Hacking of EVMs is Cyber Terrorism

It is unfortunate that many politicians are irresponsibly commenting on the hacking of EVMs. If anybody has suggestions to improve the security of EVMs, they should be welcome. But making irresponsible statements and spreading rumours is an attempt to undermine the Indian election mechanism and must be stopped.

As we understand, EVMs are manufactured by public sector organizations, shuffled before being issued to any particular booth, and are always under the physical custody of some official. They are tested one final time before they are committed for use. There are also subsequent checks on the total votes polled.

Naavi spoke long ago about the Cyber Law Compliance aspects of EVMs, and the EC has now introduced the VVPAT system (Voter Verified Paper Trail System), which will become mandatory by the next set of elections. In this system the voter views the printed slip before the completion of voting. The slips are then collected in a sealed box. These slips will be counted if there is an election petition which orders a re-count of the slips. If a person sees that the slip is different, he can raise his objection then and there.

There is, however, a system of procedures designed to make it impossible to tamper with the EVMs under an ordinary set of circumstances. Making theoretical claims, or assuming that several Election Commission officials will collude, is a mischievous claim not substantiated by evidence.

However, there are many opposition parties, including the Congress party, which use EVMs as an excuse to cover their losses.

Even when the VVPAT system is used, it is possible that some opposition party supporters may simply claim that the slip is different from what they voted, that it has fallen into the sealed box and cannot be verified. There are thus situations where false alarms may be raised by unscrupulous supporters of a political party to disturb the election process.

If this has not happened till now, it can be envisaged that it will happen next time. I will be surprised if such tactics are not used to discredit the system during the next elections in Karnataka, since the current CM of Congress is himself opposing the EVM system.

In the light of these attempts to discredit the EVM system by unscrupulous politicians, it is necessary for the Election Commission to ensure that no political party member or member of the public makes a dishonest claim that an EVM is hacked or is hackable.

In order to ensure that people are serious about EVMs, the Election Commission should declare that EVMs are “Protected Systems under Section 70 of Information Technology Act 2000”. The EC has already developed the standard operating procedure (SOP) for accessing the systems, and hence a notification accompanied by the SOP, as required under the Act, can be made quickly.

Once EVMs are considered “Protected Systems”, any attempt to hack any EVM, even by an employee of the EC, will be considered an offence carrying a punishment of 10 years.

Additionally, under Section 66F of ITA 2000/8, any action that could damage, disrupt or adversely affect the EVMs can be considered an offence under Section 66F(1)(A). Further, any incitement to commit hacking of an EVM or disruption of EVM usage can be considered as causing injury to the interests of the state and brought under Section 66F(1)(B).

In either case, the offence carries imprisonment of up to life and would be termed “Cyber Terrorism”.

The EC has already given one opportunity to those claiming that EVMs are hackable to demonstrate the possibility. This was not used by any of the political parties such as Congress or AAP. Now the new kid called Hardik Patel has started talking of EVMs, about which his knowledge may be suspect.

The EC can, however, make another offer to anybody with a credible doubt to seek an appointment to demonstrate their claim. Obviously, they should demonstrate that the system can be hacked under the conditions under which the machines are actually used, and not expect that the hacker would be able to open the machine and insert chips into it. Such a “Request for Demonstration” should be publicised, and the person requesting it must be made to pay a security deposit to cover the expenses and prevent frivolous requests; the deposit should be returned only if the charge made is proved.

The EC can also invite suggestions for improving the security of the system and honestly try to implement those suggestions that are useful.

I am sure that the EC would not be averse to these suggestions, which it should announce immediately to shut the mouths of irresponsible politicians.

Naavi


Limited Liability on Electronic Banking Frauds also extends to Cooperative Banks

On July 6, 2017, RBI released the “Customer Protection-Limiting Liability of Customers in Unauthorized Electronic Banking Transactions”.

The circular indicated that a customer is entitled to “Zero Liability” in case of loss arising out of frauds in E-banking in which:

a) There is contributory fraud, negligence or deficiency on the part of the Bank, irrespective of whether or not the transaction is reported by the customer.

b) There is a third party breach where the deficiency lies neither with the Bank nor with the customer but elsewhere in the system, and the customer notifies the Bank within three working days of receiving the communication from the Bank regarding the unauthorized transaction.

Further, the customer would have a “Limited Liability” of Rs 5000, 10000 or 25000/- (depending on the nature of the customer) in cases where the responsibility for the unauthorized electronic banking transaction lies neither with the Bank nor with the customer, and there is a delay (of four to seven working days) in notifying the Bank.

Where the delay in reporting the transaction is longer than this and the fault lies with neither the Bank nor the customer, the Banks’ boards were expected to come up with their own policies on how much of the liability they would bear.

However, even after nearly five months, we do not see any such policy from any of the Banks being announced, at least on their websites. (If any Bank disagrees, they are requested to keep us informed so that we can correct this statement.) This shows that RBI has not so far been able to impose its regulation on the Banks.

The circular of July 6, 2017 was applicable to all Scheduled Commercial Banks including RRBs, all Small Finance Banks and Payment Banks.

Now, on 14th December, RBI issued a follow-up circular extending the applicability of the Circular to Primary (Urban) Cooperative Banks, State Cooperative Banks and District Central Cooperative Banks as well.

While it was natural that all Banks engaged in E-Banking had to come under one regulation as regards protecting consumers, and this was all the more important in the case of rural banks such as the Cooperative sector Banks, RBI needs to ensure that the Banks take its regulations seriously.

Recently, we came across a fraud in which a well known journalist reported that a supplementary credit card had been issued in her name and an outstanding debit on the card was claimed from her by none other than HDFC Bank. She also reported that the Bank refused to accept her complaint and insisted that the amount was payable by her.

In many instances the frauds happen because of “Phishing”. In some cases the customers do give out their Passwords or OTP without being aware of the possibility of fraud. It is in such cases that Banks and customers need to resolve who has to bear the liability. In most cases there would be no doubt that the customer is a victim, but the Bank tries to claim that it is also a victim and hence, if the customer was negligent in giving away his credentials, he should bear the loss himself and not the Bank.

However, we need to ask the Bankers whether they are pitting their information security capabilities and knowledge against the awareness of the customer and claiming that the customer has to be more intelligent than the Bank. RBI has clearly advised these banks to adopt “Adaptive Authentication” and a robust Cyber Security Framework which should identify fraudulent transactions and take measures to prevent a fraud before it occurs. In some cases the money would have been debited from one account but not yet irrevocably paid out to the fraudster, and it may lie in the system with another Banker. In such cases, if the paying bank moves the collecting bank immediately and stops the withdrawal, the fraud could be prevented. But the Banks are so arrogant and fraudster friendly that they will raise a hundred questions to the customer: that he should file a police complaint, give a complaint in writing, accept that he has given away the password, etc., besides saying “my Manager is not available” etc., and thereby delay action.

Many banks make their Call centre access difficult and do not provide a specific fraud reporting mechanism directly in the SMS which they must send. If the customer says that he has not received the SMS, Banks often refuse to accept it.

All these hurdles need to be addressed by RBI by conducting audits of Banks on the implementation of the July 6 Circular at branch level, without which the intentions of RBI will not be implemented in practice.

RBI has also, since June 2001, mandated that customers should be protected by the Banks picking up the legal risk themselves and using Cyber Insurance cover. But none of the Banks have so far sent a single SMS to their customers about the Cyber Insurance cover they have taken for them, though they might have sent scores of messages about not linking Aadhaar.

The Chairpersons of the Banks need to be pulled up by RBI for ignoring the RBI guidelines, and apart from imposing some fine or the other, RBI must make an example of some Banks and suspend the Chairperson. Banks like Axis Bank, which were considered habitual offenders during the demonetization days, continue to carry on business without paying for their guilt.

The definition of “negligence” on the part of the Bank in the limited liability circular will have to be evaluated in this context of “not correcting past mistakes”, and even in cases of Phishing where there is negligence on the part of the customer, “Contributory negligence” on the part of the Bank should be recognized.

Some time back, ICICI Bank was pulled up by the Adjudicator of Tamil Nadu and made to pay for its negligence in the S.Umashankar case. Perhaps many have forgotten the case, and there is a need for other similar judicial interventions holding the Banks liable for Banking frauds before we can ensure security in the Banking scenario.

Some of these Banks are even challenging the RBI by adopting the use of Bitcoins and also Blockchain against the Banking laws. RBI unfortunately is unable to take corrective action and is letting the public continue to take risks which they should not take.

Will RBI now wake up and take necessary corrective action so that the Customers feel safe?

Naavi


“Compliance by Design” should be the motto of the Data Protection Act of India

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the Justice Srikrishna report.]

“Privacy by Design” is a concept which GDPR expects from Data Controllers and Data Processors. The concept of Privacy by Design basically means that measures for Privacy protection should be initiated right from the inception of a project and during the engineering process. It is not an afterthought layered over the processing but should be embedded into the basic framework of processing.

The concept of Privacy by Design imposes a sense of responsibility on software manufacturers, who have a tendency to design software solely for functional purposes and expect Privacy to be taken care of manually at the time of implementation.

This concept needs to be extended to complete compliance with all provisions of the Data Protection Act which can be controlled by technical means, by making “Compliance By Design” a mandatory provision under law so that the responsibility for compliance is shared by both the software developers and the users. This could mean that systems and outsourced services should have mandatory encryption, mandatory authentication in the form of a non-repudiable digital signature system, mandatory compliance with data retention requirements, mandatory archival of log records, etc.

If such “Compliance by Design” is mandated, then the quality of software products from the point of view of “Data Security” would increase, and in the event of any “Data Breach” caused by vulnerabilities in the software systems, some responsibility may be imposed on the software companies also. This would help SMEs in particular, who have a greater dependency on software suppliers who do not agree to source code audits or source code escrow and also do not guarantee that their software is free from bugs.

Larger companies may have a better ability to take their own measures to secure the systems irrespective of the vulnerabilities they come with. They also have more power than SMEs to extract maintenance contracts and source code audits, and hence the proposal for Compliance by Design should help SMEs more than large entities, provided the definition of “By Design” is extended to software development.

The new data protection act can consider imposing “Compliance By Design” as one of the responsibilities of system developers (both hardware and software). In order to incorporate this provision, a separate chapter is required that defines the compliance requirements of the Data Controllers, Data Processors and Data Managers (as proposed in our previous article), along with how the fact of compliance should be disclosed to the public and to the Data Protection Authority. This should obviously be controlled through Registration and penal de-registration of entities who are Data Controllers/Processors/Managers.

Hopefully the Compliance requirements do not simply remain on paper but are followed up with strict implementation.

In order to ensure that Compliance is taken seriously, Cyber Insurance should also be made mandatory, so that the cost of insurance incentivises business entities to invest the right resources in achieving compliance.

The SKC has asked for feedback on whether the law should be made retrospective or prospective. If “Compliance” is an honest expectation, it goes without saying that the law has to be enforced prospectively, with reasonable time given for compliance.

In the meantime the regulatory authorities need to provide guidance and assistance to the Data Processors and Controllers in the SME sector so that they can achieve compliance in the specified time. The compliance schedule also needs to be extended with additional time for smaller entities, taking into account the incidence of cost as well as the scarcity of manpower to assist them in compliance.

The compliance deadline could therefore be about 1 year for large units and about 2 years for smaller units, with the exact definition of what is Small and what is not being decided on the basis of turnover.

Naavi


We should forget the “Right to Forget” in Indian Data Protection Act

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the Justice Srikrishna report.]

The EU law on Privacy under GDPR recognizes the “Right to Forget”, which essentially means that the data subject can demand that his personal information be erased from the records in the custody of the data processor/data controller once the data subject withdraws his consent.

Enabling “Erasure” of data is not as simple as it looks, since data has a tendency to multiply and spread across different systems within the processing organization, and it is often difficult even to recognize where all the copies of the data are present. With the need to back up data for reasons of disaster recovery, and with different versions of the data getting created during the course of a customer’s relationship with a data processing entity, it is difficult to ensure the complete erasure of data when a demand for deletion comes up.

Further, since data is related to National Security and Crime control, there is a legal obligation to “Retain Data” in many circumstances. There will therefore be a conflict between the need to erase data on request and the need to retain data for the control of criminal activities. Even the needs of Governance, such as Direct Benefit Transfer with the use of Aadhaar, require data to be retained and not erased merely at the request of the data subject.

Even when Privacy is considered a Fundamental Right, the law provides for exemptions for security purposes, and hence the “Right to Forget” or “Right of Erasure” is a concept which cannot be considered for the Data Protection Act.


Personal Data should be considered Personal Property

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the Justice Srikrishna report.]

Many of the issues connected with Privacy arise out of the complaint that “information collected by a Data Controller” is processed in such a manner that the data subject feels that his privacy has been breached. Hence “Consent” is sought and obtained before the collection of information. Section 79 of ITA 2000/8, under its rules, has already adopted the procedure of disclosure and consent when an “Intermediary” collects personal data from a data subject in India. The fact that “Consent” should be “Informed Consent” is also well appreciated.

However, most data subjects never care to read the Privacy statements or Privacy policies presented to them before a specific use of a service. Many service providers also take blanket permissions, ignoring the principles of minimal collection and purposeful use.

In the absence of proper legal requirements, data subjects can only try to take legal action against an entity that breaches the law if they can claim damages. But in most cases damages cannot immediately be recognized and evaluated, and hence a “breach” can be recognized but not its consequences. There is therefore no legal remedy in most cases.

When a data protection law is in place, the regulator can take action for breaches even when no damage is claimed by any data subject. Though this provision is available even now under Section 46 of ITA 2000/8, it is hardly recognized as existing. When the new law comes in, since there will be a recognized regulator called the “Data Protection Officer of India”, it will be his duty to monitor the industry and initiate action when required.

Some data controllers may blame the data processors for a breach, and data processors may allege that the data controller did not indicate the responsibilities properly in the SLA. Even now, many of the data processors in India coming under GDPR allege that they do not have a proper Business Associate Contract from their vendors specifying the information security requirements. Hence the responsibilities cast on the data processors are vague and go without compliance.

The new law should ensure that this “Vagueness” is removed by making it mandatory that the Data Controller, who is the person/entity to whom the data subject provides the personal data and the “Consent” to use that data in a particular manner, take full responsibility for any breach, and by mandating that any sub-processors are bound with specific instructions which are clear. If the sub-processor is also within the Indian jurisdiction, it may suffice to make a reference to the legal provision in toto by referring to the Act. But when the Data Controller and Data Processor are in different jurisdictions, it is necessary for the Data Controller to specify in a contract the actual responsibilities related to the processing of any data set/s and not leave them vague.

Assuming that this provision is taken care of, we can expect that all controllers will present comprehensive “Consent Requisitions” whenever online consent is required. They may even justify in the requisition the purpose of collection and how the information will be secured, etc. However, in the process the consent requisition will become a long online document which no user is likely to read at length; the user will just click “I Accept” and start availing the service. In some cases the service provider may say that “Continued use of the service is deemed to be consent to the privacy policy” and provide a hyperlink which the user does not care to open and read.

Such online consents may not be treated as proper “Informed Consent”, because they are not digitally signed and also because the likelihood of the document having been read and understood before it is consented to is low. Since India does not recognize the Click Wrap contract, the acceptance of consent by the click of a button has no legal sanctity. The consent therefore only becomes an “Implied Consent of a dotted line contract”, where the fine print details could be considered voidable at the option of the customer.

Even when such consents are treated as contractually acceptable, the data subject may not be able to decipher the intricacies of the contract and take an informed decision. When multiple parties require multiple types of consent, multiple times, there would inevitably be the “consent fatigue” that makes him simply click without a second thought.

Hence the current system, in which each data controller takes an individual consent each time data is required for a specific purpose, is not practically efficient.

One of the ways by which we can overcome this is to treat personal data as property of value to the data subject, and every usage as “Licensed Use”, with some kind of reward available to the data subject that is proportionate to the benefit the data user may enjoy. In this concept the data subject actually sells the right to use his personal data for a consideration. However, to manage this system the data subject needs professional assistance, and hence there is a role for an intermediary “who collects consents and data, keeps it with himself and releases it on specific request to a user, as a personal Data Manager of the data subject”.

The “Data Manager”, being a professional agency, knows the value of the personal data to different service providers and can maximize the returns to the data subject. It is not necessary that the reward to the data subject be in the form of direct money. It could be in the form of reward points that are exchanged for some valuable service.

Further, the “Data Manager” as an intermediary can act like a “Personal Data Locker” and offer services such as anonymization and pseudonymization, as well as providing limited data sets devoid of key identifiers. He can ensure that value addition in the form of data mining and Big Data analytics can be conducted without compromising the privacy of the data subject.

In order to provide an opportunity for such intermediary business, personal data should be recognized as the property of the individual, and he should have the right to license it for a price. The proposed data protection act should also recognize and define the role of the “Data Manager” as a business in which the data subject transfers the right to manage his personal data exclusively to one such agency. This role is different from that of the “Data Controller” and “Data Processor” as used in laws such as GDPR. He should deal with the Data Controllers and ensure that they adhere to principles such as minimal collection, purposeful use, adequate security, removal on completion, etc. When he approves disclosure of personal data of his clients, he can ensure that adequate value is returned to the data subject, however small it is.

The Data Manager will subsume the role of the Data Controller to the extent that the data subject provides his consent only to the Data Manager, and all that the data controller gets is a “proxy identity”. The linking between the proxy identity and the real identity is in the hands of the Data Manager, and the principles enunciated in our earlier discussions on “Regulated Anonymity” can be used so that only responsible data controllers will get the premium personal data based on the real identity. Others can get lower valued proxy identity data. Some others may use a limited data set, and others the de-identified data. Thus the Data Manager can effectively classify and package data offerings and create value, whereas today the data subject does not get any value for the personal data which he shares with various service providers.

This type of parallel thinking can be incorporated in the Indian Data Protection Act so that it does not become simply a rehash of the GDPR or other international data protection legislation.

Naavi


Data Protection Act: We should aim at Compliance with Pleasure, not Compliance with Pain.

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the Justice Srikrishna report.]

The Justice Srikrishna Committee (SKC) has propounded 7 key principles of the Data Protection Act and proceeded to provide several questions in its report seeking public comments.

The seven key principles on which the proposed Data Protection law would be based are as follows:

1. Technology agnosticism – The law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance.

2. Holistic application – The law must apply to both private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims.

3. Informed consent – Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful. The law must ensure that consent meets the aforementioned criteria.

4. Data minimisation – Data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject.

5. Controller accountability – The data controller shall be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data for processing.

6. Structured enforcement – Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralised enforcement mechanisms.

7. Deterrent penalties – Penalties on wrongful processing must be adequate to ensure deterrence.

The above principles may determine the broad contours within which the SKC may work out a draft of the Data Protection Act of India (DPAI). In the background, the Supreme Court’s views on Aadhaar as an instrument of Governance and a potential tool for breach of Privacy will be weighing on the minds of those who work on the drafts.

One of the first questions to be raised, therefore, is whether these principles need to be expanded or modified.

It is in this context that we raise the first supplementary principle to be added to the list.

“The proposed Data Protection Act should be amenable to compliance by all stakeholders with pleasure and appreciation of its purpose. It should not attempt to enforce compliance with the law by pain… except for the inevitable minimum pain that accompanies all changes.”

The second principle, which follows from the first, is that the proposed law should confine itself to the limitations that are inherent in such a legislation. The law is proposed as the “Data Protection Act of India”, but whether that is the right definition of the proposed law, or whether it should be considered differently, is a question to ponder.

When the honourable 9 member bench of the Supreme Court (Puttaswamy Judgement) declared in a hurry that “Privacy is a Fundamental Right under the Constitution of India”, there was no time to deliberate and come to a conclusion on “What is Privacy”. The order did not specify the definition but said Privacy is a fundamental right. So the task before the Data Protection Act legislators includes defining what they propose to protect.

A question naturally arises, therefore: if the 9 eminent jurists could not define the enigmatic concept of “Privacy”, should the Data Protection Act of India attempt to do it?

Data protection legislation may not be the right law to define Privacy. It should be done through a different law under the overall domain of the “Democratic Rights of an Indian Citizen under our Constitution”.

On the other hand, the Data Protection law can effectively define the “Security to be accorded to Data” of a particular type. A “Data Protection Act” should confine itself to the protection of “Data”, which may be personal data, sensitive personal data, or even corporate data. Calling an Act a “Data Protection Act” and confining it only to being an “Individual Information Privacy Protection Act” is not warranted.

However, India already has a law called the “Information Technology Act” which has several provisions that fall in the category of “Data Protection”. It also has provisions that are meant to protect “Information Privacy”, namely Sections 72A and 43A. Sections 43 and 66, along with several other sections such as Section 67C and Section 79, define responsibilities for individual information privacy protection. Sections 69, 69A and 69B also provide the “Reasonable Exemptions”.

Now, whatever the new Data Protection Act proposes will be in partial modification of ITA 2000/8 and will introduce a conflict with ITA 2000/8, and perhaps also with the UIDAI Act.

The new Data Protection law should therefore decide whether it steers clear of the existing ITA 2000/8 or tramples upon its provisions and replaces them with a new set of the same provisions under a different legal instrument.

We should not forget that there is also a “Health Care Data Privacy Act” on the drawing board, which has already been partially rolled out in the form of the EHR guidelines (though the industry has largely ignored them).

One of the other principles that the proposed law should declare for itself is therefore the following:

The Proposed Data Protection Act shall work in harmony with the current established laws in the country, such as the Information Technology Act 2000 and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act.

The Key principles should therefore be increased from 7 to 9.

The main purpose of the suggestion is that we need a legislation that the stakeholders will absorb as a necessary legislation that is good for our society, and hence one that all of us have a duty to comply with.

Unlike the GDPR, which tries to impose its will through obnoxious penal provisions, the Indian Data Protection Act, or Information Privacy Protection Act, or Individual/Personal Information Privacy Protection Act, as it may be called, should not bank upon its ability to control the market with its penal provisions. By stating that the penalty can be 4% of global turnover or 20 million Euros, GDPR is showing its muscle. India could counter this by saying that the penalty may be 5% of global turnover and INR 2 billion and make it applicable to any entity in the world. With such a provision we could also make the international community raise its eyebrows and recognize our existence.

But is this the way law should be imposed? By threatening to wipe out a company in case of non-compliance, and leaving it to the mercy of the adjudicator to determine the final penalty and, if possible, use his discretion as leverage to ask for favours from the accused?

Penalty should be a deterrent, but it should not be so huge that the accused either declares bankruptcy immediately or thinks of bribing his way out. It is in this context that we say law should promote compliance not with pain but with pleasure.

Data Controller is also a stakeholder

In the data protection law, the drafting people should also decide who the stakeholder or stakeholders are. Is the stakeholder solely the individual, and are others like the Data Controller or Data Processor only targets for imposing a penalty if they do not comply, when what they need to comply with is itself unclear?

We must accept that a Company registered in India is as much an entity that needs Government protection as the individual who is a citizen of India. Hence the law of privacy cannot go overboard and look at punishing the Data Controller severely as the EU law tries to do. Of course we do not trust the Companies, nor the Government, when it comes to Privacy protection, and hence the need for the law. Law sometimes tries to provide protection to the Government separately (eg UIDAI) but imposes hefty fines on the private sector for the same offence. This may not be fair.

What follows therefore is that whatever law is now being proposed should be equally applicable to a Company, the Government or an individual.

Secondly, if an individual’s data needs protection, a corporate’s data also needs protection. If one is called “Privacy”, the other may be called “Data Protection”.

Hence if we call this new law the “Personal Information Privacy Protection Act”, then it can confine itself to protecting individuals against invasion of privacy that may arise because such information is not protected by a corporate or the Government.

If we call this a “Data Protection Act”, then it should extend to corporate data as well. Since ITA 2000/8 already covers this aspect, there is no need to cover security of corporate data through this Act. On the same logic, if this law has to be a comprehensive law on Personal Data Protection, then Sections 43A and 72A need to be removed from ITA 2000/8.

If Sections 43A and 72A are to be retained and the new law has to extend to privacy protection, then the law should clearly explain that the new provision is in addition to the earlier provisions in ITA 2000/8 and not in derogation of the earlier provisions present in ITA 2000/8.

If this precaution is not taken, we will end up with the argument which was presented by an advocate in an adjudication proceeding in Karnataka, and accepted by the then adjudicator, that “Introduction of Section 43A applicable for body corporate in ITA 2008 automatically changes the meaning of Section 43 and confines its jurisdiction to individuals only”. Though the undersigned did not subscribe to this view at that time and does not even now, if the law is not clear, it enables such manipulation by clever advocates to the detriment of society.

I therefore urge the SKC to declare that

what they are proposing is not in derogation of any of the existing laws and in particular the provisions contained in ITA 2000/8 on data protection in general and personal data protection in particular.

Jurisdictional Umbrella

It is more or less imperative that the law will define that it is applicable to the processing of data of an individual citizen of India by any person, including a Company incorporated in India or otherwise, or by a Government in India or otherwise.

However, this will naturally lead to a conflict in implementation when the law is breached by a foreign company or a Government. Similarly, a foreign Company or a Government may also try to impose its own law (eg GDPR) on an Indian company and claim penalties which may be significant and also involve foreign exchange outflow.

The Proposed law provides an opportunity to ensure that this conflict between different laws applicable to a single company in India is resolved without the company (registered in India and therefore expecting the Indian Government to protect its legitimate interests) having to face several international regulatory organizations at a given time.

Typically an organization handling data processing may have personal data from persons of different nationality. Each country is now trying to impose its own laws and also extend extra-territorial jurisdiction, just as GDPR has done in respect of information that belongs to its citizens. It has therefore become necessary for companies (Data Controllers or Data Processors) to tag every piece of personal information with the citizenship of the individual and try to apply the appropriate laws. In one case it may involve a “Right to Forget” and in another case there may be an “Obligation to retain”. In such cases, the Companies will be unable to comply with conviction if they do not have a data classification system that tags the information to the country of citizenship. (Hopefully there will be no dual citizenship problem.)

This data protection law should recognize this problem of the business community and try to provide a solution.

The solution we suggest is twofold.

  1. Every consent should incorporate a specific clause which states that “This personal data shall be protected as per provisions of personal data protection applicable to ….. country.”
  2. The adjudication and imposition of penalties if any shall be determined as per the personal data protection regulations applicable to India and the Indian Data Protection Authority shall have the final authority in sanctioning any penalty in respect of any individual who is a citizen of India, any corporate or other organization registered and subject to Indian laws.

The jurisdiction clause is proposed as a mandatory part of the consent which itself should be mandatory.
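As an added illustration of the classification system described above (tagging each record with the citizenship of the individual, embedding the jurisdiction clause in the consent, and deciding an erasure request as “Right to Forget” versus “Obligation to retain”), here is a small Python sketch that is not part of the original post. The regime names and retention periods in RULES are hypothetical placeholders, not quotations from any statute; the sketch also handles the dual-citizenship case by applying the most restrictive tag.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed rules per citizenship tag. Regime labels and retention periods
# are hypothetical placeholders chosen for the example only.
RULES = {
    "IN": {"regime": "Indian Personal Data Protection Act (proposed)",
           "min_retention_days": 365},
    "EU": {"regime": "GDPR", "min_retention_days": 0},
}


@dataclass
class PersonalRecord:
    subject_id: str
    citizenships: tuple   # jurisdiction tags attached when consent is taken
    collected_on: date


def make_record(subject_id: str, tags: tuple, collected_on_iso: str) -> PersonalRecord:
    """Build a tagged record from an ISO date string (YYYY-MM-DD)."""
    return PersonalRecord(subject_id, tags, date.fromisoformat(collected_on_iso))


def consent_clause(citizenship: str) -> str:
    """Jurisdiction clause to embed in every consent (wording constructed here)."""
    regime = RULES[citizenship]["regime"]
    return (f"This personal data shall be protected as per provisions of "
            f"{regime} applicable to {citizenship}.")


def handle_erasure_request(record: PersonalRecord, today_iso: str) -> tuple:
    """Decide whether a 'Right to Forget' request can be honoured.

    Returns (action, reason). With several tags (dual citizenship) the most
    restrictive regime wins: an unknown tag -> 'refer' for manual review,
    any retention duty still running -> 'retain', otherwise -> 'erase'.
    """
    today = date.fromisoformat(today_iso)
    if not record.citizenships:
        return ("refer", "untagged record: route to manual review")
    decision, reasons = "erase", []
    for tag in record.citizenships:
        rule = RULES.get(tag)
        if rule is None:
            return ("refer", f"no rule for tag {tag!r}: route to manual review")
        retain_until = record.collected_on + timedelta(days=rule["min_retention_days"])
        if today < retain_until:
            decision = "retain"
            reasons.append(f"{rule['regime']}: obligation to retain until {retain_until}")
        else:
            reasons.append(f"{rule['regime']}: right to forget honoured")
    return (decision, "; ".join(reasons))
```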

This provision also means that if any EU entity imposes a penalty on an Indian Company, the Indian Data Protection Authority shall intervene to accept or reject the penalty claim.

In order to make the provisions of the new law fair, the law can offer reciprocal arrangements of a similar nature to foreign jurisdictions and state:

“Where penalties are imposed under the Personal Data Protection Act of India on a person who is either not a citizen of India or is a company registered outside India, then the Indian Data Protection Authority shall provide an opportunity to the Data Protection authority (if any) of the country to which the said company/individual belongs to implead on behalf of the said entity.”

Since some of these suggestions could interfere with international obligations, they may need to be properly drafted. The suggested intent is that no Indian Company will be directly made liable to any foreign authority, whether by a contractual agreement or otherwise, without a sanction of the Indian authorities. If this umbrella of protection is not created, GDPR will be an instrument that creates colonies in India and allows European companies to control Indian corporate entities.

Naavi

(Discussions will continue)
