Aadhaar Linking of social media

Following the direction of the Supreme Court to the Center to file an affidavit on its measures to regulate social media, and the discussions on whether Aadhaar can be linked to social media accounts, UIDAI has come out with its view that a “New Law is needed for Aadhaar-Social Media Linkage”.

UIDAI has often been at the receiving end with the Supreme Court on the permitted uses of Aadhaar, on which the citizens of India have spent crores of rupees. Recently, eminent jurist Harish Salve said that “Supreme Court” is responsible for the economic slowdown in India.

In the mining sector alone, 23 lakh jobs appear to have been lost because of the Supreme Court judgements.

The reason such opinions are coming forth is that the Supreme Court is often going beyond its judicial duties and not allowing the Government to perform its executive functions because it has a soft corner for the Anti Modi lawyer brigade who find fault in everything the Government does.

Perhaps the Supreme Court has now realized that there is some truth in these allegations and hence has gone slightly soft in its latest order regarding the “Linking of Aadhaar to Social Media”. It has directed the Government to come up with its guideline in this matter.

The bench of Justices Deepak Gupta and Aniruddha Bose has observed that “Technology” has taken a “Dangerous turn” and there is a need to curb the misuse of social media.

In December 2018, the Government had actually come up with a revision of its 2011 administrative notification on “Intermediary Guidelines under Section 79 of ITA 2000/8”. This had several provisions to regulate fake news in social media.

This was just an administrative notification, but the Government, afraid of its own ability to meet the legal scrutiny, put up the notification for public comments. Since it was a pre-election scenario, a lot of noise was raised by the political opposition and a petition was also filed in the Supreme Court. The public comment was sought, the guideline went into oblivion, and the lobby which was against the regulations succeeded in stalling the regulation.

Now the Supreme Court is coming back to advise the Government on framing a regulation. It is necessary for the Court to now dismiss the earlier petition against the regulation and let the Government proceed with the regulation.

Naavi has time and again pointed out that there is a need to regulate social media to prevent it from being misused, and one of the means is to allow “Identified Social Media Players” an extra freedom to express themselves as against the “Anonymous Cyber Stonepelters”. The so called “Trolls” in social media are mostly people who hold fake accounts and use them to discourage the expression of people who dare to express themselves while identifying themselves.

Many of the articles on this site highlight not only the problems but also the solutions. Even now Naavi recommends that a suitable solution to prevent misuse of Social Media can be implemented without the need for the Government to tinker with the Aadhaar law.

This has been discussed several times in this site and can be operationalized without any delay if the technical framework can be built up to back the suggestions.

But so far there has been a lack of will from the Government or Private technology players. I hope that the current situation will at least prompt some aggressive technology people to take up this project immediately.

Such companies can even implead in the current suit in the Supreme Court and plead for an opportunity to present their plan so that if the Supreme Court or the Government has any suggestions they can be implemented. Alternatively the Government can present the project as one line of approach to find a solution and respond to the Supreme Court.

We need to wait and see how the solution unfolds in the coming days.

Naavi

Posted in Cyber Law | Leave a comment

A Landmark Judgement from EU on Jurisdiction

The Yahoo Nazi Memorabilia case, fought over French and US jurisdictional issues, had so far remained a landmark judgement on the application of jurisdiction involving websites that can be viewed across borders. That case finally upheld the jurisdiction of the US courts to determine what Yahoo Inc can do outside France on websites which are not in the French language and therefore not directed specifically to French citizens.

Now, in its judgement, the EU Court has correctly struck down the extension of the exercise of the “Right to be Forgotten” outside the EU, providing much needed clarity on the application of EU laws outside the EU region. In particular, the GDPR watchers would find some relief in this judgement.

At present our comments are based on newspaper reports and we reserve further comments until the detailed order is studied. For immediate reference, we refer to the article in moneycontrol.com titled “Google wins case over reach of EU right to be forgotten”.

According to the report, the EU Court of Justice has said:

“…There is no obligation under EU law for a search engine operator to extend the rule beyond the EU States”

In a manner of satisfying its ego, the Court has also said that the search engine operator must put measures in place to “Discourage” internet users from going outside the EU to find that information. This needs to be ignored because if the Court admits lack of jurisdiction in the first place to apply the law, it lacks jurisdiction to advise and set guidelines for the operations of organizations outside EU.

During the last one year, many citizens of EU have been harassing companies in other countries including India with notices related to GDPR. Now these trouble makers should realize that there is a limit to the extra territorial jurisdiction of EU and it cannot infringe on the sovereignty of other countries.

This judgement should put a stop to all such arguments.

Copy of the judgement

Naavi


Event in Bangalore on 27th September 2019 for Corporate Counsels


Supreme Court directs Government to find a solution for Aadhaar Linking to Social Media

The ongoing controversy of “Preventing Fake News” has now taken an interesting turn with the Supreme Court directing the Government to file an affidavit within 3 weeks on how it proposes to link Aadhaar to the social media accounts as being discussed in the Madras High Court in a petition. The Supreme Court has acknowledged the misuse of social media and the adverse impact it has on the society and National Security.

In the past, when the Government came out with guidelines on “Intermediary Guidelines” as well as in any other case involving the key word “Aadhaar”, the Supreme Court came down heavily against the Government as if it were selling out the Privacy Right of the Indian Citizens. The Privacy activists who want to oppose anything the Government does, supported by the Congress advocates, took the cases to the Supreme Court and prevented any action from being taken by the Government. But for these negative strategies pursued by some activists and supported by the Supreme Court, there would have been a strong “Intermediary Guidelines under Section 79 of ITA 2000” by this time.

Now the bench of the Supreme Court which has provided the current ruling appears to be very reasonable in acknowledging that neither the Supreme Court nor the High Courts are competent enough to take a final view on this techno legal matter and the Government is perhaps in a relatively better position to come up with a suggested solution.

The problem with the Government is that it does not have adequate mechanism to respond to such needs since it has killed the “Cyber Advisory Committee” which was mandatory for such purposes according to ITA 2000 and is banking on an inadequate set of Delhi based advisers to provide a solution which ultimately always falls short of expectations and meets the opposition of the Court.

I hope at least this time the Modi 2.0 Government finds a proper solution which should satisfy the Supreme Court.

Naavi has been advocating that within the provisions of the current ITA 2000 and the proposed structure of the Personal Data Privacy Act, there is a reasonably effective solution to meet this problem. Unfortunately the Government does not listen to innovative suggestions and the private sector is not sure of the revenue capability of such a solution. The so called “Innovators” in the Start Up domain are more interested in re-inventing the wheel by taking up the same type of project again and again without really taking up a really innovative project.

In the current context of the Supreme Court putting a sort of deadline on “Traceability” of social media transactions, Naavi proposes that there can be a “Public-Private Partnership” which can meet the needs of the Government and at the same time make the project self-sustaining and perhaps profitable.

I look forward to the Government coming up with a proposal to invite suggestions from the private sector and perhaps it may be possible to provide a good response to Supreme Court within the deadline.

Watch this space for more information on this topic.

Naavi


What is Community Privacy? and who has the right of disposal?

Yesterday, there was a conference titled “Communique19” at SITM (Symbiosis Institute of Telecom Management), Pune. (SITM is incidentally renaming itself more appropriately as Symbiosis Institute of Digital and Telecom Management or SIDTM). The conference amongst other things discussed the Personal Data Protection Bill and the above photograph shows the panel members.

The panel as seen above consisted of (From Left to Right) Mr Satish Dwibashi of Wibmo.com, Mr Neeral Arora, Advocate and Forensic Expert, Dr Sriram of DSCI, Mr Venkata Satish Guttula of Rediff, as well as me and Mr Sridhar Sidhu of Wells Fargo.

While discussing the issues, I highlighted the differences between GDPR and PDPB/PDPA. I have explained the differences many times in this website and hence I am not going to repeat it and will take up another point for discussion.

During the discussion, which also raised the issue of the “Data Governance Framework”, I highlighted the formation of the new Kris Gopalakrishna committee and the background in which the committee was formed.

I may recall my earlier article/s in which I had made a mention of “Community Privacy” as a concept which had been referred to by Justice Srikrishna in his report. I take this opportunity to explain what could be one instance of the “Community Privacy” which is reflected in the above photograph.

I, like other participants in the panel signed off a permission to SITM that any photographs taken during the session could be used by SITM in social media etc. This is pretty much what happens in every conference, though ICO, UK started the practice of giving a notice that such photographs may be considered as not violating the privacy of the individual.

The above photograph however has been uploaded by me here because I was one of the participants in the panel. However, in the process, I might have violated the wishes of any of the other participants who might have liked to keep the photograph out of view of the visitors of Naavi.org. Though the panelists might have given the permission to SITM and SITM has placed it in public domain and I have also sought permission from these gentlemen, it is not clear if they have consented for this publication.

This is a classic example of how data of one person becomes the “Shared Data” of another person due to the context in which the personal data is generated and the decision of the other person to share it according to his wishes could be a point of contention.

This is what Justice Srikrishna indicated as the “Community Privacy Issue”, for which neither PDPB/A nor any other law like GDPR has provided an explanation. He suggested that the Government may consider a new regulation for this purpose.

If Kris Gopalakrishna Committee (KGC) takes a cue from the preamble in the circular indicating the formation of the Committee and interprets the terms of reference that such “Community Data” is “Non Personal Data”, it may include community data as part of its discussion and declare it as part of the “Big Data” or provide another intermediary status to such “Community Data”.

Is this therefore a case of “Community Privacy” that needs to be regulated?

If so, how do we regulate it?

Can the photograph per se, without the names, be considered as “Not identifiable” and hence “Anonymous”? Or is the degree of “Anonymization” in this instance nothing more than “De-identification”, which does not constitute “Anonymization” as defined under PDPB?

These are some interesting thoughts that emerge out of this instance.

In the past, I had raised the issue of “Recording of Telephone Conversations” and expressed the opinion that the conversation belongs to both the “caller” and the “called” and recording is considered as the right of both persons. In the context of our discussions now, I see a clear explanation to my earlier view because this telephonic conversation belongs to the class of data now known as “Community Data” and hence all the members of the community (in this case the caller and the called) have joint and several rights to use the data as per their choice.

This “Joint and Several” right to dispose of the data will be the key to defining the regulation of community data. Once such data is considered the personal data of each of the individuals, the rest of the regulation may follow the lines of PDPB/A as the contextual risk assessment demands. While each member may have a right to refuse permission to consider the data as Community data by specific disclaimer, it may be considered that by default the data belongs to all persons in the community.

As regards the original photographer, his status would be like a “Data Fiduciary” who posts it in a social media or deals with the information in any other manner in the general interest of the data principals.

As regards the “Anonymization”, it may be considered that the photo without the names is actually “Anonymized” but only to a basic level of obfuscation. The identity of the persons is known only to those who know them either from memory or by use of some identification tool.

Had we perhaps masked the faces, the anonymization could have gone to the next level and if all the others had been cut off from the picture, perhaps the anonymization would have been complete though it would have eroded the value of the data completely.

The person who assigns identity to the respective persons is required to take up the responsibility of “Re-identification” of the anonymized data (Which will be a criminal offence when PDPB/A becomes operational), unless he can provide a suitable defence of either “Prior Permission” or “Prior publication”.

If the identity is assigned by an AI algorithm and it commits a mistake, then there will be other issues such as whether it was a “Negligent Mistake” or “Recklessness/mischief” and accordingly the responsibility will have to be placed.

Consent is otherwise inherent in the participants allowing themselves to be photographed.

While these comments and opinions apply without much controversy in the case of a photograph of this nature, taken on the stage where a panel discussion was held, many “Candid” photographs are also clicked by photographers during such conferences, and these may capture moments which the subject may or may not like to be made public.

How should such photographs be handled? Will they require “Explicit Consent”? These are points for a separate debate. The responsibility of the photographer and the first publisher of such photographs is high in such cases.

This discussion on “Community Privacy”, as well as the resolution through considering them as a “Joint and Several Right”, is raised I believe for the first time in India. Readers are welcome to contribute their thoughts. I hope the KGC takes note of these views and incorporates them in its deliberations.

I am also trying to convince a few experts in Bangalore to constitute a shadow committee to discuss and deliberate this issue of “Community Privacy” and publish a document. Let us see how this project proceeds.

Naavi

Data Productivity Vs Data Security

The concept of “Data” as a raw material on which a certain business can be built gives rise to a discussion on how “Data” can be made more productive and more useful for an organization.

In the context of Data Protection, we always look at one dimension of “Data”, namely how the Data may be compromised and how we can prevent such compromise. In defining “Compromise” we need a benchmark against which “Compromise” can be measured, and this includes certain measures of “Data Governance” such as:

a) How Data can be classified

b) How to collect only such data that is required so that every element of data collected has a specific purpose and use (Purpose limitation)

c) Who needs to access data (Need to know basis)

d) How to avoid unnecessary data lying around the company occupying resources (Storage limitation) etc.

We may observe that the above aspects of Data Governance are covered under the Data Security regime under the principles of Data collection and processing. Additionally, other aspects of security and destruction are part of Data Security.

The Data Security requirements are codified into a “Framework” under various approaches such as the ISO27701, BS 10012 or PDPSI.

If we look at “Data Governance Framework” as a different concept, it appears that the significant difference is that a “Data Governance Framework” should consider “Data” as a raw material for business and the Governance Framework should enable the Company to use “Data” productively.

“Productivity” therefore becomes the principal objective of Data Governance while “Security” is the principal objective of Data Security.

This does not mean that Governance does not involve Security or Security does not have to factor in the “Context” of why Data is being used by an organization.

Data Governance and Data Security are therefore related and complementary to each other.

Productivity and Security however indicate that there could be some conflict. “Security”, in the framework of Privacy protection for example, restricts the use of available data only to the extent of available “Consent”, which is “Purpose specific”. If a company is in possession of certain data which can be productively used for a purpose other than what the consent has permitted, then under the Data Security regime, the data cannot be used for the alternate purpose unless the consent is modified. This delays the productive use and often prevents the alternate use if the data subject refuses additional consent or is otherwise not available for a response.

Most companies which had a vast amount of personal data in their possession before the GDPR kicked in on 25th May 2018 had to simply discard the data, unmindful of the cost at which it had been earlier acquired and the use that it possessed subsequently. A similar situation will arise in India also when PDPA becomes effective from a specified date.

This is a case where “Security” shoots down productivity mercilessly.

As far as a “Collector” of personal data is concerned (e.g. a Digital Marketing Company), it would be more productive to collect a set of personal data once and distribute it to a number of data controllers. This is like the software framework/components which are re-usable. But the Data Protection regulations prevent the collection of data for one purpose or controller/processor and its use for a different purpose for a different controller/processor. Here again productivity is sacrificed for the purpose of “Data Security”.

There could be many more such instances where Data Security prevents the productive use of Data.

One escape route that the Data Protection regulations provide to overcome the restrictions is when the personal data is “Anonymized”. “Anonymization” needs to be distinguished from “Pseudonymization or De-identification” which is referred to in GDPR.

Indian regulation (PDPA) provides a legal definition of “Anonymization” as an “Irreversible process” by which identifiable personal data is stripped of its identity parameters in such a manner that it cannot be re-identified.

As regards the “Data User” industry such as the “Big Data industry”, some of the requirements do not require the identity parameter and hence “Anonymization” may release the identifiable personal data collected under a “Consent” for purposes outside the “Consent terms”.

The “Data Governance Framework” needs to explore the possibilities of how Data collected with a restrictive consent can be used more productively. Hence “Anonymization” would be one of the strategies that the Data Governance Framework needs to debate and establish standards for.

The second aspect of “Data Governance” is “Productive processing of the identifiable data itself”. This would require precision classification of data, centralized storage, pseudonymization, efficient access systems etc.

Hence Data Governance Framework has a role for identifiable data as well as anonymized data.

The challenge in developing non-conflicting, mutually supporting frameworks for Data Governance and Data Security is to delicately balance “Productivity” with “Security”.

This would also provide an interesting battle in organizations in future between “Data Management Professionals” and “Data Security Professionals”. The IIMs of the future will have to therefore update their curriculum from a study of E Commerce to Study of “Governance of Data” which includes Data Security and how to manage the conflicts between Data Security and Data Productivity.

In developing standards we should work on whether we can combine Data Governance and Data Security into a single framework instead of proliferating the standards. The approach of ISO or BS would of course be to introduce new standards for Data Governance, but in India we need to work on how we can make PDPSI work as an integrated standard of Data Governance and Data Security. Further research is required in this direction.

(Invite comments for debate)

Naavi
