Privacy law cannot be only a tool for hiding oneself

We often say that “One person’s right to extend the arm ends at the tip of the nose of the next person”. This is a well known cliche but often forgotten by those who are over enthusiastic on “Privacy” including the judges of the Supreme Court.

We are now in the midst of the drafting of the new Data Protection Law and there are all forms of demands on how Privacy has to be protected.

There is one school of thought that “Privacy” has to be protected not only in terms of Information but also otherwise. In the GDPR there was mention of information processed “by automatic means” or “Semi automatic means” as the scope of the act. Now the recommendation on the scope of the Indian Data Protection Act (IDPA), for which the B N Srikrishna Committee published a white paper, is being finalized. Should it be applicable only to “Electronic Information” or should it extend to “Paper and Voice”? This is one question that has been posed to the committee.

We must shout out aloud at this point of time that the erudite 9 member Supreme Court, which hurriedly passed a 547 page judgement just to declare “Privacy is a fundamental Right”, abdicated its responsibility to define what is Privacy. How can we then force the law to define “Privacy” and to extend it beyond the “Electronic form” in which “Data Protection” is being discussed by the committee?

It is therefore essential to accept the limitation that this new proposed law (IDPA) will have to restrict itself as a “Data Protection Act” and not as a “Privacy Protection Act”. Since Data is already protected in the ITA 2000/8, we can say that IDPA will now be a “Privacy Data Protection Act” meaning that it will only address information related to Privacy.

Since Privacy is not defined, any attempt to protect information about the vague entity called Privacy will also be reasonably vague. Hence the scope will have to use such words as

“Information such as Name, Address, Mobile Number, E Mail Address, Financial Information, Health Information, Biometric information etc.”

Presently we leave the definition as any information that is capable of identifying or associating with a living individual. Nothing much can be done beyond this definition of Personal Information. If some software or person is clever enough to see some information and identify a living person through it through his clairvoyance, we cannot factor it into the definition beyond use of such words as

“Personally identifiable information includes any information which along with other information in the hands of the person could be used by any prudent person with ordinary capabilities to identify the true identity of the owner of the data”.

It can also state…

“Personally identifiable information does not include de-identified/anonymized information or pseudonymized information, which means that the identity apparently associated with the data cannot be reasonably used to identify the real identity of the data owner by a person of ordinary prudence with the information already in his hands.”

While “De-identified” data will go out of the legislation, there is a view by some that any attempt to “Re-identify” a de-identified data should be made a criminal offence.

While privacy activists can make a good case for sending the person who causes re-identification to the gallows if allowed, one must understand that it is the duty of “Law Enforcement” on a day to day basis to read available information and try to identify criminals both present and potential. Many scientific data analytics, including genetics, try to identify the “Tendencies” to be a criminal. Maybe this is not a perfected science. But today scientists and law enforcement people browsing through CCTV footage and trying to identify people with face recognition features etc., or identifying car number plates to file a traffic violation case, can all be accused of “Identifying a De-identified data” and punished if the law to be made does not take the possibility into consideration.

Further, all the Data Analytics companies will be made “Illegal Activities” ab-initio. All start-ups in this field will have to close down.

If therefore “Re-identification” of “De-identified data” is made an offence, then we will be creating a new data protection regime in which the proposition that “Data is New Oil” will be killed. Perhaps economists can estimate by how many percentage points the GDP of India will decline if this is made into a law.

The Google Glass technology is meant to view a person and immediately check the tags in Facebook and Google to give you a flash back of the person you are now shaking hands with. Is it not “Re-identification” of the “Not identified”? The entire industry of Artificial Intelligence, including the “Automated Car”, “Smart City Energy Management” etc., uses plenty of data analytics which includes identification of the un-identified with the use of available data. Gait recognition is the new terrorist control measure that intelligence agencies use. Profiling of employees through their non verbal communication is a new science under development. Analysing social media information and developing a credit rating is another area of scientific research.

Should we kill all these innovations because some criminal wants to have the right to hide as part of right to privacy?

All those Privacy activists who strongly support Privacy to the extent of making the work of law enforcement impossible should think for a while on whether we have any need to protect the honest from the dishonest who want to hide.

I have recently quoted two instances in which I see how Privacy laws are protecting the criminals more than the honest and challenge the Privacy activists to prove me wrong.

First, I get an e-mail from a Gmail ID which is either a fraudulent mail or a defamatory mail or a threatening mail. I am the recipient of the mail but the sender hides his identity with the help of Google by anonymization of the IP address. I, the recipient of the e-mail, have no right to ask Google to tell me who has sent me the e-mail hiding behind a self created pseudonymized ID. If I want to know the identity of the person, I need to first approach the Police, get my complaint registered which may require payment of a bribe in most cases, make them send a CrPC notice, wait for Google to send the IP resolution, thereafter send a similar request to the local ISP and finally get the address of the person who sent me the offending e-mail. All this takes so much time that by the time I get the information the criminal is no longer traceable.

This criminal friendly situation has been created because Google considers that the Privacy of the sender of the e-mail is more important than the Privacy of the receiver of the e-mail. This is a gross misuse of the concept of Privacy.

The same defense extends to all those who register fake websites and carry out phishing attacks. Their registration details are protected under what is termed as a “Right to Privacy”.

This practice of Privacy being used as a shield to protect criminals must be stopped.

Hence, apart from the IDPA not making re-identification a punishable offence, the law should not curtail the hands of law enforcement by enabling Privacy to be used as a shield either by Google or any other web operator.

What should be punishable is the misuse of the re-identified data and posing unreasonable hurdles on re-identification when a genuine stake holder such as a receiver of an e-mail or a visitor of a website demands the information. The Data controller can ask for an undertaking from the recipient not to misuse the information such as the IP address or telephone number and also have a process by which such demands are logged in with the Data Protection Authority to take further action when required.

But a refusal to divulge the information that protects the criminal should be itself made a crime.

I therefore request that in the IDPA, a provision is made whereby a recipient of an E-Mail or a phone call or a visitor to a public website or a Twitter or Facebook is entitled to demand the identity of the sender of the communication with an undertaking not to misuse the information and be accountable for any punishment thereof and escrowing such request and declaration with the Data Protection authority.

Naavi


Public Consultation on Data Protection Law….some points of discussion-3

(This is a continuation of the previous article)

3.  A lot of discussion centered around the issue of “Consent” and “Informed Consent”. The issues were about the need for and effect of consents as an instrument of Privacy protection. There were also suggestions that consents should be applicable by processors also, consents should be standardized and simplified etc. The fact that India consists of illiterate users with multiple language use also was highlighted. The difficulties of handling “Employee Records” when the companies want to change the processors was also raised.

Comments:

It is true that “Consent” has been the main instrument with which Privacy protection is being handled worldwide. The focus has been that there has to be a proper Privacy Notice, there has to be an “Informed Consent”, the opt-out  should be the default option etc.

Consent Fatigue

At the same time the issue of “Consent fatigue”, whereby users are required to go through multiple consent forms several times during the day, which makes them click on consents in a routine manner, is unavoidable. If we continue to deal with “Consents” then we need to find a way to address the “Consent fatigue” issue.

Though the “Click Wrap Consents” do not have a strict legal validity in India, they still constitute a means of finalizing “Contracts” online which would be considered as “Implied Contracts”. Implied contracts have the shortcoming of being “Voidable” in respect of onerous fine print clauses and would not help either the consumer or the service provider at times of crisis.

In India, at present Section 43A of ITA 2008 provides “Contractual Consent” as the prime method of defining “Reasonable Security”. Hence when an employer obtains a valid contract with the employee at the time of employment which includes the right to process personal information, it can be considered as a “Consent” that can enable the employer to override the privacy obligations. Companies with multi national employees are also subject to the same law, though many corporates seem to fear international regulations and consider their local rights as non existing.

The system of “Consent” cannot be changed. It will continue. However, efforts to make it better, in terms of making the user understand the nuances before he clicks the acceptance button and highlighting the onerous clauses to make them effective even in a deemed, standard form, implied contract, should continue.

One of the suggestions made was to have a few standard forms of consent which are colour coded, so that the user knows exactly whether he is giving consent to a “Green Clause”, with less personal information being made available, or to a “Red clause”, with more information disclosure and risk.

These suggestions are also dependent on classification of data which includes special form of data which are derived from the data supplied by the data subject and converted into a more value added form. There are data such as “Psychometric data” or “Genetic data” which could be derived with effort from the Data collector. Assigning rights on them and restricting data aggregation and use of value  created out of aggregation is a challenge.

Some suggested that we need to even recognize “Community Data” and protect them.

Ease of Doing Business

It is essential for us to understand that in designing the new law, we cannot go overboard with all minute concerns real and imaginary. We need to look at creating a law that is possible to be understood and implemented. “Compliance” should be facilitated so that industry does not look at this as a “Hurdle” and the “Ease of Doing business in India” does not deteriorate.

Value Addition to Data

Also the possibility of the Data collector doing an analysis and creating additional processed data which is more valuable cannot be completely taken out of the rights of the processor. Even if the basic data belongs to the data subject, the derived data has an element of value addition by the Data collector which needs to be rewarded.

Some examples of such derived data pointed out by the participants included “Energy Consumption Data” and “Psychometric data” which may be extreme cases of artificial intelligence usage which are more for fiction writers of the future rather than the law makers of today. If “Data Analytics” is a key area of business in future, then it is possible that data can be used in multitude ways by technologists and law can only be set in generic terms to cover the “Identifiability” of data as a parameter of regulation.

The classification of “Identified” and “Identifiable with available data” and “Identifiable with further data that may be derived or available through instances such as mergers and acquisitions etc” needs to be addressed. However, the level to which Artificial Intelligence can go in future is not known to us today and hence some loss of privacy has to be factored into the legislation today. This can be introduced in the form of differential penalties when data is breached depending on the level of security that the Data controller demonstrates as having been used before the data was lost.

Data Trust as an intermediary

Considering these difficulties, there were multiple suggestions which came back to the central point of what we have suggested earlier as a “Data Trust”. These intermediaries can be instruments of effective collection and use of consents. They can also monitor the Data controllers and impose discipline in the industry. The concept has already been discussed earlier and hence it is not repeated here. But if it is accepted, there would be an instrument of managing “Data” as a “Property of the data subject” which is licensed to the Data Controller through the Data Trust. The Data Controller who makes revenue out of the data has to bear the cost of this infrastructure by sharing some of his spoils with the Data Trusts so that the consumer does not end up incurring higher direct costs. But the Consumer may be able to get better data security in respect of his Privacy information.

Many participants discussed the concept of “Co-regulation” where the Data controllers would participate in the last mile control of data security. The law may also end up not being too prescriptive and leave it for the Data Controllers and Processors to “Secure” and in case of failure, “Pay a penalty”.

Recognizing the importance of monitoring the activity of the Data controllers, some suggested that there should be public accountability and auditability of data controllers etc. Most of these are impractical and, from the security point of view, are also not recommended. The processing infrastructure in most cases cannot be publicised and hence the only recourse is to get proper warranties and punish negligence adequately to ensure that Data Controllers maintain the security of data.

In such a regime, instead of regulating hundreds of Data Controllers, it would be better from the point of view of management and regulation if we have fewer “Data Trusts”. Thus, our suggestion is that the concept of Data Trusts presents multiple advantages that need to be recognized by the law makers.

Privacy Vs Law Enforcement Requirements

Naavi also pointed out that in many instances, Privacy Protection is used as a protection against law enforcement detection. Hence there is a pressure on law makers to include stringent prescriptions and not yield to any exemptions to be given to law enforcement. This is not ideal according to us. Privacy Protection is as much for honest citizens who consider law enforcement as their protectors and hence law should take this into consideration.

Data Tagging

In suggesting protection for data when it moves from one data controller to a data processor and subsequently to many sub contractors, a discussion ensued on whether it is possible for data to be tagged in such a manner that it can be traced wherever it moves so that it can be erased when necessary and updated when required. Many participants felt that this is technologically feasible and must be implemented through law.  However, the undersigned is of the opinion that “Personal Data” collected by a Data collector does not always remain as a single document that can be tagged when it is moved further. The collected data contains many data elements and sub data elements which may be split, distributed and re assembled elsewhere in a different context. Hence putting a traceable and auditable tag on personal information is not technically feasible and hence cannot be mandated. Instead mandating the legal responsibility to protect through sub contractor’s contracts is the only feasible option which can be put into the law either in the main law or through sectoral laws or regulations. This is already being done as a standard industry practice.

Cyber Security obligations

Repeated requests were made to mandate “Cyber Security” as part of the data protection laws. It would be introduced  as an obligation of the Data Collector (or the Data Trust) and certainly there is no case for a prescriptive information security policy being part of the main legislation. This is part of HIPAA legislated in 1996 and is relevant for sectoral laws and not for the umbrella law.

Foreign Data Subject

Discussions were had on whether “Data of Non Nationals” should be covered or not. This is an important issue which should be part of the scope definition. When the personal data of anybody, including a non national, comes into the hands of an Indian Data Controller or Data Collector, there will be a contractual agreement between the data subject and the data collector. This should define the data protection obligations and should provide primacy to the Indian law by default. In our opinion, any demand from such individuals, who deal directly with Indian data collectors yet refuse to abide by Indian law, forces the Indian data collectors to follow an alien law instead of the local law. This is not recommended for acceptance.

In the event of a foreign data subject coming through a foreign data collector/Controller who entrusts the data for processing to an Indian data processor, the obligations need to be set into a Business Associate/Sub Contractor contract and other things should be subordinate to the contractual obligation. This is the law in India under Section 43A of ITA 2000 and must be respected.

Certification

One aspect that did not come up for full discussion was whether there would be any certification bodies that would certify the Data Protection in different agencies like the standards certifying bodies.

It is known that most data breaches have occurred in bodies that have been certified under PCI DSS or ISO 27001 etc. The presence of such certificates makes the management complacent and reduces their vigilance. Instead the responsibility should remain with the management and they may be permitted to use any standards to achieve the objectives of securing the privacy data. It should be the choice of individual organizations to choose any standards, external or internal, and to resort to certification or otherwise. The Data Protection Authority may however have their own standards for auditing and they may use any auditing firm including PWC as they so desire as long as the assessment is on the basis of the law as defined and not on other considerations.

Privacy After Death

A point was raised by the undersigned on whether Privacy Right should persist after death. Though not discussed in the general forum, it was pointed out by the undersigned that “Privacy” as a “Right to Life and Liberty” has no meaning after the death and Privacy of an X individual cannot be enforced as a right of Y. If a person has a deemed Privacy issue, it should be handled as a “Defamation” or “Attempted Defamation” issue rather than the Privacy issue. Hence the protection obligations should cease after the death of the individual.

Naavi’s Detailed Comments

A copy of the written response to the questionnaire from Naavi was submitted to the Committee. It has incorporated the points mentioned here. The final version which may be submitted before 31st January 2018 will also be posted on naavi.org whether they are considered by the committee or not.

Post Script:

We close the recollection of the Public consultation exercise at Bangalore on 13th January 2018 here. We might not have recollected all aspects of the discussion. Omission of any is not intentional. I invite other participants to add their comments if any.

We shall continue to submit our own thoughts on the subject here in the coming days as well.

Naavi

Links to all the three parts of this report of the consultation are available here

Part I

 Part II

Part III


Public Consultation on Data Protection Law…. Some points of discussion-2

(This is a continuation of the previous article)

2. One of the questions that arose during the discussions was on the “Data Breach Notification requirements” under the proposed act.

There was one concern of the industry that “Data Breach” reporting to the data subjects should not be mandated and even if required it should not be as immediate as notification to some industry authority etc.

This is a standard response from industry whenever data breach notification is suggested in any data protection act. Industry wants to protect its reputation by sweeping the data breach notification under the carpet. While most industry players would jump at Aadhaar leakage when reported, they would not like a breach in a Bank coming out in the open. Hence the demand that they should be exempted from notification of data breach to their customers.

Some industry players also brought out the issue of a need for time to determine whether a “Suspected data breach” is actually a “Data breach”, whether a “Data breach” is not exactly a data breach but only a “Denial of Service attack” etc and argued that industry should not be forced to report a data breach before it is confirmed.

However the industry agrees that most data breaches need to be confirmed with an audit and many times the recognition of data breach itself takes months and after the recognition, the completion of the internal audit takes several more months. If therefore the industry demand in this respect is to be accepted, then data breach will never become public for more than a year.

Industry is however not averse to sharing some potential breach information with an industry organisation because they know that the industry organization can be manipulated to hide the information of the data breach. For example, many WannaCry attacks on ATMs of Banks were never reported by Banks and the public never came to know of them. Even a major cyber attack on a Bank after the SWIFT system hacking in Bangladesh was pushed under the carpet. Given an option, even the UIDAI would like not to publicise the data breach reports on UIDAI because it hurts the reputation of the system.

The strong opposition to data breach notification to the data subjects itself indicates that it is a very effective deterrent that industry would not ignore. Hence it is absolutely essential that this data breach notification must be incorporated in the law as a mandate. The time limit in other international regulations is around 30 to 60 days and it would be necessary to make a provision for “Public Notification”  before 30 days.

In case there is difficulty in confirming the data breach because of the need for an audit etc.,  the notice can say that the investigation is under progress and the notice is a “Provisional Notice”.

Some persons also raised the issue of “Cost of Data breach notification” to the data subjects. The notification can be made

a) Through advertisement

b) Through notice in the website of the Data Controller

c) Through a notification in the Data Protection Authority website

d) Through e-mail

In order to further reduce the cost of “Advertisement”, a suggestion was made to the effect that the Data Protection Authority can create a broadcast platform. A mention can however be made that such services are already available at www.cyber-notice.com along with Section 65B certification. Industry is yet to recognize the potential of the service and perhaps a need for mandatory data breach notification would make the industry realize the need for such services.

(Will be continued)

Naavi


Public Consultation on Data Protection Law…. Some points of discussion-1

During the discussion on the Data Protection white paper in Bangalore on 13th instant by three members of the Expert Committee led by the Chairman Justice B.N.Srikrishna, several interesting issues came up for discussion. While it is difficult to recall all the points discussed, I am trying to capture some of the interesting points raised along with my comments here.

The comments made here are not that of the expert committee members and should not be construed as views either accepted or rejected by the committee at this point of time. Justice Srikrishna was however a great listener and tried to probe the persons raising questions to understand the issue as much as possible. The ministry representatives have made suitable notes and they are likely to be discussed by the committee later and taken into account before a bill is recommended.

  1. One of the suggestions made was that the law should be people oriented and principle based.

Comment: In India, we still do not have a law on Privacy protection. Except for the fact that we know Supreme Court considers Privacy as a fundamental right of a person under Article 21 of our constitution under “Right to life and personal liberty”, we do not have a definition of what is “Privacy”.

The first question that the Indian Data Protection Act (IDPA) has to address therefore is whether we have one section in which we define what is Privacy. i.e. Do we incorporate a clause in the definitions, stating “Privacy means…..”.

The problem however is that the nine member bench of the Supreme Court itself did not take up the responsibility of defining what is “Privacy” and some of the judges in their respective individual orders (not forming part of the final signed collective operative order under the judgement of 24th August 2017 which we refer to today as the Puttaswamy Privacy judgement) made different comments stating different aspects of our life as elements of “Privacy”.

This law therefore cannot take upon itself the responsibility of defining what is “Privacy”.

Currently, Information Technology Act 2000 (ITA 2000) has a definition of “Personal Information” and “Sensitive Personal Information” and has prescriptions of how it has to be protected by Body corporates (under Section 43A), how it has to be collected and protected by intermediaries (Section 79 of ITA 2000), what compensation may be available for wrongful loss arising therefrom (Section 43, 66, 72A), how long the data has to be preserved (Section 67C), how the data can be intercepted and collected by Government agencies for national security reasons (Sections 69, 79A, 70B) etc. All these are essential ingredients of a Data Protection Act in respect of “Data in electronic form”.

Will IDPA also address these issues? If so, will it be overlapping with ITA 2000/8 provisions? This is one of the decisions that the committee needs to arrive at.

The IDPA as is being envisaged is addressing what is referred to in the Puttaswamy judgement as “Information Privacy”. This definition is dependent on the definition of “Privacy” and a judgmental decision on “Which information addresses to Privacy”. For example, will an IMEI number be considered as “Personal Information”? If so, is it simply “Personal information” (PI) or is it “Sensitive personal Information” (SPI)? Is an IP address a PI? Is E Mail address a PI? Except for “Biometric” or “Password” there may not be a consensus of what is to be included or excluded from the definition of PI, and where the line of demarcation has to be drawn between PI and SPI, and whether the classification has to be even further refined as PI-Level I, PI-Level II, SPI-Level I, SPI-Level II etc. needs to be decided.

In such an uncertain environment, the law cannot be “Prescriptive” at all. It has to be necessarily “Principle based”.

Now, if ITA 2000/8 already has a “Principle based” “Due diligence” and “Reasonable Security Practice” defined, what does the new IDPA do in repeating the same things in a different statute?

In this context, a question arises whether it is a good idea to simply make amendments to ITA 2008 to meet the objectives of the proposed IDPA.

If required, a new chapter can be added to ITA 2008 called “Chapter on Data Protection” and incorporate the requirements of registration of data controller etc., which are not adequately covered in ITA 2000/8.

 (Will be continued)

Naavi


What “We the people” say on Judge’s Controversy

The Four judges of Supreme Court who recently held a press conference appealed to the public through the media with a request ‘please take care of the institution and take care of the nation’. The judges, namely Justices Chelameshwar, Ranjan Gogoi, Madan B Lokur and Kurian Joseph, were complaining that the Chief Justice as “Master of the Roster” is actually behaving as a “Master” and he should not do so. They said that their efforts to make him allocate sensitive cases only amongst the top 5 judges were not being heeded and some cases are being allocated to the junior judges.

The revolting judges agreed that this was an unprecedented situation and they wanted to go through this exercise as otherwise history would accuse them of having sold their souls.

The conference itself was held very clumsily. The judges did not have the press release nor a proper statement to be handed out to the press. There were favoured lawyers who were in the crowd of the journalists and Mr Shekhar Gupta, a veteran journalist, was even invited to sit on the dais. Immediately after the press meeting, the CPI party leader Daniel Raja, a known opposition party leader, was seen shaking hands with Justice Chelameshwar, giving a political colour to the entire episode.

The judges came out as completely inexperienced in not only the manner in which they conducted the press conference but also the manner in which they were fumbling for words during the interaction.

Justice Chelameshwar said that what they wanted to share was a letter they had written to the CJI, a copy of which would be shared, and that is all they wanted to say. Gogoi confirmed that there is nothing more to say beyond the letter but inadvertently admitted that the admission of the case in the Justice Loya’s death was a reason for this press meet.

Mr Dushyant Dave has been the advocate strongly advocating that the Justice Loya case should not be heard by a specific judge and it should be heard only by one of these four judges as if they would give a decision in his favour only.

Another advocate Mrs Kamini Jaiswal who is bitterly against Mr Amit Shah indicated in her subsequent statements that the possibility of Mr Amit Shah not being convicted was the reason behind this revolt. It was as if Teesta Setalvad was speaking through Kamini Jaiswal.

Yet another advocate Indira Jaising has also been vocal with similar views indicating that the politics of “Anti Amit Shah” forces were truly pushing the judges into a corner with the press conference.

It appears that these three advocates are either directly or indirectly responsible for the current mess in the Judicial system and are unmindful of the damage that they have done to the Indian judiciary for their own personal gains.

It was not surprising that Congress followed up with its own Press Conference though it was also as indecisive as the Judges press conference. It appeared as if Mr K.S.Tulsi had strongly opposed Congress getting into this controversy but Kapil Sibal and P Chidambaram pushed through the conference.  Rahul Gandhi in his usual style spoke a rehearsed sentence and ran away without taking questions.

With the meeting of D Raja with Chelameshwar and the Congress press conference, it was clear that the four revolting judges were playing the tune of the political parties. However much they may try to whitewash their intentions, the perception with the public is clear that this was a political agenda playing out through the four judges.

It appeared that these four judges wanted to say more but were restraining themselves. Finally the charges made by the four judges appeared hollow and self defeating. Had they been more forthright, they would have at least sounded more convincing.

Since then, several legal luminaries have been expressing their views on the points raised. A large number of advocates are on the side of the four revolting judges while a large number of past judges hold the view that conducting the press conference was wrong.

If we ignore the perceptions and focus more on the problem they have highlighted, then the solution is not difficult to find.

The accusation is that while the CJI is considered as having a discretion to constitute benches and allocate cases to any of them, he should do so only with the consultation of the 5 senior most judges who form the collegium.

While the Judges 2-5 in seniority who held the Press Conference hold that CJI is only the “First amongst equals ” and not more important than any of them, they consider that other judges of the supreme court who are 6-25 in seniority are lesser mortals who are not equal to the first five.

This does not seem to be a logical argument and has to be rejected.

Either all the judges have the privileges attached to their seniority, in which case the CJI as the senior most has higher privileges that include the management of the roster, or they should agree that all judges of the Supreme Court are equally competent to handle any legal matter before them without fear or favour and with the legal expertise required.

Expecting that the rule of “First amongst Equals” applies only to the first five and not to all the 25 judges of the Court indicates a self serving argument.

If we admit that the roster allocation had some “Motive” behind it as implied by these four judges, we can also imply a “Motive” behind the accusation of the four revolting judges. If the CJI's wish to avoid handing over some sensitive cases to any of these four, and to give them to some other judge down the line in a departure from the procedure, indicates a “Bad motive”, then the demand that such cases should be handed over only to them and not to anybody else also indicates a “Bad Motive” on the part of the four judges.

If we leave aside these perceptions since these judges are not transparent about their motives and want to hide behind the respect they enjoy as judges of the highest court of the land, let us accept that the only grievance is that the allocations are being done not in accordance with the established procedures of the past where all the five senior most judges worked together as a collegium and distributed sensitive cases only amongst themselves so that none was unhappy but the current CJI is trying to break this tradition.

Perhaps this is making these judges insecure and their friend lawyers also more insecure because they were perhaps existing in the system more by the strength of their relationship with the judges rather than their ability to fight a case on the merits.

The solution for this is not in asking the media and the public to adjudicate, since what “We the people” may say will not be palatable either to these judges or to their favoured lawyers. Nevertheless, since they have sought our advice, let us provide them the advice.

The problem is about allocation of cases to the 25 judges of the Supreme Court in an equitable manner so that justice is done to the petitioners. The criterion of seniority is only relevant as a demonstration of the expertise of a judge and not otherwise. Each judge may however carry a badge of domain expertise based on the type of cases in the past where he would have examined a particular domain in depth and thereby gained an expertise. There cannot be any expertise based on qualifications since the college qualifications of all the judges are at least 3 decades old and have no relevance today. For example, Mr Chelameshwar being a student of Physics in his college does not make him a domain expert in a case involving noise pollution or electric outage etc.

The judges either have to declare their top three areas of interest/specialization based on their own self introspection, or, based on the cases they might have handled in their career, have to be tagged with the domains of expertise which were required to resolve them.

Assigning a “Domain Expertise Tag” to every judgement released by a judge in all the Courts is a process that has to be introduced now so that after a decade or so, it becomes a reliable barometer to tag a Judge with his area of domain expertise. Criteria for this needs to be developed and adopted.

In the meantime, an ad hoc measure can be adopted where each judge of the Supreme Court is asked to declare three areas of interest that are used as his “Specialization Tag”.

Every judge will automatically have a seniority tag also. Using these two tags along with a “Random Allocation Tag”, it is possible for the Chief Justice to select a Judge or a Bench of multiple judges for assigning any case.

For this purpose, the CJI may categorize a case as “Requiring a specific domain expertise”. He can use his “First amongst equals” privilege to do so. Similarly, he can decide on whether the case requires a single judge or more judges to be in the bench. Having decided these two parameters out of his privilege of being the CJI, he can proceed to allocate cases in the following manner. The CJI can also determine the workload of a judge and determine if he has to be part of the selection for a given case or not.

a) In case of single member allocations, the choice can be completely randomized, such as picking a judge out of the 25 (or a lesser number if some are overburdened with cases at present). It is possible to do this by computerized allocation with the priority criteria for domain expertise and seniority set to zero.

b) In cases where there are two judges in a bench, one of the selections can be made on the domain expertise criterion and the other on a random basis.

c) In cases where there are three or more members in the bench, one member may be selected on seniority basis, the second on domain expertise basis and the third randomly.

In larger benches the criteria can be repeated for the balance vacancies to be filled up.
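The allocation rules (a) to (c) above, sketched as an added example that is not part of the original article or of any court system. The judge list and domain tags are constructed; choosing at random among matching experts, and falling back to a random pick when no available judge carries the tag, are assumptions the article does not specify. Draws come from the operating system's CSPRNG so that an allocation cannot be predicted in advance.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Judge:
    name: str
    seniority: int           # 1 = senior-most
    tags: frozenset          # declared "Specialization Tag" domains
    available: bool = True   # workload decision stays with the CJI

def allocate_bench(judges, size, domain=None, rng=None):
    """Fill a bench using the seniority / domain / random rules (a)-(c)."""
    rng = rng or secrets.SystemRandom()   # OS CSPRNG, not a seedable PRNG
    pool = sorted((j for j in judges if j.available), key=lambda j: j.seniority)
    if size < 1 or size > len(pool):
        raise ValueError("bench size must be between 1 and the available judges")
    if size == 1:
        order = ["random"]                           # rule (a)
    elif size == 2:
        order = ["domain", "random"]                 # rule (b)
    else:
        cycle = ["seniority", "domain", "random"]    # rule (c), repeated
        order = [cycle[i % 3] for i in range(size)]
    bench = []
    for criterion in order:
        if criterion == "seniority":
            pick = pool[0]                           # most senior judge left
        elif criterion == "domain":
            experts = [j for j in pool if domain in j.tags]
            pick = rng.choice(experts or pool)       # assumption: random fallback
        else:
            pick = rng.choice(pool)
        pool.remove(pick)                            # no judge sits twice
        bench.append((criterion, pick))
    return bench

# Constructed sample data: 25 judges, one declared domain each.
DOMAINS = ["tax", "constitutional", "cyber"]
JUDGES = [Judge(f"J{i}", i, frozenset({DOMAINS[i % 3]})) for i in range(1, 26)]

if __name__ == "__main__":
    for criterion, judge in allocate_bench(JUDGES, 3, domain="cyber"):
        print(criterion, judge.name, sorted(judge.tags))
```
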

This process leaves enough scope for the CJI to exercise his privilege and also provide opportunities for the senior members to be part of the important cases where there are at least 3 members. The single member benches which are prone to manipulation by friendly advocates would be randomized so that no advocate would gain an unfair advantage with a petitioner saying “I Know this Judge, Come to me”.

If the Supreme Court wants a software to be developed for the purpose, I am sure that there would be many software professionals who would be willing to develop it for free as their contribution to protect the institution which is the concern of these four revolting judges.

Naavi


Public Consultation on Data Protection Legislation

Yesterday (13th January 2018), three members of the Justice Srikrishna Committee on Data Protection Law participated in a public consultation program in Bangalore at the IISc auditorium.

Honourable Justice (Retd) B.N. Srikrishna, the Chairman of the committee was present along with two other members of the committee namely Mr Gopalakrishna and Rama Vedashree. A healthy discussion was held all through the day with around 100 participants which consisted of the elite Privacy practitioners in Bengaluru including IT professionals, Lawyers, Activists and some representatives from the academia. This was one of the four such meetings that are being held across the country while the option to submit the feedback continues on the website till January 31, 2018. The earlier meetings were held in Delhi and Hyderabad and the last meeting is being held at Mumbai.

Though this consultation was not directly related to a discussion on Aadhaar, there were many agitated Aadhaar critics in the meeting who raised their concerns. The Supreme Court, which is resuming its hearing on Aadhaar on 17th January 2018, will take into account the efforts of the Government in improving the Privacy protection regime in the country, both in its efforts to introduce the Virtual Aadhaar ID system as well as the introduction of a robust data protection law in India. In that context, the efforts being taken by the committee to have a wide consultation across the country with experts from the field were important, since one of the objections of the Anti-Aadhaar lobby has been that the Justice Srikrishna Committee itself did not have a proper representation of all stakeholders. This consultation process therefore addresses this issue and takes the sting out of the criticism that the committee does not represent all the stakeholders.

Justice Srikrishna came through as a well informed person even in the field of Technology and gave confidence to the community that the Data Protection recommendations to be given by the committee would be fair and address most of the concerns. He was keen to listen to the views of everyone and responded where required with his own wit and humour, keeping the discussions lively throughout the day.

At the end of the day, the gathering was convinced that the job of framing the data protection law, which has been pending for many years and has passed through many versions, would get another serious and fair try.

We urge professionals to take the time left to go through the white paper and submit their valuable views to the committee so that the opportunity to contribute to the law making in this important area is not missed.

Naavi.org has been providing its views and will continue to do so in the next few days left. So far some of the views have been expressed in the following articles.

1. Data Protection Law in India… Three Big Ideas …. Data Trust, Jurisdictional Umbrella and Reciprocal Enforcement Rights
2. Look beyond GDPR and Create Personal Data Trusts to manage Privacy of data subjects
3. “Compliance by Design” should be the motto of the Data Protection Act of India
4. We should forget the “Right to Forget” in Indian Data Protection Act
5. Personal Data should be considered a personal Property
6. Data Protection Act.. We should aim at Compliance with Pleasure not Compliance with Pain.
7. Right to Privacy should cease at death
8. Proposed Data Protection Legislation in India- White Paper released
9. All articles

Naavi
