Data is in an uncertain state” and only when you want to measure it, you try to get a health report or a bank report where the personal data is frozen at a given point of time and place. This is the “Superpositioning Nature of the personal Data” similar to the Quantum computing scenario. While the Quantum superpositioning can assume either Zero or One, the Personal Data is a “Continuum” of many states and is changing all along.

In this context, personal data of a person exists in a “Data Universe” where new data gets generated and some of the new data gets tagged with the Personal ID of the data subject and we say that “Personal Data has changed”. But this change of data can be recognized only if the Data Controller becomes aware of the change.

If a data subject shares his data with one data controller on 1st January 2018 and with another data controller on 31st January 2018, the two will be different. Each will be using the data based on the consent obtained and processing it and deriving inferences as if they know the truth. If the data subject says he will vote for BJP on January 2018 then he will be classified as a BJP oriented person. If on January 31, he says he will vote for Mr X from Congress who is the local candidate in the forthcoming election, the data changes colour and makes him a Congress supporter.

If both sets of data are available to a single data processor, he will compute a data analytic report showing the trend that this voter is changing his profile and that he is moving from BJP to Congress. If before the election, Modi makes a speech, the trend may change again.

In such a scenario, the “Profiling” remains uncertain. Hence the so called “personal data” which includes the political affiliation is just an interpretation by a data processor with the available information on hand and his own skill in interpretation and it is not an absolute truth that the person is either a BJP supporter or a Congress supporter.

Without understanding the three rules, if law tries to say “Nobody shall use personal data except as provided by a consent”, then one has to question “Which data are we talking about”?

Is it the direct data that is provided by the individual once that he is a BJP supporter and another time as a Congress supporter? or

Is it the “Processed Data” that says that the person is an undecided voter and may change his preference based on the stimuli he receives closer to the election?

If an analyst like Cambridge Analytica comes to a conclusion, and develops a “Profile Report”, should the law consider this as a “Primary or Secondary Personal data” provided by the data subject or a “Derived Information” that is not necessarily guaranteed as the true and absolute personal information but is only an expert’s view of the analysis.

If so, should the data analytics firm be punished for data breach if it shares its analysis with a candidate who is trying to finalize his communication strategy? This is a question which the law makers need to answer.

Today, the law makers say that all these decisions will be decided by the “Consent”. According to them they feel… “Let the person collecting the consent get the consent for processing it, deriving meanings and then sharing it with somebody else for profit or for a cause etc.”

However at the time of obtaining a consent, the data controller only has a limited view of what information he is getting and how he may use it. But due to the “Dynamic nature of the data”, after collection, the data in the hands of the data controller “Grows”, “metamorphoses” into a different form and he discovers that he can now make new uses of the data.

What he bought was perhaps a caterpillar and now it has become a butterfly.

Should the law now say, go back to the data subject and ask him if he can use the butterfly instead of the caterpillar? Of course the law can say so, because the law can be an ass.

But what we need to ask the law makers is whether we can create a law which recognizes that the data which looks to be a caterpillar today may die as a caterpillar or change into a beautiful butterfly and we should encourage the data holder to nurse the caterpillar in any way the data controller wants and make it more valuable than what it was when it was handed over by the data subject. This is the business of Data mining and data analytics on which a huge part of the IT industry is standing today.

Another complication in the data scenario is that data may be processed by a number of downstream data processors and today we define due diligence at each level in the form of a “Consent” or “Processing Contract” which can only capture known information about the data and not what can be “Discovered”. Also, downstream data processors are not aware of the original consent and have to proceed with their processing only on the basis of the data processing contract as provided to them by the Data collector.

If data protection laws try to curb the “Discovery” of new uses of data, we will be curbing scientific development and the concept “Data is the New Oil” would be killed to the detriment of the progress of the society.

If therefore Mr Aleksandr Kogan created some inferences based on the data he obtained from Facebook users under a separate consent given on his app, then the inference he derived was a “Derived Data” and not “Absolute Personal Data” of the data subject.

Presently the community is fighting over the issue as if “Personal data” has been breached. But actually what has happened is that somebody created a notional value addition and somebody paid money to buy it. It is a total speculation that it was beneficial to Mr Trump and whether similar analysis in India will benefit BJP or Congress, nobody knows.

The “Dynamic Personal Data” theory breaks the Gordian knot and releases the “Processed Data” from the constraints of the “Consent on the raw data”.

In other words, the consent obtained for transferring the caterpillar is not allowed to restrain the use of the Butterfly.

Quantum States of Personal Data

When personal data is in the hands of one data processor, it is in a certain state of certainty defined by the information obtained under the “consent”. But while the data is being put to use, it slowly gathers energy and becomes more and more useful with additional information flowing in from a different source and from a different person.

For example, one person in a certain street address says that he likes to vote for BJP. Then let us say another piece of data, that the person attended a BJP rally or that a BJP team visited him at his house and had a discussion, gets added to the database. Now the first information gets hotter and hotter until the analyst of the data comes to a conclusion with his algorithm that this is a BJP voter and profiles him as such.

In this example, we can see that a “Personal Information” attains the status of a “Sensitive personal information” without the data subject doing anything or providing any additional information by himself. The same thing may happen when the Google map adds data that this data subject visits a dialysis center every week and the inference is that he is a kidney patient. If this data is looked at along with the financial information of the data subject, one can infer if he is a prospective candidate for accepting kidney donation.

This sort of movement of Personal information from one state to another after accumulation of additional data from the Big Data platform or by his own contribution is like the “Quantum Jump” of an electron rendering the atom state change. If the incoming data energy is less than the quantum requirement, it increases its entropy but remains a “personal information” only. But when the entropy level crosses a certain quantum level, the data changes its status. If the data energy is strong enough then it is not only the electron that makes a quantum jump but the nucleus itself may go into fission and change the entire profile of the data. In the Cambridge Analytica case, if the advertising input is strong enough then the profile of the data subject may alter from a BJP supporter to a Congress supporter or vice versa.

Now according to present data protection laws, the information which was earlier only a “personal information” got fused with other information such as “BJP party activity in the areas” and the result was a “Political profiling” of the data subject which is “Sensitive personal information”. As it is now happening, data privacy activists will say this is an inappropriate use of the consent for manipulating the voter behaviour and should not be allowed.

But is this change of status “Controllable” by law stating that you cannot bombard the data subject with additional information? If that is done, are we trying to curb the business of advertising and communication itself? This is a point that the data protection laws need to address before jumping to introducing stringent data protection laws in the light of the Facebook-Cambridge Analytica issue.

Thus we need to remember that Data is not static. It grows with the accumulation of additional data from the surroundings. In the process data changes colour and renders the earlier consent meaningless in the new scenario.

Similarly, non personal data can become personal data when there is fusion of identification parameters and an identifiable personal information may become de-identified personal information if the identity parameters are removed.

The Data Protection law in the next generation cannot be blind to this aspect of “Dynamic State of Personal Data” and should not create laws with the assumption that personal data always remains in a static form until the data subject himself provides new data inputs with new consents etc.

Is it a Diamond or Charcoal?

In this process of Data Transition through its life cycle, the value of data may change substantially. Just as Carbon can exist either as charcoal or as diamond based on how it is processed, Data can remain worthless or become valuable depending on the processing.

If data processing creates a diamond,

should we stop such processing because the charcoal supplier supplied it at a throw away price thinking that it will be used for burning and gave his consent for its use while the processor applied technology to compress the charcoal and discovered a means of converting it to diamond?

or

should we mandate that all data subjects will get royalty when their personal data will be used to create profits to the downstream industries?

is a challenge that the data protection law makers of India need to consider when they draft the new laws.

Naavi

 


Draft Law on Health Care Security released for public comments

In the midst of the discussions on Privacy and Data Protection following the Cambridge Analytica controversy, the Ministry of Health and Family Welfare, Government of India has released the long pending draft of the Health Care sector law on Privacy and Information Security.

Earlier, a discussion on this had been started at Naavi.org under the title of Health Care Data Privacy and Security Act (HDPSA). Now the Act has been renamed as Digital Information Security in Health Care, Act (DISHA).

A copy of the draft is available here:

Public comments have been invited up to 21st April 2018 which may be sent to egov-mohfw@nic.in

Naavi.org will also provide its own comments in the next fortnight.

This law will be in addition to ITA 2008 and the proposed Privacy and Data Protection Act which the Srikrishna Committee is drafting. We also know that the TK Vishwanathan committee was drafting an amendment to ITA 2008.

With the undue attention that Cambridge Analytica is getting, there is complete chaos in the domain of Privacy and Data Protection and now this additional law will add further spice to the discussions.

Coinciding with this spurt of activity, GDPR is being implemented by many Indian companies for the deadline of 25th May 2018.

It is therefore a very active period for Privacy professionals in India. Hopefully we will be able to avoid overlapping legislation and conflicts between different laws that make the work of compliance difficult.

Naavi
