Oppo Police Stations come up in Karnataka.. Have we outsourced our security to a Chinese Company?

Yesterday, while travelling from Mysore to Bangalore, I was surprised to see “OPPO Police Station” in Ramanagara on the highway. For a moment, I was confused if China has taken over India and Oppo has been given charge of internal security!

Maybe the Karnataka Home Minister and DGP can explain.

Some time back, in Bangalore, we have seen Police Station name boards in the name of Airtel. But to see the name boards in the name of a Chinese Company indicates that our administrators have not considered the impact of such blind acceptance of commercial sponsorship of even sensitive matters such as internal security in India.

If this trend continues, we need not be surprised if Police uniforms carry Oppo or Vivo brands just like our Cricketers. Maybe even our Ministers may paint Huawei on their cars.

This trend must stop and stop immediately.

Acceptance of sponsorship of a foreign commercial organization’s money for routine maintenance of the administrative machinery of the Government is another form of “Corruption”. If the Police are obliged to companies for even putting up their name boards, then how will they take up a complaint against these companies lodged by any citizen of India?

It is necessary that all Government agencies follow a principle whereby corporate sponsorships do not compromise the constitutional obligations of the Government agencies.

On the other hand, if these companies want to sponsor some event such as educating the masses on Cyber crime issues etc., it should be fine. But in such cases also the public should be promptly notified that

“This event is commercially sponsored by ……. Government undertakes not to compromise its principles in favour of the sponsors by virtue of this sponsorship”.

In the meantime, I urge my friends in the media to file an RTI and find out what consideration is paid by OPPO to host a board “OPPO POLICE STATION” on the Bangalore-Mysore highway as rent per day, what the normal market value of a hoarding in the same area is, and arrive at the opportunity loss suffered by the Government.

If OPPO has simply spent a few thousand rupees to get the Board organized, I would like to replace the board with “Naavi Police Station” and donate a board twice the size of the current board.

At least the “Naavi” brand is associated with fighting Cyber Crimes, unlike OPPO which, as a Chinese Company, is suspected of possibly having a back door in its software.

Will the Government of Karnataka clarify? Will the Media question the prudence of whoever took this bizarre decision?

Naavi


Does SBI Cards pose a special risk for customers because of Incompetence and possible collusion?

We have been discussing the “Limited Liability” Circular of RBI which was first issued in draft form on August 11, 2016 and confirmed on July 6, 2017.

However, recently when one of the customers of SBI Cards from Chennai (a respectable employee of an MNC software company), who had lost money on a fraudulent credit card transaction, requested them to redress his grievance under the provisions of this circular, SBI Card replied that they are not aware of the existence of such a circular.

In an email reply from ceo@sbicard.com dated 1st September 2017, signed by one Jaspreet Kaur, SBI Card replied

“…we are not in receipt of any communication from RBI regarding limited liability clause. “

The Bank has provided the IP addresses from which the fraudulent transactions were made, which indicate that the transactions originated somewhere in Jharkhand while the customer is in Chennai.

This indicates that SBI Card's authentication system has not implemented “Adaptive Authentication” to identify an unusual transaction, as is required under the various Cyber Security guidelines issued by RBI from time to time.
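To show what such an adaptive check looks like in practice, here is a constructed example added to this post (not SBI Card's or RBI's code): a small risk scorer that combines the geolocation of the source IP, the cardholder's registered and usual regions, the time gap since the previous transaction and the amount, and decides whether to allow, step up (OTP or call-back) or decline. The IP ranges, regions, profile and transactions are made-up sample values; a real issuer would read them from a geo-IP database and the card history.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed IP-prefix -> region table; a real system would query a geo-IP
# database. The prefixes are documentation ranges, not real ISP allocations.
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "Chennai",
    ip_network("198.51.100.0/24"): "Jharkhand",
    ip_network("192.0.2.0/24"): "Bangalore",
}


def region_for_ip(ip: str) -> str:
    """Return the region a source IP geolocates to, or 'unknown'."""
    addr = ip_address(ip)
    for net, region in GEO_TABLE.items():
        if addr in net:
            return region
    return "unknown"


@dataclass
class Txn:
    amount: float
    src_ip: str
    when: datetime


@dataclass
class Profile:
    """What the issuer already knows about the cardholder."""
    registered_region: str
    usual_regions: Set[str]
    avg_amount: float
    last_allowed: Optional[Txn] = None


def risk_score(txn: Txn, profile: Profile) -> Tuple[int, List[str]]:
    """Combine independent signals into one score; every reason is kept so it
    can go into the dispute / chargeback file later."""
    score, reasons = 0, []
    region = region_for_ip(txn.src_ip)
    if region == "unknown":
        score += 20
        reasons.append("source IP could not be geolocated")
    elif region != profile.registered_region and region not in profile.usual_regions:
        score += 40
        reasons.append(f"transaction from {region}; cardholder registered in "
                       f"{profile.registered_region} and never seen there")
    prev = profile.last_allowed
    if prev is not None:
        gap = txn.when - prev.when
        if region_for_ip(prev.src_ip) != region and gap < timedelta(hours=2):
            score += 30
            reasons.append(f"region changed within {gap} of the previous transaction")
    if profile.avg_amount > 0 and txn.amount > 3 * profile.avg_amount:
        score += 20
        reasons.append("amount exceeds 3x the cardholder's average")
    return score, reasons


def decide(txn: Txn, profile: Profile, step_up_at: int = 40,
           decline_at: int = 70) -> Tuple[str, int, List[str]]:
    """allow / step_up (OTP or call-back) / decline, with supporting reasons."""
    score, reasons = risk_score(txn, profile)
    if score >= decline_at:
        return "decline", score, reasons
    if score >= step_up_at:
        return "step_up", score, reasons
    return "allow", score, reasons


def demo() -> List[Tuple[str, int, List[str]]]:
    """Constructed scenario: a Chennai cardholder, then a large transaction
    from a Jharkhand IP half an hour later, then a new city the next day."""
    profile = Profile("Chennai", {"Chennai"}, avg_amount=2000.0)
    txns = [
        Txn(1500.0, "203.0.113.5", datetime(2017, 8, 30, 10, 0)),    # normal
        Txn(9000.0, "198.51.100.7", datetime(2017, 8, 30, 10, 30)),  # suspicious
        Txn(2500.0, "192.0.2.9", datetime(2017, 8, 31, 9, 0)),       # new city
    ]
    results = []
    for txn in txns:
        result = decide(txn, profile)
        results.append(result)
        if result[0] == "allow":   # only allowed transactions shape the history
            profile.last_allowed = txn
    return results


if __name__ == "__main__":
    for decision, score, reasons in demo():
        print(decision, score, reasons)
```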

Obviously, if Jaspreet Kaur does not know even the important Limited Liability circular, we may presume that she must be not only ignorant but incapable of understanding what is “Adaptive Authentication”.

Employing such inefficient persons with an authority to reply under an e-mail “Ceo@sbicard.com” indicates the complete lack of competence of SBI Cards to handle the responsibility of credit cards.

We are also surprised that, this being a credit card transaction in which a payment was made to a merchant, the “Charge Back” option has not been exercised by SBI Cards.

The concerned merchant is the beneficiary of a fraudulent transaction and therefore is part of a “Money Laundering” exercise. Hence SBI Card should not have hesitated to allow a charge back immediately.

SBI Cards should make a public statement if the Card holder, who is also a customer of the Bank, is not as important as the Merchant, who may also be a customer of either SBI itself or some other Bank.

If SBI/SBICards was aware of the Limited liability circular, they should have introduced a grievance redressal mechanism as well as indicated a policy for determination of the liabilities under various conditions. No such policy has so far been published by SBI even after two months since the circular was issued.

The casual handling of the complaint by Ms Jaspreet Kaur indicates the possibility of her being an accomplice in the fraud.

I wish the Police in Chennai would register a case against SBI Card as an organization and Ms Jaspreet Kaur as an individual who, by her “negligence” and “an attempt to shield a fraudster”, becomes an accomplice to the fraudulent transaction.

I also do not think that Ms Jaspreet Kaur could be the CEO of SBI Card. If she is not the designated CEO of SBI Cards, her using the e-mail CEO@SBIcards.com is an attempt to cheat the customer with misrepresentation and possible unauthorized use of a senior executive’s e-mail ID, which are offences under Section 66C and 66D of ITA 2008. These are cognizable offences and Chennai police should make use of these provisions in pursuing the complaint.

I call upon the Chairman of SBI to also initiate an internal enquiry on the complaint and ensure that customer complaints are handled with more responsibility.

I also request RBI to pull up SBI for not ensuring that its executives are properly informed about the RBI Circular and, if no satisfactory explanation is available, suspend the Credit Card license of SBI Cards.

I am looking forward to immediate response from some responsible person in SBI and request him to redress the grievance of this customer. (Ref: Interaction ID : 123634897427)

It is a general observation that a large number of frauds happen in the credit card system of SBI Cards, much more than in other Banks. The apparent reason is that SBI Cards is being managed by incompetent persons who may be hand in glove with the fraudsters. There is a need for an in-depth enquiry by CBI on the functioning of SBI Cards so that customers are not subjected to an “SBI Risk”.

Naavi


IAPP KNet Session at Bangalore: Aadhaar and Privacy

IAPP had organized a half day session at IIIT Bangalore in which the Privacy issues surrounding Aadhaar were discussed in the light of the recent Supreme Court judgement. A summary of thoughts shared by the undersigned in the meet is reproduced here.

The reference to the Nine member Bench of the Supreme Court was made during the discussion in the smaller bench on the Constitutional validity of Aadhaar, in which one point brought out by the Government was that Privacy is not a fundamental right. Sensing the danger of the argument being held valid on account of two earlier judgments of the Supreme Court, namely the M.P.Singh and Kharak Singh judgments, one of which was from an 8-member bench, the CJI quickly set up the Nine member bench, which in double quick time came up with its massive judgement and cleared the path for the smaller bench to proceed with the Aadhaar hearing under the specific consideration that Privacy is a Fundamental Right.

Once this issue is settled, the Government will have to justify the Aadhaar Act under one of the “Reasonable Restriction” clauses under Article 19(2).

In this context, the issues before us are to understand

a) Does Aadhaar per-se violate Privacy?

b) Does the mandating of Aadhaar for social benefits violate Privacy?

c) Does linking of Aadhaar to PAN violate Privacy?

d) Does leaking of Aadhaar data through the e-Hospital app violate Privacy?

e) Does leaking of Aadhaar data through biometric device violate Privacy?

f) Once biometric is compromised, is there a way out to put the clock back?

We must recognize that Aadhaar was perceived as a database of demographic and biometric data linked to a random number. This number was supposed to be held confidential by the owner and presented with his biometric to those agencies which needed to verify any particular parameter associated with the Aadhaar such as the name, address, father’s name, date of birth etc. The query was supposed to be always answered in binary Yes or No and Aadhaar data was not supposed to travel on the internet.

However, in its implementation, Aadhaar is now used as an ID card and any authorized person who seeks information is allowed to download the entire Aadhaar information onto his systems, where the data along with the Aadhaar number resides. The query is answered not only with the biometric but also with an OTP over the registered mobile. There are also authorized APIs that lift the data from the Aadhaar server and populate forms at the User end. The e-Hospital application was one such application which was at the center of the recent suspected data breach.

Similarly, wherever biometric devices are used, the biometric has to be captured and then transmitted to the Aadhaar server for authentication. Though the transmission is encrypted, it is possible for a copy of the encrypted biometric to be stored at the device end. This was detected in one instance where eMudhra and Axis Bank had sent a stored biometric for authentication and UIDAI had filed a criminal complaint.

Since the devices would be under the control of the intermediaries, even if UIDAI ensures an audit of the devices before they are approved, there is a possibility of them being tampered with subsequently.

The current generation of biometric devices and the technology adopted for referring the captured biometric to the UIDAI server do not seem to be secure enough to prevent storage of the biometric, and this could be a Privacy threat.
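The stored-biometric incident above is, from the server's side, a replay problem. The following is a constructed model added to this post (not UIDAI's or any device vendor's protocol): each registered device signs every capture together with a fresh capture id and a timestamp under a per-device key, and the authentication server refuses a capture whose signature fails, whose timestamp is stale, whose capture id was already used, or whose sample bytes are identical to one already seen (two live scans of the same finger never match byte for byte, so an exact duplicate points to a stored copy being fed back). Device ids, keys, timestamps and the "biometric" bytes are sample values made up for the example; encryption of the sample in transit is left out to keep the replay logic visible.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, List, Set, Tuple

FRESHNESS_SECONDS = 120   # how old a capture may be before the server refuses it


def canonical(body: dict) -> bytes:
    """Deterministic encoding so device and server sign exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class CaptureDevice:
    """Registered device: every capture gets a fresh id, a timestamp and an
    HMAC under a per-device key provisioned at registration time (model only)."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id, self.key = device_id, key

    def sign_capture(self, sample: bytes, now: int) -> dict:
        body = {
            "device_id": self.device_id,
            "capture_id": os.urandom(16).hex(),   # unique per live capture
            "ts": now,
            "sample": sample.hex(),               # would be encrypted in a real system
        }
        sig = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}


class AuthServer:
    """Accepts only fresh, signed, never-before-seen captures."""

    def __init__(self, device_keys: Dict[str, bytes]):
        self.device_keys = device_keys
        self.seen_capture_ids: Set[str] = set()
        self.seen_sample_digests: Set[str] = set()

    def verify(self, message: dict, now: int) -> Tuple[bool, str]:
        body, sig = message["body"], message["sig"]
        key = self.device_keys.get(body.get("device_id"))
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        if abs(now - body["ts"]) > FRESHNESS_SECONDS:
            return False, "stale capture"
        if body["capture_id"] in self.seen_capture_ids:
            return False, "replayed capture id"
        digest = hashlib.sha256(bytes.fromhex(body["sample"])).hexdigest()
        if digest in self.seen_sample_digests:
            # identical bytes cannot come from a second live scan
            return False, "identical sample resubmitted"
        self.seen_capture_ids.add(body["capture_id"])
        self.seen_sample_digests.add(digest)
        return True, "accepted"


def demo() -> List[str]:
    """Constructed walk-through: one live capture, then four ways a stored or
    altered capture is refused."""
    key = b"constructed-device-key-not-real"
    device = CaptureDevice("DEV-001", key)
    server = AuthServer({"DEV-001": key})
    t0 = 1_504_000_000                      # constructed epoch timestamp
    sample = b"constructed fingerprint template bytes"

    fresh = device.sign_capture(sample, t0)
    outcomes = [server.verify(fresh, t0 + 5)[1]]              # live capture

    outcomes.append(server.verify(fresh, t0 + 60)[1])          # same message again

    resigned = device.sign_capture(sample, t0 + 90)            # stored bytes, new id
    outcomes.append(server.verify(resigned, t0 + 95)[1])

    late = device.sign_capture(b"another live sample", t0 + 100)
    outcomes.append(server.verify(late, t0 + 100 + FRESHNESS_SECONDS + 1)[1])

    tampered = device.sign_capture(b"third live sample", t0 + 200)
    tampered["body"]["ts"] += 1                                # altered after signing
    outcomes.append(server.verify(tampered, t0 + 201)[1])
    return outcomes


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```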

Thus in most cases Privacy information leakage occurs at the user end and not at the UIDAI end. Hence what UIDAI needs to ensure is a process by which users take the responsibility for leakage of Aadhaar data.

Currently this is determined by the provisions of ITA 2000/8 under Section 79 and 43A along with other provisions.

The issue of Aadhaar and Privacy should therefore be seen in the context of how the Aadhaar intermediaries obtain the consent of the Aadhaar users and whether it satisfies the internationally accepted principles of disclosure, minimal usage, security, limited period retention etc.

Some of the legal luminaries do consider that “Consent”, being a “Contract”, cannot be used to circumvent the abrogation of “Fundamental Rights”. In view of this, the consents need to be carefully drafted to avoid litigation.

Compliance therefore becomes a challenge to the companies who need to use “Data” as the raw material for their business.

If Aadhaar related privacy issues are to be tackled, there is a need to relook at the technology by which the Aadhaar database is accessed by the intermediaries who provide various services using Aadhaar as an ID. Government also should stop treating Aadhaar as an ID card which can be shared at various usage points to be photocopied and used.

If, before the Aadhaar hearing comes up again in the Supreme Court, the Government issues a policy guideline on how the Aadhaar database is to be used, it may strengthen the argument to defend the Aadhaar system. Otherwise there could be a danger of impossible restrictions being imposed by the Court which may need a change of many of the use cases which are under contemplation.

Naavi

 


CCAI India Privacy Summit 2017 at Bangalore… and Cyber Insurance

A high profile Privacy Summit had been organized at Taj West End by CCAI (Corporate Counsel Association of India) along with IAPP in which several issues of Privacy were discussed in the emerging technology environment.

The undersigned, participating in one of the sessions, presented his views on the relationship between Cyber Security and Cyber Insurance.

A summary of thoughts presented in this connection is reproduced here:

Cyber Insurance has two parts namely the First Party Coverage and Third party coverage.

The first party coverage refers to the costs incurred by the insured after a breach on invoking DRP/BCP, payment of regulatory fines, cost of audit and assessment of the breach, forensic investigation of the breach, litigation, ransom payments, data breach notification cost etc. These are all costs incurred by the Company for which reimbursement is sought.

The third party coverage refers to the loss suffered by customers (including the public) arising out of the breach at the insured facilities. This depends on the claims made by the outsiders. Consequent to the recent Privacy judgement, it is expected that litigation in this domain may increase and as a result even the cost of cyber insurance may also increase.

Cyber Security Risk Management includes four elements namely Mitigation, Avoidance, Absorption and Transfer (Insurance). While Mitigation is the responsibility of the IS team, Avoidance is a business decision and Absorption is a management decision. Risk Transfer through Cyber Insurance is a decision which all the stake holders, namely Information Security, Business and Management, should take together.

In many companies, the decision on Cyber Insurance may be taken at the CFO level as a budgetary provision.

Ideally, Cyber Security personnel should be involved both at the time of taking of a Cyber Insurance policy as well as at the time when Claim is preferred.

When a Claim is preferred the Insurance Company will naturally contest to say

-Breach was caused out of negligence

-Breach was caused by insiders or other reasons not covered under the policy

-Breach occurred long time back and was not detected in time and was not plugged in time to reduce the damage

-At the time of taking the policy, the risk was known and not disclosed.

-Coverage is limited to part of the loss only, because the insured is a co-insurer in part because the assets were undervalued at the time of underwriting

-Policy has sub limits and hence not payable in full, etc.

No Insurance company will be/can be magnanimous as to say…I will ignore all your follies and pay whatever you ask.

At the same time, the Company needs to defend

-It was not negligent

-Root cause of loss is within the risks covered

-Assets are fully valued at the time of the underwriting

-Breach was detected in time and acted upon

-Reasonable action is taken to legally defend the claims against the company and pursue claims against the persons causing the breach, so that the Insurance company can step into the shoes of the insured and pursue its claim against the end beneficiaries of the breach etc.

The Company also has to provide evidence that reasonable Security practice is in existence today, yesterday and throughout the life of the policy.

All this can be done only by the Information Security team and not by the CFO. It is for this reason that the Information Security team should be at the center of a decision on Cyber Insurance all the time.

There are some challenges in Cyber Insurance, including the lack of adequate metrics to measure the security posture of an organization so that a “Risk based Premium” can be determined beyond the usual claims of “I am ISO 27001/PCI-DSS compliant” etc.

Challenges are also noticed since normally it takes time for breaches to be identified and addressed.

It is also not easy for Information Security professionals to clearly understand the different limitations in the Cyber Insurance contract, especially since Insurance contracts are contracts of “Utmost Faith” and can be voided by the Insurance company if it can prove that the insured had not shared all relevant information at the time of making his proposal. It is also a challenge to value the assets insured so that the Insurance Company does not limit the claims on the grounds of “Under valuation of Assets”.

As regards the response to a breach when identified, a Company needs to have a clear policy based on the obligations under the Cyber Insurance contract to decide if the breach has to be reported (even when there is no claim preferred) and for all the actions required to be taken such as filing of a Police Complaint, conducting internal forensic assessment, etc.

It is also necessary for the Company to avoid mis-communication to the public and press which can cause more harm to the reputation of the company and increase the losses under claim.

In view of the complications involved in a Cyber Insurance Contract and the high stakes involved, there is therefore a need to obtain appropriate consultation from experts before a Cyber Insurance contract is purchased by an entity.

During the discussions, the difficulty of the Insurance companies in assessing the Cyber Risk and linking it to the Premium was also discussed, owing to the lack of information on cyber crimes in general. The Insurance companies are therefore forced to base their premium fixation on the cost of re-insurance. This has prevented the Cyber Insurance companies from giving appropriate credit to the security measures taken by the insured to reduce the Cyber Risks, and more effort is required in this direction so that investments made in Cyber Security reduce the cost of insurance at least to some extent.

Naavi

 

 


Impact of Supreme Court’s Order on Right to Privacy on Cyber Space and Data Protection

A Round table was held at National Law School of India, Bangalore, the premier law education institute in the country on assessing the impact of the Supreme Court order on Right to Privacy on Cyber Space and Data Protection. Dr Professor Nagaratna, Dr Professor Subbarao, from NLSUI led the discussions and several other invited guests from IT industry, Advocates, Police, Research scholars participated in the consultation program.

Participating in the discussion, the undersigned shared his views on the subject reproduced below:

Assessing the Impact of Supreme Court’s Order on Right to Privacy on Cyber Space and Data Protection

Discussion @ NLSUI, 31st August 2017

A Note By Naavi

Law is meant to be complied with by the Citizens. Hence it has to be written in a manner that is easily and precisely understood by the stake holders. A well written law brings better compliance than a law that people cannot properly understand. This principle also applies when laws are made by way of Jurisprudence developed in major Judgements of superior Courts. If the Judgements are precise and lucid, they will be well understood by the citizens and there will be better compliance. We need to assess this Judgement keeping this basic principle in mind.

The Order

The Bench in its 547 page judgement has given out a one page order signed by all the judges making just one major point namely:

“The right to Privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution”.

Additionally, the order specifically mentions that the earlier judgements in the M.P.Singh and Kharak Singh Cases have been overruled.

Apart from the order, individual judgements have been given by 5 judges and the other four have given a common judgement. Some of these individual judgements list some conclusions after reflections and other citations from Indian and foreign judgements.

The operative part of the judgement is however limited to the declaration that the Right to Privacy is a “Fundamental Right”. It means that the Government cannot make any law that infringes the right, and any previous laws made can be challenged. However, the Right is subject to the “Reasonable Restrictions” under Article 21 and this would be the line of defense whenever a law is challenged.

While infringement of the Privacy Right by the State can empower a citizen to claim damages from the Government, it cannot be used to claim damages from a Non State body.

Impact on Non State Bodies

Individuals and Companies who are not State bodies shall be liable on the basis of any law made by the Government to protect Privacy of a Citizen as per the obligation under the Constitution.

At present no law exists specifically to protect the Privacy of an Individual. However, Information Technology Act 2000/8 has certain provisions which afford protection to “Personal” data of an individual in electronic form which is collected and processed by a corporate entity.

Lack of Definition of Privacy

In the Judgement, it has been admitted that there is no acceptable definition of “Privacy” as it prevails in India. Earlier, the various judgements of the Supreme Court including the Kharak Singh judgement used the concept of Privacy Right as a “Right to be left alone”. It was mostly viewed in the context of “Physical Privacy”.

Additionally, some of the Judges have made reference to “Information Privacy” where “Right to decide how information that is related to the Privacy of a person may be collected and used” is recognized as a facet of Privacy. Again this is not part of the order and hence not binding under this judgement.

The current judgement did not add an acceptable definition of Privacy in its final order though different judges in their reflections made many remarks. At least one Judge (Justice Chelameswar) categorically stated “….Definitional uncertainty is no reason to not recognize the existence of the right of privacy…. “.

As a result, the “Right to Privacy” is now sought to be defended with a vague understanding of the definition of “Privacy”. Citizens and Companies will therefore have to consider protecting the Privacy of other Citizens and not infringing it, without having a clear understanding of what right they are really protecting.

If there is any dispute whether a “Right” is infringed and whether what is infringed is the “Right to Privacy”, then a reference would be required to be made to a Court to define on a case to case basis whether the “Right which was infringed was indeed a Right to Privacy”.

The public will therefore look for the specific legal provision where the Privacy Right is mandated to be protected to find out whether they are indeed compliant with law or not.

For example, in cases where ITA 2000/8 applies, public and companies will look for the definition of “Personal Information” and “Sensitive Personal Information”. It also has certain sections like the Section 43A, Section 72A, Section 79, Section 65, Section 67C, Section 66E, Section 69, Section 69B, Section 70B etc. where different aspects of Privacy are referred to. All this applies to electronic documents other than excluded documents under Section 1(4). They do not apply to non-electronic documents or oral statements.

Courts have the right to not only interpret the law but to write the law

Justice Chelameswar has however made an interesting statement which implies that any decision of the Court in this regard may not necessarily be dictated by what is provided in the law.

 According to him

“To sanctify an argument that whatever is not found in the text of the Constitution cannot become a part of the Constitution would be too primitive an understanding of the Constitution and contrary to settled canons of constitutional interpretation”

What this observation means is that even if the Constitution or any law does not mention something in the text of the law, the Court can still interpret the law to contain such text by way of an interpretation.

This makes law completely arbitrary: the Court not only interprets what is written in the law but can also import any other text not present therein, as if the law is being “Re written”.

When we remember that Justice Chelameswar and Justice Nariman, who are part of this bench, were also the Judges who in the Shreya Singhal Case struck down Section 66A, considering that Messaging is no different from Publishing and that the words used in the section were vague, and also refused to read down the provisions and retain the section but insisted that it had to be struck down, it is surprising that they have now changed their view completely.

In this judgement the Court is ruling on “Protection of Privacy” without freezing on what is meant by “Privacy”. This is not considered vague. Also, now the Court is ready not only to “Read down” but also to “Write down” law in any manner in which the Judges consider correct.

This inconsistency in judicial approach creates needless confusion to companies who would like to be compliant with law.

This approach of laying down law without clarity is undesirable. As a result, any law can be interpreted by the Court at any time and what is written in the law is immaterial.

In such a scenario, compliance is almost impossible and Businesses will not be able to invest in technologies and build an infrastructure or brand without the constant fear that law may be re-interpreted by a Court in a different manner and make their business illegal.

ITA 2008 approach to Privacy Protection

ITA 2008 defines Personal Information as any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. (Notification of 11th April 2011).

Sensitive Personal Information is defined as: password; financial information such as Bank account or credit card or debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information; any detail relating to the above clauses as provided to a body corporate for providing service; and any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise.

Under Section 72A, any person disclosing personal information in violation of an agreement with the data subject is liable for 3 year imprisonment.

Under Section 43A, which is applicable only to companies, a company handling “Sensitive Personal Information” needs to implement “Reasonable Security Practices” failing which it would be liable to pay compensation.

Under Section 43, any person who “Diminishes the value of information residing inside a computer” or obtains unauthorized access to information (whether personal, or sensitive personal or any other) is liable for payment of compensation and additionally for 3 year imprisonment.

Further, there are data retention requirements (Sec 67C, Sec 65), bodily privacy protection (Sec 66E), and disclosure and interception related issues (Sec 69, 69B, 70B) for which punishments are prescribed. Section 79 is a complete reproduction of internationally accepted norms of privacy protection as applicable to information intermediaries.

ITA 2000/8 however places emphasis on a “Contract” with the data subject, which gets translated into “Informed consent”. Hence any company dealing with privacy related information has to focus on obtaining a proper consent after a proper disclosure of why information is being collected, what information is collected, how it is used, how it is shared, how it is secured, how long it is retained etc.

The law is reasonably robust, though there is lacuna in its implementation. Companies are negligent in not going for a structured ITA 2008 compliance exercise despite nudging by the Government through various means.

Now the Government is contemplating a separate law on Data Protection, for which a committee led by another retired Judge of the Supreme Court (Justice Srikrishna) is working. Since this is a “Data Protection law”, it has to address only what ITA 2008 has already addressed. It is expected that it would focus on the administrative part of data protection, including appointment of a data commissioner and replacing the Adjudication and Cyber Appellate Tribunals with a separate system. Hopefully there will not be much need to tinker with ITA 2000/8 itself to ensure that the two laws are not contradictory.

What Can change after the Judgement?

Now that this judgement elevates Privacy to the status of a “Fundamental Right” there will be a greater attention from the Privacy advocates and there would be a number of frivolous litigations on e-commerce players who are today banking on the “Contractual Permissions” from the data subjects.

The common approach of business is to offer a service under the specific condition that certain data is shared and it may be used by them in a certain manner in which they generate some additional revenue.

In a way the data subject “Trades” his personal information for a benefit. Whether he gets a fair price for his data or whether he is allowing the data processor to get free data is perhaps a point of debate. We however have to recognize that the world is already recognising the IPR laws in which often the author/inventor gets some small revenue and transfers the rights to a business entity which makes a windfall. These imbalances in data trade cannot be easily regulated by law and should be left to the NGOs and better education of the consumer.

Businesses like Data Analytics, Advertising etc. survive only on collection and use of personal data. Some businesses can do with de-identified data but many need value which comes only with identified data. In the digital economy “Data” is considered an important commodity just like “Oil” and hence imposing irrational curbs on its usage in the guise of “Privacy” will be counterproductive.

Additionally, “Privacy” is always at loggerheads with Security, and even the Judges in this judgement have recognized this. Hence Government and Companies will try to justify certain practices on the basis of security requirements, while whether there were “Compelling reasons” for the same will remain eternally a debate in Courts.

What is required now is the development of good enforcement machinery which will guide the Companies in India to protect the Privacy of individuals and ensure that a fair price will be paid to them whenever personal data is used for commercial purposes. How this will be done is the challenge for the Data Protection Act on the anvil.

Technically, apart from De-Identification, Regulated Anonymity concepts provide a strategy for striking a balance between Privacy Rights and Security requirements. They need to be harnessed in the Data Protection regime.

Industry therefore may continue to follow the principles of Data Protection under ITA 2008 as its obligation for “Privacy Protection” and await the Data Protection Act for any review of its strategies.

Naavi

www.naavi.org

31st August 2017

The deliberations of the Round table are likely to be collated and submitted by NLSUI to the Government and the Srikrishna Panel on Data Protection.

Naavi

 

 


Privacy…is a “Fundamental Right” but we do not know what constitutes “Privacy”!

(This is in continuation of our discussion on Justice Chelameswar’s part of the judgement in the Privacy case)

While the nine eminent judges went about their mission to declare “Privacy As a Fundamental Right”, they also encountered the problem of defining what is “Privacy”.

The challenge of defining Privacy Rights without a definition of Privacy has confronted law makers as well as those who have to follow the law, and this has not been appreciated much in the past. Now it is interesting to see that even the nine judges are unable to agree on how to define the "Privacy Right".

Justice Chelmeshwar uses his Judicial freedom to

- first admit that "Whether it is possible to arrive at a coherent, integrated and structured statement explaining the right of privacy is a question that has been troubling scholars and judges in various jurisdictions for decades." and

- then to say "In my opinion, there is no need to resolve all definitional concerns at an abstract level to understand the nature of the right to privacy….Definitional uncertainty is no reason to not recognize the existence of the right of privacy….".

He then concludes that “for the purpose of this case, it is sufficient to go by the understanding that the right to privacy consists of three facets i.e. repose, sanctuary and intimate decision. Each of these facets is so essential for the liberty of human beings”.

These three facets, "repose", "sanctuary" and "intimate decision", are picked from academic concepts postulated by the US author Bostwick.

"Repose" refers to freedom from unwarranted stimuli, "sanctuary" to protection against intrusive observation, and "intimate decision" to autonomy with respect to the most personal life choices. All these are covered under the concept of Privacy as the "Right to be Left Alone".

Unfortunately, this definition does not form part of the order and is not treated the same way by the other Judges. Hence it remains one of the opinions of the nine judges.

This means that the search for an acceptable definition of Privacy continues even after this judgement.

Though invasion of Privacy by the State as well as by Individuals and Companies is recognized, the judgement does not provide a proper guideline on how the stakeholders need to respond.

Of course it is understood that the Government cannot make any laws that infringe on Privacy Rights, subject to "Reasonable Restrictions" as per Article 19 of the Constitution.

However, when an invasion of Privacy occurs, whether by the State, another individual or a Company, there is no guidance on how the affected individual would be compensated. For this we need to await a law from the Government.

Presently a law is being contemplated on "Data Protection", which is not directly equal to "Privacy Protection". In the absence of an agreed definition of Privacy, it is not easy to define what information/data can be considered "Relevant for Privacy Protection" and has to be protected under the Data Protection Act.

Other judges have used the term “Information Privacy” to identify personal information in data form and state that “Right to control collection and dissemination of such personal information” is “Privacy Rights in the Data world”.

This is acceptable for Privacy Protection in data form but inadequate when Privacy has to be protected for information handled orally or in non-electronic written form.

The Judgement does not clarify this, and therefore the Government formulating the Data Protection Act, as well as Companies and Individuals who look to ITA 2008 for Privacy protection in data form, are none the wiser when privacy has to be protected in non-electronic form.

Additionally, several stray aspects of life are loosely cited as examples that may define different facets of Privacy. For example, Justice Chelmeshwar reflects on the "Decision to stop medical treatment by a patient", or a decision of a woman to bear or not bear a child, or to abort a pregnancy, as Privacy issues. The reflections go on into many other areas, including the right to work and choose the type of work, the right to travel and the right to choose a place of residence, as other areas to which the principles of Privacy can be extended.

Justice Chelmeshwar has even delved into political issues by commenting

“I do not think that anybody would like to be told by the State as to what they should eat or how they should dress or whom they should be associated with either in their personal, social or political life.”

Similarly other judges have included the Right to sexual orientation as part of Privacy in their reflections.

By making such comments in the body of the judgement, all these issues are being projected as part of "Privacy Rights", and in future they will come up to the Supreme Court in the form of writ petitions from the Citizens of India trying to protect their fundamental rights.

No doubt it is a feather in the cap of Indian democracy that our Judiciary considers that if I post on my WhatsApp that "I ate Masala Dosa at Vidyarthi Bhavan today" and somebody forwards it outside, it can be contested as a "Violation of my Privacy Rights". But.. is this what Privacy Right protection is all about?

Adding these reflections in the Judgement without a proper confirmation on either acceptance or rejection of the same by a majority of judges as a part of the final order has only brought in more confusion to the public and was completely avoidable.

Now individuals and companies are placed in a dilemma as to whether these individual reflections are to be treated as part of the order or ignored. This will only encourage frivolous litigation in future, from which nobody but the Privacy advocates benefit.

Considering the vague reflections included in the judgement, it would not be surprising if tomorrow, in a divorce case, a husband or wife claims a "Privacy Right" not to be "husband and wife", or "Transfers in Jobs" are contested under the "Right to Privacy", and so on. The potential for this judgement to lead to nuisance litigation is very high because of the numerous reflections made part of the judgment document, though they are not part of the final order.

For the time being, it may therefore be better to ignore these stray comments, since they are neither part of the final order nor a majority common decision. The Government, when it frames the Data Protection law, should not give weightage to all these different instances of life as "Privacy Issues" and make life unbearable.

In these facets, the Judgement reflects an attitude of the Court that treats the judgement as an erudite academic essay, without the need to conclude it properly with either acceptance or rejection of a point of view.

Similarly, when a decision of multiple judges is involved, if the individual opinions are not consolidated into groups with an indication of which judge accepts or rejects each issue, and that consolidation is not carried into the final order, the communication to the public remains incomplete.

As a result, after such a judgement, stakeholders are none the wiser than they were before. Perhaps they are more confused than before.

The "uncertainty" created by such "Vague" judgments can be avoided if Judges consider that a Judgement is written not to showcase how much the Judge knows about a subject but to tell the public what it needs to know to solve a legal problem.

[P.S: I am aware that it is not customary for anybody to make comments on the judgement particularly when it comes from the highest Court of the land.

But in the hope of Courts rendering judgments which can be read and understood by common people without the need for intermediaries, I have found it necessary to express these views.

Commercially, the more confusion there is in the market, the better it is for consultants like us, because somebody is needed to interpret the interpretations, rightly or wrongly, and present them again to some other Court so that the debate can continue.

But law is not meant for creating commercial value for consultants and lawyers. Law has to be simple and understandable by the Citizens and other stakeholders so that they can comply with it without the assistance of a third party.

Voluntary compliance will suffer if the law is vague and complicated, and the trend has to change towards law being lucidly explained. This may not be possible in the writing of the law, but it is possible in the judgement. Hence even if the law can be vague, the judgement should be precise. I hope we will see short and precise judgements, particularly when they involve concepts that need to be understood by Citizens and adopted as part of their life styles.

The touchstone of the "Privacy Judgement" is whether it can be understood by the common man on the street, who is the subject who has to enjoy "Privacy" as a "Fundamental Right". If "Privacy Law" is meant to be understood only through a PG Diploma course, then the Law of Privacy will remain an elite concept and will not reach the masses.

Naavi
